Universal Reporting Policy
Effective Date: [EFFECTIVE DATE] Last Updated: [LAST UPDATED] Version: 1.0
This Universal Reporting Policy consolidates all reporting obligations, channels, and procedures across the KidStarter ecosystem. It applies to all Users, employees, contractors, partners, and any person who becomes aware of a reportable concern. It forms part of the Agreement (see Terms of Service).
1. Purpose
KidStarter is committed to a culture of transparency, accountability, and swift action. This Policy ensures that every concern — whether it relates to child safety, fraud, data breaches, policy violations, legal compliance, or workplace misconduct — has a clear reporting pathway, defined timelines, and protection for reporters.
2. Reportable Concerns
The following categories of concerns should be reported through the applicable channel:
| Category | Examples | Priority |
|---|---|---|
| Child Safety | CSAM, grooming, solicitation, identifying information exposure, abuse/neglect suspicion | CRITICAL — Immediate |
| Data Breach / Security Incident | Unauthorized access, data exposure, account compromise, system intrusion | CRITICAL — Immediate |
| Fraud | False campaigns, forged documents, impersonation, financial manipulation, donation fraud | HIGH — Within 24 hours |
| Content Violations | Hate speech, harassment, threats, privacy violations, IP infringement | MEDIUM — Within 48 hours |
| Policy Violations | Terms of Service breaches, Community Guidelines breaches, misuse of funds | MEDIUM — Within 48 hours |
| Legal and Regulatory Concerns | AML/sanctions concerns, bribery, corruption, regulatory non-compliance | HIGH — Within 24 hours |
| Discrimination and Harassment | Workplace or platform discrimination, harassment, retaliation | HIGH — Within 24 hours |
| Whistleblower Disclosures | Any wrongdoing by KidStarter, its employees, partners, or contractors | HIGH — Within 24 hours |
| Accessibility Issues | Barriers to access for users with disabilities | STANDARD — Within 5 business days |
| General Complaints | Service quality, billing disputes, account issues | STANDARD — Within 5 business days |
3. Reporting Channels
3.1 For All Users (External)
| Channel | How to Use | Best For |
|---|---|---|
| In-App Report Button | Click "Report" on any Campaign, comment, update, or user profile | Content violations, child safety, harassment |
| Email: [REPORT LINK OR EMAIL] | Send email with details and evidence | All reportable concerns |
| Email: [PRIVACY EMAIL] | Privacy and data protection concerns | Data breaches, privacy violations, data subject requests |
| Email: [SECURITY EMAIL] | Security vulnerabilities and incidents | Security issues, account compromise |
| Email: [DMCA EMAIL] | Intellectual property complaints | Copyright/trademark infringement |
| Email: [SUPPORT EMAIL] | General support and complaints | Billing, account issues, general complaints |
| Urgent Child Safety | Email [REPORT LINK OR EMAIL] with subject "URGENT: CHILD SAFETY" | Immediate child safety threats |
3.2 For Employees and Contractors (Internal)
| Channel | How to Use | Best For |
|---|---|---|
| Internal Reporting System | [INTERNAL TOOL/URL] | All internal concerns, policy violations, misconduct |
| Direct Manager | Verbal or written report to your direct manager | Routine operational concerns |
| Whistleblower Channel | [WHISTLEBLOWER EMAIL OR TOOL] — may be used anonymously | Serious misconduct, legal violations, retaliation concerns |
| Legal Team | [LEGAL EMAIL] | Legal and regulatory concerns, litigation holds |
| DPO (if appointed) | [DPO EMAIL] | Data protection concerns, DPIA requests |
3.3 External Authorities
In addition to internal channels, reports may be made directly to external authorities. KidStarter does not discourage and will not retaliate against reports made to:
| Authority | Jurisdiction | Purpose |
|---|---|---|
| NCMEC CyberTipline (1-800-843-5678 / CyberTipline.org) | US | Child exploitation |
| Internet Watch Foundation (IWF) (iwf.org.uk) | UK | Child exploitation |
| INHOPE Network (inhope.org) | EU/Global | Child exploitation |
| Canadian Centre for Child Protection (cybertip.ca) | Canada | Child exploitation |
| Local Law Enforcement (911/999/112) | All | Imminent danger, criminal activity |
| ICO (ico.org.uk) | UK | Data protection complaints |
| EU Supervisory Authorities (edpb.europa.eu) | EU/EEA | Data protection complaints |
| FTC (ftc.gov) | US | Consumer protection, COPPA |
| Office of the Privacy Commissioner (priv.gc.ca) | Canada | Privacy complaints |
| State Attorneys General | US | State consumer protection/privacy |
| Financial Intelligence Units (FinCEN, NCA, FINTRAC, EU FIUs) | All | Suspicious financial activity |
4. How to Make a Report
4.1 What to Include
To help us investigate effectively, please include as much of the following as possible:
- Your contact information (optional — anonymous reports are accepted for all categories);
- What happened — a clear description of the concern;
- When it happened — dates, times, and timeline;
- Where — URLs, Campaign names, account identifiers, or system locations;
- Who is involved — usernames, account names, or descriptions (do not investigate yourself);
- Evidence — screenshots, emails, documents, transaction references;
- Impact — who is affected and how, especially if minors are involved.
4.2 Anonymous Reporting
All reporting channels accept anonymous reports. However, anonymous reports may limit our ability to investigate fully or to follow up with the reporter. Where possible, we encourage providing at least an email address for follow-up.
