Compliance Hotline — Privacy Policy
Last updated: May 5, 2026
This Privacy Policy explains how Exclusion Screening, LLC ("Exclusion Screening," "we," "us," "our") collects, uses, shares, and protects personal information in connection with the Compliance Hotline service available at compliancehotline.com and through tenant-branded reporting pages, the AI chatbot, the telephone hotline, and related features (collectively, the "Service").
The Compliance Hotline is a business-to-business compliance reporting platform. Most personal information processed through the Service is processed on behalf of a customer organization ("Customer") that has subscribed to the Service for its own compliance program. Where Exclusion Screening acts on behalf of a Customer, the Customer is the controller (or business) of that information and Exclusion Screening is the processor (or service provider). Our relationship with Customers is governed by a separate Subscription Agreement.
This Policy is written for a U.S. business audience. References to "personal information" carry their ordinary U.S. meaning and, where relevant, the meaning given to "personal information" under the California Consumer Privacy Act ("CCPA").
1. Who this Policy covers
This Policy applies to:
- Reporters who submit a compliance concern through a Customer's hotline page (web form, AI chatbot, telephone, or email);
- Authorized Users of a Customer who log into the dashboard to review and resolve reports;
- Visitors to compliancehotline.com who do not submit a report; and
- Prospects who request a demo, sign up for a free trial, or contact us about the Service.
2. Information we collect
2.1 Information Reporters provide
When a Reporter submits a report (or interacts with the AI chatbot or telephone hotline), we may collect:
- Identifying information (only if the Reporter chooses to identify themselves) — name and email address;
- Email address for follow-up — required from all Reporters, including anonymous Reporters, so the system can deliver case access links and update notifications. For anonymous Reporters, this email is encrypted and is not visible to the Customer's investigators or to our administrative personnel through the Service;
- Report content — the narrative of the concern, including any details the Reporter chooses to share (dates, locations, departments, people involved, attachments);
- Submission metadata — case type, severity, department, location, source channel (web, chat, phone, email), submission timestamp; and
- Telephone reports — caller phone number (as supplied by the Reporter's carrier and the Dialpad telephony provider), call recording, transcription, and AI-generated call summary, where the Customer's hotline accepts phone reports.
2.2 Information Authorized Users provide
For Authorized Users (administrators and investigators), we collect name, email, hashed password, role, and activity logs (sign-in timestamps, actions taken in the dashboard).
2.3 Information collected automatically
When you visit the Service, we (and our service providers) collect technical and usage information, including IP address, browser and device type, operating system, referring URL, pages viewed, dates and times of visits, and information from cookies and similar technologies. We use Cloudflare Turnstile to distinguish humans from bots on public forms; Turnstile may collect device and browser signals for fraud prevention.
2.4 Information from third parties
If you sign up by federated identity, link a Slack workspace, or use a similar third-party integration, we receive the information that integration provides (typically name, email, workspace identifier, and access tokens scoped to the relevant function).
3. How we use information
We use information to:
- provide and operate the Service, including routing reports to the correct Customer and Authorized Users, sending notifications, generating case access links, and storing case history;
- run the AI chatbot and AI completeness review features (see the AI Policy at compliancehotline.com/ai-policy for details);
- secure the Service — authenticate users, prevent and investigate fraud, abuse, and misuse, and protect the rights and safety of users, Customers, and the public;
- send transactional and service messages (account, billing, security, and case notifications);
- bill Customers for the Service and collect payment;
- improve and develop the Service, including in aggregated and de-identified form;
- comply with legal obligations and respond to lawful requests; and
- contact Prospects who have requested information about the Service.
We do not sell personal information, and we do not use Customer Data or Reporter content to train or fine-tune any general-purpose machine learning model. AI providers process Reporter inputs only as transient input to generate the response; see the AI Policy for the specifics.
4. Anonymous reports — how anonymity actually works
When a Reporter chooses to submit anonymously:
- The Reporter's name and email are encrypted at the application layer using AES-256-GCM. In production, the encryption key is managed by AWS KMS and is not accessible to Exclusion Screening personnel or to the application database.
- The Customer's investigators see the report content but cannot view the Reporter's name or email through the dashboard.
- The encrypted email is decrypted only by the system, in memory, to deliver notifications (such as case status updates and renewed access links) directly to the Reporter.
- Application logs do not record plaintext names or emails for anonymous Reporters; only an opaque hash prefix is logged for correlation.
Anonymity is a strong technical control, but it is not absolute. The narrative of a report can itself reveal who wrote it. Reporters who wish to remain anonymous should be careful about including details that uniquely identify them.
5. How we share information
We share personal information only as described below.
5.1 With the Customer
A Reporter's report (excluding the encrypted identity fields, when the Reporter has chosen anonymity) is shared with the Authorized Users of the Customer organization the report concerns. The Customer is the controller (or business) of that information for its own purposes (investigating the concern, recordkeeping, regulatory compliance). The Customer's own privacy practices apply to its handling of the report after that point.
