Privacy Statement
The trust reflected in our client relationships means a great deal to Red Flag Reporting. As a hotline provider, we recognize that protecting your privacy is critical to our effectiveness and continued success.
Bound by standards of confidentiality that are even more stringent than the law requires, Red Flag Reporting assures you that your confidence in our professional ethics and reliance on our capabilities will always be honored.
Collecting information
As a hotline service, we collect only nonpublic personal information that is provided to us by reporters or by you, or obtained by us with your authorization.
Disclosing information
For current and former clients, we do not disclose any nonpublic personal information obtained in the course of our hotline services, except as required or permitted by law. Permitted disclosures include, for instance, providing information to our employees. In such situations, we stress the confidential nature of the information being shared.
Protecting your confidentiality and security
We retain records relating to the hotline services we provide so that we are better able to assist you with your professional needs and in some cases, to comply with professional guidelines. In order to guard your nonpublic personal information, as a hotline provider we maintain physical, electronic, and procedural safeguards that comply with our professional standards.
COPPA Statement
Red Flag Reporting does not solicit information from individuals under the age of thirteen. This website is not intended for use by individuals under the age of thirteen.
E.U./UK/Swiss Data Privacy Framework Policy
The trust reflected in our client relationships means a great deal to RFR Resources, LLC (dba Red Flag Reporting and dba Culminate CMS), collectively “the Company.” As a hotline and software as a service provider, we recognize that protecting your privacy is critical to our effectiveness and continued success.
This Data Privacy Framework (the “Policy”) sets forth the privacy principles that the Company adheres to with regard to personal information transferred from the European Union (EU), the UK, and Switzerland to the United States of America. The Company follows the Data Privacy Framework principles (“the Principles”) as agreed to by the European Commission and the U.S. Department of Commerce (https://www.dataprivacyframework.gov) regarding the collection, use, and retention of personal information from European Union member countries, the UK, and Switzerland. We certify that we comply with the Data Privacy Framework principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability.
Red Flag Reporting complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Red Flag Reporting has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Red Flag Reporting has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
This Data Privacy Framework Policy (the “Policy”) applies to all personal information received by the Company in the United States of America from the European Union, the UK, and Switzerland, in all formats including electronic, paper or verbal.
PRIVACY PRINCIPLES
The privacy principles in this Policy are based on the Data Privacy Framework. The Company is committed to being subject to the principles of the Data Privacy Framework as it relates to all personal data received from the EU, the UK, and Switzerland in reliance on the Data Privacy Framework.
NOTICE: The purpose of the Company is to empower people to speak up, anonymously or not, about unethical or unsafe behavior in the workplace and to empower employers to address such concerns. In order to reduce the risk of harm to individuals and organizations, organizations engage us for those services and make us available to their employees, customers, vendors, students and/or others. Information provided to us may include names and locations of employment, or any other information deemed relevant by the concerned reporter or a member of management. This information is collected so that our clients’ management can investigate concerns specific to their organization only. At no point do we request individual-specific, government-assigned identification numbers or personal bank account or credit card numbers. As a result of the process, and while we do not process personal data, reporters may or may not disclose confidential information about themselves or other individuals. For example, an employee reporting suspected fraudulent activity by another employee may disclose “the card holder’s name is John Doe and the credit card number is 1234 5678.” We do not disclose personal data to third parties. Anyone identified in a report provided to us was identified by the reporter and/or management and is assumed to be innocent of any accusations unless proven otherwise. Reports received relative to an organization engaging us are provided only to that organization, unless a) otherwise required by law, b) except where permitted, required and/or directed by contract with the engaging organization, or c) required by lawful requests by public authorities, including to meet national security or law enforcement requirements, so that the engaging organization can ensure an ethical and safe work environment. We do not disclose private information to third parties for reasons incompatible with the above.
Inquiries or complaints may be directed to:
Privacy Officer
RFR Resources, LLC
PO Box 4230
Akron, Ohio 44321
In accordance with the Principles, we will reply to an individual’s complaints within 45 days of receipt.
CHOICE: While we do not disclose personal information to third parties or for purposes incompatible with the purpose for which it was originally collected or subsequently authorized, individuals may still specifically opt-out of any such use by contacting us via any of the means noted below. Furthermore, for sensitive information, and in accordance with the Data Privacy Framework, individuals may give us affirmative or explicit permission to disclose such information to third parties and/or to use it for reasons other than its original purpose. Such opting in or out may be done by contacting our customer service team at [email protected] or our Privacy Officer at the address listed above.
ACCOUNTABILITY FOR ONWARD TRANSFER: Our agents do not obtain personal data from us. Our agents do not retain personal information but rather may enter personal information obtained from reporters into our database. We obtain assurances from our agents that they take appropriate steps to ensure that personal information is transferred in a manner consistent with the obligations under the principles and to safeguard personal information consistently with this policy. We do not transfer any information to third parties acting as a controller. We will take reasonable and appropriate action to stop and remediate unauthorized processing, if any. If in the future we do transfer personal information to a third party acting as an agent on our behalf, our organization shall remain liable under the DPF Principles if our agent processes such personal information in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.
SECURITY: We maintain physical, electronic, and procedural safeguards to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
DATA INTEGRITY AND PURPOSE LIMITATION: We use personal information only when it is relevant for the purposes for which it will be used or as subsequently authorized by the individual. For as long as we have access to such personal information, we take reasonable steps to ensure that such personal data is reliable for its intended use, accurate, complete, and current.
ACCESS: Individuals may have access to personal information we have about them and may correct, amend or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of other persons would be violated.
