Important Notice for Clients: If you are a client of Konto.com and wish to report a concern about our conduct, a suspected breach of applicable law, or any irregularity relating to the operation of the Konto.com platform, you are welcome to use our whistleblowing channels below. This policy protects you in the same way as it protects employees. Clients who are not employees are not subject to disciplinary action for good-faith reports.

If you have a complaint about a product, service, or transaction, please use our Complaints Procedure instead. The whistleblowing channel is reserved for concerns about suspected legal violations, fraud, AML breaches, data protection violations, or unethical conduct.

1. Introduction

1.1. Purpose

This Policy sets out the principles and framework through which Rondo Services SP ZOO (operating the Konto.com platform; hereinafter “the Company” or “Konto.com”) receives, assesses, and investigates anonymous and non-anonymous reports on serious irregularities, omissions, or offences. Reports can be filed by staff, clients, contractors, partners, and all other stakeholders.

The Company is committed to the highest standards of ethical and professional conduct, with zero tolerance for illegal and irregular activities that may impact its operations, clients, reputation, and regulatory standing.

Whistleblowing policies are intended to make it easier for anyone to report irregularities in good faith, without fear of adverse consequences. Protecting the integrity of the Company and the Konto.com platform requires the active support of all employees, former employees, candidates, clients, and parties with whom the Company has a business relationship.

1.2. Scope - Who can report

This Policy applies to:

• All employees of Rondo Services SP ZOO (including directors, officers, agents, staff, temporary workers, interns, consultants, and contractors), regardless of the nature or duration of their engagement;
• Former employees and job candidates;
• Clients of Konto.com - any client who becomes aware of a suspected violation, irregularity, or unethical conduct relating to the operation of the Konto.com platform or its staff;
• Suppliers, agents, business partners, and other third parties with whom the Company has a commercial relationship.

This Policy applies everywhere, for all locations, roles, and seniority levels.

1.3. Reportable concerns

The Whistleblowing Policy applies to concerns about suspected or actual criminal conduct, unethical conduct, or other misconduct including a suspected breach of EU or national law by or within the Company, including but not limited to:

• Accounting, internal accounting controls, or auditing matters;
• Money laundering or terrorist financing;
• Insider dealing or market abuse;
• Breach of client confidentiality or privacy (including GDPR violations);
• Fraud, theft, or misappropriation of client assets;
• Bribery or corruption;
• MiCA or crypto-asset regulation violations;
• Undesirable or discriminatory behaviours.

Violations of law for the purpose of this Policy include actions or omissions contrary to law or intended to circumvent law, in particular concerning:

• corruption;
• public procurement;
• financial services, products, and markets;
• counteracting money laundering and terrorism financing;
• product safety and compliance with requirements;
• transport safety;
• environmental protection;
• radiological protection and nuclear safety;
• food and feed safety;
• animal health and welfare;
• public health;
• consumer protection;
• protection of privacy and personal data;
• security of networks and IT systems;
• financial interests of the State Treasury of the Republic of Poland, local government units, and the European Union;
• the internal market of the European Union, including public law rules on competition, state aid, and corporate taxation;
• constitutional freedoms and rights of persons and citizens in their relations with public authorities.

The Company may additionally allow reports on violations of internal regulations or ethical standards, where consistent with applicable law.

1.4. Local regulations

In jurisdictions where local laws or regulations set stricter rules than those in this Policy, the stricter rules prevail. Rondo Services SP ZOO operates under Polish law (Act of 14 June 2024 on the Protection of Whistleblowers) and Romanian law (Law no. 361/2022 on the protection of whistleblowers in the public interest), both implementing EU Directive 2019/1937.

2. Policy Principles

This Policy is structured around the following key principles:

• safeguarding of confidentiality;
• non-retaliation;
• anonymous reporting;
• reporting in good faith; and
• protection of accused persons.

