Sospita Privacy Policy


Effective Date: May 06, 2025
SOSPITA Yazılım Limited Şirketi (“Sospita”, “we”, “us”, “our”) is committed to protecting personal data and ensuring compliance with the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK), and other applicable privacy regulations.
This Privacy Policy explains how we collect, use, store, and protect personal data processed through our Sospita-SafeGuard platform, including e-Permit-to-Work, Risk Assessment, and Observation Management workflows.

1. Roles Under GDPR

1.1 Sospita as Data Processor (Platform Data)

For all data entered into the Sospita-SafeGuard platform (PTW, risk assessments, observations, user accounts), Sospita acts as a Data Processor.
The subscribing organization acts as the Data Controller and determines what data is processed and for what purpose.

1.2 Sospita as Data Controller (Website, Marketing, Billing)

We act as a Data Controller for:
* Website visitors
* Support inquiries
* Demo requests
* Marketing communication
* Billing and subscription administration

2. Personal Data We Process

2.1 Platform Users (On behalf of the Organization)

- Name, surname
- Email address
- Role (admin, user)
- Organization affiliation
- Account activity and audit logs
- Workflow actions (permits, approvals, observations, comments)
- Uploaded documents/photos (if included in PTW or observation records)

All such data is determined and controlled by the subscribing organization.

2.2 Technical and Security Data

Collected automatically during platform use:
- IP address
- Device/browser type
- Operating system
- Login times
- Error logs and performance metrics

Used to secure, maintain, and improve the platform.

2.3 Payment and Subscription Data

- Organization contact details
- Subscription plan
- Billing information
Payments are handled via:
- IYZICO
- Apple App Store
- Google Play Store
We do not process credit card or bank information.

2.4 Website Cookies & Analytics

- Essential cookies (no consent required)
- Google Analytics (IP anonymized; no personal data tracking)

See our Cookie Notice for details.

3. Purposes of Processing

We process data to:
* Provide and operate the Sospita-SafeGuard platform
* Authenticate users and enforce access control
* Execute PTW, RA, and observation workflows
* Maintain audit trails and safety compliance
* Improve performance and reliability
* Manage customer subscriptions and provide support
* Comply with legal and regulatory obligations
* Ensure system security and prevent fraud

No data is sold or shared for advertising.

4. Legal Bases for Processing (GDPR)

Platform (Processor role)

* Performance of a contract (Art. 6(1)(b))
* Legitimate interest of the Controller for safety management (Art. 6(1)(f))
* Legal obligation where applicable (incident reporting, safety records)

Website & Marketing (Controller role)

* Consent (non-essential cookies)
* Legitimate interest (security, analytics, communication)

5. Data Hosting & International Transfers

EU-Only Hosting for Platform Data

All platform data is stored exclusively in the European Union, using:
* Amazon Web Services (AWS) – EU (Frankfurt & Ireland)
* Google Cloud Storage – EU region

Backups remain inside the EU.
We do not transfer platform data outside the EEA unless explicitly requested by the customer and protected by Standard Contractual Clauses (SCCs).

6. Subprocessors

Sospita uses the following GDPR-compliant service providers:

Infrastructure

AWS Europe – hosting, compute, database
GCP Europe – media storage

Email Delivery

SendGrid – transactional emails

Analytics

Google Analytics (basic, IP anonymization enabled)

Subprocessors are listed and updated at www.sospita.io/legal#subprocessors-en

7. Data Security

We employ industry-standard security measures, including:
* Encryption in transit (TLS 1.2/1.3)
* Encryption at rest (AES-256)
* Role-based access control (RBAC)
* Multi-tenant data isolation
* Secure authentication and password hashing
* Audit logs for all workflow actions
* Daily encrypted backups (EU-only)
* Least-privilege administrative access

8. Data Retention

Platform Data

* Retained for the duration of the organization’s subscription
* Deleted or returned within 60 days after termination
* Backups retained for 30 days
* Audit logs retained for 2 years

Website Data

* Contact form submissions: up to 12 months
* Cookie data: per cookie policy

Retention can be adjusted per the Controller’s written instructions.

