Skip to main content Required by EU law for organizations with 50+ employees

Privacy Policy #

Effective date: February 17, 2026 Last updated: May 30, 2026

1. Introduction #

EthicsPortal (“we”, “us”, “our”) is a trade name used by Yaroslav Shmarov, a sole proprietor (jednoosobowa działalność gospodarcza) registered in Poland (NIP: 5272755790), at ul. Obrzeżna 1A, 02-691 Warsaw, Poland. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use EthicsPortal at ethicsportal.eu (the “Service”).

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

Contact: privacy@ethicsportal.eu

Baseline contracting-party information is published on the trust page.

2. Information we collect #

2.1 Account information #

When you create an account, we collect:

Authentication is passwordless — we use magic links (one-time codes sent to your email). We do not collect or store passwords.

2.2 Payment information #

Payments are processed entirely by Stripe . We do not store credit card numbers, bank account numbers, or other sensitive financial data on our servers. Stripe may collect payment details directly. Please refer to Stripe’s Privacy Policy for details.

2.3 Server logs #

Our servers automatically record information when you access the Service, including:

Server logs are used for security monitoring and debugging. They are not used for advertising or tracking.

For whistleblower portal routes specifically, application logs are configured to scrub the reporter’s IP address.

2.4 Whistleblower report data #

When a whistleblower submits a report through an organization’s portal, we collect:

Report descriptions, reporter names, reporter contact details, and message contents are encrypted in the database using application-level encryption. IP addresses of whistleblowers are anonymized using a one-way hash and are never stored in their original form. Server logs for portal routes are scrubbed of IP addresses to protect whistleblower identity.

2.5 Personal data of third parties named in reports #

A whistleblower report may contain personal data about other people — for example, the person a report concerns, or witnesses. For this report data, EthicsPortal acts as a processor on behalf of the customer organization, which is the controller. The organization is responsible for the lawfulness of this processing and for providing any information required under Article 14 GDPR to the individuals concerned.

In line with Article 14(5)(b) GDPR and the confidentiality requirements of the EU Whistleblower Directive (2019/1937), notifying a named individual may be deferred or restricted where doing so would prejudice an investigation or compromise the protection of the whistleblower’s identity.

3. How we use your information #

We use the information we collect to:

We do not sell your personal information. We do not use your data for advertising.

4. Third-party services #

We share data with the following third-party services, only as necessary to provide the Service:

ServicePurposeData shared
StripePayment processingEmail, payment details (collected by Stripe directly)
Hetzner Object StorageFile uploads (avatars, attachments)Uploaded files
MailjetTransactional email deliveryEmail address, email content
Cloudflare Web AnalyticsPrivacy-friendly website analyticsPage views, referrer, browser type, country (anonymous, no cookies, no personal data)
Plausible AnalyticsPrivacy-friendly website analytics (EU-hosted, Germany)Page views, referrer, browser type, country (anonymous, no cookies, IP not stored, no personal data). Loaded only on the public marketing website — never on the application or the whistleblower reporting channel. See Plausible’s Data Policy
AppSignalError and exception tracking, application performance monitoringError details and request context for admin and handler interfaces
CrispLive chat supportEmail address, name, chat messages, browser type, pages visited. Crisp is based in France (EU). See Crisp’s Privacy Policy

Each third-party service is governed by its own privacy policy. We encourage you to review them.

5. Cookies #

We use the following cookies:

CookiePurposeDuration
_ethicsportal_sessionSession management (authentication)30 days
session_tokenSigned session identifier for persistent loginServer-side session expires after 14 days of inactivity
localeStores your language preference1 year

A temporary pending_authentication_token cookie (15 minutes) is used during the magic link sign-in process.

Crisp live chat may set its own cookies (e.g., crisp-client/*) when handlers use the in-app support chat. These cookies are functional, not used for advertising, and are only set inside the handler portal — not on the marketing site or the whistleblower reporting channel.

All first-party cookies are set with the Secure and HttpOnly flags in production. We do not use third-party tracking cookies or advertising cookies. CSRF protection is handled via tokens embedded in HTML forms, not cookies.

6. Data storage and security #

While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us at security@ethicsportal.eu .

7. Data retention #

When you delete your account, your personal data is permanently removed from our systems, except where retention is required by law (e.g., financial records).

8. Your rights under GDPR #

Because we are based in the European Union, the General Data Protection Regulation (GDPR) applies. You have the right to:

How to exercise your rights: You can manage most of your data directly through your account settings. To delete your account, visit your account settings page. For any other requests, email us at privacy@ethicsportal.eu .

If you submitted a whistleblower report: the organization whose portal you used is the controller of that report, and EthicsPortal acts as its processor. You can access and download a full copy of your report at any time from the portal using your access code and passcode. To correct information, add a message to your report; for any other request, contact the organization (we will assist them as processor). Because the law requires reports to be retained for a set period, erasure may not be possible until that period expires.

Data Protection Officer: Inquiries regarding our data protection practices may be directed to dpo@ethicsportal.eu .

Our legal basis for processing your data is:

9. Account and data deletion #

You can delete your account at any time from your account settings. Account deletion permanently removes:

10. Children’s privacy #

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at privacy@ethicsportal.eu and we will delete it.

11. International data transfers #

Core whistleblower report data is stored on servers located in Germany (EU). The marketing site is delivered via Cloudflare (United States); the reporting and handler portals are not. Where transfers to a non-EU subprocessor occur, they are described on the DPA and subprocessors pages.

12. Job applicants #

When you apply for a role with us (for example, by emailing careers@ethicsportal.eu ), we collect and process:

Legal basis: processing is necessary to take steps at your request prior to entering a contract, and our legitimate interest in assessing candidates and running a fair hiring process. We do not ask for, and ask that you do not send, special-category data (such as health, religion, or trade union membership) or your pay history from previous roles.

Retention: we keep application data only as long as needed to assess your application and fill the role. If you are not hired, we delete your application data after the process closes, unless you ask us to keep it on file for future roles, in which case we hold it for up to 12 months.

You have the same GDPR rights over your application data as set out in section 8. To exercise them, or to ask us to delete your application, email privacy@ethicsportal.eu .

13. Changes to this policy #

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through an in-app notification. The “Last updated” date at the top of this page indicates when the policy was last revised.

Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

14. Contact us #

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

General: support@ethicsportal.eu Privacy / GDPR rights: privacy@ethicsportal.eu Data Protection Officer: dpo@ethicsportal.eu Security disclosures: security@ethicsportal.eu Legal / DPA: legal@ethicsportal.eu Location: Warsaw, Poland

Last updated: