Skip to content

Privacy Policy

Whalebone Privacy Policy

Last modified on 01 June 2023

Contact info

This document provides information on the main principles of collecting and protecting personal and other data (“Privacy Policy”) by our company, Whalebone, s.r.o with registered address at Jezuitská 13/14 , 602 00 Brno, Czech Republic, Company ID: 05120403, VAT No.: CZ05120403 (“our company”, “we” or “us”).

This Privacy Policy has been compiled to give the individuals (“you”) a clear understanding of how we collect, use, protect or otherwise handle your personal data when you access our website, platform, use an online application or our products containing a link to this privacy policy.

How to contact us

At general email address  or our DPO at: or write to us to the address listed above.

How to contact the supervisory authority

Should you wish to lodge a complaint or if you feel that our company has not addressed your concern in a satisfactory manner, you may contact the Office for Personal Data Protection, contact details here:    

Personal data processed when using our company website

You can browse through most of our website without giving us any information about yourself.

Personal data categories

For the purposes listed below, we may collect Personal Data, including, but not limited to:

Personal data you give us in the contact form, such as user name, email address, telephone number. For job applications, we also process your CV and cover letter if sent to us. If you subscribe to our newsletters, we will also process your usage data (information about your activity on the website). Your usage data may be used for automated profiling to evaluate your potential interest in our products.

We track the domains from which visitors come to collect statistics on Whalebone’s site traffic for usage and trend analysis;

Whalebone’s website servers use standard log files. These logs include Internet Protocol (IP) addresses, ISP (Internet service provider), type of browser, and page information to administer our website, refine flow and content, and to gather broad demographic information for aggregate usage.

Sources of personal data  

Personal data may be submitted by you and/or collected by Whalebone when you use this website and/or log into certain areas of this website. With regard to services we provide to our customers we may obtain the  personal data from our customers, resellers and other business partners who provide the services to you.

This Website also automatically collects users’ IP addresses.

Purpose of the processing and legal basis  

  • Based on your consent

When we create your user account, when you fill online form, when you subscribe to our newsletter or e-book or other informational communication.

If your personal data is processed on the basis of your prior consent to its processing, you may withdraw your consent at any time by sending a written notice to us or e-mail us. You can also opt-out of receiving our marketing information at any time by using the unsubscribe link provided in every email we send you.

  • Based on contract or prospective contract

In case you apply for  employment until the application has been considered, after that based on our legitimate interest, if applicable    

  • Based on legal obligation  

We may process your personal data when it is required for compliance with accounting, tax, anti-money laundering, legal order, or other obligations to which we are subject.

  • Based on legitimate interest  

we will use your Personal Data for:

• Product enhancement, research and to provide product improvements, new features and product updates;

• Providing information about possible privacy, security and performance improvements and products that supplement or improve our products and to optimize the format and content of this type of information;

• 3rd-party analytics to improve and evaluate the quality and performance of our products, services and websites and to follow usage trends, and to analyze conversions, campaigns and user acquisitions;

• Enable efficient performance of our business by supporting internal commercial and administrative processes (e.g. controlling, finance, legal compliance, business intelligence, information security etc.);

• Secure our applications and systems; and

• Establish, exercise or defend our legal rights.

Retention period    

Our company will store your personal data in accordance with the time limits stipulated hereunder or until you request for deletion within your rights of GDPR.

Unless a specific period of time is specified for a particular purpose of processing personal data, we will retain the personal data collected, as long as it is in our legitimate interest (for example, to provide you with the agreed service or to comply with legal requirements).

Our company retains the personal data collected in order to process your request submitted via an online form until the request is processed.

In the case of newsletter subscription, your personal data will be processed from the date of collection until you choose to unsubscribe from the newsletter via the link provided in any email we send you.

In case you apply for employment, we will retain your personal data until the application has been considered and then for a further 6 months if we have informed you that your application has been unsuccessful.

Once we no longer have a legitimate interest to process your personal data or once the processing period has expired, your personal data is anonymized (where allowed by law), deleted or destroyed. If this is not possible (e.g. if the data is stored in backup archives), your personal data will be stored securely and isolated from further processing until it can be deleted.

