Privacy Policy

1. Who we are

ENSURE ("we", "us") provides cloud-based Health, Safety & Environment (HSE) management software. This policy explains how we handle personal data of users of our platform and visitors to our website.

If you have any questions, contact us at privacy@ensure-hse.com.

2. Data we collect

Account data

• Name, email address, role, and company you are associated with
• Authentication credentials (handled by our identity provider, Supabase Auth)

Operational data

• Records you create in the platform: incidents, CAPAs, NCRs, risk assessments, JHAs, permits, training records, inspections, KPIs, chemicals, contractors, and related attachments
• Timestamps and audit trail for changes you make

Technical data

• IP address, browser type, device, and pages visited (for security and abuse prevention)
• Cookies strictly necessary for authentication and session management

3. How we use your data

• To provide the service and the features you sign up for
• To authenticate you and keep your account secure
• To communicate with you about your account, security issues, and service updates
• To comply with our legal obligations

We do not sell your data. We do not use your operational data to train AI models.

4. Legal basis (GDPR)

Where GDPR applies, we process personal data under the following bases: (a) performance of a contract — to deliver the service you signed up for; (b) legitimate interests — to secure and improve the platform; (c) legal obligation — to comply with applicable law; (d) consent — where you have given it (e.g. marketing).

5. Sharing and sub-processors

We share data only with sub-processors necessary to run the service:

• Supabase — database, authentication, storage, and edge functions
• Vercel — web hosting
• Resend — transactional email delivery

Each sub-processor is contractually bound to handle data with appropriate security and confidentiality.

6. Where your data is stored

Data is stored on infrastructure operated by our sub-processors. Where possible, we select EU regions to keep data within the EEA. Transfers outside the EEA, where they occur, are protected by Standard Contractual Clauses.

7. Retention

We retain operational data for as long as your account is active. If you close your account, we delete personal data within 90 days, except where we are legally required to retain it (e.g. invoicing records).

8. Your rights

You have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. To exercise these rights, email privacy@ensure-hse.com. You also have the right to lodge a complaint with your local data protection authority.

9. Security

We use TLS in transit, encryption at rest, row-level security in the database, and a least-privilege access model. No system is perfect — if you discover a vulnerability, please report it to security@ensure-hse.com.

10. Children

ENSURE is not intended for use by children under 16. We do not knowingly collect data from children.

11. Changes to this policy

If we make material changes, we will notify account holders by email and update the "Last updated" date above.