Privacy Policy

How we protect your anonymity

Last updated: April 2026

1. Overview

LEAK ("the Platform", "we", "us") is a whistleblowing service designed to allow individuals to submit sensitive information to investigative journalists without revealing their identity. This Privacy Policy explains what data we collect, how we use it, and the technical measures we take to protect you.

This platform is operated in the public interest. We collect the minimum possible data required to route your submission to a journalist and allow secure follow-up communication. We do not monetise your data, share it with advertisers, or retain it beyond what is necessary.

2. What we do not collect

The following information is never collected or stored by LEAK:

  • Your name, email address, phone number, or any other personal identifier
  • Your IP address — we do not log IP addresses at any point during submission or case lookup
  • Your device fingerprint, browser type, or operating system details for tracking purposes
  • Cookies or tracking pixels linked to your identity
  • Your Case Code in plaintext — only a one-way cryptographic hash is stored

3. What we do collect

When you submit a case, the following data is stored:

  • The content of your submission — encrypted using end-to-end encryption before storage (see Section 5)
  • The category and Nigerian state you selected
  • Any files you attached, after metadata stripping (see Section 6)
  • A bcrypt hash of your Case Code — a one-way fingerprint used to verify you later
  • The date and time the submission was created
  • A newsroom assignment (which partner organisation received your submission)

When you send or receive messages via the platform, those messages are also stored encrypted and are only decryptable by the assigned journalist and, where applicable, you via your Case Code.

4. Your Case Code

When you submit, LEAK generates a unique four-word Case Code (e.g. bridge-farm-cold-night). This code is your only identifier. It works like a password — it lets you return to check your submission status and communicate with your journalist.

The raw Case Code is never stored. The moment it is generated, only a bcrypt hash (a one-way transformation) is written to the database. Even if our database were fully compromised, no one could reverse the hash to recover your code or link it back to you.

If you lose your Case Code, we cannot recover it for you. There is no account recovery mechanism by design.

5. Encryption

All submission content (your description, and all messages in the conversation thread) is encrypted using NaCl box encryption (TweetNaCl, XSalsa20-Poly1305) before being written to our database. Encryption uses the server's public key together with an ephemeral keypair generated fresh for each message.

This means:

  • The content stored in the database is ciphertext — unreadable without the private key
  • Platform operators and database administrators cannot read your submission
  • Only the journalist assigned to your case can decrypt and read the content
  • The nonce (random value used in encryption) is stored alongside the ciphertext but is useless without the private key

The server's keypair is generated once at setup and stored only in the server environment. It is never committed to version control or exposed publicly.

6. File metadata stripping

Files you upload (images, PDFs, documents) can contain hidden metadata that may identify you — for example, the GPS coordinates of where a photo was taken, the author field of a Word document, or the device serial number embedded in an image.

LEAK automatically strips this metadata before storing any file:

  • Images (JPEG, PNG, TIFF, WebP): EXIF data, GPS tags, and device metadata are removed using the Sharp image processing library
  • PDF files: Document properties including author, creator, subject, and modification history are cleared
  • All other file types are stored as uploaded — we recommend removing metadata manually before uploading

Files are stored in a private, access-controlled bucket. They are not publicly accessible. Only authenticated journalists at the assigned newsroom can download them.

7. Audit logs

LEAK maintains an internal audit trail of significant events on each submission — for example, when it was received, when it was assigned, and when a journalist downloaded a file. This log is used to ensure accountability among journalists using the platform.

Audit log entries may include a hashed (not raw) version of the journalist's IP address for internal security purposes. Audit logs are never exposed to whistleblowers or the public.

8. Data retention

We retain submission data for as long as the case is active and for a reasonable period thereafter to allow published investigations to be supported with source records if challenged.

Submissions marked as Archived or Rejected by a journalist are eligible for deletion after 12 months. You may request early deletion of your submission by contacting a partner newsroom directly with your Case Code as proof of ownership.

9. Third-party services

LEAK relies on the following third-party infrastructure:

  • Supabase (PostgreSQL database and file storage) — hosted on AWS EU West (Ireland). Supabase does not have access to encrypted content.
  • Vercel or equivalent Next.js hosting provider — processes HTTP requests. Server logs are governed by the hosting provider's own privacy policy.

We do not use any analytics services, advertising networks, or social media tracking pixels.

10. Your rights

Because LEAK does not link your submission to an identity, we cannot respond to data subject access requests in the traditional sense — we have no way to verify who you are. If you need to exercise rights over your submission specifically, your Case Code serves as proof of ownership.

If you believe your submission should be deleted or corrected, contact the assigned newsroom. Journalists at partner newsrooms are subject to their own editorial privacy standards.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the platform after an update constitutes acceptance of the revised policy.

12. Contact

LEAK is operated in partnership with its four partner newsrooms. If you have questions about this Privacy Policy or how your data is handled, you may reach out through any of the partner newsrooms' editorial contact channels.
