Ethix

Privacy Policy

Last updated: March 5, 2026

1. Introduction

Ethix, operated by Joneslabs (“we,” “us,” or “our”), provides a multi-tenant ethics reporting and compliance management platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Ethix platform, including our website, reporting tools, embeddable widgets, and related services (collectively, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this policy. If you are submitting a report on behalf of your employer’s ethics program, your employer’s organization (“Customer”) is the data controller for the report content, and Ethix acts as a data processor.

2. Information We Collect

2.1 Report Submissions

When you submit an ethics report, we collect the information you provide in the report form, which may include:

  • Category of concern
  • Narrative description of the incident
  • Date, location, and individuals involved
  • Supporting evidence (file attachments, if provided)
  • Email address (only if you voluntarily provide it; reports may be submitted anonymously)

Anonymous reports do not require any personally identifiable information. We do not attempt to identify anonymous reporters.

2.2 Case Secret Tokens

Upon submission, you receive a unique case secret token. This token is the sole credential used to access your report. We do not associate case secrets with browser fingerprints, device identifiers, or user accounts.

2.3 Authenticated Users

For case managers, organization administrators, attorneys, and platform administrators who sign in via SSO or email authentication, we collect:

  • Name and email address
  • Organization membership and role
  • Authentication provider identifiers (e.g., WorkOS user ID)
  • Session data (encrypted, cookie-based)

2.4 Automatically Collected Information

We automatically collect limited technical information to operate and secure the Service:

  • IP address (logged in audit records for security and compliance purposes)
  • Browser type and operating system
  • Pages visited and actions taken within the Service
  • Timestamps of access

We do not use third-party analytics trackers, advertising pixels, or social media tracking scripts on the reporting interface.

3. How We Use Your Information

We use the information we collect to:

  • Process and route ethics reports to authorized reviewers within the applicable Customer organization
  • Enable two-way communication between reporters and case managers
  • Send notifications about case status updates (if an email address is provided)
  • Maintain immutable audit trails as required by regulatory frameworks (SOX Section 301, EU Whistleblower Directive)
  • Detect and prevent fraud, abuse, and unauthorized access
  • Improve and maintain the security of the Service

We do not use report content for advertising, marketing, model training, or any purpose unrelated to the ethics compliance function.

4. Data Sharing and Disclosure

We share information only in the following circumstances:

4.1 With the Customer Organization

Report content is shared with authorized personnel within the Customer organization that operates the reporting channel you used, including designated case managers, organization administrators, and (if configured) the linked attorney. Access is controlled on a case-by-case basis.

4.2 With Linked Attorneys

If a Customer organization has linked an attorney or law firm, escalated reports may be shared with that attorney under attorney-client privilege protections. Attorney access is logged in the audit trail.

4.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request. We will notify the affected Customer organization unless prohibited by law.

4.4 Service Providers

We use a limited number of service providers to operate the platform (e.g., cloud hosting, email delivery, authentication). These providers are contractually bound to use data only for providing services to us and are subject to confidentiality obligations.

We do not sell, rent, or trade personal information to third parties.

5. Data Security

We employ the following measures to protect your data:

  • Encryption at rest: All sensitive data (reporter identity, case narrative, attachments, internal notes) is encrypted using AES-256 with per-tenant encryption keys
  • Encryption in transit: All connections use TLS 1.2 or higher
  • Tenant isolation: Each Customer organization’s data is logically isolated using row-level security policies; encryption keys are separated per tenant
  • BYOK support: Enterprise customers may supply their own encryption keys via AWS KMS, Azure Key Vault, or HashiCorp Vault
  • Audit logging: All access to reports, messages, and personally identifiable information is recorded in immutable, hash-chained audit logs
  • Access control: Role-based access control with case-level permissions; only assigned reviewers and the reporter (via case secret) can access case details

6. Data Retention

Report data is retained in accordance with the Customer organization’s configured retention policy. The default retention period is seven (7) years, consistent with common regulatory requirements. Customer organizations may configure shorter or longer retention periods.

Audit logs are retained for the full retention period and cannot be modified or deleted. When the retention period expires, report data is securely deleted, but audit log summaries may be retained for compliance purposes.

Legal holds may override standard retention policies when applicable.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

7.1 For Reporters

  • Access: You may access your report at any time using your case secret
  • Correction: You may provide updated or corrected information through the case messaging thread
  • Deletion: Requests for deletion of report data are subject to the Customer organization’s retention policy and any applicable legal hold requirements

7.2 For Authenticated Users

  • Access and portability: You may request a copy of your personal data by contacting your organization administrator or our support team
  • Correction: You may update your account information through your organization’s SSO provider or by contacting your administrator
  • Deletion: Account deletion requests should be directed to your organization administrator. Audit log entries associated with your actions are retained for compliance purposes

7.3 GDPR and EU Residents

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation, including the right to lodge a complaint with your local data protection authority. The Customer organization is the data controller; Ethix acts as a data processor under a Data Processing Agreement.

8. Anonymous Reporting Protections

We are committed to protecting the anonymity of reporters who choose not to identify themselves:

  • No account creation or authentication is required to submit a report
  • We do not use browser fingerprinting, tracking pixels, or persistent cookies on the reporting interface
  • IP addresses are recorded in audit logs for security purposes but are not used to identify anonymous reporters and are not shared with Customer organizations
  • Case secrets are the sole access credential and are not linked to any user identity

9. Cookies and Tracking

The Service uses only essential cookies required for functionality:

  • Session cookie: An encrypted, HTTP-only session cookie for authenticated users. This cookie is not set for anonymous reporters.

We do not use advertising cookies, third-party analytics services, or cross-site tracking on any part of the Service.

10. Children’s Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information.

11. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States. We implement appropriate safeguards for international transfers, including Standard Contractual Clauses where required by applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Customer organizations of material changes via email or in-platform notification at least thirty (30) days before the changes take effect. The “Last updated” date at the top of this page indicates the most recent revision.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Ethix by Joneslabs

Email: [email protected]

Web: ethix.joneslabs.org