Privacy Policy

Key facts: We collect only what is necessary to operate the service. We never sell your data. You can request deletion at any time. Data is stored on Render and Neon infrastructure with encryption at rest. We never use your data for advertising or AI model training.

1. Data we collect

Account data

Name, email address, phone number, role, organisation name. Collected when you register or are added by your Tenant Admin.

HSE operational data

Hazards, incidents, NCRs, corrective actions, audit records, permits, observations, toolbox talks, and other HSE records you create within the Platform. This data belongs to you and your organisation.

HR / Workforce data

Employee profiles, attendance records, leave requests, training records, performance evaluations, payroll data, and contractor information you create within the Workforce workspace. Sensitive HR fields (salary, bank details, statutory IDs) are encrypted at rest.

Usage data

Page views, feature usage, login timestamps, IP addresses, and device/browser information. Used for security monitoring, abuse prevention, and product improvement only.

2. How we use your data

To provide and operate the OpsLix platform across HSE and HRM workspaces
To send incident escalation, training reminders, and HR notifications via email and (where enabled) SMS or WhatsApp
To generate operational analytics and reports within your tenant account
To diagnose technical issues when you request support (with your explicit approval)
To comply with legal and regulatory obligations

We do not use your data for advertising, third-party marketing, or AI model training.

3. Data sharing

We share your data only with the following sub-processors, each bound by data processing agreements:

Render — cloud application hosting
Neon — managed PostgreSQL database
Cloudflare — CDN, DDoS protection, edge security
Twilio (SendGrid) — transactional email delivery

We do not share data with any other third parties. We do not sell data under any definition (including the CCPA broad definition of "sale").

4. Your rights

Depending on your jurisdiction, you have the right to:

Access the personal data we hold about you
Correct inaccurate or incomplete data
Request deletion of your data (right to erasure)
Export your data in a portable format
Object to or restrict processing in certain circumstances
Withdraw consent where processing is based on consent
Lodge a complaint with your local data protection authority

Submit requests to privacy@safetyproworld.com. We respond within 30 days.

5. Data retention

Active tenant data is retained for the duration of your subscription. On account termination, data is retained for 30 days for export, then permanently deleted. Audit logs and security records are retained for 5 years to comply with regulatory requirements (including ISO 27001 and SOC 2 evidence).

6. Security

We implement industry-standard security measures including:

TLS 1.3 encryption for all data in transit
AES-256 encryption for data at rest, with field-level encryption for sensitive HR data (salary, bank details, statutory IDs)
JWT-based authentication with short-lived access tokens and rotating refresh tokens
Step-up authentication for sensitive workspaces (Workforce, Admin) and sensitive actions (payroll, audit findings, incident investigations)
Row-level security on all tenant data
Role-based access control with comprehensive audit logging
Regular security assessments; ISO 27001 and SOC 2 certifications in progress

7. Regional compliance

EU / UK: GDPR / UK GDPR — we act as Data Processor. Standard Contractual Clauses for cross-border transfers. DPA available on request.
India: DPDP Act 2023 — we follow data fiduciary obligations including notice, consent, and breach reporting.
Saudi Arabia: PDPL — data transfers comply with PDPL cross-border requirements.
UAE: Federal PDPL and DIFC / ADGM data protection frameworks where applicable.
USA: CCPA / CPRA, state privacy laws, and (where applicable) HIPAA for healthcare tenants.
Singapore: PDPA. Australia: Privacy Act 1988. Brazil: LGPD.

8. Data residency

OpsLix is committed to providing regional data residency where required by law or by tenant procurement. For tenants with strict data residency requirements (e.g., Saudi Arabia data must remain in-region), contact us at enterprise@safetyproworld.com for regional hosting options.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Tenant Admins at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

10. Contact

Data Protection queries: privacy@safetyproworld.com