Privacy Policy #
Effective date: February 17, 2026 Last updated: May 30, 2026
1. Introduction #
EthicsPortal (“we”, “us”, “our”) is operated by Yaroslav Shmarov, registered at ul. Obrzeżna 1A, 02-691 Warsaw, Poland. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use EthicsPortal at ethicsportal.eu (the “Service”).
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
Contact: privacy@ethicsportal.eu
Baseline contracting-party information is published on the trust page.
2. Information we collect #
2.1 Account information #
When you create an account, we collect:
- Email address
- Display name (if provided)
- Locale preference
Authentication is passwordless — we use magic links (one-time codes sent to your email). We do not collect or store passwords.
2.2 Payment information #
Payments are processed entirely by Stripe . We do not store credit card numbers, bank account numbers, or other sensitive financial data on our servers. Stripe may collect payment details directly. Please refer to Stripe’s Privacy Policy for details.
2.3 Server logs #
Our servers automatically record information when you access the Service, including:
- IP address
- Browser type and version
- Pages visited and timestamps
- Referring URL
Server logs are used for security monitoring and debugging. They are not used for advertising or tracking.
For whistleblower portal routes specifically, application logs are configured to scrub the reporter’s IP address.
2.4 Whistleblower report data #
When a whistleblower submits a report through an organization’s portal, we collect:
- Report description, category, and source
- Reporter name and contact information (if voluntarily provided)
- Messages exchanged between the reporter and the organization
Report descriptions, reporter names, reporter contact details, and message contents are encrypted in the database using application-level encryption. IP addresses of whistleblowers are anonymized using a one-way hash and are never stored in their original form. Server logs for portal routes are scrubbed of IP addresses to protect whistleblower identity.
3. How we use your information #
We use the information we collect to:
- Provide the Service — create and manage your account
- Process payments — handle subscriptions through Stripe
- Send notifications — deliver in-app and email notifications about account activity
- Maintain security — detect and prevent fraud, abuse, and unauthorized access
- Improve the Service — diagnose technical issues and improve functionality
We do not sell your personal information. We do not use your data for advertising.
4. Third-party services #
We share data with the following third-party services, only as necessary to provide the Service:
| Service | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, payment details (collected by Stripe directly) |
| Hetzner Object Storage | File uploads (avatars, attachments) | Uploaded files |
| Mailjet | Transactional email delivery | Email address, email content |
| Cloudflare Web Analytics | Privacy-friendly website analytics | Page views, referrer, browser type, country (anonymous, no cookies, no personal data) |
| AppSignal | Error and exception tracking, application performance monitoring | Error details and request context for admin and handler interfaces |
| Crisp | Live chat support | Email address, name, chat messages, browser type, pages visited. Crisp is based in France (EU). See Crisp’s Privacy Policy |
Each third-party service is governed by its own privacy policy. We encourage you to review them.
5. Cookies #
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
_ethicsportal_session | Session management (authentication) | 2 years |
session_token | Signed session identifier for persistent login | Server-side session expires after 14 days of inactivity |
locale | Stores your language preference | 1 year |
A temporary pending_authentication_token cookie (15 minutes) is used during the magic link sign-in process.
Crisp live chat may set its own cookies (e.g., crisp-client/*) when handlers use the in-app support chat. These cookies are functional, not used for advertising, and are only set inside the handler portal — not on the marketing site or the whistleblower reporting portal.
All first-party cookies are set with the Secure and HttpOnly flags in production. We do not use third-party tracking cookies or advertising cookies. CSRF protection is handled via tokens embedded in HTML forms, not cookies.
6. Data storage and security #
- Server location: Core application data is hosted by Hetzner in Nuremberg, Germany (European Union)
- Encryption in transit: All connections use HTTPS/TLS
- Encryption at rest: Whistleblower report data (descriptions, reporter names, contact details, messages) is encrypted in the database using Active Record Encryption
- Passwordless authentication: We use magic links — no passwords are stored
- Access control: Database access is restricted to authorized personnel only
While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us at security@ethicsportal.eu .
7. Data retention #
- Account data is retained for as long as your account is active
- Organization data is retained while your organization is active
- Whistleblower reports — closed or dismissed reports are automatically deleted after the retention period configured by the customer organization (12, 24, 36, or 60 months). Active and ongoing reports are retained until closed
- Server logs are retained for up to 90 days
- Payment records are retained as required by applicable tax and accounting laws
- Audit logs — records of who accessed reports and when are retained alongside the report for compliance purposes
When you delete your account, your personal data is permanently removed from our systems, except where retention is required by law (e.g., financial records).
8. Your rights under GDPR #
Because we are based in the European Union, the General Data Protection Regulation (GDPR) applies. You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — request that we limit how we process your data
- Data portability — request your data in a structured, machine-readable format
- Object — object to processing of your data
- Withdraw consent — withdraw consent at any time where processing is based on consent
How to exercise your rights: You can manage most of your data directly through your account settings. To delete your account, visit your account settings page. For any other requests, email us at privacy@ethicsportal.eu .
Data Protection Officer: Inquiries regarding our data protection practices may be directed to dpo@ethicsportal.eu .
Our legal basis for processing your data is:
- Contract performance — to provide the Service you signed up for
- Legitimate interest — to maintain security and improve the Service
- Consent — for optional features
9. Account and data deletion #
You can delete your account at any time from your account settings. Account deletion permanently removes:
- Your profile and account information
- Your organization memberships
10. Children’s privacy #
The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at privacy@ethicsportal.eu and we will delete it.
11. International data transfers #
Core whistleblower report data is stored on servers located in Germany (EU). The marketing site is delivered via Cloudflare (United States); the reporting and handler portals are not. Where transfers to a non-EU subprocessor occur, they are described on the DPA and subprocessors pages.
12. Job applicants #
When you apply for a role with us (for example, by emailing careers@ethicsportal.eu ), we collect and process:
- Your name and contact details
- Your CV, application message, and anything you choose to tell us about your experience
- Notes from any interviews or conversations during the hiring process
Legal basis: processing is necessary to take steps at your request prior to entering a contract, and our legitimate interest in assessing candidates and running a fair hiring process. We do not ask for, and ask that you do not send, special-category data (such as health, religion, or trade union membership) or your pay history from previous roles.
Retention: we keep application data only as long as needed to assess your application and fill the role. If you are not hired, we delete your application data after the process closes, unless you ask us to keep it on file for future roles, in which case we hold it for up to 12 months.
You have the same GDPR rights over your application data as set out in section 8. To exercise them, or to ask us to delete your application, email privacy@ethicsportal.eu .
13. Changes to this policy #
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through an in-app notification. The “Last updated” date at the top of this page indicates when the policy was last revised.
Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
14. Contact us #
If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:
General: support@ethicsportal.eu Privacy / GDPR rights: privacy@ethicsportal.eu Data Protection Officer: dpo@ethicsportal.eu Security disclosures: security@ethicsportal.eu Legal / DPA: legal@ethicsportal.eu Location: Warsaw, Poland
Last updated: