Privacy Policy

Version 1.0 — Effective 1 March 2026

EHS Protect Ltd — SC849512 — Registered in Scotland

EHS Protect Ltd ("we", "us", "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the EHS Genesis platform ("Platform") at app.ehsgenesis.com and our website at ehsgenesis.com ("Website").

EHS Protect Ltd is registered in Scotland (Company Number: SC849512) with its registered office at 5 South Charlotte Street, Edinburgh EH2 4AN. We are registered with the Information Commissioner's Office (ICO) under registration number ZC095086.

1. Data Controller and Data Processor Roles

When you visit our Website: We are the data controller for any personal data we collect (such as contact form submissions, cookie data, and email addresses).

When you use our Platform: Your organisation (the "Customer") is the data controller for the personal data processed within the Platform (including employee records, incident data, health data, witness information, and training records). We are the data processor, processing this data on the Customer's behalf and solely in accordance with their instructions.

Affiliate Programme: We are the data controller for personal data collected from affiliate partner applications and the administration of the affiliate programme.

2. What Personal Data We Collect

2.1 Website Visitors

We collect the following data when you visit our Website:

DataPurposeLawful Basis
Name, email, company (contact form)Responding to your enquiryLegitimate interest (Art 6(1)(f))
Name, email, company (demo booking)Scheduling your demonstrationContract performance (Art 6(1)(b))
Cookie identifiers, IP address, browser typeWebsite analytics and functionalityConsent (Art 6(1)(a))
Affiliate referral code (cookie)Attribution for partner programmeLegitimate interest (Art 6(1)(f))

2.2 Platform Users

When you create an Account or are added as a user by your organisation:

DataPurposeLawful Basis
Name, email, job title, phoneAccount creation and accessContract performance (Art 6(1)(b))
Login history, IP address, sessionsSecurity monitoring and auditLegitimate interest (Art 6(1)(f))
Role, department, locationAccess control and permissionsContract performance (Art 6(1)(b))
Profile preferences, languagePersonalising experienceContract performance (Art 6(1)(b))

2.3 Data Processed Within the Platform

Your organisation may upload or create the following categories of personal data within the Platform. Your organisation is the data controller for this data:

CategoryExamplesSpecial Category?
Employee recordsNames, job titles, departments, contact detailsNo
Incident / report dataDescriptions of workplace events, witness namesPotentially
Health and injury dataInjury descriptions, body parts, medical treatment, lost timeYes — Special Category
Witness statementsWritten accounts from witnessesPotentially
Training recordsCourse completions, certificates, competency assessmentsNo
Investigation recordsRoot cause analysis, contributing factors, corrective actionsPotentially
Document metadataAuthors, approvers, reviewersNo

Special Category Data: Health and injury data constitutes Special Category Data under Article 9 of UK GDPR. This is processed under Article 9(2)(b) (employment law obligations — Health and Safety at Work etc. Act 1974, RIDDOR 2013) and Schedule 1, Part 1, Condition 1 of the Data Protection Act 2018 (employment purposes with an Appropriate Policy Document).

2.4 Affiliate Programme Applicants

DataPurposeLawful Basis
Business name, contact name, email, phoneProgramme administrationContract performance (Art 6(1)(b))
Companies House number, VAT numberEligibility and tax complianceLegal obligation (Art 6(1)(c))
Bank account details (encrypted)Commission paymentsContract performance (Art 6(1)(b))

2.5 Billing Data

We do not store payment card details. These are processed and stored by Stripe in accordance with PCI DSS Level 1 standards. See Stripe's privacy policy at stripe.com/privacy.

3. How We Use Personal Data

We use personal data for the following purposes:

  • Providing, operating, and maintaining the Platform
  • Processing subscription payments and managing billing
  • Communicating with you about your Account, subscription, and support requests
  • Sending essential service communications (security alerts, maintenance notifications, Terms updates)
  • Monitoring and improving the security and performance of the Platform
  • Complying with legal obligations (including HMRC tax requirements and regulatory record-keeping)
  • Investigating and preventing fraud, abuse, or security incidents
  • Administering the Affiliate Partner Programme

We do not: sell personal data to third parties, use personal data for advertising without explicit consent, share personal data with third parties for their marketing purposes, or profile individuals for automated decision-making that has legal or significant effects.

4. AI Features and Data Processing

4.1. The Platform includes optional AI features powered by the Anthropic Claude API. AI features are disabled by default and require explicit administrator consent before activation.

4.2. When AI features are used, only the data relevant to the specific feature is sent for processing. Employee names, company names, and personal identifiable information are never sent to the AI provider.

4.3. Anthropic does not store Customer Data and does not use it for model training. Data is processed in transit and discarded after the response is generated. Anthropic's data handling is governed by their commercial API terms, which prohibit training on customer data.

4.4. All AI processing occurs via encrypted HTTPS connections. No AI-generated output constitutes an automated decision — all outputs require human review and approval.

4.5. AI usage is logged in the Platform's audit trail (feature used, by whom, when, tokens consumed) but the content of AI requests and responses is not stored in the audit log.

