Whistleblower Policy

November 2025

Introduction

This Policy establishes Siteimprove's internal whistleblower channel and procedures in accordance with the Danish Whistleblower Protection Act (Act no. 1436 of 29 June 2021) and EU Directive (EU) 2019/1937.

The purpose is to ensure that individuals can safely and confidentially report serious breaches of law or other serious matters, including issues of significant public interest even where no direct legal violation has occurred, without risk of retaliation.

Scope

This whistleblower policy (the "Policy") applies to:

Current and former employees, board members, external consultants, contractors, and agency staff
Customers
Partners
Suppliers
Other third parties who have acquired information in a work-related context

All the above are collectively referred to as "Associates". This policy is intended to encourage and enable Associates to make reports concerning serious breaches such as:

reaches of EU or Danish law (e.g. fraud, bribery, corruption, data protection, environmental, health or safety violations); suspected fraud, unethical business practices, bribery, corruption, data protection, environmental, or other improper or unlawful activity, or serious health and safety concerns within Siteimprove
Serious breaches of internal policies

Minor HR matters not constituting serious breaches should be handled through normal HR channels.

The purpose of this Policy is also to outline the process Siteimprove will follow when evaluating and investigating such reports.

Reporting

Any Associate that has concerns or reason to believe that an employee or board member of Siteimprove has been in violation of the above should report the violation through Siteimprove's online whistleblower portal by filing a report below. Siteimprove's whistleblower channel is operated by an independent law firm to ensure confidentiality and impartiality. Accordingly, reports are not submitted directly to Siteimprove but are instead received by the external provider Bird & Bird.

The report should explain and describe the violation in as much detail as possible. The more information provided, the better the efficiency of the investigation.

Reports may be made anonymously or with the reporter's identity disclosed. Both will be handled confidentially.

Anyone may also report directly to the official external whistleblower authority operated by the Danish Data Protection Agency (Datatilsynet) at https://whistleblower.dk.

Acknowledgement and investigation

If you've provided an email address, you will receive an acknowledgement of receipt within 7 days. Every report of a possible violation will be investigated promptly and impartially, with every effort to maintain the confidentiality of the Associate and the reported individual(s). If you've provided an email address and your report is assessed as a valid whistleblower request, you and the individual(s) concerned will be informed of the results of the investigation within (3) months after the report has been received.

Individual(s) reported

Siteimprove will ensure that any person reported under this Policy fully enjoys the right to a fair investigation and the presumption of innocence, and the right to be informed about the investigation and access to their file. This means that any person reported will receive:

A notice that a report about them has been submitted
Information about who will investigate their file and the purpose
Information about the treatment of the file and their right to access it
Information that the file may be submitted to the police or other public authorities

However, if the General Counsel estimates that informing the reported individual(s) at an early stage could put the investigation or the Associate at risk, sharing of the above information might need to be deferred. Deferrals of information will be decided on a case-by-case basis and the reasons for any restriction will be documented.

Findings

If Siteimprove finds that a violation has taken place, it will take appropriate corrective and remedial action, up to termination and reporting the violation to a competent legal authority.

Anonymity

All reports are treated confidentially, and the identity of the whistleblower will not be disclosed without consent or a clear legal obligation. If the identity of the Associate is known to Siteimprove, we will treat your reporting confidentially and protect your identity internally. Only if a police investigation or other external investigations are needed Siteimprove might be required to reveal an Associates personal information, insofar as and to the extent required.

No retaliation

No person may be subject to retaliation against, harassment of, or other adverse action against an Associate (including colleagues or any other third party who assist the Associate with the reporting) because they reported a suspected violation or assisted in an investigation. Any instances of retaliation should be reported as a violation as defined in this Policy. Examples of prohibited retaliation include:

Suspension, lay-off, dismissal, or equivalent measures
Coercion, intimidation, or discrimination
Negative performance assessment or employment reference
Early termination or cancellation of contracts for goods or services

Personal Data Processing

Siteimprove will process Personal Data of the Associate, the reported person(s) and any other third parties involved for the purposes provided in this Policy and in accordance with Siteimprove's privacy notices as specified below:

Privacy Notice for Employees - applicable for former and present employees, board members, external consultants, contractors, and agency staff, available on Siteimprove intranet.
For every other Associate than described above: Privacy Notice: Website and social media, available here: https://www.siteimprove.com/privacy/website-privacy-policy/.

Bird & Bird will also process personal data relating to the associate. Their privacy notice, which includes all relevant information about how your personal data is processed, is included in this policy as Annex A and can be found below the form.

Personal data will be stored only for as long as necessary to investigate and conclude the case and to comply with applicable legal obligations. In general, retention will not exceed the period considered reasonable under applicable data protection and whistleblower legislation.

