Privacy Policy

Privacy Policy

This Privacy Policy governs the manner in which the Whitely platform (“Whitely”, “we”, “us”, “our”) collects, uses, processes, stores, and discloses information received from users of our website whitely.hr (“Website”) in order to provide you with services available through the Website (“Services”).

This Privacy Policy has incorporated provisions of the EU General Data Protection Regulation (GDPR), ePrivacy Directive, The Croatian Data Protection Act and is compliant with them and set in coherence with other valid generally binding legal regulations as we act in accordance with personal information processing rules within the European Economic Area (EEA).

We respect the privacy of all users of the Website and ensure that the Personal Data of the consumers are treated confidentially and in compliance with applicable laws and regulations.

This Privacy Policy applies to the Website, the Services, and products offered by Whitely. We assume that you have carefully read this document and accepted it. By using the Website, our Services, and products offered by Whitely, contacting us you express your consent to the terms of this Privacy Policy. By clicking the confirm-checkbox while creating the Account on the Platform you provide us with your explicit consent to the terms of this Privacy Policy and all the data practices described in this Privacy Policy and in the Terms and Conditions including the processing, storage, and usage of your Personal Data.

If you disagree with this Privacy Policy, then you should refrain from using our Website and/or Services or opening an Account. This Privacy Policy is an integral part of our Terms and Conditions. If you have any questions regarding this Privacy Policy and/or questions/requests regarding your Personal Data, please contact our Data Protection Officer at [email protected].

Information regarding GDPR

The General Data Protection Regulation (“GDPR”) is EU privacy and data protection law. It calls for more granular privacy guardrails in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.

This Regulation applies to the processing of Personal Data wholly or partly by automated means, and to the processing other than by automated means of Personal Data which form part of a filing system or are intended to form part of a filing system. Generally, The GDPR requirements apply to all companies, institutions, and organizations that process Personal Data.

Processing Personal Data is a broad concept under the GDPR

The GDPR sets out the rules on how organizations may handle the Personal Data of individuals. The terms “Personal Data” and “processing” are key within this regulation, and understanding their specific meanings helps clarify the full scope of the law.

Personal Data refers to any piece of information connected to an identified or identifiable person. This definition is intentionally broad, as it covers any details that could either alone, or together with other information, be used to recognize someone. Personal Data is not limited to obvious identifiers such as a name or e-mail address — it can also include financial details or, in some circumstances, even an IP address.

Additionally, some types of Personal Data are considered particularly sensitive and receive stronger protection under the GDPR. These special categories include data revealing a person’s racial or ethnic origin, political views, religious or philosophical beliefs, trade union affiliation, genetic and biometric data, health information, details concerning someone’s sex life or sexual orientation, and information related to criminal convictions or alleged offenses.

Processing Personal Data is the central activity that gives rise to obligations under the GDPR. The term Processing covers any action or sequence of actions carried out on Personal Data or sets of Personal Data, whether automated or manual. This includes operations such as collecting, recording, organizing, structuring, storing, modifying, retrieving, consulting, using, disclosing through transmission or other means, aligning or combining, restricting, erasing, or destroying data.

The GDPR can apply to organizations located outside the EU

The GDPR is relevant to any globally operating company, not just those located in the EU. Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU, but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.

Personal Data collection and usage

We collect, store, and use your Personal Data in accordance with the purposes described in this Privacy Policy. We have outlined the categories of Personal Data that may be processed about you, as well as the reasons and methods for their use.

While providing our services, we may also rely on third-party software, tools, or other resources (“Service Providers”) that are operated by independent entities. These Service Providers may also collect and process the Personal Data of our Users. The manner in which each Service Provider collects, processes, stores, and uses Personal Data is governed by the Privacy Policy of that specific Service Provider.

You can review the Privacy Policies of our current Service Providers’ software products at the following links:

• Zendesk: https://www.zendesk.co.uk/company/agreements-and-terms/privacy-notice/
• Sumsub: https://sumsub.com/privacy-notice/

This list of Service Providers is not exhaustive and may be updated or expanded over time. In all cases, Users may review the applicable Privacy Policies of any Service Providers with whom Whitely collaborates on their official websites.

What Personal Data Whitely may collect

We collect and process all types of Personal Data to provide you with our Services, ensure that Services function properly, as well as to verify your identity and ensure the security of our Services, as follows:

Whitely may use Personal Data that you give us to register with us to:

• process your registration request;
• on-board you as a customer;
• provide our products and Services;
• manage and administer our Services, including your account with us;
• communicate with you about your account and our Services, including informing you of our products and Services;
• send personalized offers of Services and products.

Whitely may use Know Your Customer (KYC) Personal Data to:

• carry out regulatory checks and meet our obligations to our regulators;
• help us ensure that our customers are genuine and to prevent and detect fraud, money laundering and other crime (such as terrorist financing and offenses involving identity theft).

Whitely may use Personal Data that you provide as part of your account with us to:

• manage and administer your account with us;
• communicate with you regarding your account and our Services.

Whitely may use Personal Data relating to your use of our Services to:

• manage and administer our Services and systems;
• check if you are in a location or using a device consistent with our records in order to help prevent fraud;
• develop and improve our Services based on analyzing this information, the behaviors of our users, and the technical capabilities of our users;
• improve our Services to better suit the behaviors and technical capabilities of the users of our Service;
• answer any issues or concerns;
• monitor customer communications for quality and training purposes.

We may use Personal Data that we collect from third parties to:

• register you as a customer or provide Services to you;
• manage and administer our Services and systems;
• help us to prevent and detect fraud.

We may use Personal Data that we collect through your use of our Website to:

• develop new Services based on the information being collected, the behaviors of our users, and the technical capabilities of our users;
• identify issues with the website, including website security, and user's experience of it;
• monitor the way our website is used, where our customers have come from online, and the way in which our website is used by different user groups;
• do statistical analysis and research to better understand our customers and their use of our Services.

We may use Personal Data collected from individuals representing organizations to:

• provide Services and products;
• build relationships and B2B collaborations with other organizations;
• provide marketing communications to these individuals;
• improve our Services and develop new Services based on the preferences and behaviors of these individuals;
• obtain Services for our business.

Rights of the Personal Data subject

You have certain rights with respect to your Personal Data, including those set forth below.

• Right to be informed – information about collection and use of your Personal Data.
• Right to access – confirmation whether Personal Data is processed and related information.
• Right to rectification – correction of inaccurate or incomplete Personal Data.
• Right to erasure – deletion where data is no longer necessary or no other legal ground applies.
• Right to restriction – limiting processing, to be performed only upon separate consent.
• Right to data portability – receive and transmit your Personal Data in a machine-readable format.
• Right to object – object to processing where no overriding legitimate grounds exist.
• Right to withdraw – withdraw consent at any time.
• Right to non-discrimination – no discrimination for exercising your rights.

To exercise any of these rights, please contact our Data Protection Officer at [email protected].

Direct Marketing

If you have previously provided your explicit consent to receive marketing communications from us, you may withdraw this consent at any time. You can also unsubscribe from our marketing messages whenever you wish.

We may still contact you for operational or service-related reasons, or to fulfil our contractual obligations to you. Such communications are not considered marketing and are carried out on the basis of our legitimate interests.

Legal requirements

We are required to collect certain categories of Personal Data to meet our legal obligations related to anti-fraud measures, Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT), and Know Your Customer (KYC) procedures. Without this information, we are unable to establish or maintain a Service relationship with you.

We may process your Personal Data when required by law, or upon a reasonable request from law enforcement, regulatory authorities, or other competent bodies, as well as for the establishment, exercise, or defense of legal claims. Personal Data relevant to ongoing investigations or legal proceedings will be retained until those matters are fully concluded.

Personal Data We Do Not Process

We do not collect or retain any information relating to individuals under the age of 18. Minors are not permitted to use our Website or Services. By accessing or using our Website and Services, you confirm that you are of legal age and have the capacity to enter into a binding agreement.

We do not process sensitive Personal Data categories, including details about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, or data concerning an individual’s sexual life or sexual orientation.

Security of Personal Data

We apply physical, technical, and organizational safeguards to maintain the confidentiality of your Personal Data and to protect it against loss, theft, unauthorized access, misuse, alteration, destruction, or other unlawful actions by third parties. Our security framework includes measures such as encryption in transit and at rest, diversification of storage systems, strict access controls, anonymization techniques, and multi-signature access tools. Access to Personal Data is limited to authorized personnel bound by confidentiality obligations. We regularly review and update our information security policies and procedures.

Sharing your Personal Data

We do not sell, trade, or rent our Users’ Personal Data to any third parties. We may transfer certain Personal Data of Users to third-party financial institutions in exceptional cases when required by their rules and policies to identify Users and provide Services.

Users acknowledge and consent that we can transfer their Personal Data to third parties that carry out KYC checks and fraud database checks. Such third parties have been assessed by us and guarantee compliance with the legislation on the processing of personal data and with this Privacy Policy.

Retention of Personal Data

We retain your Personal Data only for periods necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or allowed by law. For legal or regulatory obligations and industry standards, you give us consent to keep records throughout the term of your Account and for 8 years after the closure of your Account.

We may store your Personal Data in a depersonalized or aggregated form. We may store your personal data for longer where it is in our legitimate business interests and not prohibited by law.

Personal Data disclosure

We may share certain Personal Data with trusted business partners who assist us in delivering our Services, including providers of cloud hosting, insurance, analytics, research, and other operational or technical support services. We disclose only the minimum necessary information for the specific purpose. We do not share Personal Data to third parties for their own marketing or promotional activities.

We may disclose Personal Data when required by law, pursuant to a court order, within judicial proceedings, or in response to lawful requests from public authorities — within and outside your country of residence. We may also release Personal Data where necessary to safeguard national security, support law enforcement, or serve other matters of significant public interest.

Personal Data transfers

Your Personal Data may be transferred to and stored in countries other than the one in which it was originally collected, including locations outside the EEA, the United Kingdom, and Switzerland. Whenever we transfer Personal Data internationally, we ensure it is handled securely and in accordance with this Privacy Policy and applicable legal standards designed to ensure adequate protection.

• The destination country has been recognized by the European Commission as providing an adequate level of data protection; or
• We have implemented appropriate safeguards, such as EU Standard Contractual Clauses with supplementary measures, or the recipient is subject to approved Binding Corporate Rules.

Changes to the Privacy Policy

We reserve the right to update or modify this Privacy Policy at our sole discretion and at any time. Any amendments will become effective immediately upon publication. You are encouraged to review this Privacy Policy periodically to stay informed about updates or revisions. Continued use of our Services after changes have been implemented constitutes your acknowledgment and acceptance of the revised Privacy Policy.