9. Data Subject Rights

If your organization uses Sospita-SafeGuard, you may request through your employer:
* Access to your data
* Correction of inaccurate data
* Deletion (subject to safety/legal retention)
* Restriction of processing
* Portability
* Objection to processing

Sospita supports the Controller in fulfilling these requests.
To assist, contact: info@sospita.io

10. Data Breach Notification

In the event of a personal data breach affecting the platform:
* Sospita will notify the Data Controller without undue delay and within 72 hours of becoming aware of the breach.
* We will provide details on scope, impact, risks, and mitigation steps.

11. Changes to This Policy

We may update this Privacy Policy to reflect legal or operational changes.
Significant changes will be communicated to organizations at least 30 days before they take effect.
Updated versions will always be available at: www.sospita.io/legal#privacy-en

12. Contact Information

SOSPITA Yazılım Limited Şirketi
Email: info@sospita.io

Distance Sales Agreement (SaaS Service)


This Distance Sales Agreement (“Agreement”) is made electronically between the following parties, in accordance with the Turkish Law on Consumer Protection No. 6502 and the Regulation on Distance Contracts, and is applicable to international buyers as well.

1. PARTIES


BUYER:
The individual or legal entity completing the online subscription order through the Sospita website or mobile applications. Buyer details (name, address, phone, email) are collected at checkout and form part of this Agreement.
By approving this Agreement electronically, the Buyer acknowledges the obligation to pay the subscription fee and applicable taxes.

SELLER:
Company: SOSPITA Yazılım Limited Şirketi
Address: Talaytepe Mah. 4035. Sok. Sunrise Garden Sitesi H blok No:27 Kayapınar/Diyarbakır
Phone: +90 555 462 21 94
Email: info@sospita.io
Company Reg. No: 48415
Tax No: 7750985110

By confirming this agreement, the BUYER acknowledges and accepts the obligation to pay the service fee and applicable taxes.

2. DEFINITIONS
Ministry: The Ministry of Trade of the Republic of Türkiye
Law: Law No. 6502 on Consumer Protection
Regulation: Regulation on Distance Contracts
Service: Subscription-based access to SaaS
Agreement: This Distance Sales Agreement
SaaS: Software as a Service
Website: www.sospita.io

3. SUBJECT OF THE AGREEMENT
This Agreement regulates the rights and obligations of the parties in relation to the Buyer’s subscription to the digital software service offered by the Seller (SOSPITA-SafeGuard) through the Seller’s website or mobile applications.

4. SERVICE DETAILS
Service: Digital Permit to Work (PTW), Risk Assessment, and Observation Management SaaS Platform
Delivery Method: Online account activation—no physical delivery
Subscription Term: Monthly or annual plans
License: Non-transferable; valid only for the subscribing individual or organization

5. SERVICE FEE AND INVOICE
Subscription Fee: As displayed on the checkout page (VAT included)
Payment Method: Credit card, online payment systems, or app store purchases
Invoice: Delivered electronically to the Buyer’s email address

6. DELIVERY AND ACCESS
Once payment is successfully completed, service delivery is fulfilled by activating the Buyer’s account. No physical shipment is made.

7. RIGHT OF WITHDRAWAL
According to Article 15/ğ of the Regulation on Distance Contracts:
* The Buyer loses the right of withdrawal once access to the digital service is provided.
* If access has not been granted, the Buyer may withdraw within 14 days of purchase.

International buyers: These terms apply except where local mandatory consumer rights provide additional protection.

8. CASES WHERE WITHDRAWAL IS NOT POSSIBLE
The right of withdrawal cannot be exercised if:
* The Buyer’s account has already been activated
* The Buyer has accessed or used the digital service

9. BUYER DEFAULT AND LEGAL CONSEQUENCES
In cases of non-payment or payment reversal, the Buyer is responsible for any interest, banking charges, or legal consequences arising from their financial institution.

