QEHS Ethos — Mobile App Privacy

The QEHS Ethos app collects only what a tenant administrator has configured for the modules you submit records to. Common fields include free-text descriptions, photo evidence, GPS coordinates (when a Composer location field opts into geolocation), audio recordings, and signatures.

Account data: your email address, encrypted password, and a device-bound bearer token are stored in the platform database. The token is hashed (SHA-256); the plain value lives only in the iOS Keychain or Android Keystore on your device.

Diagnostic data: the app does NOT include third-party analytics. Crash reports surface only via the platform server logs (SigNoz), with personally identifiable information redacted before write.

Records you submit through the app are visible inside your tenant workspace to other users with the relevant module-role permissions, exactly as they would be on the web app. The mobile client does not introduce additional sharing surfaces.

Push notifications travel through the Expo push service (https://exp.host), which forwards to Apple Push Notification Service (APNS) on iOS and Firebase Cloud Messaging (FCM) on Android. Push payloads contain a title, body, and deep-link path; sensitive record data is NOT placed in the push payload.

Voice-to-text transcription, when used, sends the audio file to the configured Whisper provider (OpenAI API in default deployments, or a self-hosted whisper.cpp instance on tenant clusters). The audio bytes pass through in-memory and are not persisted by QEHS; the resulting transcript is stored as the field value.

Camera (NSCameraUsageDescription): required to capture incident + observation evidence. Used only when you tap a "Take photo" / "Record video" control.

Photo library: required if you choose to attach existing photos from your gallery. Used only when you tap "Pick from library".

Microphone (NSMicrophoneUsageDescription): required for the audio block + voice-to-text. Used only while a recording is in progress.

Location (NSLocationWhenInUseUsageDescription / ACCESS_FINE_LOCATION): required for Composer fields with geolocation enabled. Used only when you tap "Use my GPS".

No background access is requested. Every permission is opt-in at first use; you can revoke them at any time in iOS Settings → QEHS Ethos, or Android Settings → Apps → QEHS Ethos → Permissions.

Records, drafts, and attachments follow the retention policy your tenant administrator has configured on the web app. The mobile app does not extend this retention.

Drafts: a single in-flight draft per (user, module) lives on the server until you submit or discard it. Local drafts (in MMKV on the device) survive app launches but are wiped when you uninstall or sign out.

Bearer tokens: access tokens expire after 15 minutes; refresh tokens after 30 days (rolling — every refresh extends). Revoking a session on the web invalidates the mobile session immediately.

You have the right to access, correct, delete, port, and restrict processing of your personal data, in line with GDPR (EEA + UK), CCPA / CPRA (California), LGPD (Brazil), and India DPDP 2023. Mobile-specific data is covered by the same rights as the rest of the platform — see the full Privacy Policy at /legal/privacy for the exercise mechanism.

Push tokens can be removed by signing out, uninstalling the app, or revoking the device row from your account settings on the web. Removed tokens stop receiving notifications immediately.

Data Protection Officer: dpo@qehs.com. EU representative + UK representative addresses are listed in the full Privacy Policy.

Mobile-specific issues (push tokens, app crashes, permission prompts): support@qehs.com.