SafeAspect – Privacy Policy

1. Introduction

SafeAspect provides cloud-based workplace health, safety, environment (HSE), compliance management, incident reporting, contractor management, inspection management, risk analysis, and AI-assisted operational intelligence services.

Because the Platform may process operational workplace information, employee-related information, incident records, audit documentation, contractor information, and other business-related records, the Company is committed to implementing commercially reasonable safeguards intended to protect personal data and confidential information.

2. Important Role Distinction – Data Controller and Data Processor

Customer Operational Data

When organizations, employers, contractors, or enterprise customers upload operational, employee, contractor, or workplace-related information into the Platform ("Customer Data"), the customer organization remains the "Data Controller" under applicable privacy laws, including but not limited to:

• Turkish Personal Data Protection Law No. 6698 ("KVKK")
• European Union General Data Protection Regulation ("GDPR")
• Applicable international privacy regulations

In such cases, the Company acts solely as a "Data Processor" or equivalent service provider.

The customer organization is solely responsible for:

• Obtaining required employee or contractor consents;
• Providing legally required notices;
• Establishing lawful processing grounds;
• Managing retention obligations;
• Responding to data subject requests;
• Ensuring lawful international data transfers where applicable.

Account and Platform Data

For information directly related to user accounts, subscriptions, billing, authentication, support requests, and platform administration, the Company may act as a Data Controller.

3. Information We Collect

We may collect, process, store, and use the following categories of information:

A. Account Information

• Name
• Email address
• Company name
• Job title
• Login credentials
• Authentication records
• Subscription details
• Billing information
• Account preferences

B. Operational Customer Data

Users and organizations may upload or process:

• Incident reports
• Workplace observations
• Audit findings
• Contractor information
• Employee records
• Risk assessments
• Inspection reports
• Compliance records
• Safety documentation
• Corrective action records
• Uploaded files and attachments
• Workplace photographs
• AI-generated reports and outputs

C. Technical and Usage Information

We may automatically collect:

• IP addresses
• Browser type
• Device information
• Operating system
• Log records
• Access timestamps
• Session identifiers
• Platform usage analytics
• Security monitoring information

D. Communication Information

• Customer support inquiries
• Emails
• Feedback submissions
• Service communications

4. Special Category and Sensitive Data

The Platform may allow customers to upload workplace incident records or operational information that could contain sensitive or special-category personal data under applicable laws.

Such information may include:

• Workplace injury information
• Occupational health details
• Safety investigation records
• Employee disciplinary information
• Compliance-related records

Users and customer organizations are solely responsible for ensuring that they possess lawful authority and appropriate legal grounds before uploading sensitive or special-category data to the Platform.

The Company does not independently verify whether uploaded information has been lawfully collected or transferred.

5. How We Use Information

We may use information for the following purposes:

• Providing and operating the Platform;
• Delivering AI-assisted analysis and reporting functions;
• Managing accounts and subscriptions;
• Authenticating users;
• Processing payments;
• Providing technical support;
• Monitoring platform security;
• Preventing fraud and abuse;
• Improving system functionality;
• Conducting internal analytics;
• Maintaining service reliability;
• Communicating with users;
• Complying with legal obligations.

We may also use aggregated, anonymized, or irreversibly de-identified information for analytics, operational optimization, security improvement, and platform enhancement purposes.

6. AI Processing and Automated Analysis

The Platform may use artificial intelligence, machine learning systems, automated classification technologies, predictive analytics, and automated report-generation systems to process Customer Data.

Users acknowledge and agree that:

• Uploaded information may be processed by AI systems;
• AI-generated outputs may contain inaccuracies or incomplete assessments;
• AI-generated outputs are intended solely for informational and operational assistance purposes;
• The Platform does not make fully automated legally binding decisions without human review;
• AI-generated outputs do not constitute legal, engineering, medical, regulatory, or professional safety advice.

The Company does not use confidential Customer Data for public AI model training purposes without explicit authorization unless such data has been anonymized, aggregated, or irreversibly de-identified.

7. Legal Basis for Processing

Where required under applicable laws such as GDPR or KVKK, processing activities may rely on one or more lawful bases, including:

• Performance of a contract;
• Compliance with legal obligations;
• Legitimate business interests;
• User consent where required;
• Security and fraud prevention interests;
• Provision of requested services.

Customer organizations acting as Data Controllers remain responsible for identifying lawful bases applicable to Customer Data uploaded to the Platform.

8. Information Sharing and Disclosure

We do not sell personal information.

