Personal data processing and protection policy of the Avrora Multimarket whistleblowing line

This Policy (hereinafter referred to as the Policy) defines the rules for processing and protecting personal data when using the whistleblowing line available at https://avrora.ethicontrol.com. The Policy is based on the requirements of the GDPR and the legislation of Ukraine in the field of personal data protection.

1. General provisions

• This Policy has been developed in accordance with the Law of Ukraine "On Personal Data Protection" No. 2297-VI dated 01.06.2010, and taking into account the requirements of the GDPR data protection standard.
  
• The Policy applies to all personal data that may be obtained or processed through the Avrora Multimarket whistleblowing line.
  
• Use of the portal (including submitting a report, navigating, or communicating via the system) means you have read and accept the terms of this Policy.

2. Key definitions

• Personal Data Base — an organized system of personal data in electronic form.
  
• Controller (Operator) — LLC “Vygidna Pokupka”.
  
• Processor — LLC “Ethicontrol”.
  
• Data Subject (User) — a natural person whose data is processed through the portal.
  
• Processing — any action with personal data (collection, storage, transmission, deletion, etc.).
  
• Consent — voluntary and informed expression of will by the data subject for processing in accordance with the purpose.
  
• Anonymization / De-identification — removal of identifying elements so that the subject cannot be identified.

3. What data we collect

• Data you provide in the report: report text, attached files, selected report categories, and other responses to questions (strictly those related to the investigation of the report).
• Contact data — only if you voluntarily provide it (name, email, phone number) — to allow for feedback.
  
• Technical data — event logs, basic device/browser info, IP (if needed) — only as much as necessary for system operation and security.
  
• Data about persons mentioned in the report (witnesses, subjects, etc.) — only as much as is necessary for investigation.

4. Purpose and legal basis for processing

• We process personal data to receive, verify, and review reports, prevent violations, protect individuals, and comply with legal requirements.
  
• For users from the EU/EEA, data is processed either on a legal basis (Art. 6(1)(c) GDPR) or the company’s legitimate interest — to ensure ethics, security, and prevention of abuse (Art. 6(1)(f) GDPR). In short: if you share your contact info — this is only with your consent.
  
• Sensitive data (Art. 9 and 10 GDPR) is processed only in cases permitted by law and only as much as is necessary for handling the report.
  
• In Ukraine, processing is carried out in accordance with Law No. 2297‑VI “On Personal Data Protection”.

5. Access and transfer

• Within LLC “Vygidna Pokupka,” data is accessible only to employees who have a legitimate need (compliance, internal audit, legal).
  
• LLC “Ethicontrol”, as the processor, processes data strictly according to procedures and business processes approved by LLC “Vygidna Pokupka.”
  
• Some technical infrastructure (e.g., servers in Germany) is serviced by reliable partner companies. A list of these companies is published by LLC “Ethicontrol” on their website (https://ethicontrol.com/en/privacy-policy: Privacy Policy – Section 7).
  
• Data may be transferred to competent state authorities in cases required by law.

6. Cookies, analytics, and tracking technologies

• The whistleblowing portal does not use web analytics or tracking scripts and collects no excessive data — only basic technical data necessary for portal functionality. It is technically impossible to identify users from this data.
  
• The portal only uses first-party cookies required for operation.
  
• On the portal we do not use cookies from third-party providers. We also do not transmit or share any personally identifiable information with third parties.

7. Data retention

• Data is retained only as long as necessary for review, investigation, and fulfillment of legal or internal obligations.
  
• LLC “Ethicontrol” stores data in encrypted form on EU-based servers.
  
• After the retention period, data is deleted or anonymized per internal policy of LLC “Vygidna Pokupka”.

8. Data subject rights

• EU/EEA individuals have rights under the GDPR: access, correction, deletion, restriction, objection, data portability, and the right to lodge a complaint with a supervisory authority.
  
• In Ukraine — rights as per Law No. 2297‑VI (access to information, correction, deletion, complaint to the Ombudsman).
  
• You may contact LLC “Vygidna Pokupka” with a request — your rights will be fulfilled in coordination with LLC “Ethicontrol”.

9. Contacts and rights fulfillment

• For questions about this Policy or to exercise your rights: [email protected]; hotline 0 800 300 066; other contact details are on the official Avrora Multimarket (LLC “Vygidna Pokupka”) pages.
  
• For inquiries about data processing by LLC “Ethicontrol” (as a processor): [email protected].
  
• You also have the right to contact the relevant supervisory authority. In Ukraine this is Personal Data Protection Unit of the Ukrainian Parliament Commissioner for Human Rights (Ombudsman). Website — https://ombudsman.gov.ua.

10. Security

• LLC “Ethicontrol” implements security standards including ISO 27001 / ISO 27701 principles; encryption during data transfer and storage; role-based access etc.
  
• Access is granted only to staff who need it, with internal access and logging procedures.

11. Changes to the policy

• LLC “Vygidna Pokupka,” as the data controller, reserves the right to change this Policy unilaterally in case of legal updates, changes to data processing methods, or technical platform conditions.
  
• All changes are published on the whistleblowing portal. The current version is always available via the link.
  
• Continued use of the portal after updates means acceptance of the revised Policy.