Privacy Policy

Updated on April 2, 2026.

This is a statement pursuant to the EU’s General Data Protection Regulation (2016/679; GDPR) on the processing of personal data.

This privacy policy covers the following services provided by Duckling Codehouse Oy:

  • the MyBioethics mobile application
  • the MyBioethics.com website (including subdomain get.mybioethics.com).

The services are hereinafter referred to collectively as the “Service”.

For context and additional detail, please also review the related Terms of Use of the Service.  

1. Controller  

Name: Duckling Codehouse Oy

Business ID: 3182841-7

Address: Pirkankatu 21 A 9, 33230 Tampere, Finland

Email address: info@mybioethics.com

2. The purpose and basis for personal data processing

The personal data saved in Duckling Codehouse Oy’s customer registers are processed for the following purposes:

  • enabling the use of the Service
  • the maintenance and development of the Service
  • using the data collected in the Service for academic research purposes in cooperation with research teams and projects (in anonymized form)
  • studying and analysing the use of the Service and compiling statistics related to its use
  • the implementation of legal rights and obligations, and for data protection purposes and preventing the abuse of the Service

The legal bases for processing are:

  • Contractual relationship: Processing necessary to provide the Service to registered users (account management, content hosting, notifications).
  • Consent: Voluntary submissions such as bioethics stories, feedback, and requests to join the mailing list or hall of fame. Data subjects may withdraw consent at any time.
  • Legitimate interest: Security monitoring, spam prevention, abuse detection, and service analytics.

Data subjects have the right to withdraw their consent at any time, provided that the processing of their personal data is based on consent. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

3. The personal data processed

The controller collects only personal data which is relevant and necessary for the purposes of use specified in this privacy statement.

The content of the register may consist of the following data:

  • name;
  • email address;
  • the data subject’s home country;
  • password, user ID and any nickname used in the Service;
  • data saved in the context of using the Service, such as
      • the time when the application was last used
      • details on the type of a device and its operating system
      • the type and version of the data subject’s browser;
  • IP address;
  • communication taking place via the Service, such as discussions, comments and participation in polling/the responses given, personal bioethics stories containing text and images;
  • any contacts made towards the controller, including requests to be included in the mailing list for MyBioethics research updates or to be listed in the hall of fame, and any feedback given.

4. Data sources

Any data provided by data subjects themselves and any data collected and formed in connection to the Service’s use.

5. Cookies and related services

The Service uses cookies and related services as indicated in more detail in 5.1. The data obtained by the cookies and related services is used to improve the functionality of the Service as well as to analyse user experiences and improve them. If you want to, you can block the use of cookies through your browser settings. However, please note that if you block the use of all cookies, this may have an impact on the functioning of the Service. For further information on how to manage cookies, see, for example, https://aboutcookies.org/.

The Service uses services provided by third parties. The services of third parties are subject to their own terms and conditions and data protection policies. You can read more about each service provider’s operations as well as cookie and data protection policies on their respective websites.

5.1 More detailed description of the cookies and related services we use

5.1.1 Wordfence service

We use the Wordfence service to protect the MyBioethics.com website from misuse and security breaches. To this end, the service monitors technical user behavior and the origins of the website visitors (for example their IP addresses). It is particularly noteworthy that Wordfence utilizes a global network to protect websites from malicious activity. You can review the Privacy Policy of Wordfence (https://www.wordfence.com/privacy-policy/).

5.1.2 Google’s reCAPTCHA service

We use Google’s reCAPTCHA v2 service to prevent spam on our website. You can review the Privacy Policy (https://policies.google.com/privacy) and the Terms of Use (https://policies.google.com/terms) of this service.

5.1.3 WPForms service

To facilitate a consistent user experience and functioning of the MyBioethics.com website, WPForms will connect user profiles with the forms used on the website. Besides this, WPForms assigns every user a UUID (Universally Unique Identifier). The UUID is a random number that does not contain any user information, and is stored in a cookie in the user’s browser. The UUID will further help to connect different form entries by the same user together. WPForms also collects users’ IP addresses and general information regarding the types of their browsers and operating systems. WPForms will be particularly utilized to publicly show anonymous user votes regarding ethical cases, which will be further categorized by country depending on the profiles of the users who have voted.

5.1.4 Comments

When visitors leave comments on the MyBioethics.com website, we collect the data shown in the comments form and also the visitor’s IP address and browser user agent string to help with spam detection. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your chosen public name, or nickname, together with your profile picture (if you have one) are visible to the public in the context of your comment.

