Whistleblower Policy

§ 1. General Provisions

This Policy is the internal procedure for reporting breaches of law and undertaking follow-up actions, compliant with the requirements set out in Chapter 3 of the Act of June 14, 2024, on protecting persons reporting breaches of law (hereinafter: The Act).

§ 2. Definitions

The definitions of the terms used in this Policy are as follows:

1. The Organization - Mirumee Software Sp. z o.o. Sp. k.
2. Whistleblower (Reporting Person)- an individual who reports a breach of law in a work-related context, regardless of their position, form of employment, or cooperation, including: an employee, former employee, job applicant, a person providing work on a basis other than an employment relationship (including civil law contracts), an entrepreneur, a shareholder or partner, a member of a legal entity's body, a person providing work under the supervision and direction of a contractor, subcontractor or supplier (including under a civil law contract), an intern, a volunteer.
3. Internal Report - report of a breach of law involving Mirumee Software Sp. z o.o. Sp. k.
4. Information on a Breach of Law - information regarding a reasonable suspicion of an actual or potential legal breach of law that has occurred or is likely to occur within the Organization or another entity with which the Reporting Person maintains or maintained contact in a work-related context, or concerning an attempt to conceal such a breach.
5. Follow-up Actions - the employer's actions to verify the claims made in the Report include conducting an internal investigation, clarifying the situation, filing charges where necessary, taking steps to recover financial resources, and concluding the process of accepting and verifying the report.
6. The Committee - internal Reporting Committee.
7. Person Concerned - the person concerned by the report.
8. Reporting Channel - the technical and organizational solutions facilitate the submission of a report. 
9. Retaliatory Actions - actions that negatively affect the Whistleblower's situation, causing harm or damage, are related to the submitted Report.
10. Breach of Law - an action or failure to act that breaks the law or tries to avoid it regarding public procurement; financial services and markets; preventing money laundering and terrorist financing; product safety; transport safety; environmental protection; radiological and nuclear safety; food safety; animal welfare; public health; consumer protection; privacy and data protection; security of information systems; financial interests of the European Union; and competition laws.
11. The Act - the Act of June 14 on the protection of persons reporting breaches of law.

§ 3. Internal Reporting Procedure

1. Internal Reports shall be submitted to the Internal Reporting Committee appointed by the Employer.
2. The procedure defined by this Policy does not cover the receipt of anonymous reports, including oral, telephone, or voice communication system reports.
3. The procedure defined by this Policy does not cover receiving reports on breaches of employee duties subject to liability provided for in the Labour Code or the Organization's internal documents regulating employment relations.
4. This Policy also does not apply to cases excluded from the scope of The Act.
5. The Whistleblower may submit reports via the following channels: 
6. Dedicated email inbox: report@mirumee.com 
7. By filling out the irregularity report form – the report form template is Attachment No. 2 to this procedure.
8. Internal Reports shall be submitted electronically. Any member of the Committee may receive a Report submitted via the dedicated email inbox.

§ 4. Internal Reporting Committee

1. Mirumee Software Sp. z o.o. Sp. k. will establish an Internal Reporting Committee of 3 to 5 members, including the HR Department and additional individuals designated by that department.
2. The Committee’s tasks include: 

a. Receiving Internal Reports via the dedicated email inbox, which any member of the Committee may receive. 

b. Confirm receipt of the Report to the Reporting Person within 7 days, unless the Reporting Person did not provide a contact address for confirmation.

3. The Committee is obliged to undertake Follow-up Actions with due diligence. Specifically: 

a.The Committee must conduct a thorough investigation using all available information and evidence. To achieve this, the Committee may request additional information or evidence from the Whistleblower, interview the Whistleblower, the Person Concerned, and any witnesses, review Company documentation, and take other necessary steps.

b. report acceptance and verification procedure may be concluded if any of the following conditions are met: the allegations in the report are determined to be false, the matters reported fall outside the scope of this Policy, or the reported violation is minor. It does not warrant any further follow-up actions.

c. Providing the Reporting Person with feedback within 3 months of the confirmation of receipt of the report, or if no confirmation was provided, within 3 months from the expiry of 7 days after the Report was submitted.

4. If the Internal Report's assessment indicates a breach of employee duties, the Committee shall close the procedure for receiving and verifying reports in that case and refer the matter to Mirumee Software Sp. z o.o. Sp. k.

5. The Committee shall draw up a protocol or note from the Follow-up Actions conducted.

6. The Committee acts collegially, making decisions by a majority of votes, with the number of "for" votes being decisive. The committee shall draw up a voting protocol in matters requiring a decision.

7.Documents prepared by the Committee are signed by all members, and each member has the right to submit a dissenting opinion.

§ 5. Register of Reports

1. All Reports must be recorded in the Register of Reports, regardless of the outcome of the Clarification Proceedings.
2. The HR Department is responsible for maintaining the Register of Reports.
3. The Register of Reports shall contain at least: the Whistleblower's contact details, all detailed information regarding the Report, the course of the analysis and review process, the persons and bodies involved, and information on the Follow-up and preventive actions taken.
4. The Register of Reports is kept confidential, and the documents and information collected during the analysis and review are stored for a minimum of five years following the completion of the Clarification Proceedings.
5. The Register of Reports constitutes Attachment No. 4 to this Policy.

