Status
Status: Version 1.1 effective 2026-05-14. These revisions are an internal editorial pass intended to make the document complete and accurate. The text remains under outside-counsel review. Material legal positions (entity definition, liability cap carve-outs, GDPR Article 22 disclosures for AI features, Transfer Impact Assessment) are flagged for counsel and may change before final publication.
Who we are
QEHS is a software-as-a-service platform for Quality, Environment, Health, and Safety management. It is currently operated by the founder as a sole proprietorship pending entity formation. The operating entity and contact details will be confirmed in this section before public launch; until that confirmation, the founder is the named controller for all personal data described in this policy.
For all data-protection matters, contact privacy@qehsethos.com. We aim to acknowledge within 2 business days and respond substantively within 30 days, extendable by up to 2 further months for complex requests; we will notify you of any extension and the reason for it within the initial 30 days.
Scope
This policy covers personal data processed by QEHS across the marketing website (qehsethos.com), the product application (app.qehsethos.com and tenant subdomains), our mobile apps, and any support, sales, or community channels we operate.
It does not cover personal data that our customers process inside their tenants — for that, the customer acts as data controller and QEHS as data processor under the Data Processing Addendum (DPA). The DPA governs that relationship and incorporates the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum.
Data we collect
Account identifiers: name, work email, employer name, role, preferred language, authentication credentials (hashed), and multi-factor authentication tokens.
Product telemetry: feature usage, error reports, session metadata, IP address, browser and device identifiers. Used to secure the service and improve product quality.
Support correspondence: messages, attachments, and metadata you provide when contacting hello@qehsethos.com or via the in-product support channel.
Billing metadata: company billing address, VAT or tax identifier, invoice history. Payment card details are handled by Stripe and never touch QEHS systems.
Marketing visitors: cookie and device metadata subject to consent (see Cookie Policy), IP-derived country, and any information you voluntarily submit via forms.
Lawful basis (GDPR Article 6)
Contract: to deliver the product to account holders and respond to support requests.
Legitimate interest: to secure the service, detect fraud, prevent abuse, and improve the product. We balance this interest against your rights and offer opt-outs where appropriate.
Consent: for marketing emails, non-essential cookies, and any optional telemetry. You can withdraw consent at any time without affecting prior processing.
Legal obligation: tax, accounting, and regulatory retention obligations under applicable law.
Special-category data (GDPR Article 9): tenant data may include occupational health and safety information that qualifies as special-category data. Customers are the controller for that data; QEHS processes it on documented instructions only, under the DPA.
Your rights
You have the right to access, rectify, erase, and port your personal data, to restrict or object to its processing, and to lodge a complaint with your supervisory authority. To exercise any right, contact privacy@qehsethos.com.
We will verify your identity before responding to a rights request. If we believe a request is manifestly unfounded or excessive we may charge a reasonable fee or refuse to act, and will tell you why.
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
California residents (CCPA / CPRA)
If you are a California resident, you have these additional rights: the right to know what personal information we collect and how we use it; the right to delete personal information we hold about you; the right to correct inaccurate information; the right to opt out of sale or sharing of personal information; the right to limit the use of sensitive personal information; and the right to non-discrimination for exercising any of these rights.
We do not sell personal information for monetary consideration. We do not knowingly share personal information with third parties for cross-context behavioural advertising.
We honour the Global Privacy Control signal as a legally binding opt-out of sale or sharing under CPRA. See the Cookie Policy for technical details.
To exercise California rights, contact privacy@qehsethos.com with subject line "California Rights Request". We do not require account creation to submit a request. Authorised agents may act on your behalf with written authorisation.
International transfers
At launch, customer data is hosted in the United States on infrastructure operated by Hostinger (VPS) and AWS (object storage). We plan to offer EU-region hosting as a configurable option for Enterprise tenants and will update this policy when that option is generally available.
Cross-border transfers (engineering and support access from outside the data hosting region, or transfers to our sub-processors) rely on the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, or equivalent recognised transfer mechanisms.
A Transfer Impact Assessment covering transfers from the EU/UK to the United States is in preparation. Pending completion, transfers proceed on the basis of the Standard Contractual Clauses alone. The completed assessment will be available on request and published in the Trust Center.
Automated processing and AI features
QEHS includes AI-assisted features for incident classification, anomaly detection, root-cause suggestion, predictive risk scoring, natural-language queries, and report summarisation. Whether a specific feature constitutes solely automated decision-making with legal or similarly significant effects under GDPR Article 22 is currently under legal review. Until that review concludes, all AI outputs are presented as advisory suggestions for human review and are not used to make automated decisions about you.
If a feature is determined to fall within Article 22, we will update this section to identify the feature, the logic involved, the significance and envisaged consequences, and your right to obtain human intervention, express your point of view, and contest the decision.
Children
QEHS is intended for use in workplace and occupational settings and is not directed to children. We do not knowingly collect personal data from anyone under 18. Account creation requires the user to confirm they are 18 or older. If you believe we have collected data from a minor, contact privacy@qehsethos.com and we will delete it.
Visitors to the marketing website (qehsethos.com) without an account are subject to the cookie consent banner, which we display regardless of age. Where local law sets a minimum age for consent to information-society services (between 13 and 16 depending on the EU member state; 13 under COPPA in the United States), we honour that age.
Retention
Tenant data: retained for the life of the subscription plus 90 days after termination, then purged unless a legal hold applies. Customers are responsible for exporting any data subject to mandatory retention obligations (for example, OSHA 29 CFR 1910.1020 medical-records retention, UK RIDDOR records, or other regulatory regimes that apply to the customer) before the 90-day window closes. QEHS does not provide legal advice on customer retention obligations.
Marketing leads: retained for up to 24 months from last interaction, then deleted or anonymised.
Support correspondence: 3 years from closure of the ticket.
Billing records: 7 years to satisfy applicable tax and accounting retention obligations.
Backups: encrypted backups follow a 30-day rolling retention. Personal data that has been deleted from primary storage may persist in backups for up to 30 days until those backups age out of the rotation and are deleted.
EU / UK representative
QEHS is in the process of appointing a GDPR Article 27 representative in the European Union and a UK GDPR Article 27 representative in the United Kingdom. Until appointed, EU and UK data subjects may contact privacy@qehsethos.com directly to exercise rights or raise concerns. The representative contact details will be added to this section before any deliberate marketing or sales activity targeting EU or UK data subjects commences.
Complaints
You have the right to lodge a complaint with a supervisory authority. EU data subjects may contact the data protection authority in their member state or country of habitual residence. UK data subjects may contact the Information Commissioner's Office (ICO). California residents may contact the California Privacy Protection Agency. Brazilian data subjects may contact the Autoridade Nacional de Proteção de Dados (ANPD). Indian data subjects may contact the Data Protection Board of India once it is constituted under the DPDP Act 2023.
We would appreciate the opportunity to address your concerns directly before you involve a regulator — write to privacy@qehsethos.com.
Changes to this policy
We may update this policy to reflect changes in our practices, technology, or law. We will post any material change here, update the "effective date" above, and where the change affects how we process your personal data we will give you reasonable notice (at least 30 days for material changes affecting paid customers) before the change takes effect. Continued use of the service after a posted change means you accept the updated policy.
Contact
For all privacy and data-protection matters: privacy@qehsethos.com.
For general inquiries: hello@qehsethos.com.