5.1.5 Media with embedded location data

If you upload images to the Service, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the MyBioethics.com website can download and extract any location data from images on the website.

5.1.6 Embedded content from other services

Please also note that parts of our Service may include embedded content (e.g. videos, images, articles, etc.) from other services. Embedded content from other services, most notably websites, behaves in the exact same way as if the visitor had visited these services. These services may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with the embedded content. Generally speaking, we avoid using such embedded content and seek to notify you of its use when it happens.

5.1.7 Other relevant aspects regarding cookies and related services

If you have an account and you log in to the MyBioethics.com website, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. By default, your login cookies will persist for one year. If you log out of your account, the login cookies will be removed.

We will also use a set of cookies to register your interaction with our cookie policy. These cookies will expire in one year.

6. Data collection relating particularly to the MyBioethics mobile application

The full nature of the Service is that it integrates the MyBioethics.com website and the MyBioethics mobile application together. Thus, it is integral to address both parts of the Service at the same time. For the sake of clarity, however, this section addresses data collection relating more directly to the MyBioethics mobile application.

When data subjects install the MyBioethics mobile application either through Apple App Store (for iOS) or Google Play Store (for Android), they consent to the terms of these services. Particularly noteworthy is that this means consenting to the policies these services have regarding gathering data on application installations and other such general usage relating to the application.

The Service utilizes the OneSignal service for sending notifications to the mobile devices of the data subjects who have installed the MyBioethics mobile application. You can review the Privacy Policy of OneSignal (https://onesignal.com/privacy_policy). You can turn off the notifications from your mobile device settings or by uninstalling the application. To support the OneSignal service, we will also utilize the Firebase service by Google. You can review the Privacy Policy of Firebase (https://firebase.google.com/support/privacy).

The Service utilizes the Airtable service to support background functionality of the application (regarding content delivery). You can review the Privacy Policy of Airtable (https://airtable.com/privacy).

The Service utilizes the Cloudinary service to support background functionality of the application (regarding content delivery). You can review the Privacy Policy of Cloudinary (https://cloudinary.com/privacy).

Personal bioethics stories submitted through the MyBioethics mobile application and published after moderation on the MyBioethics.com website contain text and potentially also images by data subjects. This content will be shown publicly and associated with an alias the user can choose when submitting a story. Please see 5.1.5 to take into account that you should avoid uploading images that contain embedded location data.

Furthermore, based on the user’s request and qualifications set by the Service, the user’s alias can be shown publicly in the hall of fame on the MyBioethics.com website, together with the date the alias was added.

Please also note that the MyBioethics mobile application will save your application settings locally on your mobile device and will also keep track locally of your usage of the application to offer you a more consistent user experience. This data is not accessible to us and it will typically be deleted when you delete the application from your mobile device. This also means that if you install the application again, for example on a new device, you will need to adjust your settings again. This does not, however, affect your activity on the MyBioethics.com website (such as dilemma voting).

7. Disclosure of the data

Personal data may be disclosed for legitimate purposes. Such disclosure is subject to the requirements of the valid personal data legislation. Personal data are not disclosed outside of service providers and partners working for the controller except in accordance with an agreement, separate consent and/or explicit regulations.

The data may be disclosed to partners and subcontractors involved in the implementation of the Service, such as the providers of internet and email services, payment services and those involved in the application’s marketing. In addition, the collected data may be disclosed to parties participating in the analysis of the data.

The controller may disclose personal data for the purposes of scientific studies. Such studies may rely on both quantitative and qualitative methodologies. In such cases, the personal data are processed in accordance with the provisions concerning research purposes in the EU’s GDPR and the national data protection legislation. For research purposes, the data is anonymised, i.e. rendered into a format from which individuals cannot be identified.

The data subjects’ data may also be disclosed in the manner required by competent authorities or other parties, based on valid legislation, or for the purpose of monitoring and ensuring compliance with the Service’s terms of use and for ensuring the safety of the Service.

Personal data are not disclosed to third parties for their marketing purposes. Third-party service providers involved in the implementation of the Service (see Sections 5 and 6) process data solely on behalf of the controller and in accordance with their own privacy policies.

