Privacy Policy

Updated on July 14, 2022.

This is a statement pursuant to the EU’s General Data Protection Regulation (2016/679; GDPR) on the processing of personal data.

This privacy policy covers the following services provided by Duckling Codehouse Oy:

  • the MyBioethics mobile application
  • the website (including subdomain

The services are hereinafter referred to collectively as the “Service”.

For context and additional detail, please also review the related Terms of Use of the Service.  

1. Controller  

Name: Duckling Codehouse Oy

Business ID: 3182841-7

Address: Pirkankatu 21 A 9, 33230 Tampere, Finland

Email address:

2. The purpose and basis for personal data processing

The personal data saved in Duckling Codehouse Oy’s customer registers are processed for the following purposes: 

  • enabling the use of the Service;
  • the maintenance and development of the Service;
  • using the data collected in the Service for academic research purposes in cooperation with research teams and projects;
  • customer relationship management;
  • studying and analysing the use of the Service and compiling statistics related to its use;
  • customer marketing and other equivalent uses;
  • the implementation of legal rights and obligations, and for data protection purposes and preventing the abuse of the Service.

The legal basis for the processing of the personal data is the consent of a data subject as well as the contractual relationship between the data subject and the controller.  

Data subjects have the right to withdraw their consent at any time, provided that the processing of their personal data is based on consent.

3. The personal data processed

The controller collects only personal data which is relevant and necessary for the purposes of use specified in this privacy statement.

The content of the register may consist of the following data:

  • name;
  • email address;
  • the data subject’s home country;
  • password, user ID and any nickname used in the Service;
  • data saved in the context of using the Service, such as
  • the time when the application was last used
  • details on the type of a device and its operating system
  • the type and version of the data subject’s browser;
  • IP address;
  • communication taking place via the Service, such as discussions, comments and participation in polling/the responses given, personal bioethics stories containing text and images;
  • any contacts made towards the controller, including requests to be included in the mailing list for MyBioethics research updates, or, to be listed in the hall of fame, and any feedback given; and
  • any other data collected at a data subject’s consent.              

4. Data sources

Any data provided by data subjects themselves and any data collected and formed in connection to the Service’s use.

5. Cookies and related services

The Service uses cookies and related services as indicated in more detail in 5.1. The data obtained by the cookies and related services is used to improve the functionality of the Service as well as to analyse user experiences and improve them. If you want to, you can block the use of cookies through your browser settings. However, please note that if you block the use of all cookies, this may have an impact on the functioning of the Service. For further information on how to manage cookies, go to, e.g.:

The Service uses services provided by third parties. The services of third parties are subject to their own terms and conditions and data protection policies. You can read more about each service provider’s operations as well as cookie and data protection policies on their respective websites.

5.1 More detailed description of the cookies and related services we use

5.1.1 Wordfence service

We use Wordfence service to protect the website from misuse and security breaches. To this end, the service monitors technical user behavior and the origins of the website visitors (for example their IP addresses). It is particularly noteworthy that Wordfence utilizes global network to protect websites from malicious activity. You can review the Privacy Policy of Wordfence (

5.1.2 Google’s reCAPTCHA service

We use Google’s reCAPTCHA v2 service to prevent spam on our website. You can review the Privacy Policy ( and the Terms of Use ( of this service.

5.1.3 WPForms service

To facilitate consistent user experience and functioning of the website, WPForms will connect user profiles with the forms used on the website. Besides this, WPForms assigns every user a UUID (Universally Unique Identifier). The UUID is a random number that does not contain any user information, and is stored in a cookie in the user’s browser. The UUID will further help to connect different form entries by the same user together. WPForms also collects users’ IP addresses and general information regarding the types of their browsers and operating systems. WPForms will be particularly utilized to publicly show anonymous user votes regarding ethical cases, which will be further categorized by country depending on the profiles of the users who have voted.


When visitors leave comments on the website, we collect the data shown in the comments form and also the visitor’s IP address and browser user agent string to help spam detection. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: After approval of your comment, your chosen public name, or nickname, together with your profile picture (if you have such) is visible to the public in the context of your comment.

5.1.5 Media with embedded location data

If you upload images to the Service, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

5.1.6 Embedded content from other services

Please also note that parts of our Service may include embedded content (e.g. videos, images, articles, etc.) from other services. Embedded content from other services, most notably websites, behaves in the exact same way as if the visitor had visited these services. These services may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with the embedded content. Generally speaking, we avoid using such embedded content and seek to notify you of its use when it happens.

5.1.7 Other relevant aspects regarding cookies and related services

If you have an account and you log in to the website, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. By default, your login cookies will persist for one year. If you log out of your account, the login cookies will be removed.

We will also use a set of cookies to register your interaction with our cookie policy. These cookies will expire in one year.

6. Data collection relating particularly to the MyBioethics mobile application

The full nature of the Service is that it integrates the website and the MyBioethics mobile application together. Thus, it is integral to address both parts of the Service at the same time. For the sake of clarity, however, this section addresses data collection relating more directly to the MyBioethics mobile application.

When data subjects install the MyBioethics mobile application either through Apple App Store (for iOS) or Google Play Store (for Android), they consent to the terms of these services. Particularly noteworthy is that this means consenting to the policies these services have regarding gathering data on application installations and other such general usage relating to the application.