2.1. Safeguarding of confidentiality

All persons involved in the whistleblowing process treat information confidentially and with utmost care. Data is stored digitally and/or physically and is accessible only to officers directly involved in the reporting and investigation process on a ‘need-to-know’ basis.

The identity of the reporting person is not revealed without their explicit consent, unless disclosure is required by a court order in subsequent judicial proceedings. This protection applies equally to employees and clients who file reports.

All reports will be treated confidentially. The identity of the whistleblower will be protected to the fullest extent possible under applicable law.

2.2. Non-retaliation

The Company strictly prohibits any form of retaliation against any person - whether an employee or a client - who files a report under this Policy in good faith. Any person found retaliating against a whistleblower will face appropriate action, including disciplinary action, civil action, or criminal prosecution.

Retaliation includes any adverse action taken against a reporting person as a result of their report. In an employment context, prohibited retaliatory measures include in particular:

• refusal to enter into an employment relationship;
• termination or notice of termination of the employment relationship;
• reduction in wages;
• suspension of or omission from promotion;
• transfer to a lower position;
• suspension from duties;
• unfavorable change in place of work or working hours;
• negative evaluation of work results;
• imposing disciplinary or financial penalties;
• coercion, intimidation, or exclusion;
• mobbing or discrimination;
• causing financial or non-material damage, including infringement of personal rights.

An attempt or threat to apply any such measure is also considered retaliatory. If you believe you have suffered adverse consequences as a result of a report made under this Policy, report it to the CEO, who will arrange an independent investigation.

2.3. Anonymous reporting

Anonymous reporting is permitted under this Policy. The Company would rather receive anonymous reports than have a concern go unreported. However, anonymous reports may limit the Company’s ability to investigate, ask follow-up questions, or provide feedback. It will also be more difficult to ensure protection if the reporter’s identity is not known.

The Company encourages reporting persons to disclose their identity or at least provide contact details to facilitate follow-up, wherever they feel comfortable doing so.

2.4. Reporting in good faith

This Policy protects whistleblowers who report in good faith - that is, who had reasonable grounds to believe the information was true at the time of reporting. If the information later proves incorrect but was reported in good faith, the whistleblower is still protected.

Those who deliberately and knowingly report false or misleading information do not benefit from protection. Deliberate misuse of the whistleblowing channel may result in disciplinary action (for employees) or other appropriate measures (for clients and third parties).

2.5. Protection of accused persons

The privacy and employment rights of any person who is the subject of a report will be carefully considered throughout the investigation. A person who is the subject of an investigation will be informed about its cause where appropriate and will be protected from unintended negative effects going beyond the objective of any measure taken. Persons who are the subject of reports made in bad faith are equally protected.

3. How to File a Report

A whistleblowing report can be filed by employees, clients, and third parties via the following designated secure channels:

• Online form: https://www.konto.com/legal/whistleblowing-policy

• Email: whistleblowing@konto.com
• Phone: +40741715729 (Monday–Friday, 09:00–17:00)

• Post: Compliance Department, Rondo Services SP ZOO, Ul. Hoza 86 / 210, 00-682 Warszawa, Poland.

‍

All channels (except the phone line) are available 24 hours a day, 7 days a week. The phone line is available on working days, 09:00–17:00.

For clients: you are not required to use any specific channel. Use whichever channel you feel most comfortable with. Reports submitted via any of the channels above will receive the same level of confidentiality and protection.

Employees may also raise concerns with their line manager, the HR Department, the Compliance Officer, or a senior representative of their choice. In these cases, the recipient must contact the Reporting Officer without delay.

Prior to lodging a report, any person may discuss their concern confidentially with the Reporting Officer by sending a request to whistleblowing@konto.com.

3.1. Internal vs. external reporting

Reporting persons are encouraged to use the internal channels above before addressing external reporting authorities. By exception, if a crime is taking place, the external reporting channel may be used first or simultaneously.

External reporting channels may be used at any time, regardless of whether internal reporting has occurred or an internal investigation is ongoing.

