Security & privacy

How a report stays private until it doesn't have to be.

The product's privacy properties are not a marketing feature. They are the design constraint that makes any of this make sense for the person reporting.

Threshold matching

A single report does not unlock a single report.

When a report is submitted, it is compared against existing reports for the same employer using a structured set of fields — location, time period, role, type of harm — without exposing the narrative text. If the count of matching reports is below the configured threshold for that employer, the report stays sealed: no human at Unhush, no firm, and no organizer can read it.

The matching threshold is set at the employer-or-pattern level, not at the individual report level. This is the single most important property of the system: your report is never the thing that exposes you. If the threshold is reached, it is because other people, independently, described the same situation.

Example threshold of 5 reports

Each dot is a report at the same employer. The first nine remain sealed. Once the fifth match arrives, a group forms — and only then are reporters told that they are not alone.

What this site does not store

An absence list, kept short on purpose.

  • No accounts.

    Reporting does not require a sign-up. A reporter receives a private status link instead of an account, and that link is the only way back in.

  • No analytics on the reporting flow.

    The reporting pages do not run third-party analytics, ad pixels, or session replay. The marketing pages you are reading now also do not.

  • No raw IPs in long-term logs.

    Operational logs are kept short and IP addresses are not retained alongside report contents. Aggregate request volume is what we keep; individual visit history is not.

  • No narrative content below the threshold.

    The text or voice of an unmatched report is encrypted at rest and cannot be read by Unhush staff, by a firm, or by an organizer. Matching is performed against structured fields, not against the narrative.

  • No automatic forwarding.

    Crossing the threshold forms a group. It does not send the group anywhere. Every onward step requires the reporter's explicit, in-flow choice — including the choice to talk to a firm at all.

Legal handoff

How vetted legal partners gain access.

Plaintiff firms and organizers do not browse Unhush. They are introduced to specific matched groups, after specific conditions, and only after the reporters in those groups have opted to be introduced. Access is conditional and revocable.

01 — Vetting

Code of conduct, evidentiary standards.

Partners agree in writing to handling standards for reporters and to evidentiary practices that match the way Unhush packages a group.

02 — Match-bound access

Only the group, never the queue.

A partner sees the group they were introduced to, with employer context and the structure of the matching pattern. They do not browse other reports or other groups.

03 — Reporter-controlled

Every onward step is opt-in.

Identity disclosure, voice or text content, and any direct conversation with the partner happen only when the individual reporter chooses, and can be paused.

04 — Auditable

What was accessed, by whom, when.

Access to a group leaves an audit record visible to Unhush. Misuse ends partner status; ending partner status ends access immediately.

For security researchers & privacy advisors

Tell us what we got wrong.

We want this page, and the system it describes, to be picked apart by people who do this work. If you find a property you would change, write to us. We treat security correspondence as priority mail.

hello@unhu.sh