5. Response Timelines
| Priority | Acknowledgment | Investigation Commencement | Resolution Target |
|---|---|---|---|
| CRITICAL (child safety, data breach) | Within 2 hours during business hours; ASAP outside | Immediate | As fast as possible; interim measures within 24 hours |
| HIGH (fraud, legal, discrimination) | Within 24 hours | Within 24 hours | 14 business days (complex cases may take longer) |
| MEDIUM (content violations, policy breaches) | Within 48 hours | Within 3 business days | 14 business days |
| STANDARD (accessibility, general complaints) | Within 5 business days | Within 5 business days | 30 business days |
Reporters will be updated on the status of their report at reasonable intervals. Due to confidentiality and legal constraints, we may not be able to share all details of an investigation.
6. Investigation Process
6.1. Triage: All reports are logged, assigned a priority, and routed to the appropriate team (Trust & Safety, Security, Legal, HR, or Compliance).
6.2. Conflict of Interest: No person who is the subject of a report, or who has a conflict of interest, may participate in the investigation.
6.3. Evidence Preservation: Relevant data, content, and logs are preserved immediately upon receipt of a report.
6.4. Investigation: The assigned team investigates the report, which may include: document review, system log analysis, interviews, third-party verification, and consultation with legal counsel.
6.5. Decision: A determination is made based on the evidence and applicable policies and law. Decisions are documented.
6.6. Action: Appropriate enforcement actions are taken (see Community Guidelines Section 8 for the graduated enforcement framework).
6.7. Notification: The reporter is notified of the outcome to the extent permitted by law and confidentiality obligations. The subject of the report is notified of any action taken against them.
6.8. Escalation: Critical matters are escalated to senior leadership, legal counsel, and/or external authorities as appropriate.
7. Whistleblower Protections
7.1 Scope
KidStarter's whistleblower protections apply to all Users, employees, contractors, partners, volunteers, and any person who reports a concern in good faith, whether through internal or external channels.
7.2 No Retaliation
KidStarter strictly prohibits retaliation against any person who:
- Reports a concern in good faith, even if the report is ultimately not substantiated;
- Cooperates with an investigation;
- Refuses to participate in conduct they reasonably believe violates law or policy.
Retaliation includes but is not limited to: termination, demotion, suspension, harassment, intimidation, threats, discrimination, account restrictions, or any other adverse action.
7.3 Regulatory Compliance
KidStarter's whistleblower protections are designed to comply with:
- EU Whistleblower Directive (Directive (EU) 2019/1937) — including requirements for internal reporting channels, confidentiality, feedback, and protection from retaliation;
- UK Public Interest Disclosure Act 1998 (PIDA) — protecting qualifying disclosures made by workers;
- US Federal Whistleblower Protections — including Sarbanes-Oxley (where applicable), Dodd-Frank, and applicable state whistleblower laws;
- Canadian Whistleblower Protections — including federal Public Servants Disclosure Protection Act and applicable provincial legislation.
7.4 Confidentiality
The identity of a whistleblower is treated as confidential and will not be disclosed without the reporter's consent, except where disclosure is required by law or is necessary for the investigation (in which case the reporter will be informed in advance where possible).
7.5 Bad Faith Reports
Protections do not extend to reports made in bad faith, with knowledge that the report is false, or for the purpose of harassing or retaliating against another person. Making a knowingly false report may result in disciplinary action or account termination.
8. Mandatory Reporting Obligations
8.1 Child Safety
KidStarter and its employees are committed to reporting suspected child abuse, neglect, and exploitation in accordance with mandatory reporting laws in all jurisdictions where we operate. See Safety & Child Protection Policy Section 4.
8.2 Financial Crime
KidStarter files Suspicious Activity Reports (SARs) with applicable Financial Intelligence Units where required. See Anti-Fraud Policy Section 4.4.
8.3 Data Breaches
KidStarter reports personal data breaches to supervisory authorities and affected individuals where required. See Incident Response & Breach Notice Summary.
9. Record Keeping
9.1. All reports, investigations, decisions, and actions are documented and retained for a minimum of 7 years or longer where required by law.
9.2. Records are stored securely with restricted access, available only to authorized personnel and, where required, supervisory authorities.
10. Training and Awareness
10.1. All KidStarter employees and contractors receive training on this Policy upon onboarding and at least annually thereafter.
10.2. Training covers: how to recognize reportable concerns, how to report, response timelines, whistleblower protections, mandatory reporting obligations, and handling of sensitive information.
11. Governance and Oversight
11.1. The Trust & Safety Lead (or equivalent) has overall responsibility for the operation of this Policy, including report triage, investigation oversight, and escalation.
11.2. The Legal Team provides guidance on legal obligations, regulatory reporting, and whistleblower protections.
11.3. Senior Leadership receives periodic reports on reporting volumes, trends, response times, and enforcement outcomes.
11.4. This Policy is reviewed at least annually and updated to reflect changes in law, regulation, and operational experience.
12. Cross-References
This Policy should be read in conjunction with:
- Safety & Child Protection Policy
- Community Guidelines / Acceptable Use
- Content Moderation & Reporting Policy
- Anti-Fraud Policy
- Incident Response & Breach Notice Summary
- KYC/KYB & Screening Notice
- Privacy Notice
- Complaints Procedure
13. Contact
Report a Concern: [REPORT LINK OR EMAIL] Child Safety (Urgent): [REPORT LINK OR EMAIL] — Subject: "URGENT: CHILD SAFETY" Security Incidents: [SECURITY EMAIL] Privacy: [PRIVACY EMAIL] Whistleblower Channel: [WHISTLEBLOWER EMAIL OR TOOL] General Support: [SUPPORT EMAIL]