5.2 With service providers (subprocessors)
We use the following categories of service providers to operate the Service. Each processes personal information only on our instructions and is bound by confidentiality and data-protection terms.
| Provider | Purpose | Categories of data processed |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting (ECS, RDS PostgreSQL, ElastiCache Redis, S3 storage, KMS encryption keys, SES outbound email) | All Service data, hosted in the United States |
| Anthropic, PBC | AI chatbot intake and case completeness review (Claude API) | Report content the Reporter sends through the chatbot or web form during the AI review step. Anthropic does not train its models on this data. |
| Dialpad, Inc. | Telephone hotline (call routing, transcription, recording) | Caller number, call recording, transcript |
| Cloudflare, Inc. | CAPTCHA (Turnstile), CDN, DDoS protection | IP address, device and browser signals on public forms |
| Invoiced, Inc. | Customer subscription billing and invoicing | Customer billing contact, payment metadata |
| Slack Technologies, LLC | Optional Slack notifications (per-tenant or super admin) | Case metadata sent to a Slack channel the Customer or super admin connects |
| Google LLC (Figtree font) | Web font delivery on public pages | IP address (transient, for font CDN delivery) |
For an updated list of subprocessors, contact privacy@compliancehotline.com.
5.3 With professional advisors
We may share information with our auditors, lawyers, accountants, and insurers under duties of confidentiality.
5.4 In legal and safety situations
We may disclose information if we believe in good faith that it is reasonably necessary to (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce these Terms or our Subscription Agreement; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Exclusion Screening, our Customers, our users, or the public.
If we receive a legal request that we believe is overbroad, we will narrow it where we reasonably can. Where legally permitted, we will notify the affected Customer before disclosing.
5.5 In a corporate transaction
If Exclusion Screening is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred to the successor entity, subject to the protections of this Policy.
6. Data retention
- Cases and case messages — retained for the duration of the Customer's subscription and for the period required by the Customer's compliance program. Following termination of the Customer's subscription, Customer Data is retained for thirty (30) days to support data export, after which it is deleted in accordance with our standard retention practices, except where retention is required by law or pending investigation.
- Anonymous Reporter encrypted identity fields — retained for the same period as the case, then deleted.
- Telephone call recordings and transcripts — retained per the Customer's configuration and our default retention period.
- Authorized User accounts — retained while active and for a reasonable period after deactivation for audit purposes.
- Server and security logs — retained for a rolling period (typically 90 days) for operational and security purposes. Logs do not contain plaintext anonymous Reporter PII.
- Billing records — retained for the period required by tax and accounting laws.
7. Security
We use technical and organizational measures designed to protect personal information, including:
- TLS encryption in transit;
- encryption at rest for the database and object storage;
- application-layer AES-256-GCM encryption with KMS-managed keys for anonymous Reporter identity fields;
- hashed passwords;
- short-lived JWT access tokens and HttpOnly refresh-token cookies;
- role-based access control and tenant isolation;
- structured logging that strips plaintext PII for anonymous Reporters; and
- routine vulnerability management and access review.
No system is perfectly secure. If we become aware of a security incident affecting personal information, we will notify the affected Customer and applicable regulators as required by law.
8. Sensitive data restrictions
The Service is not designed or authorized as a repository for protected health information ("PHI") under HIPAA, payment card data subject to PCI-DSS, government-classified information, or similar regulated data sets. Reporters and Authorized Users should not include such data in reports or messages except as reasonably necessary to describe a compliance concern. Exclusion Screening is not a HIPAA business associate of any Customer with respect to the Service unless the parties have executed a separate written business associate agreement.
9. Children
The Service is not directed to children under 18 and we do not knowingly collect information from children under 18. If you believe a child has submitted information through the Service, please contact privacy@compliancehotline.com so we can take appropriate action.
10. Your choices and rights
10.1 Reporter follow-up emails
Anonymous Reporters can stop receiving follow-up emails by closing their browser and not returning to the case access link. We do not maintain marketing lists for Reporters.
10.2 Marketing emails (Prospects)
If you have asked us about the Service, you can unsubscribe at any time using the link in our marketing emails. We will continue to send you transactional or account-related messages where applicable.
10.3 California residents (CCPA)
If you are a California resident interacting with us in our capacity as a "business" (rather than as a service provider to a Customer), you have the right to request access to and deletion of personal information we hold about you, and to be free from retaliation for exercising those rights. We do not sell personal information and do not "share" personal information for cross-context behavioral advertising. To submit a request, email privacy@compliancehotline.com from the email associated with your interaction; we will verify your identity before responding.
If you are a Reporter or an Authorized User, your information is processed on behalf of the Customer organization, and most rights requests should be directed to that Customer. We will assist Customers in responding to verified requests as required by applicable law.
10.4 Other U.S. state privacy laws
Residents of other states with comprehensive privacy laws (for example, Virginia, Colorado, Connecticut, Utah, Texas) may have similar rights. Contact privacy@compliancehotline.com to make a request, and we will respond as required by applicable law.
11. International users
The Service is hosted in the United States and intended for use by U.S.-based customers. By using the Service, you understand that your information will be processed in the United States, which may have different data-protection laws than your country of residence. We do not currently offer the Service for the purpose of processing personal data of residents of the European Economic Area, the United Kingdom, or Switzerland; if your organization needs that posture, please contact us before subscribing.
12. Cookies and similar technologies
We use a small number of cookies and similar technologies to:
- keep you signed in (session cookies, refresh-token cookies);
- secure the Service (CSRF, anti-bot signals); and
- understand traffic and improve the marketing site (analytics on compliancehotline.com).
We do not use cookies for cross-site advertising. Most browsers let you refuse cookies, but parts of the Service will not function without them (for example, sign-in).
13. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by posting a notice on the site or emailing Customer admins). The "Last updated" date at the top of this Policy reflects the most recent version. Your continued use of the Service after the effective date constitutes acceptance.
14. Contact
Questions, requests, or concerns about this Policy or our privacy practices:
Exclusion Screening, LLC — Privacy
Email: privacy@compliancehotline.com
Web: compliancehotline.com
For Customers: privacy questions about your tenant should also be raised in your Customer support channel.