3.2. Public disclosure

A whistleblower making a public disclosure is protected if:

• an internal report was made, followed by an external report, and neither the Company nor the public authority took appropriate follow-up action or provided feedback within the applicable deadlines; or
• an external report was made directly and the public authority did not take appropriate action within the applicable deadline;

‍

unless the whistleblower failed to provide a contact address to which such information should be forwarded.

‍

A whistleblower is also protected on public disclosure if they had reasonable grounds to believe that: 

(a) the violation constitutes a direct or obvious threat to the public interest; 

(b) making an external report would expose them to retaliation; or 

(c) in the case of an external report, there is little likelihood of effective counteraction due to the specific circumstances of the case.

4. Investigation Process

4.1. Initial assessment

Upon receipt of a report, an initial assessment will be conducted to determine the validity and seriousness of the allegations. The reporting person will be contacted within seven (7) calendar days of receipt to confirm acknowledgement and explain next steps - unless no contact details were provided.

The reporting person will receive feedback on the outcome of the investigation within three (3) months of acknowledgement of receipt (or three months from the expiry of the seven-day acknowledgement period if no confirmation was sent).

The identity of the reporting person will not be disclosed to anyone beyond the Reporting Officer without their explicit consent.

4.2. Full investigation

If the initial assessment indicates potential misconduct, a formal investigation will be launched by the Reporting Officer or an appointed independent team. The key principles of this Policy are upheld throughout. If at any point there is a risk that the identity of the reporting person would be revealed, the Reporting Officer will inform them and leave the decision to continue or cease the investigation to them, unless law requires external reporting.

For complex or high-profile investigations, an Advisory Committee (comprising Head of Legal, Head of Compliance, the Reporting Officer, and CEO) will be established. 

The identity of the whistleblower will not be shared with the Advisory Committee.

4.3. Storing information

All reports are treated with the strictest confidentiality and stored only for as long as necessary and proportionate. Personal data manifestly not relevant to a specific report will not be collected or, if accidentally collected, will be deleted within 14 days.

Personal data processed in connection with a report and related documents are stored for five (5) years after the end of the calendar year in which follow-up action was completed or after the proceedings initiated by those actions were completed, in accordance with the Polish Act of 14 June 2024 (Art. 28) and Romanian Law no. 361/2022 (Art. 25).

4.4. Feedback

If contact details are provided, the Reporting Officer will inform the reporting person whether the report is within the scope of this Policy, and if so, of the applicable whistleblower protection measures and next steps. Appropriate actions based on findings may include disciplinary measures, policy changes, or legal action.

5. Privacy Notice for Whistleblowing Reports

The Whistleblowing Privacy Notice constitutes the data protection privacy notice for persons who submit reports through the Konto.com whistleblowing channels.

6. Roles and Responsibilities

6.1. Employees

Employees are encouraged to be vigilant, challenge questionable behaviours, and report concerns. Employees are:

• encouraged to report concerns in good faith to the Reporting Officer before using external channels;
• permitted to consult with the Reporting Officer before filing a report;
• responsible for providing all relevant information and cooperating with investigations;
• obliged to respect confidentiality when involved in an investigation;
• prohibited from attempting to discover the identity of an anonymous whistleblower.

6.2. Clients

Clients who report concerns in good faith are protected from retaliation in the context of their business relationship with the Company. The Company will not close a client’s account, restrict services, or take any adverse commercial action as a result of a good-faith whistleblowing report. Clients are under no obligation to use any specific channel and may report anonymously.

6.3. Senior Management

Senior Management is responsible for implementing and supervising this Policy, setting appropriate tone at the top, appointing a qualified Reporting Officer, and ensuring publication of contact details on konto.com.

6.4. Compliance Officers

Compliance Officers advise Senior Management on Policy implementation, monitor embedding and compliance, and advise on local deviations.

