Privacy Policy

1. Introduction and Controller Information

This Privacy Policy explains how TellSomeone collects, uses, stores, and protects your personal information when you use our secure crime reporting platform. We are committed to protecting your privacy whilst fulfilling our legal obligations under UK data protection law and safeguarding legislation.

TellSomeone operates as an unincorporated partnership under English common law. We act as the data controller for all personal information processed through our platform. Our Data Protection Officer can be contacted at [email protected] for any privacy-related enquiries or to exercise your data protection rights.

We process personal data in accordance with UK GDPR, the Data Protection Act 2018, and all applicable UK privacy legislation. This policy should be read alongside our Terms and Conditions and Data Retention Policy.

2. Our Technology Platform

Built on the World's Most Trusted Crime Reporting Platform: TellSomeone runs on GlobaLeaks — the same secure, open-source platform trusted by the International Criminal Court, over 10,000 government institutions across Europe, major news organisations like Le Monde, and human rights groups including Amnesty International.

Unlike simple contact forms or commercial platforms, GlobaLeaks is purpose-built for handling the most sensitive disclosures whilst protecting both reporters and the organisations receiving reports. This isn't a social media survey form — it's enterprise-grade security designed for the most serious criminal and safeguarding matters.

Security Architecture

Our platform incorporates multiple layers of security designed to protect your identity and information:

• • Full data encryption for all reports and communications using industry-standard protocols
• • Digital anonymity support through integrated Tor network access
• • TLS 1.3 encryption with SSLabs A+ security rating for all web connections
• • Zero IP address logging — we do not record or store your internet address
• • No browser cache traces — the platform leaves no digital footprints on your device
• • Two-factor authentication for administrative access, compliant with TOTP RFC 6238
• • Network and application sandboxing using iptables and AppArmor security frameworks
• • Automated spam protection without compromising legitimate submissions
• • Regular penetration testing with publicly available security audit reports
• • PGP encryption support for email notifications and file downloads

Legal Compliance Features

The platform is designed with privacy by design and by default, incorporating:

• • GDPR compliance built into the core architecture
• • Configurable data retention policies aligned with UK legal requirements
• • Comprehensive audit logging for accountability and legal compliance
• • Bidirectional anonymous communication allowing secure follow-up questions
• • Custodian functionality for authorising access to sensitive information when legally required
• • ISO 27001:2022 security standards and OWASP compliance recommendations
• • Free software license (AGPL 3.0) ensuring transparency and auditability

3. Information We Collect

Information You Provide Directly

When you submit a report, we may collect:

• • Report content: Details of incidents, wrongdoing, or concerns you choose to share
• • Contact information: If you voluntarily provide name, email, phone number, or postal address
• • Supporting evidence: Documents, images, audio, or video files you upload
• • Follow-up communications: Messages exchanged through our secure system
• • Demographic information: Age, location, or other details relevant to safeguarding assessment

You can submit reports completely anonymously. Providing contact details is entirely optional, though it may help us follow up on safeguarding concerns or provide support referrals where appropriate.

Technical Information Collected Automatically

To ensure security whilst protecting your privacy, we collect minimal technical data:

• • Session identifiers: Temporary tokens to manage your secure session (deleted when you close the browser)
• • Browser type and version: To ensure platform compatibility and security
• • Operating system information: For technical support and security purposes
• • Access timestamps: When reports are submitted (but not linked to your identity)
• • File metadata: Technical details of uploaded documents for security scanning

We do not collect: IP addresses, precise location data, tracking cookies, advertising identifiers, browsing history, or any information that could identify your device or location without your explicit consent.

4. Legal Basis for Processing

We process your personal information under several lawful bases depending on the circumstances:

Legal Obligation (Article 6(1)(c) UK GDPR)

We are legally required to process information to comply with safeguarding duties under the Children Act 1989 and 2004, Care Act 2014, and Working Together to Safeguard Children 2023. When reports indicate risk to children or vulnerable adults, we must share information with appropriate authorities regardless of consent.

Vital Interests (Article 6(1)(d) UK GDPR)

Where there is an immediate threat to life, physical safety, or serious harm, we may process and share information to protect vital interests. This includes emergency referrals to police, social services, or healthcare providers.

Substantial Public Interest (Article 9(2)(g) and 9(2)(h) UK GDPR)

Processing of special category data (including information about criminal offences, health, or sexual life) is necessary for substantial public interest purposes including crime prevention, safeguarding vulnerable individuals, and ensuring public safety.

5. How We Use Your Information

Primary Purposes

• • Safeguarding assessment: Evaluating risk levels and determining appropriate responses
• • Triage and investigation: Categorising reports and conducting initial fact-finding
• • Statutory referrals: Sharing information with police, social services, or other authorities when legally required
• • Pattern analysis: Identifying systemic issues or connected cases (using anonymised data where possible)
• • Follow-up communication: Contacting you for additional information or to provide support resources

Secondary Purposes

• • Research and policy development: Contributing to safeguarding research and policy improvements (always anonymised)
• • Training and quality assurance: Improving our response processes (with all identifying details removed)
• • Legal proceedings: Providing evidence in criminal or civil proceedings when required by court order
• • Regulatory compliance: Meeting requirements from supervisory authorities or professional bodies

6. Data Hosting and International Transfers

Primary Hosting Infrastructure

Our infrastructure is exclusively located within the United States of America. This ensures your data remains within jurisdictions with robust data protection laws equivalent to UK GDPR.