10. DISPUTE RESOLUTION
For Buyers in Türkiye:
Disputes will be handled by Consumer Arbitration Committees or Consumer Courts located in the Buyer’s place of residence.
For international Buyers:
Disputes shall be resolved under the applicable consumer laws of the Buyer’s country, unless mandatory law dictates otherwise. Disputes shall be resolved by Consumer Arbitration Committees or Consumer Courts located in the BUYER’s place of residence.

11. ENFORCEMENT
By confirming this Agreement electronically during the subscription process, the Buyer agrees to all its terms. This Agreement is stored electronically and made available upon request.

Subscription & Cancellation Policy


Effective Date: 2025-05-08
Sospita-SafeGuard is a subscription-based digital platform offering AI-powered Permit to Work, Risk Assessment, and Observation Management services. This policy explains subscription terms, renewals, cancellations, and refund rules applicable to individual and organizational users.

1. Delivery of Digital Services
Upon successful payment, users receive immediate access to their selected subscription plan through the web or mobile application.
No physical product is delivered.

2. Subscription Plans
Users may subscribe to:
* Monthly plans
* Annual plans
* Enterprise plans (custom contract required)
Prices are displayed in EUR unless otherwise stated. VAT may apply based on the customer’s location.

3. Automatic Renewal
All subscriptions renew automatically at the end of each billing period unless cancelled before the renewal date.
We send renewal reminders (where legally required) before charging the next cycle.

4. Payment Methods
Depending on the platform, payments may be processed through:
* Apple App Store
* Google Play Store
* Credit card providers
* Bank transfer (for Enterprise plans)
All payments are handled securely by certified payment processors.

5. Right of Withdrawal (EU & UK Consumers)
In accordance with the EU Consumer Rights Directive (CRD):
Individual (non-business) consumers may cancel their subscription within 14 days of purchase provided they have not substantially used the service.
Simple login or viewing does not count as substantial use.
Once the service is actively used (creating permits, uploading data, inviting users, etc.), the right of withdrawal no longer applies.
Organizational and commercial customers are not eligible for the 14-day withdrawal right.

6. Cancellation Policy
Users may cancel anytime via the account dashboard.
* Cancellation prevents future renewals.
* No refunds are issued for the current billing cycle.
* Access continues until the end of the current period.
Enterprise clients follow the terms in their custom agreement.

7. Refund Policy
Refunds are only issued in the following cases:
* Duplicate payments
* Technical failures directly caused by Sospita preventing service access and not resolved within a reasonable time
* Legally required consumer refund obligations
Refunds are not provided for:
* Mid-cycle cancellations
* Lack of use
* Incorrect plan purchases
* Requests after service was substantially used

8. Free Trials
If a free trial is offered:
* No charges are made until the trial ends
* Users may cancel anytime during the trial to avoid billing
* Once billed, the refund rules above apply

9. Data Retention After Cancellation
After subscription termination:
* User access ends at the end of the billing cycle
* Organizations may request data export
* Data is retained for up to 90 days unless otherwise required by law
* Enterprise clients may negotiate custom retention terms

10. Contact
For subscription or billing questions:
Email: info@sospita.io

Personal Data Protection Policy — SOSPITA


SOSPITA Yazılım Limited Şirketi (“SOSPITA”, “we”, “us”, or “our”) is committed to protecting personal data in compliance with the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK), and other applicable privacy laws.
This Privacy Policy explains how we collect, use, store, and protect personal data when providing our software and services.

1. Roles Under GDPR

1.1 Data Processor
For personal data processed through the SOSPITA-SafeGuard platform (Permit-to-Work, Risk Assessments, Observations), SOSPITA acts as a Data Processor. Our customers (organizations using Sospita-SafeGuard) act as Data Controllers and determine the purposes and means of processing.

