Version 1.0 — Effective 1 March 2026
EHS Protect Ltd — SC849512 — Registered in Scotland
EHS Protect Ltd ("we", "us", "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the EHS Genesis platform ("Platform") at app.ehsgenesis.com and our website at ehsgenesis.com ("Website").
EHS Protect Ltd is registered in Scotland (Company Number: SC849512) with its registered office at 5 South Charlotte Street, Edinburgh EH2 4AN. We are registered with the Information Commissioner's Office (ICO) under registration number ZC095086.
When you visit our Website: We are the data controller for any personal data we collect (such as contact form submissions, cookie data, and email addresses).
When you use our Platform: Your organisation (the "Customer") is the data controller for the personal data processed within the Platform (including employee records, incident data, health data, witness information, and training records). We are the data processor, processing this data on the Customer's behalf and solely in accordance with their instructions.
Affiliate Programme: We are the data controller for personal data collected from affiliate partner applications and the administration of the affiliate programme.
We collect the following data when you visit our Website:
| Data | Purpose | Lawful Basis |
|---|---|---|
| Name, email, company (contact form) | Responding to your enquiry | Legitimate interest (Art 6(1)(f)) |
| Name, email, company (demo booking) | Scheduling your demonstration | Contract performance (Art 6(1)(b)) |
| Cookie identifiers, IP address, browser type | Website analytics and functionality | Consent (Art 6(1)(a)) |
| Affiliate referral code (cookie) | Attribution for partner programme | Legitimate interest (Art 6(1)(f)) |
When you create an Account or are added as a user by your organisation:
| Data | Purpose | Lawful Basis |
|---|---|---|
| Name, email, job title, phone | Account creation and access | Contract performance (Art 6(1)(b)) |
| Login history, IP address, sessions | Security monitoring and audit | Legitimate interest (Art 6(1)(f)) |
| Role, department, location | Access control and permissions | Contract performance (Art 6(1)(b)) |
| Profile preferences, language | Personalising experience | Contract performance (Art 6(1)(b)) |
Your organisation may upload or create the following categories of personal data within the Platform. Your organisation is the data controller for this data:
| Category | Examples | Special Category? |
|---|---|---|
| Employee records | Names, job titles, departments, contact details | No |
| Incident / report data | Descriptions of workplace events, witness names | Potentially |
| Health and injury data | Injury descriptions, body parts, medical treatment, lost time | Yes — Special Category |
| Witness statements | Written accounts from witnesses | Potentially |
| Training records | Course completions, certificates, competency assessments | No |
| Investigation records | Root cause analysis, contributing factors, corrective actions | Potentially |
| Document metadata | Authors, approvers, reviewers | No |
Special Category Data: Health and injury data constitutes Special Category Data under Article 9 of UK GDPR. This is processed under Article 9(2)(b) (employment law obligations — Health and Safety at Work etc. Act 1974, RIDDOR 2013) and Schedule 1, Part 1, Condition 1 of the Data Protection Act 2018 (employment purposes with an Appropriate Policy Document).
| Data | Purpose | Lawful Basis |
|---|---|---|
| Business name, contact name, email, phone | Programme administration | Contract performance (Art 6(1)(b)) |
| Companies House number, VAT number | Eligibility and tax compliance | Legal obligation (Art 6(1)(c)) |
| Bank account details (encrypted) | Commission payments | Contract performance (Art 6(1)(b)) |
We do not store payment card details. These are processed and stored by Stripe in accordance with PCI DSS Level 1 standards. See Stripe's privacy policy at stripe.com/privacy.
We use personal data for the following purposes:
We do not: sell personal data to third parties, use personal data for advertising without explicit consent, share personal data with third parties for their marketing purposes, or profile individuals for automated decision-making that has legal or significant effects.
4.1. The Platform includes optional AI features powered by the Anthropic Claude API. AI features are disabled by default and require explicit administrator consent before activation.
4.2. When AI features are used, only the data relevant to the specific feature is sent for processing. Employee names, company names, and personal identifiable information are never sent to the AI provider.
4.3. Anthropic does not store Customer Data and does not use it for model training. Data is processed in transit and discarded after the response is generated. Anthropic's data handling is governed by their commercial API terms, which prohibit training on customer data.
4.4. All AI processing occurs via encrypted HTTPS connections. No AI-generated output constitutes an automated decision — all outputs require human review and approval.
4.5. AI usage is logged in the Platform's audit trail (feature used, by whom, when, tokens consumed) but the content of AI requests and responses is not stored in the audit log.