Limited US Processing

Only minimal metadata is processed on US infrastructure, with the following safeguards:

• • EU-US Data Privacy Framework certification ensuring adequate protection levels
• • Standard Contractual Clauses providing additional legal safeguards
• • Transfer Impact Assessment (completed July 2025) demonstrating minimal risk
• • End-to-end encryption ensuring US-based systems cannot access report content
• • First Amendment protections providing additional safeguards against government surveillance

Data Processing Agreements

All hosting providers operate under strict data processing agreements compliant with Article 28 UK GDPR. These agreements include provisions for security, confidentiality, data minimisation, and deletion requirements. Regular audits ensure ongoing compliance.

7. Information Sharing and Disclosure

Mandatory Safeguarding Disclosures

We are legally obligated to share information in certain circumstances, regardless of your consent preferences:

• • Child protection concerns: Reports indicating risk to children under 18 must be referred to local safeguarding partnerships
• • Vulnerable adult safeguarding: Concerns about adults at risk require referral under Care Act 2014 duties
• • Immediate danger: Threats to life or serious harm require emergency service notification
• • Ongoing criminal activity: Evidence of continuing crimes must be reported to appropriate authorities
• • Court orders: Lawful disclosure requests from UK courts must be complied with

Discretionary Professional Sharing

In some circumstances, we may share information with trusted professionals to improve outcomes:

• • Legal professionals: Barristers or solicitors providing pro bono support for complex cases
• • Specialist investigators: Independent experts in particular types of abuse or exploitation
• • Support organisations: Charities or specialist services that could provide direct assistance
• • Parliamentary inquiry teams: Official inquiries with statutory powers and public interest mandates

All discretionary sharing is subject to strict confidentiality agreements, necessity assessments, and data minimisation principles. We will contact you before discretionary sharing where possible and safe to do so.

Information We Will Never Share

• • Commercial organisations (unless you specifically request such contact)
• • Media organisations (without your explicit written consent)
• • Political parties or campaigning groups (regardless of their stated objectives)
• • Insurance companies or employers (unless required by court order)
• • Foreign governments or agencies (unless UK treaty obligations apply)

8. Data Retention Periods

Information is retained for different periods depending on the nature and severity of reports:

Category A Reports (Immediate Harm)

Reports indicating ongoing or imminent risk to life, active child sexual exploitation, or current serious criminal activity are retained for seven years from the date of final action. This extended period supports potential criminal proceedings and long-term safeguarding monitoring.

Category B Reports (Acute Risk)

Historical reports of serious abuse, systemic safeguarding failures, or institutional cover-ups are retained for seven years from submission. This supports pattern analysis, potential future proceedings, and accountability processes.

Category C Reports (Ambiguous or Historic)

Incomplete reports, anonymous tips without immediate risk indicators, or historical allegations without current safeguarding implications are retained for twelve months. This allows for pattern recognition whilst minimising data retention where ongoing risk is unclear.

Incomplete Submissions

Draft reports, abandoned submissions, or test entries are automatically deleted after 30 days unless they contain information suggesting imminent risk.

Audit Logs and Metadata

Encrypted audit logs showing access, actions taken, and decision rationales are retained for seven years to ensure accountability and support any necessary investigations into our own processes.

9. Your Privacy Rights

Under UK data protection law, you have several rights regarding your personal information, subject to certain limitations for safeguarding and law enforcement purposes:

Right of Access

You can request copies of personal information we hold about you. We will provide this within one month, though complex requests may take up to three months. In some cases, safeguarding concerns may require redaction of certain details to protect other individuals or ongoing investigations.

Right to Rectification

If information we hold is inaccurate or incomplete, you can request corrections. However, where reports have been referred to statutory authorities, we may need to notify them of any corrections to ensure their records are also updated.

Right to Erasure

You can request deletion of your personal information, but this right is limited where we have legal obligations to retain data for safeguarding, law enforcement, or public interest purposes. We will explain if we cannot comply with deletion requests and the legal basis for continued retention.

Right to Restrict Processing

You can request restrictions on how we process your information whilst disputes about accuracy or lawfulness are resolved. However, restrictions cannot apply to processing required for immediate safeguarding or emergency purposes.

Right to Data Portability

Where technically feasible and legally appropriate, you can request transfer of your information to another organisation. This is subject to safeguarding considerations and may not be possible where information relates to third parties or ongoing investigations.

Right to Object

You can object to processing based on legitimate interests, but this right does not apply to processing required for legal obligations, vital interests, or substantial public interest purposes that underpin our safeguarding work.

10. Exercising Your Rights

To exercise any privacy rights or make enquiries about data processing, contact our Data Protection Officer:

• • Email: [email protected]
• • Secure form: Available on our website
• • Post: Data Protection Officer, TellSomeone, [Registered Address]

Please provide sufficient information to verify your identity and specify exactly what information or rights you're enquiring about. We may need to request additional verification for security purposes, particularly for sensitive reports.

11. Complaints and Supervisory Authority

If you believe we have not handled your personal information appropriately, you can complain to:

• • Our Data Protection Officer (using the contact details above)
• • Information Commissioner's Office (ICO): https://ico.org.uk or telephone 0303 123 1113
• • European Data Protection Authorities if you are located in the EU

You have the right to lodge a complaint without first contacting us, though we welcome the opportunity to resolve concerns directly where possible.

12. Security Measures and Breach Response

We implement comprehensive technical and organisational security measures including:

• • Regular security audits by independent penetration testing specialists
• • 24/7 monitoring for suspicious activity or attempted breaches
• • Incident response procedures for immediate containment and investigation
• • Staff security training and background checking for all personnel
• • Backup and disaster recovery systems across multiple secure locations

In the unlikely event of a data breach that poses risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, unless encryption or other safeguards mean there is no realistic risk of harm.

13. Changes to This Privacy Policy

We review this Privacy Policy annually and update it when necessary to reflect changes in law, technology, or our operational practices. Significant changes will be highlighted prominently on our website and, where possible, we will notify active users directly.

Previous versions of this policy are archived and available on request for transparency and accountability purposes.