Privacy Policy

3.1 When We Are Data Controller

We act as controllers for: marketing and lead data, website visitor analytics, social media interactions, our own employees’ data, and account-level business contact data.

• •Privacy inquiries & rights requests: privacy@dosasafety.com
• •Legal notices: legal@dosasafety.com
• •Mailing: 2215 Independence Dr, Suite 6101, New Braunfels, TX 78132, United States
• •EU Representative (GDPR Art. 27): legal@dosasafety.com
• •UK Representative (UK GDPR Art. 27): legal@dosasafety.com
• •Data Protection Officer (DPO): legal@dosasafety.com
• •Brazil LGPD DPO (Encarregado): legal@dosasafety.com
• •India DPDPA Grievance Officer: legal@dosasafety.com
• •South Africa Information Officer (POPIA): legal@dosasafety.com

4.1 Worker & Employee Personal Data [Processor Role]

• •Identity data: full name, employee ID, job title, department, site/facility location
• •Contact data: work email, work phone, emergency contact information
• •Occupational health data: injury and illness details, body parts affected, medical treatment received, work restrictions, return-to-work status
• •Safety training records: certifications held, training completion status, competency assessments
• •Behavioral / observation data: safety observations, near-miss reports, behavioral safety assessments
• •Contractor and visitor data: name, company, site access records, induction completions
• •Biometric / access data [if applicable]: site access card identifiers, electronic signatures on safety documents

4.2 Safety Incident & Injury Records [OSHA-Regulated]

• •Incident type, date, time, and location (GPS coordinates if submitted)
• •Description of events, root cause analysis, and corrective actions
• •Injury/illness classification (recordable, first aid, lost time, restricted duty, fatality)
• •Medical details: diagnosis, treatment type, physician/medical facility (where provided)
• •Workers' compensation claim references
• •Witness statements and investigation findings
• •Photos, videos, and attachments uploaded to incident records
• •OSHA Form 300, 300A, and 301 equivalents generated by the Platform

4.3 Equipment Inspection & Audit Logs

• •Equipment identifiers: asset ID, serial number, equipment type, location
• •Inspection results: pass/fail status, deficiency descriptions, severity ratings
• •Inspector identity and credentials; corrective action assignments and completion timestamps
• •Regulatory permit references (pressure vessel certificates, crane inspection certs, etc.)
• •Audit findings, non-conformance reports, and remediation plans
• •Timestamped digital signatures on inspection records

4.4 OSHA / Regulatory Compliance Data

• •OSHA 300 Log entries, 300A summaries, and 301 incident reports
• •Regulatory inspection records and citation histories
• •Permit-to-work and job hazard analysis documentation
• •Chemical / MSDS / SDS records and hazardous substance inventories
• •EHS program documentation; CAPA tracking; Management of Change (MOC) records

4.5 Account & Platform User Data

• •Account registration: name, work email, job title, organization name
• •Authentication credentials: password (hashed/salted), MFA tokens
• •Platform activity logs: login timestamps, features accessed, records created/modified, export activity
• •Role-based permission assignments; API access keys and integration configurations

4.6 Lead-Generation & Marketing Contact Data [Controller Role]

• •Contact form submissions: name, work email, company, job title, phone number, inquiry details
• •Demo and free-trial requests: organization type, industry sector, employee count, use case
• •Downloadable content gating: name, email, company, role
• •Webinar and event registrations
• •Social media interactions: profile handles, comments, direct messages, reactions on our official pages
• •Email marketing engagement: open rates, click-through rates, unsubscribe actions (pseudonymized)
• •Advertising platform data: LinkedIn Lead Gen Forms, Meta Lead Ads, Google Ads conversion data