We share personal data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Safeguards |
|---|---|---|
| IONOS SE (hosting) | Infrastructure hosting | German company, EU data centres, GDPR compliant |
| Anthropic (AI provider) | AI feature processing (opt-in only) | Commercial API terms, no storage, no training |
| Stripe (payments) | Subscription payment processing | PCI DSS Level 1, EU/UK data processing |
| Resend (email) | Transactional email delivery | Data processing agreement in place |
| Professional advisers | Legal, accounting, audit | Professional duty of confidentiality |
| Law enforcement | Where required by law or court order | Only in response to valid legal process |
We do not transfer personal data outside the UK and EEA except as described above. Where transfers occur (e.g., Anthropic's API processing), appropriate safeguards are in place including Standard Contractual Clauses and/or UK IDTA (International Data Transfer Agreement).
A full list of our third-party sub-processors, including the data they process and the safeguards in place, is available on our Sub-Processors page.
We implement the following technical and organisational measures to protect personal data:
7.1. All Platform data is hosted on IONOS infrastructure. IONOS SE is a German-owned company (part of United Internet AG, listed on the Frankfurt Stock Exchange) with data centres in Frankfurt, Germany, and London, United Kingdom.
7.2. No Customer Data is hosted on US-owned cloud infrastructure (Amazon Web Services, Microsoft Azure, or Google Cloud Platform). This means your data is not subject to the US CLOUD Act, FISA Section 702, or Executive Order 12333.
7.3. IONOS is subject to the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). The UK has an EU adequacy decision for data protection, permitting seamless data flow between the UK and EEA.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (active) | Duration of Subscription | Contract performance |
| Account data (after cancellation) | 90 days, then deleted | Recovery period |
| Health and safety records | As configured by Customer (min 3 years, up to 40 years for exposure records) | Legal obligation |
| Audit trail records | 7 years | ISO 27001 / legal record-keeping |
| Billing records | 7 years | Legal obligation (HMRC) |
| Website contact forms | 2 years | Legitimate interest |
| Affiliate programme records | 7 years from termination | HMRC / Bribery Act compliance |
| Cookie data | As specified in Cookie Policy | Consent |
Customers can configure data retention periods within the Platform under Admin > GDPR > Data Retention. Certain minimum retention periods are enforced where required by law.
Under UK GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@ehsgenesis.com.
Right of Access (Article 15): You may request a copy of the personal data we hold about you.
Right to Rectification (Article 16): You may request that we correct inaccurate personal data.
Right to Erasure (Article 17): You may request that we delete your personal data, subject to our legal retention obligations.
Right to Restriction (Article 18): You may request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format. The Platform provides data export functionality under Admin > GDPR > Data Export.
Right to Object (Article 21): You may object to processing based on legitimate interests.
Automated Decision-Making (Article 22): We do not make automated decisions that have legal or significant effects on individuals. AI features are advisory only and require human review.
We will respond to all rights requests within one calendar month of receipt. If you are a Platform user and wish to exercise rights regarding data processed within the Platform, please contact your organisation's administrator in the first instance — they are the data controller for that data.
10.1. In the event of a personal data breach, we will notify the relevant supervisory authority (Information Commissioner's Office) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
10.2. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay.
10.3. We will notify affected Customers of any breach relating to their Customer Data without undue delay, providing sufficient information to enable the Customer to meet its own regulatory notification obligations.
11.1. We primarily process personal data within the UK and EEA. Where personal data is transferred outside the UK and EEA, we ensure appropriate safeguards are in place:
| Transfer | Safeguard |
|---|---|
| Anthropic (AI processing — US) | UK IDTA / Standard Contractual Clauses |
| Stripe (payment processing) | UK IDTA / Stripe's Binding Corporate Rules |
| Resend (email delivery) | Data Processing Agreement |
11.2. The UK has an EU adequacy decision, meaning data flows between the UK and EEA do not require additional safeguards.
The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data through the Platform, please contact us at privacy@ehsgenesis.com and we will take steps to delete that information.
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by a prominent notice within the Platform at least 30 days before the changes take effect. We maintain a version history of this policy.
If you have a complaint about how we handle your personal data, please contact us first at privacy@ehsgenesis.com. We will do our best to resolve the matter.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
Data Protection Contact
Email: privacy@ehsgenesis.com
EHS Protect Ltd
Registered in Scotland — Company Number: SC849512
Registered Office: 5 South Charlotte Street, Edinburgh EH2 4AN