Regulatory compliance
Whistleblowing channel (Internal Reporting System)
This is a courtesy translation. In case of any discrepancy, the Spanish version prevails.
Last reviewed: 17 June 2026.
Tarraco App Lab, S.L.U. provides an internal whistleblowing channel —its Internal Reporting System— so that any person connected with the entity may report, with full safeguards, facts that may constitute an infringement. This channel is established and governed in accordance with the regulations set out below.
1. Regulatory framework
This internal channel is established and governed in accordance with the following regulations:
- Law 2/2023, of 20 February, governing the protection of persons who report regulatory infringements and the fight against corruption.
- Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, on the protection of persons who report breaches of Union law.
- Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD) for the processing of the personal data of the informant and of the persons concerned.
- The remaining applicable criminal, administrative and employment law.
2. Who may report
Any natural person who, in an employment or professional context with Tarraco App Lab, has become aware of facts that may constitute an infringement. In particular, and without limitation:
- Employees, current and former.
- Self-employed persons and freelancers who collaborate with Tarraco App Lab.
- Shareholders, members and members of the management body.
- Persons working for or under the supervision of contractors, subcontractors and suppliers.
- Volunteers and trainees.
- Persons whose working relationship has not yet begun, where information on infringements has been obtained during the recruitment process or pre-contractual negotiation.
- Relatives and persons close to the above who could suffer retaliation.
3. What can be reported
The following may be the subject of a report through this channel:
- Acts or omissions that may constitute an infringement of European Union law falling within the material scope of Directive 2019/1937 (sectors such as public procurement, financial services, prevention of money laundering, product safety, protection of personal data, public health, consumer protection, security of networks and information systems, etc.).
- Acts or omissions that may constitute a criminal offence as defined in the Spanish Criminal Code or in special criminal laws.
- Acts or omissions that may constitute a serious or very serious administrative infringement, in particular those involving financial loss to the Public Treasury or to Social Security.
- Infringements of the Code of Ethics, of internal policies and of the operating procedures of Tarraco App Lab.
- Any conduct that endangers the security of the personal data processed, the integrity of the systems or compliance with the GDPR.
The following are not admissible through this channel: mere complaints, opinions, suggestions, commercial service claims or interpersonal matters with no regulatory content. For these, the appropriate route is the ordinary contact form.
4. Available channels
Any eligible person may report through the following means, all of them secure and confidential:
- Email: legal@tarracoapplab.com. Communications addressed to the channel are treated confidentially, with access restricted to the Officer of the Internal Reporting System.
- Postal mail: a sealed envelope addressed to "Internal Reporting System — Tarraco App Lab, S.L.U.", with registered address in Tarragona (the full postal address is provided on request by email where anonymous delivery is needed).
- In-person meeting: at the informant's request, at a place and time that guarantee confidentiality, within a maximum of 7 days from the request.
- External channel: alternatively, without having to use the internal channel, the informant may go directly to the Independent Authority for the Protection of Informants (A.I.P.I.) created by Law 2/2023, submitting the report —identified or completely anonymous— through its electronic office sede.proteccioninformante.gob.es, or to the regional authorities and the Public Prosecutor's Office where appropriate.
5. Anonymity and confidentiality
The informant may report on an identified or completely anonymous basis. Tarraco App Lab guarantees that:
- The identity of the informant will not be revealed to the persons concerned or to third parties, except by order of the competent judicial authority in the context of a criminal investigation. Where this occurs, the informant will be notified in writing in advance, unless legally prohibited.
- Access to the channel and to the case files is restricted to a single person with specific identity and training: the Officer of the Internal Reporting System.
- Personal data is processed in accordance with the GDPR, on the legal basis of compliance with the legal obligation under art. 32 of Law 2/2023 and the public interest in the prevention, investigation and prosecution of infringements (art. 6.1.c and 6.1.e GDPR).
- The case-file data will be kept for the time strictly necessary to resolve the investigation and will then be deleted, unless subsequent legal retention applies. In any event, it will be kept for no longer than 10 years.
6. Prohibition of retaliation
Any retaliation, direct or indirect, against the informant, their relatives, persons close to them and facilitators is expressly prohibited. In particular, the following are prohibited:
- Suspension, dismissal, non-renewal, transfer or any substantial change to working conditions.
- Imposition of a disciplinary measure or penalty.
- Coercion, intimidation, harassment or ostracism.
- Discrimination or unfavourable treatment.
- Unfavourable entries in performance evaluations.
- Early termination of the contract for goods or services.
Any retaliation will be subject to the penalties provided for in Law 2/2023 (fines of up to €1,000,000 for legal persons, and criminal liability where appropriate). A person harmed by retaliation is entitled to compensation for damages.
7. Handling procedure
- Acknowledgement of receipt: the Officer of the Internal Reporting System will send the informant (where the informant has identified themselves or provided a secure anonymous contact channel) an acknowledgement of receipt within a maximum of 7 calendar days from receipt of the communication.
- Investigation: the Officer will open an internal investigation proportionate to the facts. They may request additional information from the informant, the person concerned and other witnesses, always with guarantees of confidentiality. If the facts could constitute a criminal offence, the information will be referred to the Public Prosecutor's Office. If they affect the financial interest of the EU, it will be referred to the European Public Prosecutor's Office.
- Hearing of the person concerned: before the decision, the person concerned by the report will be given a hearing, with safeguards for their defence, without revealing the informant's identity.
- Decision: the maximum period to resolve and communicate the outcome of the proceedings to the informant is 3 months from the acknowledgement of receipt, extendable by a further 3 months due to the complexity of the case, with written justification.
- Corrective measures: if the investigation confirms the infringement, the necessary corrective, disciplinary and, where appropriate, judicial measures will be adopted.
- Closure: if the investigation does not confirm the infringement, the case file will be closed with a reasoned decision.
8. Officer of the Internal Reporting System
The Officer of the Internal Reporting System is the management body of Tarraco App Lab, S.L.U. In the event of a conflict of interest (a report that may affect the Officer themselves or their environment), the matter will be automatically transferred to the external channel of the Independent Authority for the Protection of Informants (A.I.P.I.), guaranteeing independence.
9. Processing of the channel's personal data
The personal data collected through this channel is processed as detailed below:
- Controller: Tarraco App Lab, S.L.U. (company in formation), with registered address in Tarragona (Catalonia, Spain); legal@tarracoapplab.com.
- Purpose: management of the Internal Reporting System in accordance with Law 2/2023.
- Legal basis: compliance with the legal obligation under art. 32 of Law 2/2023 (art. 6.1.c GDPR) and public interest in the prevention and prosecution of infringements (art. 6.1.e GDPR).
- Recipients: the Officer of the Internal Reporting System and, where appropriate, the Public Prosecutor's Office, the European Public Prosecutor's Office, the Labour Inspectorate, the AEPD or another competent authority.
- Retention: the time strictly necessary to resolve the investigation, up to a maximum of 10 years. Data that is not necessary will be deleted within 3 months from receipt of the communication, unless required as later evidence.
- Rights: access, rectification, erasure, objection and restriction, under the terms of the GDPR. They may be exercised at legal@tarracoapplab.com. They may be exceptionally restricted to preserve the ongoing investigation. The AEPD is the competent supervisory authority.
10. Changes to this policy
This policy may be updated to reflect regulatory changes or changes in how the channel operates. The current version and the review date are published on this page.