We may share information only in the following circumstances:

Service Providers and Subprocessors

We may use trusted third-party service providers and subprocessors for:

• Cloud hosting
• Infrastructure services
• Payment processing
• Customer support
• Email delivery
• Security monitoring
• Analytics
• AI processing services
• Data storage

Such providers may process information only as reasonably necessary to provide services to the Company.

Legal Requirements

We may disclose information where required by:

• Applicable laws
• Court orders
• Regulatory authorities
• Governmental requests
• Law enforcement obligations

Business Transfers

Information may be transferred in connection with mergers, acquisitions, restructuring, financing transactions, or asset sales, subject to applicable legal protections.

9. International Data Transfers

The Platform and its service providers may process or store information in multiple jurisdictions.

By using the Platform, Users acknowledge that information may be transferred to and processed in countries outside their own jurisdiction, including jurisdictions that may have different data protection laws.

Where required, the Company may implement commercially reasonable safeguards intended to support lawful international transfers.

Enterprise customers may request additional transfer documentation such as Standard Contractual Clauses (SCCs) where applicable.

10. Data Retention

We retain information for as long as reasonably necessary to:

• Provide services;
• Maintain platform operations;
• Comply with legal obligations;
• Resolve disputes;
• Enforce agreements;
• Maintain security and audit records.

Retention periods may vary depending on:

• Account status;
• Legal obligations;
• Customer instructions;
• Backup cycles;
• Operational needs;
• Regulatory requirements.

The Company may retain certain log records, security information, backup archives, and audit records for legitimate business and legal purposes.

11. Security Measures

The Company implements commercially reasonable administrative, technical, and organizational safeguards intended to protect information processed through the Platform.

Such safeguards may include:

• Encryption measures;
• Access controls;
• Authentication systems;
• Security monitoring;
• Infrastructure protections;
• Backup procedures;
• Internal access restrictions.

However, no platform, network, transmission method, or electronic storage system can be guaranteed as completely secure.

Users acknowledge that cyberattacks, unauthorized access, security incidents, infrastructure failures, or operational disruptions may occur despite reasonable safeguards.

12. User Rights

Depending on applicable laws and jurisdiction, individuals may possess rights regarding their personal information, including:

• Right to access;
• Right to correction;
• Right to deletion;
• Right to restriction of processing;
• Right to object;
• Right to data portability;
• Right to withdraw consent where processing is based on consent.

Requests may be submitted using the contact information provided below.

Where the Company acts solely as a Data Processor on behalf of customer organizations, data subjects may need to direct requests to the relevant customer organization acting as Data Controller.

13. Cookies and Tracking Technologies

The Platform may use cookies, session technologies, authentication technologies, analytics tools, and similar technologies for purposes including:

• User authentication;
• Session management;
• Security;
• Performance optimization;
• Usage analytics;
• Platform functionality.

Users may manage cookie preferences through browser settings where available.

Additional information may be provided through a separate Cookie Policy or cookie consent interface where required by applicable law.

14. Children's Privacy

The Platform is intended solely for business and professional use.

The Platform is not directed toward individuals under the age of 18, and the Company does not knowingly collect personal information from minors.

15. Third-Party Services

The Platform may integrate with or rely upon third-party providers, APIs, hosting services, payment providers, analytics tools, AI service providers, or external integrations.

The Company is not responsible for the independent privacy practices, security practices, or content of third-party services not controlled by the Company.

16. Data Breach Response

In the event of a confirmed security incident involving personal data, the Company may take commercially reasonable measures intended to investigate, mitigate, contain, and respond to the incident.

Where required by applicable law, notifications may be provided to affected parties or regulatory authorities.

Nothing in this Privacy Policy shall be interpreted as a guarantee that security incidents will never occur.

17. User Responsibilities

Users and customer organizations remain solely responsible for:

• Ensuring lawful data collection;
• Obtaining required authorizations;
• Managing employee disclosures;
• Maintaining confidentiality obligations;
• Preventing unauthorized uploads;
• Maintaining appropriate access controls;
• Ensuring lawful international transfers where applicable.

Users shall not upload unauthorized confidential, employer-owned, former employer-owned, client-owned, contractor-owned, or third-party information without lawful authorization.

18. Changes to This Privacy Policy

The Company reserves the right to modify or update this Privacy Policy at any time.

Updated versions become effective upon publication unless otherwise required by applicable law.

Continued use of the Platform after changes become effective constitutes acceptance of the updated Privacy Policy.