The trust reflected in our client relationships means a great deal to Red Flag Reporting. As a hotline provider, we recognize that protecting your privacy is critical to our effectiveness and continued success.
Bound by standards of confidentiality that are even more stringent than the law requires, Red Flag Reporting assures you that your confidence in our professional ethics and reliance on our capabilities will always be honored.
As a hotline service, we collect only nonpublic personal information that is provided to us by reporters or by you, or obtained by us with your authorization.
For current and former clients, we do not disclose any nonpublic personal information obtained in the course of our hotline services, except as required or permitted by law. Permitted disclosures include, for instance, providing information to our employees. In such situations, we stress the confidential nature of the information being shared.
Protecting your confidentiality and security
We retain records relating to the hotline services we provide so that we are better able to assist you with your professional needs and, in some cases, to comply with professional guidelines. In order to guard your nonpublic personal information, as a hotline provider we maintain physical, electronic, and procedural safeguards that comply with our professional standards.
Red Flag Reporting does not solicit information from individuals under the age of thirteen. This website is not intended for use by individuals under the age of thirteen.
E.U. / Swiss Privacy Shield Policy
The trust reflected in our client relationships means a great deal to RFR Resources, LLC (dba Red Flag Reporting and dba Culminate CMS), collectively “the Company.” As a hotline and software as a service provider, we recognize that protecting your privacy is critical to our effectiveness and continued success.
This Privacy Shield Policy (the “Policy”) sets forth the privacy principles that the Company adheres to with regard to personal information transferred from the European Union (EU) and Switzerland to the United States of America. The Company follows the Privacy Shield principles (“the Principles”) as agreed to by the European Commission and the U.S. Department of Commerce (https://www.privacyshield.gov) regarding the collection, use, and retention of personal information from European Union member countries. We certify that we comply with the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability.
This Privacy Shield Policy (the “Policy”) applies to all personal information received by the Company in the United States of America from the European Union and Switzerland, in all formats including electronic, paper or verbal.
The privacy principles in this Policy are based on the Privacy Shield Framework. The Company is committed to being subject to the principles of the Privacy Shield Framework as it relates to all personal data received from the EU and Switzerland in reliance on the Privacy Shield.
NOTICE: The purpose of the Company is to empower people to speak up, anonymously or not, about unethical or unsafe behavior in the workplace and to empower employers to address such concerns. In order to reduce the risk of harm to individuals and organizations, organizations engage us for those services and make us available to their employees, customers, vendors, students and/or others. Information provided to us may include names and locations of employment, or any other information deemed relevant by a concerned reporter or member of management. This information is collected so that our clients’ management can investigate concerns specific to their organization only. At no point do we request individual-specific government-assigned identification numbers or personal bank account or credit card numbers. As a result of the process, and while we do not process personal data, reporters may or may not disclose confidential information about themselves or other individuals. For example, an employee reporting suspected fraudulent activity by another employee may disclose “the card holder’s name is John Doe and the credit card number is 1234 5678.” We do not disclose personal data to third parties. Anyone identified in a report provided to us was identified by the reporter and/or management and is assumed to be innocent of any accusations unless proven otherwise. Reports received relative to an organization engaging us are provided only to that organization, unless a) otherwise required by law, b) except where permitted, required and/or directed by contract with the engaging organization, or c) required by lawful requests by public authorities, including to meet national security or law enforcement requirements, so that the engaging organization can ensure an ethical and safe work environment. We do not disclose private information to third parties for reasons incompatible with the above.
Inquiries or complaints may be directed to:
RFR Resources, LLC
PO Box 4230
Akron, Ohio 44321
In accordance with the Principles, we will reply to complaints within 45 days of receipt.
CHOICE: While we do not disclose personal information to third parties or for purposes incompatible with the purpose for which it was originally collected or subsequently authorized, individuals may still specifically opt-out of any such use by contacting us via any of the means noted below. Furthermore, for sensitive information, and in accordance with the Privacy Shield Framework, individuals may give us affirmative or explicit permission to disclose such information to third parties and/or to use it for reasons other than its original purpose. Such opting in or out may be done by contacting our customer service team at [email protected] or our Privacy Officer at the address listed above.
ACCOUNTABILITY FOR ONWARD TRANSFER: Our agents do not obtain personal data from us. Our agents do not retain personal information but rather may enter personal information obtained from reporters into our database. We obtain assurances from our agents that they take appropriate steps to ensure that personal information is transferred in a manner consistent with the obligations under the principles and to safeguard personal information consistently with this policy. We do not transfer any information to third parties acting as a controller. We will take reasonable and appropriate action to stop and remediate unauthorized processing, if any. We are liable in cases of onward transfers to third parties.
SECURITY: We maintain physical, electronic, and procedural safeguards to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
DATA INTEGRITY AND PURPOSE LIMITATION: We use personal information only when it is relevant for the purposes for which it will be used or as subsequently authorized by the individual. For as long as we have access to such personal information, we take reasonable steps to ensure that such personal data is reliable for its intended use, accurate, complete, and current.
ACCESS: Individuals may have access to personal information we have about them and may correct, amend or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of other persons would be violated.
RECOURSE, ENFORCEMENT AND LIABILITY: The Company is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
In compliance with the Privacy Shield Principles, Red Flag Reporting commits to resolve complaints about our collection or use of your personal information. Individuals in the European Union or Switzerland with inquiries or complaints regarding our Privacy Shield policy should first contact Red Flag Reporting at:
RFR Resources, LLC
PO Box 4230
Akron, Ohio 44321
Red Flag Reporting has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Red Flag Reporting commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
As a last resort, privacy complaints that remain unresolved after pursuing these and other channels may be subject to binding arbitration before the Privacy Shield Panel to be created jointly by the US Department of Commerce and the European Commission.
CONTACT INFORMATION: Questions or comments regarding this Policy should be submitted to the following person by mail as follows:
RFR Resources, LLC
PO Box 4230
Akron, Ohio 44321
PRIVACY SHIELD POLICY CHANGES: This Policy may be amended from time to time. This policy was last modified June 16, 2020. This policy is publicized at: https://www.redflagreporting.com/about-red-flag-reporting/privacy-policy/.
California Consumer Privacy Act
While Red Flag Reporting (“RFR”) does not meet the definition of a “Business” that is subject to the California Consumer Privacy Act (“the Act”), per section 1798.140 (c) of the Act, we note the following:
- RFR does not sell any consumer’s personal information. RFR does not disclose any consumer’s personal information, except as noted in the following comments.
- Personally identifiable information entered into our system is entered by individuals exercising their free speech in order to ensure safe and ethical behavior at a specific organization or who are inquiring of our clients regarding personal information related to the Act. Management of that specific organization will have access to the information entered by the individual and may also enter personally identifiable information related to its investigation of reported concerns or inquiries related to the Act.
- Personally identifiable information entered into our system is not entered for “commercial purposes” as defined in the Act. It is entered as a form of noncommercial freedom of speech.
- Personally identifiable information entered into our system may include any information that answers questions such as:
  - Who is involved?
  - What happened?
  - Where did it happen?
  - When did it happen?
  - Why did it happen?
  - How did it happen?
  - Is there any other information that would assist in the investigation of the concern?
- According to the Act, consumers may request the deletion of the consumer’s personal information.
- The Act notes, however, in section 1798.105 (d) that such information is not required to be deleted when it is needed to “exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided by the law” or to “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”
- Requests for information may be made by calling 1-877-647-3335 or visiting RedFlagReporting.com, clicking on “Contact Us,” selecting any of the options and providing contact information.