6.5. Reporting Officer

The Reporting Officer receives and acknowledges reports, conducts preliminary investigations, maintains confidentiality, provides feedback to reporting persons, and reports quarterly to the Company Whistleblower Reporting Officer.

6.6. Company Whistleblower Reporting Officer

The Company Whistleblower Reporting Officer reports periodically to the CEO on how the Policy and related procedures are functioning. These reports will not contain the identity of whistleblowers.

8

Whistleblowing Privacy Notice

Controller

Rondo Services SP ZOO 

Ul. Hoza 86 / 210, 00-682 Warszawa, Poland 

dpo@konto.com 

whistleblowing@konto.com

Purpose and legal basis

Personal data submitted through the whistleblowing channel is processed for the purpose of receiving, assessing, investigating, and recording reports of suspected irregularities, breaches of law, or unethical conduct.

The legal basis is Art. 6(1)(c) GDPR (legal obligation), specifically:

• Polish Act of 14 June 2024 on the Protection of Whistleblowers (Dz.U. 2024 poz. 928), Arts. 10-28;
• Romanian Law no. 361/2022 on the protection of whistleblowers in the public interest, Arts. 6-25;
• EU Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law.

Categories of personal data processed

• Identity and contact details of the reporter (where provided);
• Details of persons mentioned in the report;
• Description of alleged misconduct, supporting materials, and investigation findings;
• Metadata of communications related to the report.

Recipients

• Designated Whistleblower Reporting Officer and authorised internal personnel (on a need-to-know basis);
• External legal or investigative consultants (where necessary, bound by confidentiality);
• Competent external authorities where escalation is required by law:
  
  • Poland: Ombudsman of the Republic of Poland (Rzecznik Praw Obywatelskich) — https://bip.brpo.gov.pl/en
  • Romania: National Integrity Agency (Agenţia Naţională de Integritate) — https://avertizori.integritate.eu/
  • EU institutions (European Commission, OLAF, ESMA, European Ombudsman) — see Section below for full list

Retention

Personal data are stored for five (5) years after completion of the investigation or final decision (specifically, after the end of the calendar year in which follow-up action was completed, or after proceedings initiated by such action were completed). Irrelevant data are deleted within 14 days of identification.

Your rights

You have the right to: access your personal data; request rectification or erasure; restrict or object to processing (where applicable). However, certain rights may be restricted if exercising them would compromise the integrity of an ongoing investigation.

You also have the right to lodge a complaint with the competent supervisory authority:

• Poland: Prezes UODO, ul. Stawki 2, 00-193 Warsaw — https://uodo.gov.pl
• Romania: ANSPDCP, B-dul G-ral Gheorghe Magheru 28-30, Bucharest — https://www.dataprotection.ro

Security and confidentiality

Data is processed under strict confidentiality. Access is limited to authorised persons on a need-to-know basis. Technical and organisational measures including encryption, secure servers, and access controls are applied.

‍

DPO contact: 

Rondo Services SP ZOO – Data Protection Officer 

dpo@konto.com 

Ul. Hoza 86 / 210, 00-682 Warszawa, Poland

External Reporting Authorities

Reports may also be made directly to national or EU authorities. The following list provides the key external reporting channels:

• EU:
  
  • European Parliament: https://www.europarl.europa.eu/about-parliament/en
  • European Commission: https://ec.europa.eu/assets/sg/report-a-breach/complaints_en/
  • OLAF (Anti-Fraud Office): https://anti-fraud.ec.europa.eu/olaf-and-you/report-fraud_en
  • ESMA: https://www.esma.europa.eu/investor-corner/make-complaint
  • European Ombudsman: https://www.ombudsman.europa.eu/en/make-a-complaint
    
• Poland:
  
  • Ombudsman (Rzecznik Praw Obywatelskich): https://bip.brpo.gov.pl/en
• Romania:
  
  • National Integrity Agency (ANI): https://avertizori.integritate.eu/

‍

‍

‍