5. Data Sharing

We share personal data only with the following categories of recipients, and only to the extent necessary:

RecipientPurposeSafeguards
IONOS SE (hosting)Infrastructure hostingGerman company, EU data centres, GDPR compliant
Anthropic (AI provider)AI feature processing (opt-in only)Commercial API terms, no storage, no training
Stripe (payments)Subscription payment processingPCI DSS Level 1, EU/UK data processing
Resend (email)Transactional email deliveryData processing agreement in place
Professional advisersLegal, accounting, auditProfessional duty of confidentiality
Law enforcementWhere required by law or court orderOnly in response to valid legal process

We do not transfer personal data outside the UK and EEA except as described above. Where transfers occur (e.g., Anthropic's API processing), appropriate safeguards are in place including Standard Contractual Clauses and/or UK IDTA (International Data Transfer Agreement).

A full list of our third-party sub-processors, including the data they process and the safeguards in place, is available on our Sub-Processors page.

6. Data Security

We implement the following technical and organisational measures to protect personal data:

Technical Measures

  • AES-256 encryption for sensitive personal data (PII Vault)
  • Encryption in transit (HTTPS/TLS on all connections)
  • Argon2 password hashing
  • JWT access tokens (15-minute expiry) with HttpOnly refresh tokens
  • Multi-tenant database isolation
  • API rate limiting and security headers
  • SQL injection protection via parameterised queries

Organisational Measures

  • Role-based access control with 6 system roles and 8 functional roles
  • Comprehensive audit trail — every state-changing operation logged
  • Immutable audit logs — cannot be edited or deleted by any user
  • Data breach notification procedures (72-hour ICO notification)
  • Regular security reviews and dependency auditing

7. Data Hosting and Sovereignty

7.1. All Platform data is hosted on IONOS infrastructure. IONOS SE is a German-owned company (part of United Internet AG, listed on the Frankfurt Stock Exchange) with data centres in Frankfurt, Germany, and London, United Kingdom.

7.2. No Customer Data is hosted on US-owned cloud infrastructure (Amazon Web Services, Microsoft Azure, or Google Cloud Platform). This means your data is not subject to the US CLOUD Act, FISA Section 702, or Executive Order 12333.

7.3. IONOS is subject to the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). The UK has an EU adequacy decision for data protection, permitting seamless data flow between the UK and EEA.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

Data CategoryRetention PeriodBasis
Account data (active)Duration of SubscriptionContract performance
Account data (after cancellation)90 days, then deletedRecovery period
Health and safety recordsAs configured by Customer (min 3 years, up to 40 years for exposure records)Legal obligation
Audit trail records7 yearsISO 27001 / legal record-keeping
Billing records7 yearsLegal obligation (HMRC)
Website contact forms2 yearsLegitimate interest
Affiliate programme records7 years from terminationHMRC / Bribery Act compliance
Cookie dataAs specified in Cookie PolicyConsent

Customers can configure data retention periods within the Platform under Admin > GDPR > Data Retention. Certain minimum retention periods are enforced where required by law.

9. Your Rights

Under UK GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@ehsgenesis.com.

Right of Access (Article 15): You may request a copy of the personal data we hold about you.

Right to Rectification (Article 16): You may request that we correct inaccurate personal data.

Right to Erasure (Article 17): You may request that we delete your personal data, subject to our legal retention obligations.

Right to Restriction (Article 18): You may request that we restrict the processing of your personal data in certain circumstances.

Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format. The Platform provides data export functionality under Admin > GDPR > Data Export.

Right to Object (Article 21): You may object to processing based on legitimate interests.

Automated Decision-Making (Article 22): We do not make automated decisions that have legal or significant effects on individuals. AI features are advisory only and require human review.

We will respond to all rights requests within one calendar month of receipt. If you are a Platform user and wish to exercise rights regarding data processed within the Platform, please contact your organisation's administrator in the first instance — they are the data controller for that data.

10. Data Breach Notification

10.1. In the event of a personal data breach, we will notify the relevant supervisory authority (Information Commissioner's Office) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

10.2. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay.

10.3. We will notify affected Customers of any breach relating to their Customer Data without undue delay, providing sufficient information to enable the Customer to meet its own regulatory notification obligations.

11. International Data Transfers

11.1. We primarily process personal data within the UK and EEA. Where personal data is transferred outside the UK and EEA, we ensure appropriate safeguards are in place:

TransferSafeguard
Anthropic (AI processing — US)UK IDTA / Standard Contractual Clauses
Stripe (payment processing)UK IDTA / Stripe's Binding Corporate Rules
Resend (email delivery)Data Processing Agreement

11.2. The UK has an EU adequacy decision, meaning data flows between the UK and EEA do not require additional safeguards.

12. Children's Data

The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data through the Platform, please contact us at privacy@ehsgenesis.com and we will take steps to delete that information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by a prominent notice within the Platform at least 30 days before the changes take effect. We maintain a version history of this policy.

14. Complaints

If you have a complaint about how we handle your personal data, please contact us first at privacy@ehsgenesis.com. We will do our best to resolve the matter.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Website: ico.org.uk

Telephone: 0303 123 1113

15. Contact

Data Protection Contact

Email: privacy@ehsgenesis.com

EHS Protect Ltd

Registered in Scotland — Company Number: SC849512

Registered Office: 5 South Charlotte Street, Edinburgh EH2 4AN