1.2 Data Controller
SOSPITA acts as a Data Controller only for:
- Website visitors
- Demo / trial requests
- Marketing communication
- Vendor and partner relationships

2. Categories of Personal Data Processed

Depending on how the user interacts with our services, we may process:

Platform (Sospita-SafeGuard)

- Name, surname
- Email address
- Organizational role (admin, user)
- Login timestamps and audit logs
- Permit, risk assessment, checklist, and observation records created by users
- Files uploaded to the platform (photos, documents, etc.)
- Device information for security logging

Website & Marketing

- Name and contact details submitted through forms
- IP address and browser information (via cookies — see Cookie Notice)

We do not process special categories of data (health data, biometrics, etc.) unless explicitly provided by the customer for operational purposes.

3. Purposes of Processing

We process personal data for:

Platform Operations

* Providing, customizing, and improving the Sospita-SafeGuard platform
* User authentication and access control
* Workflow execution (PTW, Risk Assessments, Observations)
* Security logging, auditing, and fraud prevention
* Backup and disaster recovery

Customer Relationship

* Account creation and support
* Billing and subscription management
* Service notifications and updates

Legal Compliance

* Fulfilling regulatory obligations (e.g., safety recordkeeping requirements)
* Responding to lawful requests by authorities

4. Legal Basis for Processing

We process personal data under:

For Sospita-SafeGuard platform

* Performance of a contract (GDPR Art. 6(1)(b))
* Legitimate interest of the customer to manage workplace safety processes (GDPR Art. 6(1)(f))

For website and marketing

* Consent (GDPR Art. 6(1)(a)) when required
* Legitimate interest for essential analytics and service improvement

5. Data Hosting and Transfers

All platform data is hosted exclusively in the European Union using secure cloud infrastructure (AWS Europe).
Backups are stored in the same region.
We do not transfer customer data outside the EU unless:
* the customer explicitly requests it, or
* adequate safeguards are in place (Standard Contractual Clauses or equivalent).

6. Subprocessors

To deliver our services, we use carefully selected subprocessors such as:
* Amazon Web Services (AWS) – EU-based cloud hosting
* Google Cloud Storage – media storage (EU region)
* Email service providers (e.g., SendGrid / AWS SES)
* Payment providers (e.g., Iyzico, Stripe if applicable)
* Analytics/security monitoring tools

A full list is available upon request and will be updated transparently.
All subprocessors are bound by GDPR-compliant data protection agreements.

7. Data Security

We implement robust administrative, technical, and physical safeguards, including:
* Encryption in transit (TLS 1.2/1.3)
* Encryption at rest (AES-256)
* Role-based access control (RBAC)
* Multi-tenant isolation
* Secure authentication
* Regular backups and redundancy
* Audit logs and access monitoring
* Security patching and vulnerability management

8. Data Retention

We retain personal data:
* As long as the customer account remains active
* As required by law or safety recordkeeping obligations
* As necessary to resolve disputes or enforce agreements

After termination, we delete or anonymize customer data following a documented retention schedule unless the Data Controller instructs otherwise.

9. Data Subject Rights

Data subjects have the right to:
* Access their personal data
* Request correction or deletion
* Restrict or object to processing
* Request data portability

Requests must be submitted via the customer organization (Data Controller).
SOSPITA will support the controller in fulfilling these requests.
You may contact us for assistance at info@sospita.io.

10. Breach Notification

In case of a personal data breach, SOSPITA will:
* Notify the Data Controller without undue delay
* Assist the Controller in meeting GDPR’s 72-hour notification obligation
* Provide details of impact, risks, and mitigation measures
11. Contact

SOSPITA Yazılım Limited Şirketi
Email: info@sospita.io

SOSPITA Subprocessor List


1. Hosting & Infrastructure
Amazon Web Services (AWS) Europe
Purpose: Application hosting, database, backups
Region: EU (Frankfurt, Ireland)
Google Cloud Platform (GCP) – EU Region
Purpose: Media file storage
Region: EU

2. Email & Communication
SendGrid
Purpose: Transactional emails
Location: EU-compliant under SCCs

3. Analytics
Google Analytics (Basic)
Purpose: Anonymous usage statistics
Notes: IP anonymization enabled; no personal data tracking

4. Other subprocessors (if used during support)
* GitHub (source code)
* Slack / Teams (internal support communication)
These services do not store production data unless explicitly provided by the customer.