5.1 EU / UK GDPR Lawful Bases

• •Contract performance (Art. 6(1)(b)): Platform delivery, account management, subscription billing, Customer onboarding
• •Legitimate interests (Art. 6(1)(f)): Fraud prevention, platform security, product improvement, B2B direct marketing to existing contacts — subject to documented balancing tests
• •Legal obligation (Art. 6(1)(c)): Tax compliance, financial records, lawful government requests; supporting Customers' OSHA recordkeeping obligations
• •Consent (Art. 6(1)(a)): Email marketing to new prospects, non-essential cookies, retargeting advertisements
• •Special-category data (Art. 9(2)(b)): Processing occupational health and injury data necessary for the Customer's obligations in employment and social security law

6.1 Platform Operations (Processor Role)

• •Hosting, storing, and retrieving safety records, incident reports, inspection logs, and compliance documentation
• •Powering dashboards, analytics, trend analysis, and regulatory reporting features
• •Generating OSHA 300/300A/301 logs and equivalent compliance reports
• •Sending automated platform notifications: overdue inspections, corrective action deadlines, compliance calendar reminders
• •Enabling data export for Customers to fulfill their own regulatory reporting obligations
• •Facilitating audit trails and tamper-evident recordkeeping for regulatory purposes

6.2 Our Own Business Operations (Controller Role)

• •Managing user accounts, subscriptions, and billing
• •Providing customer support and platform onboarding
• •Sending platform service communications (security alerts, maintenance notices, policy updates)
• •Conducting product analytics to improve features and user experience (pseudonymized)
• •Fraud detection, security monitoring, and abuse prevention
• •Complying with legal and regulatory obligations

8.1 Within Customer Organizations

Platform data is accessible to authorized users within that Customer organization as configured by the Customer. DoSA Safety Enhancements Inc has no control over internal sharing decisions.

8.2 Service Providers & Sub-Processors

Vetted vendors operating under DPAs, including: cloud infrastructure (AWS/GCP/Azure), payment processors (PCI-DSS Level 1 certified), email delivery, CRM and marketing automation, customer support tooling, analytics providers, and security monitoring. Full sub-processor list at dosasafety.com/sub-processors.

8.3 Regulatory & Legal Authorities

We may disclose data when required by valid legal process. We will notify the relevant Customer of such requests to the extent permitted by law. Customers remain solely responsible for their own regulatory disclosure obligations.

8.4 Business Transfers

In a merger, acquisition, or asset sale, safety and personal data may be transferred. Customers will receive at least 60 days’ notice, with the right to export and delete their data before transfer.

11.1 Workers & Individual Users (via Your Employer)

If your employer uses DoSA Safety to manage your safety records, your employer is the data controller for that data. To exercise your data rights regarding your incident records, training history, or safety observations, please contact your employer’s EHS or HR team directly.

11.2 EU / UK Users (GDPR / UK GDPR)

• •Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17 — subject to OSHA retention), Restriction (Art. 18)
• •Data Portability (Art. 20): receive your data in structured machine-readable format
• •Object to processing (Art. 21): including direct marketing (absolute right)
• •Withdraw consent at any time without affecting prior lawful processing
• •Complaint to your national supervisory authority (e.g., ICO in UK)

Response time: 30 days (extendable by 60 days for complex requests).

11.3 California Residents (CCPA / CPRA)

• •Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale/Sharing (we do not sell PI)
• •Right to Limit Use of Sensitive PI; Right to Non-Discrimination
• •Authorized Agent requests accepted at privacy@dosasafety.com

Response time: 45 days (one 45-day extension with notice).

11.4 Other Jurisdictions

• •Brazil (LGPD): Access, correction, anonymization, portability, deletion — complaint to ANPD
• •Canada (PIPEDA / Law 25): Access, correction, withdrawal of consent — complaint to OPC
• •Australia (Privacy Act): Access, correction — complaint to OAIC
• •South Africa (POPIA): Access, correction, deletion, objection — complaint to the Information Regulator
• •India (DPDPA): Access, correction, erasure — grievance redressal via Grievance Officer