How ENSURE collects, uses, and protects your data. Plain language, no surprises.
ENSURE ("we", "us") provides cloud-based Health, Safety & Environment (HSE) management software. This policy explains how we handle personal data of users of our platform and visitors to our website.
If you have any questions, contact us at privacy@ensureqhse.com.
We do not sell your data. We do not use your operational data to train AI models.
Where GDPR applies, we process personal data under the following bases: (a) performance of a contract: to deliver the service you signed up for; (b) legitimate interests: to secure and improve the platform; (c) legal obligation: to comply with applicable law; (d) consent: where you have given it (e.g. marketing).
We share data only with the sub-processors necessary to run the service. Each one is contractually bound to handle data with appropriate security and confidentiality.
| Sub-processor | Purpose | Data region |
|---|---|---|
| Supabase | Database, authentication, file storage, edge functions | EU (eu-west-1, Ireland) |
| Vercel | Web hosting and CDN for the marketing site and app shell | Global edge, primary region: EU |
| Cloudflare | DNS resolution and domain registrar | Global anycast network |
| Resend | Transactional email delivery (notifications, contact form replies) | EU |
| Anthropic | AI features only: hazard analysis (JHA) and SDS extraction. We use the Anthropic API tier; submitted data is not used for model training by default. | United States |
| OpenAI | AI features only: text embeddings for recurrence detection and Ask-ENSURE conversational search, and Legal Register clause extraction. We use the OpenAI API tier; submitted data is not used for model training by default. | United States |
We will notify customers in writing at least 30 days before adding or replacing a sub-processor that has access to customer data. Removing a sub-processor does not require notice.
Data is stored on infrastructure operated by our sub-processors. Where possible, we select EU regions to keep data within the EEA. Transfers outside the EEA, where they occur, are protected by Standard Contractual Clauses.
We retain operational data for as long as your account is active. If you close your account, we delete personal data within 90 days, except where we are legally required to retain it (e.g. invoicing records).
You have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. To exercise these rights, email privacy@ensureqhse.com. You also have the right to lodge a complaint with your local data protection authority.
We use TLS in transit, encryption at rest, row-level security in the database, and a least-privilege access model. No system is perfect. If you discover a vulnerability, please report it to security@ensureqhse.com.
ENSURE is not intended for use by children under 16. We do not knowingly collect data from children.
If we make material changes, we will notify account holders by email and update the "Last updated" date above.