Governance

This Policy is owned by General Councel. We may update this notice from time to time as a result of changes in legal, technical or business developments. The latest version will always be available online.

File a report

Your report will be reviewed promptly. You will receive acknowledgement of receipt within 7 days and a conclusion of the review no later than 3 (three) months after your submission.

What is your suspicion? *

Do you work in the organization? *

Yes

Not specified

In what country did the incident take place? *

In which company did the incident take place? *

In which city did the incident take place?*

Please give the name of the affected department *

Who is involved in the incident? *

Attach document

Contact details (optional)

Name

Phone number

By submitting your contact details, you acknowledge and consent to being contacted in the course of the investigation and to receive a conclusion of the review. Privacy Policy

Annex A

PRIVACY NOTICE – BIRD & BIRD’S ADMINISTRATION OF SITEIMPROVES’ WHISTLEBLOWER SCHEME

1. Introduction

This privacy notice ("Privacy Notice") is intended to provide you with information on how Bird & Bird Advokatpartnerselskab, CVR no. 35144501 ("Bird & Bird", "us", "our", "we") collect and process personal data in connection with the administration of the whistleblower scheme of Siteimprove A/S, CVR no. 25537017, and the entities in United States, Germany, Australia and United Kingdom (collectively "Siteimprove") ("Whistleblower Scheme").

Act no. 1436 of 29-06-2021 on the Protection of Whistleblowers ("Whistleblower Protection Act") requires certain companies to establish a whistleblower scheme. Siteimprove is subject to the Act as of December 2023.

Siteimprove has partially outsourced the operation of the Whistleblower Scheme to Bird & Bird as an external third party.

This Privacy Notice applies to whistleblowers, reported persons, persons whose personal data are otherwise included in reports (witnesses, etc.) and contact persons of Siteimprove's internal Whistleblower Unit (as defined in the Whistleblower Policy).

If you choose to be an anonymous whistleblower, we will not process any personal data about you. However, please be aware that if it is in any way possible (indirectly) to identify who you are, then you will not be anonymous, and our processing of your personal data will be subject to this Privacy Notice.

We will only process your personal data in accordance with this Privacy Notice and applicable relevant legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the (Danish) Data Protection Act and the Whistleblower Protection Act.

We receive all reports and carry out an initial screening of whether they fall within the scope of the Whistleblower Scheme. We are data controller for this initial processing of personal data.

We will forward screened reports which fall within the scope of the Whistleblower Scheme to Siteimprove's internal Whistleblower Unit, who will then process the report. You can read more about this in Siteimprove's "Privacy Notice".

Bird & Bird can be contacted via the contact details provided in section 8.

2. The data we collect, the purpose and the legal basis for processing

2.1 If you are a whistleblower

We will process your name, contact details and the content of your report.

The purpose of our processing is Bird & Bird’s legitimate interest in being able to administer the Whistleblower Scheme on behalf of Siteimprove, including initial screening of reported matters, to ensure they are handled correctly and that you receive feedback, and to assist Siteimprove in establishing, exercising, or defending legal claims (Legal basis is the Whistleblower Protection Act § 22 / GDPR art. 6(1) (f), art. 9(2) (f) and the Data Protection Act § 8).

2.2 If you have been reported through the Whistleblower Scheme:

If you have been reported, we will process any personal data about you that may have been included in the report. This can be anything from your name to information about any conduct, act, omission, statement, or criminal offence committed by you.

The purpose of the processing is Bird & Bird's legitimate interest in administering the Whistleblower Scheme, including initial screening of reported matters, to ensure they are handled correctly, and to assist Siteimprove in establishing, exercising, or defending legal claims (Legal basis is the Whistleblower Protection Act § 22 / GDPR art. 6(1) (f), art. 9(2) (f) and the Data Protection Act § 8).

2.3 If you are otherwise part of a report (witnesses, etc.):

If you are mentioned in a report as, for example, a relevant witness or similar (either by name, title or in any other way that makes you identifiable), we will process this personal data about you.

The purpose of our processing is Bird & Bird’s legitimate interest in being able to administer the Whistleblower Scheme on behalf of Siteimprove, including initial screening of reported matters to ensure they are handled correctly, and to assist Siteimprove in establishing, exercising, or defending legal claims (Legal basis is the Whistleblower Protection Act § 22 / GDPR art. 6(1) (f), art. 9(2) (f) and the Data Protection Act § 8).

2.4 If you are a contact person in Siteimprove's (internal) Whistleblower Unit:

As part of your association with Siteimprove's internal Whistleblower Unit, we process your name, title and contact information.

