Privacy Policy
Effective date: February 17, 2026
Last updated: April 5, 2026
1. Introduction
EthicsPortal (“we”, “us”, “our”) is operated by Yaroslav Shmarov, an individual based in Warsaw, Poland. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use EthicsPortal at ethicsportal.eu (the “Service”).
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
Contact: support@ethicsportal.eu
2. Information we collect
2.1 Account information
When you create an account, we collect:
- Email address
- Display name (if provided)
- Locale preference
Authentication is passwordless — we use magic links (one-time codes sent to your email) and optional OAuth sign-in via Google. We do not collect or store passwords.
2.2 Payment information
Payments are processed entirely by Stripe. We do not store credit card numbers, bank account numbers, or other sensitive financial data on our servers. Stripe may collect payment details directly. Please refer to Stripe’s Privacy Policy for details.
2.3 Server logs
Our servers automatically record information when you access the Service, including:
- IP address
- Browser type and version
- Pages visited and timestamps
- Referring URL
Server logs are used for security monitoring and debugging. They are not used for advertising or tracking.
2.4 Whistleblower report data
When a whistleblower submits a report through an organization’s portal, we collect:
- Report description, category, and source
- Reporter name and contact information (if voluntarily provided)
- Messages exchanged between the reporter and the organization
Report descriptions, reporter names, reporter contact details, and message contents are encrypted in the database using application-level encryption. IP addresses of whistleblowers are anonymized using a one-way hash and are never stored in their original form. Server logs for portal routes are scrubbed of IP addresses to protect whistleblower identity.
2.5 OAuth data
If you sign in with Google, we receive your email address and profile name from Google. We also store encrypted OAuth tokens to maintain your connection. You can disconnect your Google account at any time from your account settings.
3. How we use your information
We use the information we collect to:
- Provide the Service — create and manage your account
- Process payments — handle subscriptions through Stripe
- Send notifications — deliver in-app and email notifications about account activity
- Maintain security — detect and prevent fraud, abuse, and unauthorized access
- Improve the Service — diagnose technical issues and improve functionality
We do not sell your personal information. We do not use your data for advertising.
4. Third-party services
We share data with the following third-party services, only as necessary to provide the Service:
| Service | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, payment details (collected by Stripe directly) |
| Cloudflare R2 | File uploads (avatars, attachments) | Uploaded files |
| Postmark | Transactional email delivery | Email address, email content |
| Cloudflare Web Analytics | Privacy-friendly website analytics | Page views, referrer, browser type, country (anonymous, no cookies, no personal data) |
| Honeybadger | Error and exception tracking | Error details, request context (URL, IP address, browser type) — no personal data is intentionally collected |
| Google OAuth2 | Optional sign-in authentication | Email address, profile name (only if you choose to sign in with Google) |
Each third-party service is governed by its own privacy policy. We encourage you to review them.
5. Cookies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| _ethicsportal_session | Session management (authentication) | 2 years |
| session_token | Signed session identifier for persistent login | Permanent |
| locale | Stores your language preference | 1 year |
A temporary pending_authentication_token cookie (15 minutes) is used during the magic link sign-in process.
All cookies are set with the Secure and HttpOnly flags in production. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. CSRF protection is handled via tokens embedded in HTML forms, not cookies.
6. Data storage and security
- Server location: Our servers are hosted by Hetzner in Nuremberg, Germany (European Union)
- Encryption in transit: All connections use HTTPS/TLS
- Encryption at rest: Whistleblower report data (descriptions, reporter names, contact details, messages) and OAuth tokens are encrypted in the database using Active Record Encryption
- Passwordless authentication: We use magic links and OAuth — no passwords are stored
- Access control: Database access is restricted to authorized personnel only
While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us at support@ethicsportal.eu.
7. Data retention
- Account data is retained for as long as your account is active
- Organization data is retained while your organization is active
- Whistleblower reports — closed or dismissed reports are automatically deleted after 60 months (5 years) in accordance with EU Whistleblower Directive retention guidelines. Active and ongoing reports are retained until closed
- Server logs are retained for up to 90 days
- Payment records are retained as required by applicable tax and accounting laws
- Audit logs — records of who accessed reports and when are retained alongside the report for compliance purposes
When you delete your account, your personal data is permanently removed from our systems, except where retention is required by law (e.g., financial records).
8. Your rights under GDPR
Because we are based in the European Union, the General Data Protection Regulation (GDPR) applies. You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — request that we limit how we process your data
- Data portability — request your data in a structured, machine-readable format
- Object — object to processing of your data
- Withdraw consent — withdraw consent at any time where processing is based on consent
How to exercise your rights: You can manage most of your data directly through your account settings. To delete your account, visit your account settings page. For any other requests, email us at support@ethicsportal.eu.
Our legal basis for processing your data is:
- Contract performance — to provide the Service you signed up for
- Legitimate interest — to maintain security and improve the Service
- Consent — for optional features
9. Account and data deletion
You can delete your account at any time from your account settings. Account deletion permanently removes:
- Your profile and account information
- Your organization memberships
10. Children’s privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at support@ethicsportal.eu and we will delete it.
11. International data transfers
Your data is stored on servers located in Germany (EU). If you access the Service from outside the EU, your data will be transferred to and processed in the EU. The EU provides a high level of data protection under the GDPR.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through an in-app notification. The “Last updated” date at the top of this page indicates when the policy was last revised.
Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
13. Contact us
If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:
Email: support@ethicsportal.eu
Location: Warsaw, Poland