
๐Ÿ›ก๏ธ Staff Rules & Safeguarding Policy

Last Updated: April 5, 2026

This document is publicly visible. Transparency about how our staff operate is a core part of our commitment to user safety.

โ„น๏ธ Why this is public

We publish our staff rules so that users know exactly what standards we hold our team to. If a staff member ever behaves in a way that contradicts these rules, users can reference this document when reporting the issue. Transparency is a safeguarding measure in itself.

Table of Contents

  1. Staff Roles and Access Levels
  2. General Conduct Rules
  3. Safeguarding Architecture
  4. Rules Specific to Minor Users
  5. Point Awards and Financial Incentives
  6. Data Access and Privacy
  7. Communication with Users
  8. Moderation Standards
  9. Reporting Obligations
  10. Whistleblowing
  11. Consequences for Violations
  12. Staff Vetting and Disqualifying Criteria
  13. How to Report a Staff Member
  14. Sexual Misuse of User Content
  15. Conflict of Interest and Owner Conduct

1. Staff Roles and Access Levels

RateMyBody uses a numeric account level system to control what different staff members can do. Higher levels mean more access and more responsibility.

| Level | Role | Capabilities |
|---|---|---|
| Level 10–49 | Moderator / General Admin | Content moderation (approve, remove, flag uploads); user account actions (warn, suspend, ban); access to admin panel; view reports queue; action non-minor tickets. Cannot: Action minor-flagged tickets; manually award points to users under 18; access Safeguarding Lead functions. |
| Level 50–99 | Safeguarding Lead | All Level 10 capabilities, plus: action minor-related tickets/reports (two-person review required); manually award points to minor users (logged, requires reason); review minor-flagged content; NCMEC/law enforcement liaison. Maximum of 2 people hold this role at any time. |
| Level 100 | Owner / Super Admin | Full platform access. Still bound by all safeguarding rules — no exceptions at any level. |

2. General Conduct Rules

All staff members at every level are required to follow these rules at all times, both on and off the platform.

  • Professionalism: Treat all users with respect. Do not mock, belittle, or demean users in any staff channel, admin panel note, or any other context
  • Impartiality: Apply rules consistently and without favouritism. Do not give preferential treatment (faster approvals, point bonuses, reduced moderation) to friends, partners, or users you have a personal interest in
  • No personal relationships with users: Staff are prohibited from entering into sexual, romantic, or intimate relationships with any user of the platform, regardless of claimed consent. The power imbalance between a staff member and a user makes genuine consent questionable
  • Off-platform conduct: Staff conduct off the platform can still reflect on RateMyBody and result in termination. In particular, any off-platform behaviour that harms users or minors is treated as a serious violation regardless of whether RateMyBody's systems were used
  • No sharing of user data: Staff may never share user data (IPs, emails, private content, location info) with any third party other than law enforcement via proper legal process
  • No abuse of access: Admin panel access is for platform moderation only. Browsing private user content for personal gratification, stalking users, or using mod tools to retaliate against users is a termination offence
  • Conflicts of interest: If you have a personal relationship with a user whose content or account is under review, you must recuse yourself and hand the case to another staff member
  • No sexual use of user content: Staff are strictly prohibited from using platform content (photos, videos, uploads) for personal sexual gratification. Accessing user content through admin tools or the public site for the purpose of masturbation or any other sexual act is a gross misconduct offence — see Section 14
  • Confidentiality: Do not share details of moderation decisions, internal discussions, or user information with outside parties
  • Disclosure of criminal history: Any staff member who has a prior conviction for a sexual offence, or who becomes the subject of an investigation for a sexual offence, must disclose this to platform management immediately. Failure to disclose is grounds for immediate termination. A prior conviction for a sexual offence involving a minor is an absolute disqualifier for any staff role — see Section 13

3. Safeguarding Architecture

RateMyBody has put in place structural safeguards to prevent staff from abusing their access, particularly in relation to minor users. These are not just policy rules — many are enforced at system level.

🏗️ Built-In System Controls
  • Minor ticket access restriction: Only Safeguarding Leads (level 50+) can view, claim, or action any ticket or moderation task tagged as involving a user under 18. General admin staff are blocked from these queues at system level
  • Two-person review mandate: Any action on a minor-related case (content removal, account action, NCMEC report) requires approval from both Safeguarding Leads. No single staff member can complete a minor-related action alone
  • Manual point award block: The API endpoint for manual point awards (admin-give-points) checks the target user's date of birth. If the target user is under 18, the request is rejected for any staff below level 50. All attempts (including blocked ones) are written to the error log
  • Immutable audit log: All admin actions are written to an append-only log with staff ID, timestamp, action taken, and target user/content ID. Staff cannot edit or delete log entries. Logs are retained for a minimum of 2 years
  • Weekly log review: Platform ownership reviews the admin action log weekly for anomalies — unusual point awards, repeated access to a single user's profile, pattern actions that may indicate targeted behaviour
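
The manual point award block and the audit logging listed above can be sketched as a single server-side gate. This is an added illustration, not RateMyBody's code: the function and class names, the in-memory log, and the use of one log for both allowed and blocked attempts are assumptions, while the level thresholds and the mandatory reason note come from the roles table in Section 1.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone

MODERATOR_LEVEL = 10          # lowest staff level in the roles table
SAFEGUARDING_LEAD_LEVEL = 50  # level 50+ may award points to under-18 users


@dataclass(frozen=True)
class AuditEntry:
    staff_id: int
    timestamp: str
    action: str
    target_user_id: int
    outcome: str
    detail: str


class AuditLog:
    """Append-only by interface: entries can be added and read, never changed."""

    def __init__(self):
        self._entries = []

    def append(self, entry: AuditEntry) -> None:
        self._entries.append(entry)

    def entries(self) -> tuple:
        return tuple(self._entries)


def age_on(dob: date, today: date) -> int:
    """Whole years of age on `today`; the birthday itself counts as reached."""
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - int(before_birthday)


def decide_award(staff_level: int, target_dob: date, reason: str, today: date):
    """Return (allowed, detail) for one manual point award request."""
    if staff_level < MODERATOR_LEVEL:
        return False, "caller is not staff"
    if not reason or not reason.strip():
        return False, "reason note is mandatory"
    if age_on(target_dob, today) < 18 and staff_level < SAFEGUARDING_LEAD_LEVEL:
        return False, "target is under 18 and caller is below level 50"
    return True, "ok"


def give_points(log, staff_id, staff_level, target_id, target_dob,
                points, reason, today=None):
    """Apply the gate and record the attempt whether or not it is allowed."""
    today = today or date.today()
    allowed, detail = decide_award(staff_level, target_dob, reason, today)
    log.append(AuditEntry(
        staff_id=staff_id,
        timestamp=datetime.now(timezone.utc).isoformat(),
        action=f"admin-give-points:{points}",
        target_user_id=target_id,
        outcome="allowed" if allowed else "blocked",
        detail=reason.strip() if allowed else detail,
    ))
    return allowed


if __name__ == "__main__":
    # Constructed sample: a level-10 moderator targets a 17-year-old account.
    log = AuditLog()
    give_points(log, 7, 10, 1001, date(2008, 4, 6), 50,
                "correct scoring error", today=date(2026, 4, 5))
    for entry in log.entries():
        print(entry)
```

The age check is computed from the stored date of birth on every request, so an account that turns 18 stops being gated on its birthday without any flag needing to be updated.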

4. Rules Specific to Minor Users

🚨 Zero Tolerance: Sexual Contact with Minor Users

The following is an absolute, unconditional prohibition. There are no exceptions at any level, under any circumstances:

No staff member may engage in sexual, romantic, or intimate contact with any user under the age of 18 — on-platform, off-platform, in person, or via any communication channel.

"The minor initiated it" is not a defence. Under Finnish Criminal Code Chapter 20, EU Directive 2011/93/EU, and the law of virtually every jurisdiction, a minor cannot legally consent to sexual activity with an adult. The staff member's position of authority makes this especially clear. Any staff member who proceeds with sexual contact initiated by a minor commits a criminal offence and will face full criminal prosecution. RateMyBody will not shield them.

Required Response when a Minor Behaves Inappropriately

If a minor user sends you sexual messages, shares sexual content with you, or otherwise initiates inappropriate contact, you are required to:

  1. Stop immediately — do not respond, do not engage, do not encourage
  2. Do not delete anything — preserve all communications as evidence
  3. Report to both Safeguarding Leads immediately — within 1 hour of the incident
  4. Document the incident — time, what was sent/said, username of the minor, platform used
  5. Do not contact the minor again — all further interaction must go through the Safeguarding Leads

Failing to report such an incident is itself a violation of these rules and may constitute a criminal offence (failure to report) depending on jurisdiction.

Additional Minor-Specific Rules

  • Do not access a minor user's profile, account data, or content beyond what is required for a specific, logged moderation task
  • Do not view minor-flagged content for any reason other than moderation. Viewing such content for personal purposes may constitute an offence under child protection law
  • Do not discuss minor users' details, appearance, or content with other staff members except in the context of a formal moderation case
  • Do not contact a minor user through any channel — all communication with minor users must be system-generated platform notices only
  • Any content you encounter that you reasonably believe constitutes CSAM must be reported to the Safeguarding Lead immediately, who will file a CyberTipline report with NCMEC within 24 hours as required by law

5. Point Awards and Financial Incentives

The manual point award system exists to correct errors and recognise exceptional contributions. It is not a tool for rewarding individual users you have a personal relationship with.

โš ๏ธ Point Award Rules
  • No points to minor users unless you are a Safeguarding Lead (level 50+) and the award is logged with a mandatory reason note. General admin staff are technically blocked from doing this โ€” any attempt is logged
  • No points to users you have a personal relationship with โ€” friends, partners, or users you are in regular personal contact with
  • No points in exchange for anything โ€” whether content, favours, communication, or any other quid pro quo arrangement. Exchanging points for photos or other content from users is a serious violation and, if the user is a minor, a criminal offence
  • Reason required: All manual point awards must include a clear reason note. "Just because" or vague reasons are not acceptable
  • All manual awards are in the points log and are reviewed by management. Unusual patterns will be investigated

6. Data Access and Privacy

  • Access only the user data necessary for the moderation task at hand. Do not browse user profiles, IPs, or private content outside of a moderation context
  • Never share, export, or copy user data (emails, IPs, private content) outside of the platform except as required by law enforcement requests via official legal process
  • Admin access to uploaded content (including private/deleted content in backups) is for moderation and legal compliance only
  • Do not use admin access to find personal information about users you have a personal interest in
  • GDPR applies to your handling of user data. You are personally liable for misuse of user data accessed through your admin role

7. Communication with Users

🚫 No Private Direct Messages to Users

Staff do not privately message individual users through any channel — not through the platform's messaging system, not through social media, not through personal contact details. All communication with users is conducted through system-generated platform notices or official email via the platform's contact system.

Any staff member found to be privately messaging users — especially minor users — will be in breach of this policy and subject to immediate review. There is no legitimate reason for a staff member to privately contact a user.

  • When a moderation decision needs to be communicated to a user, do so via the platform's official account notice or automated email system — not via personal message
  • Do not provide users with your personal contact details (phone number, personal email, social media handles) under any circumstances
  • Do not accept private communications from users through personal channels. If a user contacts you personally claiming to be a platform user, redirect them to the official contact form and report the contact internally
  • If a user is threatening, abusive, or distressing in their communications via the platform's contact system, escalate to a more senior staff member — do not engage personally

8. Moderation Standards

  • Apply the rules neutrally: Moderation decisions must be based on the content and the policy, not on who uploaded it, how many followers they have, or your personal opinion of them
  • Document borderline decisions: When you remove content that is borderline, leave a note explaining your reasoning. This protects both you and the platform in the event of an appeal
  • Do not over-moderate: Removing content that clearly does not violate any rule is also a violation of these standards. Both over-moderation and under-moderation must be avoided
  • Appeals must be reviewed fairly: If a user appeals a moderation decision, review it on its merits with fresh eyes. Do not reject appeals out of defensiveness
  • Speed: Reported content must be actioned within the SLA in the table below. Minor-flagged content is the highest priority
| Content Type | Target Response Time | Who Actions It |
|---|---|---|
| CSAM / suspected minor content | Within 1 hour | Safeguarding Leads only (both must review) |
| Non-consensual / revenge content | Within 2 hours | Any moderator (level 10+) |
| Hate speech / illegal content | Within 4 hours | Any moderator (level 10+) |
| Standard content reports | Within 24 hours | Any moderator (level 10+) |
| Low-priority flags (spam, duplicates) | Within 48 hours | Any moderator (level 10+) |

9. Reporting Obligations

As a staff member with access to user-generated content, you have legal reporting obligations that go beyond platform policy.

  • CSAM: If you encounter content you reasonably believe is CSAM (sexual content involving a minor), you must report it to the Safeguarding Lead immediately. The Safeguarding Lead is legally required to file a CyberTipline report with NCMEC within 24 hours under 18 U.S.C. § 2258A. Knowingly failing to report CSAM is a criminal offence in the US and many other jurisdictions
  • Immediate threat to life: If you encounter content that indicates an imminent threat to a person's life (suicide plan, explicit threat), escalate immediately to the platform owner and contact emergency services if you have any identifying information
  • Staff misconduct: If you witness another staff member violating these rules — especially if it involves a minor — you are required to report it immediately. See the Whistleblowing section below
  • Legal requests: If you receive a legal request (subpoena, court order, police request) relating to platform data, immediately notify the platform owner. Do not respond to legal requests unilaterally

10. Whistleblowing

If you observe a fellow staff member violating these rules, you are expected to report it. This is especially critical where minors are involved.

โš ๏ธ You Must Report Colleague Misconduct

Silence in the face of a colleague's misconduct โ€” particularly misconduct involving a minor โ€” can constitute complicity. You will not face retaliation for making a good-faith report about a colleague's behaviour. Retaliation against a whistleblower is itself a serious violation of these rules.

  • Report colleague misconduct to the platform owner directly via a private channel outside the normal admin tools
  • Preserve any evidence (screenshots, logs, messages) before reporting
  • If the misconduct involves the platform owner themselves, you may report it directly to Finnish law enforcement (KRP) or, for US-based situations, the FBI's Internet Crime Complaint Center (IC3)
  • If the misconduct involves a minor, also report it to NCMEC CyberTipline at CyberTipline.org regardless of whether internal reporting has taken place

11. Consequences for Violations

| Violation | Consequence |
|---|---|
| Minor policy breach (e.g., rudeness, poor documentation) | Written warning; retraining required |
| Favouritism / biased moderation | Formal warning; actions reviewed and potentially reversed; access level review |
| Sharing user data without authorisation | Immediate suspension pending investigation; potential termination; referral to data protection authority (GDPR) |
| Private messaging a user | Immediate suspension; investigation; likely termination |
| Sexual/romantic relationship with an adult user | Immediate termination |
| Manual point award in exchange for content or favours | Immediate termination; if user was a minor, criminal referral to law enforcement |
| Any sexual contact with a minor user | Immediate termination; criminal referral to KRP, NCMEC, Europol, and local law enforcement; full cooperation with prosecution. No exceptions. |
| Failure to report CSAM | Immediate termination; criminal referral (legally obligated report) |
| Retaliating against a whistleblower | Immediate termination |
| Sexual use of user content (masturbation, saving for sexual purposes, sharing for sexual purposes) | Immediate termination; permanent ban from all staff roles; if content involved a minor, criminal referral to KRP, NCMEC, and local law enforcement |
| Owner or senior staff entering a relationship with a user without disclosure and recusal | Formal review by independent Safeguarding Lead; mandatory recusal from all moderation; possible termination depending on severity |

13. Staff Vetting and Disqualifying Criteria

🚫 Absolute Disqualifiers — These Persons May Never Hold Any Staff Role

Because RateMyBody has minor users on the platform, the following are permanent absolute disqualifiers for any staff or volunteer role at any access level, with no exceptions and no appeals:

  • Any conviction for a sexual offence involving a minor — including child sexual abuse, possession or distribution of CSAM, grooming, child exploitation, statutory rape/sexual abuse of a minor, or any equivalent offence in any jurisdiction worldwide, regardless of when the conviction occurred or whether the sentence has been served
  • Any conviction for production, distribution, or possession of child sexual abuse material (CSAM) in any jurisdiction
  • Any current Sexual Harm Prevention Order, Sexual Risk Order, or equivalent court order in any jurisdiction that restricts access to children or online platforms
  • Active investigation for any of the above offences — staff must disclose immediately if they become subject to such an investigation; their role is suspended pending the outcome
โš ๏ธ Vetting Process

RateMyBody does not currently run formal DBS/background checks on all staff, but reserves the right to do so. The following apply to all prospective and current staff:

  • Self-disclosure requirement: All prospective staff must confirm in writing before taking on any role that they do not fall within any disqualifying category listed above. Making a false declaration is grounds for immediate termination and may be reported to law enforcement
  • Ongoing disclosure obligation: If a current staff member is charged with or convicted of any disqualifying offence after joining, they must inform platform management within 24 hours. Their access will be suspended immediately pending review
  • Discovery after appointment: If we discover after appointment — through any means including message disclosures, user reports, or external information — that a staff member falls within a disqualifying category, they will be immediately terminated and all their actions during their tenure will be reviewed. Any access they had to minor user data, messages, or tickets will be treated as a potential safeguarding incident and investigated accordingly
  • Reporting to authorities: Discovery that a staff member is a convicted sex offender who concealed this to gain elevated access to a platform with minors will be reported to Finnish KRP, NCMEC (if applicable), and local law enforcement in the staff member’s jurisdiction as a matter of course

These rules exist because a platform with minor users has a heightened duty of care. Allowing a known sex offender to hold a staff role — particularly one with access to minor user data, messages, or moderation queues — would represent a catastrophic safeguarding failure and potential criminal liability for the platform.

12. How to Report a Staff Member

If you are a user who believes a RateMyBody staff member has behaved improperly, you have several options:

🚨 If you are a minor who has been contacted or harmed

Tell a trusted adult immediately and contact your local police. Do not wait. You can also report via our Report Abuse Form — but police first.

  • Report Abuse Form: Use our Report Abuse Form and select "Staff Misconduct" as the category. Reports are handled with highest priority and full confidentiality
  • Email: abuse@ratemybody.net — mark the subject as "Staff Misconduct Report"
  • Finnish Police: poliisi.fi — for criminal matters involving Finnish-based staff
  • NCMEC CyberTipline: CyberTipline.org — if the misconduct involves sexual content and a minor
  • Europol: europol.europa.eu — for EU-based situations

14. Sexual Misuse of User Content

🚨 Absolute Prohibition: Using User Content for Sexual Gratification

Staff members at every level — including owners, administrators, Safeguarding Leads, and moderators — are strictly prohibited from using any user-uploaded content (photos, videos, profile images) for personal sexual gratification. This includes but is not limited to:

  • Masturbating to user photos or videos, whether accessed through admin tools or the public site
  • Downloading or saving user content for sexual purposes
  • Screenshotting user content for sexual purposes
  • Sharing user content with third parties for sexual purposes
  • Repeatedly or systematically browsing specific users' content in a pattern consistent with sexual gratification rather than moderation duties

Why This Rule Exists

Users upload content to RateMyBody to receive ratings and feedback from the community. They do not consent to their content being used as pornographic material by the people entrusted with moderating and protecting the platform. Staff hold a position of trust and elevated access. Using that position to sexually exploit user content is a fundamental breach of that trust.

This is especially serious when the content belongs to a minor user. Any sexual use of content depicting a person under 18 — regardless of whether the content itself is non-nude or clothed — may constitute a criminal offence under child exploitation laws in multiple jurisdictions.

Detection and Enforcement

  • Access pattern monitoring: Admin panel access logs are reviewed for anomalous patterns — repeated views of the same user's photos, extended browsing sessions with no moderation actions taken, accessing photos outside of active moderation queues
  • Peer reporting: Any staff member who becomes aware that a colleague is sexually using user content must report it immediately under the Whistleblowing policy (Section 10). Failing to report is complicity
  • Self-reporting: Any staff member who has engaged in this behaviour is strongly urged to resign immediately and self-report to platform management

Consequences

  • Immediate termination with no right of appeal
  • Permanent ban from any staff or volunteer role on RateMyBody
  • Full review of the staff member's access history to identify all content they accessed
  • If any accessed content involved a minor user: mandatory referral to KRP, NCMEC, and local law enforcement
  • Users whose content was accessed will be notified where appropriate and legally permissible

15. Conflict of Interest and Owner Conduct

โš ๏ธ Applies to All Staff Including Owners and Founders

No person is above this policy. Site owners, founders, and senior administrators are subject to the same conduct rules as every other staff member. Ownership of the platform does not grant a personal exemption from safeguarding obligations or ethical standards.

Romantic or Sexual Relationships with Users

As stated in Section 2, staff are prohibited from entering into sexual, romantic, or intimate relationships with any user of the platform. This rule applies with equal force to site owners and founders.

If a relationship has already begun or is discovered after the fact, the following mandatory steps apply:

  1. Immediate disclosure to the Safeguarding Lead(s) and at least one other senior staff member
  2. Full recusal from any moderation or administrative decision that could affect the partner's account, content, reports, or interactions
  3. Audit of prior actions: All moderation decisions made on the partner's account or content by the staff member must be independently reviewed for favouritism or preferential treatment
  4. No access to partner's data: The staff member may not access the partner's profile data, IP address, email, private messages, or upload history through admin tools
  5. Ongoing monitoring: The Safeguarding Lead will periodically review whether the relationship is creating moderation bias, user trust concerns, or safeguarding risks

Why Owner Relationships Are Especially Problematic

  • Ultimate access: An owner typically has unrestricted access to all user data, messages, IP addresses, photos, and moderation tools. This creates a severe power imbalance with any user they date
  • No effective oversight: Other staff may feel unable to challenge or report the owner's conduct, making internal safeguards ineffective
  • User trust: If users learn the site owner is dating a user, it damages confidence that moderation is impartial and that their data is handled properly
  • Legal exposure: The relationship may constitute a GDPR risk if the owner accesses the partner's personal data outside of legitimate platform purposes

If a User Under 18 Is Involved

If any staff member — including any owner or founder — enters into a sexual or romantic relationship with a user under 18, all provisions of Section 4 apply in full. There is no owner exemption. This is a criminal matter and will be reported to law enforcement immediately.

Whistleblowing Protection for Reporting Owner Conduct

Staff members who report concerns about owner or senior staff conduct are protected under Code 10 (Whistleblowing). If you feel unable to report internally because the person you need to report is the owner, you may:

  • Contact a Safeguarding Lead directly
  • Use the anonymous staff reporting channel (if available)
  • Report externally to the relevant data protection authority or law enforcement

This policy is reviewed and updated regularly. Staff members are required to re-read and acknowledge updated versions. Users can report outdated or incomplete sections via the contact form.