Our Identity Protection service

Our company offers / provides to its customers (namely telco providers) services consisting of the provision of information about the availability of personal data of their end-customers from leaked databases on the internet and the related collection of statistical data about logins and passwords to various services from leaked databases (the “Service”). This Service includes processing of personal data of data subjects (end-customers).  

Purpose of the processing and legal basis

The processing of personal data is carried out for the following purposes:

  1. the creation and maintenance of a database of logins to various services from leaked databases (which would enable the telco providers to notify end-customers about the availability of their data on the internet); and
  2. statistics and evidence.

This processing is done on the basis of our Company's legitimate interests as well as of legitimate interests of our customers and of their end-customers in accordance with GDPR. The legitimate interest consists primarily in the protection of persons concerned from security risks (when the Service would allow notification of the persons concerned about leak of their personal data). For the purpose of statistics and evidence, our Company’s legitimate interest consists of the improvement of the security awareness and provision of useful information to the relevant community.

We have balanced your interests against our interests for the above mentioned processing operations. You have the right to object to those processing operations on grounds relating to our particular situation. For additional details please see the below section Your data protection rights.

Personal data categories and sources

Most of the personal data our company processes is obtained from leaked databases.

Within the activity the following personal data are processed: logins and password, other personal data contained in the analyzed leaked databases, except for sensitive data.

Retention period

Passwords to various services from leaked databases will only be retained for a maximum period of  4 weeks.

The remaining personal data (i.e. logins) will be retained for the entire duration of the processing.

Who may have access to personal data

For the specific purpose, we engage external providers who may have access to or process your personal data (the personal data processors). We use the services of the following categories of personal data recipients:

  • service providers related to our IT, operation and communication services
  • admin and development providers of the websites, providers performing analysis and improvements of our websites
  • external ATS system provider
  • career portals (if you chose to respond to our job opening)

We take full responsibility in relation to the relevant data protection legislation and ensuring that your personal data is equally protected in case it is processed by an external provider contracted by us.

In certain circumstances, we share and/or are obliged to share your personal data with state authorities to comply with authorities proceedings.

Your personal data will never be forwarded, sold or traded with other companies, organizations or individuals without your consent.

Protection of personal data

Your data will be protected by technical and organizational measures and processes to fulfill legal security requirements and guard against unauthorized access and disclosure. Some information will be hashed and managed in encrypted form. We are certified. The information on the current certifications may be found here.


Whalebone’s site utilizes “cookies”, to learn more about this policy and how we use cookies check Whalebone Cookie Policy.

Your data protection rights

You have the following rights regarding the processing of your Personal Data:

Right to be informed

You can request information about the processing of your personal data.

Right to access

You may request a copy of your personal data.

Right to rectification

You may request from us to correct any inaccuracy or to complete incomplete personal data.

Right to data portability

You have the right to receive personal data processed for the purpose of conclusion and performance of a contract or personal data which you have provided and is being processed on the basis of consent, in machine-readable format. This right applies only to personal data which is processed by automated means.

Right to erasure (“right to be forgotten”)

In specific cases stipulated by law, you have the right to request deletion of your personal data, e.g., if there is no legally recognized title for further processing of your personal data on our part (incl. protection of Whalebone’s legitimate interests and rights).

Right to object

Applies to cases of processing carried out based on our legitimate interest. You have the possibility to object to such processing, in relation to your particular situation, and we are required to assess the processing to ensure compliance with applicable regulations and legally binding rules. In case of direct marketing, we shall cease processing Personal Data for such purposes after the objection.

Right to restrict processing

As alternative to your right of erasure you may ask us to stop processing your PD. We will still hold the data, but will not process it any further.

Privacy policy of 3rd parties

Our company’s website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy. We have no control over the content of external websites to which the website hyperlinks. We are not responsible for the processing of your personal data on external websites. These hyperlinks are provided as a service to users and are accessed at your own responsibility.

Changes to our privacy policy

Our company keeps its privacy policy under regular review and places any updates on this webpage. The changes will be effective as of the date of such posting.