The purpose of the processing is Bird & Bird's legitimate interest in administering the Whistleblower Scheme on behalf of Siteimprove, including initial screening of reported matters, to ensure they are handled correctly, forward feedback to the Whistleblowers, as well as ensuring the communication channel with Siteimprove's internal Whistleblower Unit, who receive the screened reports and carry out any further examination and investigation, including for the establishment, exercise, or defence of legal claims (Legal basis is the Whistleblower Protection Act § 22 / GDPR art. 6(1) (f) art. 9(2) (f) and the Data Protection Act § 8).

2.5 Other processing

If we wish to process your personal data for purposes other than that for which the personal data was originally collected, we will provide you with information about this purpose prior to further processing.

To the extent that we refer to our legitimate interest as legal basis for processing of the personal data specified above, we have conducted a balancing test for those interests to ensure that our interests are not overridden by your interests or fundamental rights and freedoms. Please contact us by using the contact information found in section 8 below if you wish to receive more information on the balancing test.

3. How is your personal data collected

As a result of the operation of the Whistleblower Scheme, we may collect information as follows:

(i) Personal data of whistleblowers is collected directly from the whistleblower;

(ii) Personal data of reported persons is first collected from the whistleblower. The same applies to personal data of witnesses etc. mentioned in whistleblower reports. If you have been reported, or are otherwise mentioned in a report, you should be aware that our duty to disclose information to you may be limited as a result of the statutory duty of confidentiality in the Act on the Protection of Whistleblowers § 25, cf. GDPR Art. 14(5)(d), or where your interests in the information are deemed to be overridden by considerations of our private as well as public interests, including the investigation of the reported matter, pursuant to the Data Protection Act § 22(1) and (2) and/or

(iii) Personal data of members of Siteimprove's internal Whistleblower Unit is collected directly from these members.

4. Disclosure of your personal data

We disclose reports to Siteimprove, if they fall within the scope of the Whistleblower Scheme.

Please be aware, that even if you choose not to disclose your name and contact details to Siteimproves' internal Whistleblower Unit, your report may contain information that allows others to guess your identity.

5. Transfer of your personal data to third countries

We will not transfer your personal data to recipients outside of the EU or EEA.

6. Your rights

You have certain rights when it comes to the processing of your personal data. Below is a summary of your rights, how to exercise them and any limitations to them.

6.1 The right of access by the data subject

Request access to your personal data. It allows you to receive a copy of personal data we have recorded about you and ensure that we are processing it lawfully. You must send a written request to us via the contact details provided under section 8. You may be asked to prove that you are who you say you are.

Depending on the circumstances of a whistleblower report, we may be entitled to make exceptions to your right of access, in accordance with the Data Protection Act § 22(1) and (2).

6.2 The right to rectification

Request rectification of personal data that we hold about you. This gives you the opportunity to have incorrect or incomplete information we hold about you corrected.

6.3 The right to erasure ("the right to be forgotten")

You may have the right to have all or some of your personal data erased by us. To the extent that continued processing of your data is necessary, for example, to comply with our legal obligations or to establish, exercise or defend legal claims, we are not obliged to delete your personal data.

6.4 The right to restriction of processing

You may have the right to restrict the processing of your personal data to storage only, for example if you want us to demonstrate its accuracy or our purpose for processing it.

6.5 The right to object

You have the right to object at any time to our processing of your personal data which we carry out based on our legitimate interests, on grounds relating to your particular situation giving rise to the objection.

6.6 The right to withdraw consent

Where our processing is solely based on your consent you have the right to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

6.7 The right to lodge a complaint

You have the right at any time to lodge a complaint with the Data Protection Authority about our processing of your personal data. In Denmark you can lodge a complaint with Datatilsynet. You can read more about how to lodge a complaint on Datatilsynet's website here.

7. Data retention

Reports which concern less serious infringements or other matters, and which are therefore not covered by the Whistleblower Scheme, are deleted within 7 days of receipt.

Reports covered by the Whistleblower Scheme will be forwarded to Siteimprove's internal Whistleblower Unit, which will be in charge of the further process of handling the report, including determining when it can be deleted.

You can read more about how Siteimprove handles this in Siteimprove's "Privacy Notice".

We reserve the right to retain your personal data for a longer period if it is deemed necessary for Bird & Bird to establish, enforce, or defend a legal claim.

8. Contact information

Bird & Bird is the data controller for the personal data that we process about you as part of our administration of the Whistleblower Scheme.

If you have any questions or comments about this Privacy Notice or wish to exercise any of your rights under section 6, please contact:

Bird & Bird Advokatpartnerselskab

CVR no. 35144501

Sundkrogsgade 21

2100 København Ø

cph.gdpr@twobirds.com

9. Changes to this privacy notice

If we make changes to this Privacy Notice, updates will be available on this page. This version of Bird & Bird's Privacy Notice on the processing of personal data in connection with the administration of Siteimprove's Whistleblower Scheme is dated October 2025.