§ 6. Prohibition of Retaliatory Actions

1. The Act strictly prohibits retaliatory actions against whistleblowers who submit reports, whether internal or external.
2. Undertaking any repressive, discriminatory, or unfair treatment towards the Whistleblower will be treated as a breach of this Policy. It may result in disciplinary action or termination of the agreement connecting the person undertaking the retaliatory actions with Mirumee Software Sp. z o.o. Sp. k.
3. Retaliatory Actions against a Whistleblower include, in particular, unjustified: refusal to establish an employment relationship, termination with or without notice of the employment relationship, failure to conclude a fixed-term employment contract after the termination of a probationary contract, failure to conclude a subsequent fixed-term employment contract or an indefinite contract (where the employee had a justified expectation of such a contract), reduction of remuneration, withholding promotion or omitting the employee during promotions, omitting the employee when granting non-wage work benefits, transfer to another position, suspension from duties, unfavorable change of the place of work or work schedule, or negative performance review. Or negative opinion, imposing a disciplinary measure (including a financial penalty), omitting the employee from professional training, unjustified referral for a medical examination, or action aimed at hindering future employment in a given sector or industry, unless Mirumee Software Sp. z o.o. Sp. k. proves that objective reasons guided it.
4. A threat or attempt to apply a measure specified above is also considered unfavorable treatment, unless Mirumee Software Sp. z o.o. Sp. k. proves that objective reasons guided it.
5. Negative actions taken against a Whistleblower constitute Retaliatory Actions only if their sole reason is the submission of a Report by the Whistleblower. This means the Company may undertake any justified measures against the Whistleblower (e.g., for breach of employee duties) based on objective reasons.

§ 7. Personal Data Protection

1. The Whistleblower's personal data and other identifying data shall not be disclosed unless they give their express consent.
2. The Committee may collect and process the Person Concerned's personal data for verification and Follow-up Actions, even without their consent.
3. The Committee maintains the Register of Internal Reports. Mirumee Software Sp. z o.o. Sp. k. is the Data Controller for the data collected in the Register.
4. Data in the Register is stored for 5 years from the date the report was accepted.
5. Only the Committee and the Mirumee Software Sp. z o.o. Sp. k. (to the extent indicated in this Policy and The Act) are authorized to receive and verify reports, undertake Follow-up Actions, and process the personal data of the Reporting Persons and Persons Concerned.
6. The persons authorized under paragraph 7 are obligated to maintain secrecy/confidentiality.

§ 8. Information on External Reporting Procedure

1. An External Report is information about a breach of law submitted to a public or central authority.
2. The authorities referred to in paragraph 1 are: 

a. Central Authority: The Polish Commissioner for Human Rights (Rzecznik Praw Obywatelskich). 

b. Public Authority receiving reports regarding competition rules and consumer protection: The President of the Office of Competition and Consumer Protection (Prezes Urzędu Ochrony Konkurencji i Konsumentów). 

c. Public Authorities: Authorities receiving external reports regarding breaches in areas falling within their scope of activity.

3. External Reports can be anonymous or allow for the identification of the Reporting Person.

4. The Central or Public Authority receiving the report is the Data Controller for the data provided in the External Report.

5. External reports may be submitted in one of three formats: orally, in writing, or electronically.

6. Oral reports can be submitted in the following ways: 

a. By telephone using a recorded hotline. 

b. At the request of the Reporting Person, during a direct meeting organized at the authority's premises. This meeting will take place within a designated period, which will not exceed 7 days from the date of the request.

7.The Central or Public Authority confirms receipt of the external report to the Reporting Person immediately, but no later than seven working days from receiving the report, provided the Reporting Person provided a contact address.

8. The Public Authority undertakes Follow-up Actions by: 

a. Verifying the External Report and assessing the veracity of its allegations;

b. Referring to the External Report to another public authority competent in the area of the breach contained in it.

9. The Public Authority may request clarifications or additional information from the Reporting Person. If the Reporting Person objects to sending the requested clarifications or providing additional information, or if sending such requests could endanger the protection of that person's identity, the public authority shall refrain from requesting clarifications or additional information.

10. The Public Authority provides feedback to the Reporting Person within a period not exceeding 3 months from the date of confirmation of receipt of the report, and in particularly justified cases, within 6 months from that date.

§ 9. Final Provisions

1. In matters not regulated by this Policy, the provisions of The Act shall apply.
2. The Policy has been agreed upon with the employee representative.
3. The Policy enters into force 2 weeks after its announcement to employees in the manner adopted by Mirumee Software Sp. z o.o. Sp. k.
4. The attachments to this procedure are: Attachment 1 (Template of the declaration
5. of acquaintance with the Policy) and Attachment 2 (Irregularity Report Form).