Privacy Notice
About this Privacy Notice
This Privacy Notice explains how personal data is collected, used, stored, and protected when you use the reporthate.scot online service.
You should read this Privacy Notice alongside:
- The reporthate.scot Terms and Conditions
- The reporthate.scot Cookies Statement
What is reporthate.scot?
reporthate.scot is an online platform that allows individuals to report hate-related incidents occurring in Scotland.
The service is designed to:
- Make reporting easier and more accessible
- Allow users to report anonymously if they choose
- Capture information about hate incidents that may not meet the legal threshold of a crime
- Support better understanding of hate through anonymised data
- Provide signposting to relevant support organisations
reporthate.scot is not an emergency service and does not replace reporting to Police Scotland.
Who we are
reporthate.scot is operated by:
- Organisation Name: REPORTHATE.SCOT CIC
- Legal Status: Community Interest Company
- Contact Email: info@reporthate.scot
For data protection purposes, reporthate.scot acts as the Data Controller.
What personal data we collect
Depending on how you use the service, we may collect the following:
Personal Data
- Name (optional)
- Email address (required for all submissions, see Email verification below)
- Phone number (optional)
- Location of the incident (e.g. postcode or area)
- Date and time of incident
- Description of the incident
Special Category Personal Data (optional)
Users may voluntarily provide information relating to:
- Race or ethnicity
- Religion or belief
- Disability
- Sexual orientation
- Gender identity
- Other protected characteristics
You are not required to provide special category data to submit a report.
How we use your data
We use personal data to:
- Receive and process hate-related incident reports
- Understand patterns and trends in hate incidents
- Produce anonymised statistics and reports
- Contact you only where you have asked us to do so
- Signpost you to relevant support services
We do not sell personal data or use it for marketing.
Who we share your data with
We use a small number of trusted service providers (data processors) to run the platform. They process data only on our instructions and under contract:
- Supabase - secure database and file storage (EU, Ireland)
- Vercel - website hosting and content delivery
- Clerk - authentication for the administrative area
- Resend - sending verification and notification emails
- Upstash - rate limiting to protect the service from abuse
- PostHog - privacy-friendly, cookieless usage analytics
- Stripe - processing donations, if you choose to donate
- Sentry - error monitoring to keep the service reliable
- VirusTotal - scanning uploaded evidence for malware
Where you have given consent, anonymised report data may also be shared with relevant organisations such as councils and support services so they can better understand and respond to hate in Scotland.
We may also disclose information where we are required to do so by law.
Anonymity and sharing choices
When submitting a report, you can choose:
- To submit anonymously
- Whether your report may be shared with relevant organisations
- Whether anonymised data may be used for research or reporting
Your choices are respected and recorded.
Email verification
All submissions require a working email address. We use it to send a one-time verification link so we can confirm the submission is from a real person and protect the service from automated abuse.
For named reports, the email address forms part of your contact details and is stored in line with the retention period set out below. For anonymous reports, the email address is used solely to verify the submission and is not stored alongside or linked to the report.
Lawful basis for processing
Under UK GDPR, our lawful bases are:
Personal Data
- Article 6(1)(e) - task carried out in the public interest
- Article 6(1)(a) - consent (where applicable)
Special Category Data
- Article 9(2)(g) - substantial public interest
- Data Protection Act 2018, Schedule 1 - preventing and addressing discrimination and hate
Data storage and security
- Data is stored securely in Supabase PostgreSQL (EU region) with access restricted to authorised personnel
- All data transmissions use HTTPS encryption
- Uploaded evidence is stored in a private, siloed storage bucket with signed URLs
- Row Level Security policies enforce role-based data access at the database level
International data transfers
Your personal data is primarily stored within the European Economic Area (our database and file storage are hosted in Ireland). Some of our service providers are based outside the UK and EEA, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards under UK data protection law, such as adequacy regulations or standard contractual clauses.
Data retention
Personal data is retained only for as long as necessary.
Indicative retention periods:
- Identifiable reports: 60 months
- Anonymised data: retained longer for statistical purposes
Retention schedules will be reviewed regularly.
Your rights
Under UK GDPR, you have the right to:
- Be informed
- Access your data
- Rectify inaccuracies
- Request erasure
- Restrict processing
- Object to processing
- Withdraw consent
To exercise your rights, contact: info@reporthate.scot
Complaints
If you are unhappy with how your data has been handled, you may complain to:
Information Commissioner's Office (ICO)