The Service utilizes OneSignal service for sending notifications for the mobile devices of the data subjects who have installed the MyBioethics mobile application. You can review the Privacy Policy of OneSignal ( You can turn off the notifications from your mobile device settings or by uninstalling the application. To support OneSignal service, we will also utilize Firebase service by Google. You can review the Privacy Policy of Firebase (

The Service utilizes Airtable service to support background functionality of the application (regarding content delivery). You can review the Privacy Policy of Airtable (

The Service utilizes Cloudinary service to support background functionality of the application (regarding content delivery). You can review the Privacy Policy of Cloudinary (

Personal bioethics stories submitted through the MyBioethics mobile application and published after moderation on the website contain text and potentially also images by data subjects. This content will be shown publicly and associated with an alias the user can choose when submitting a story. Please see 5.1.5 to take into account that you should avoid uploading images that contain embedded location data.

Furthermore, based on the user’s request and qualifications set by the Service, the user’s alias can be shown publicly in the hall of fame on the website, together with the date the alias was added.

Please also note that the MyBioethics mobile application will save locally to your mobile device your application settings as well as locally keep track of your usage of the application to offer you more consistent user experience. This data is not accessible to us and it will typically be deleted when you delete the application from your mobile device. This also means that if you install the application again, for example to a new device, you will need to adjust your settings again. This does not, however, affect your activity on the website (such as dilemma voting).

7. Disclosure of the data       

Personal data may be disclosed for legitimate purposes. Such disclosure is subject to the requirements of the valid personal data legislation. Personal data are not disclosed outside of service providers and partners working for the controller except in accordance with an agreement, separate consent and/or explicit regulations.

The data may be disclosed to partners and subcontractors involved in the implementation of the Service, for example, such as the providers of internet and email services, payment services and those involved in application’s marketing. In addition, the collected data may be disclosed to parties participating in the analysis of the data.

The controller may disclose personal data for the purposes of scientific studies. Such studies may rely on both quantitative and qualitative methodologies. In such cases, the personal data are processed in accordance with the provisions concerning research purposes in the EU’s GDPR and the national data protection legislation. For research purposes, the data is anonymised, i.e. rendered into a format from which individuals cannot be identified.

The data subjects’ data may also be disclosed in the manner required by competent authorities or other parties, based on valid legislation, or for the purpose of monitoring and ensuring compliance with the Service’s terms of use and for ensuring the safety of the Service.

Personal data are not explicitly disclosed to third parties for their marketing purposes. However, please note that personal data might be transmitted to the third parties as they participate in the implementation of the Service as outlined in this privacy policy, and part of this data might be used for marketing purposes by the third parties.

Please also note that when new users register for the Service, their account details (public name, username, and e-mail address) become reserved for the Service. This means that other users who might try to register with any of the same details will see an error indicating that these details have already been registered for the Service. The same mechanism applies to the password reset functionality of the Service.

8. Transfer of personal data outside the EU or the EEA

In principle, personal data are not transferred outside the EU or the European Economic Area. If this is nevertheless done, the transfer is carried out in accordance with the decision on the adequacy of data protection given by the European Commission.

9. Protection of personal data

The controller processes the data in a manner aiming to ensure the appropriate safety of the personal data, including their protection against unauthorised processing as well as loss, destruction or damage.

The controller applies the appropriate technical and organisational measures to ensure the achievement of this objective, including the use of firewalls, encryption techniques and safe device data, appropriate access control, the careful administration of credentials for information systems and instructions provided to the personnel taking part in the processing of personal data.

10. Data subjects’ rights

Right of access

Data subjects have the right to check the data on themselves saved in the registers. This right can be denied on the basis of grounds provided for in the law.

Right to rectification

Data subjects have the right to demand the rectification of inaccurate data.

Right to erasure (‘right to be forgotten’)

Data subjects have the right to demand the erasure of their data. The controller may only erase the data concerning a data subject whose storage period is not based on a valid customer relationship or legislation.

Right to restriction of processing                                     

Data subjects have the right to request that processing of their data be restricted in a situation where, for instance, a data subject disputes the accuracy of their personal data.

Right to data portability

Data subjects have the right to obtain, in a machine-readable format, any data they themselves have provided to the controller.

Right to lodge a complaint with a supervisory authority

Data subjects have the right to lodge a complaint with a supervisory authority if the controller has failed to comply with the applicable data protection regulations in its operations.    

11. Storage of data     

The controller stores personal data in the register until the basis for the processing of the personal data comes to an end. Storage periods nevertheless comply with the valid legislation and any instructions issued by the authorities.

12. Changes to the privacy statement

Due to the continuous development of the Service, we reserve the right to change this privacy statement by publishing new versions of it. The changes can also be based on amendments to legislation pertaining to data protection. Should the data protection policies change in a material way, the controller announces the changes in advance in the Service and, if necessary, requests the consent of data subjects. Users are advised to familiarise themselves with the content of the privacy statement at regular intervals.

13. Contact information

Requests pertaining to the registers and data subjects’ rights should be sent via our support contact form or email to or by mail to Duckling Codehouse Oy, Pirkankatu 21 A 9, 33230 Tampere, Finland. Data subjects should include their contact details, but not their personal identification number.