When new users register for the Service, their account details (public name, username, and e-mail address) become reserved for the Service. This means that other users who might try to register with any of the same details will see an error indicating that these details have already been registered for the Service. The same mechanism applies to the password reset functionality of the Service.

8. Transfer of personal data outside the EU or the EEA

Parts of the Service’s technical infrastructure are provided by companies based in the United States, including Wordfence, Google (reCAPTCHA, Firebase), OneSignal, Airtable, and Cloudinary. Personal data may be transferred to these providers as part of the normal operation of the Service. These providers’ data protection practices and transfer mechanisms are described in their own privacy policies (see Sections 5 and 6 for links).

The controller minimizes international data transfers by collecting only data necessary for the Service’s operation. Where personal data is disclosed for research purposes, it is anonymized prior to any transfer.

9. Protection of personal data

The controller processes the data in a manner aiming to ensure the appropriate safety of the personal data, including their protection against unauthorised processing as well as loss, destruction or damage.

The controller applies the appropriate technical and organisational measures to ensure the achievement of this objective, including the use of firewalls, encryption techniques and safe device data, appropriate access control, the careful administration of credentials for information systems and instructions provided to the personnel taking part in the processing of personal data.

10. Data subjects’ rights

Right of access

Data subjects have the right to check the data on themselves saved in the registers. This right can be denied on the basis of grounds provided for in the law.

Right to rectification

Data subjects have the right to demand the rectification of inaccurate data.

Right to erasure (‘right to be forgotten’)

Data subjects have the right to demand the erasure of their data. The controller may only erase the data concerning a data subject whose storage period is not based on a valid customer relationship or legislation.

Right to restriction of processing

Data subjects have the right to request that processing of their data be restricted in a situation where, for instance, a data subject disputes the accuracy of their personal data.

Right to data portability

Data subjects have the right to obtain, in a machine-readable format, any data they themselves have provided to the controller.

Right to lodge a complaint with a supervisory authority

Data subjects have the right to lodge a complaint with a supervisory authority if the controller has failed to comply with the applicable data protection regulations in its operations.

11. Storage of data

User accounts and profiles (name, email, country, user ID, nickname): Retained for as long as the user’s account remains registered with the Service. Users may request account deletion at any time (see Section 10). Upon account deletion, account data is deleted within 30 days, except where retention is required by law.

User-generated content (bioethics stories, discussion comments, dilemma votes, survey responses): Retained for the operational lifetime of the Service, as this content constitutes the core function of the Service. Published stories associated with a user-chosen alias may remain publicly visible after account deletion, as they are pseudonymous. Users may request removal of their own content at any time. Upon account deletion, remaining attributable content may be pseudonymized (e.g., username replaced with a generic label).

IP addresses collected with comments and form submissions: Retained for a maximum of 12 months, then deleted. IP addresses are collected for spam detection and abuse prevention purposes.

Contact requests and feedback: Retained for a maximum of 36 months, then deleted.

Security logs (Wordfence): Live traffic data retained for a maximum of 30 days. See Wordfence Privacy Policy: https://www.wordfence.com/privacy-policy/

Cookies: Login cookies persist for one year or until logout. Cookie consent cookies expire after one year. See Section 5.1.7 for details.

Mobile application local data: Stored on the user’s device only and deleted when the application is uninstalled. Not accessible to the controller (see Section 6).

Third-party service providers (OneSignal, Firebase, Airtable, Cloudinary, Google reCAPTCHA): Data processed by these services is subject to their own retention policies. See Sections 5 and 6 for links to their privacy policies.

Data used for scientific research (see Section 7): Data disclosed for research purposes is anonymized prior to disclosure. Anonymized data, from which individuals cannot be identified, is not subject to GDPR retention limits.

Storage periods comply with applicable legislation and any instructions issued by the authorities.

12. Changes to the privacy statement

Due to the continuous development of the Service, we reserve the right to change this privacy statement by publishing new versions of it. The changes can also be based on amendments to legislation pertaining to data protection. Should the data protection policies change in a material way, the controller announces the changes in advance in the Service and, if necessary, requests the consent of data subjects. Users are advised to familiarise themselves with the content of the privacy statement at regular intervals.

13. Contact information

Requests pertaining to the registers and data subjects’ rights should be sent via our support contact form or email to info@mybioethics.com or by mail to Duckling Codehouse Oy, Pirkankatu 21 A 9, 33230 Tampere, Finland. Data subjects should include their contact details, but not their personal identification number.