RECOURSE, ENFORCEMENT AND LIABILITY: The Company is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
In compliance with the Data Privacy Framework Principles, Red Flag Reporting commits to resolve complaints about our collection or use of your personal information. Individuals in the European Union, the UK, or Switzerland with inquiries or complaints regarding our Data Privacy Framework policy should first contact Red Flag Reporting at:
Privacy Officer
RFR Resources, LLC
PO Box 4230
Akron, Ohio 44321, USA
P: 1-877-676-6551
F: 1-330-572-8146
Red Flag Reporting has further committed to refer unresolved Data Privacy Framework complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Red Flag Reporting commits to cooperate with EU data protection authorities (DPAs), appropriate authorities within the UK, and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU, the UK, and Switzerland in the context of the employment relationship.
As a last resort, privacy complaints that remain unresolved after pursuing these and other channels may be subject to binding arbitration before the Data Privacy Framework Panel to be created jointly by the US Department of Commerce and the European Commission.
The Company provides its employees with education on the Data Privacy Framework Principles and has self-assessment procedures in place to ensure its compliance. The Company uses a self-assessment approach to ensure compliance with this Privacy Policy and periodically verifies that the Privacy Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Data Privacy Framework Principles. Any employee that the Company determines to be in violation of this policy will be subject to disciplinary action up to and including termination of employment.
CONTACT INFORMATION: Questions or comments regarding this Policy should be submitted to the following person by mail as follows:
Privacy Officer
RFR Resources, LLC
PO Box 4230
Akron, Ohio 44321, USA
P: 1-877-676-6551
F: 1-330-572-8146
DATA PRIVACY FRAMEWORK POLICY CHANGES: This Policy may be amended from time to time. This policy was last modified February 26, 2024. This policy is publicized at: https://www.redflagreporting.com/about-red-flag-reporting/privacy-policy/.
California Consumer Privacy Act
While Red Flag Reporting (“RFR”) does not meet the definition of a “Business” that is subject to the California Consumer Privacy Act (“the Act”), per section 1798.140 (c) of the Act, we note the following:
- RFR does not sell any consumer’s personal information. RFR does not disclose any consumer’s personal information, except as noted in the following comments.
- Personally identifiable information entered into our system is entered by individuals exercising their free speech in order to ensure safe and ethical behavior at a specific organization or who are inquiring of our clients regarding personal information related to the Act. Management of that specific organization will have access to the information entered by the individual and may also enter personally identifiable information related to its investigation of reported concerns or inquiries related to the Act.
- Personally identifiable information entered into our system is not entered for “commercial purposes” as defined in the Act. It is entered as a form of noncommercial freedom of speech.
- Personally identifiable information entered into our system may include any information that answers questions such as:
  - Who is involved?
  - What happened?
  - Where did it happen?
  - When did it happen?
  - Why did it happen?
  - How did it happen?
  - Is there any other information that would assist in the investigation of the concern?
- According to the Act, consumers may request the deletion of the consumer’s personal information.
- The Act notes, however, in section 1798.105 (d) that such information is not required to be deleted when it is needed to “exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided by the law” or to “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”
- Requests for information may be made by calling 1-877-647-3335 or visiting RedFlagReporting.com, clicking on “Contact Us,” selecting any of the options and providing contact information.
Compliance Standards for Collecting and Using Mobile Phone Numbers
To ensure compliance with legal and regulatory standards when collecting and using your mobile phone numbers for messaging, we adhere to the following guidelines:
- Obtaining Explicit Consent
  - Express Written Consent: We will obtain your explicit written consent before sending any messages. This will be done through a clear and conspicuous opt-in mechanism, such as a checkbox that is not pre-checked.
  - Documentation: We will keep records of all consents received, including the date, time, and method of consent.
- Providing Clear Disclosures
  - Purpose of Collection: We will clearly inform you why your phone number is being collected and how it will be used.
  - Frequency of Messages: We will specify the frequency of messages you can expect to receive.
  - Opt-Out Instructions: We will provide easy-to-follow instructions on how you can opt out of receiving messages at any time.
- Adhering to Regulatory Frameworks
  - Telephone Consumer Protection Act (TCPA): We ensure compliance with TCPA regulations, which govern telemarketing and text messaging practices in the U.S. This includes honoring the National Do-Not-Call Registry and obtaining prior express written consent for marketing messages.
  - General Data Protection Regulation (GDPR): If you are an EU resident, we comply with GDPR by obtaining explicit consent and providing clear information on data usage.
  - Cellular Telecommunications Industry Association (CTIA) Guidelines: We do no SMS marketing; however, if we were to in the future we would follow CTIA guidelines for best practices in SMS marketing, including message content and frequency.
- Implementing Data Protection Measures
  - Data Encryption: We use encryption to protect your phone number and other personal data.
  - Access Control: We limit access to collected data to authorized personnel only.
  - Regular Audits: We conduct regular audits to ensure compliance with all relevant regulations and guidelines.
- Responding to Opt-Out Requests Promptly
  - Immediate Action: We process opt-out requests immediately to avoid sending further messages to those who have opted out.
  - Confirmation: We send a confirmation message to users who opt out, acknowledging their request and confirming that they will no longer receive messages.
- No Sharing with Third Parties
  - Privacy Assurance: We do not share your mobile phone number with third parties or affiliates for marketing or promotional purposes. Your information is used solely for the purposes you have consented to.
By following these guidelines, we ensure that the collection and use of your mobile phone number for messaging are compliant with legal standards and respectful of your preferences.