Effective Date: May 06, 2025
Sospita ("we," "us," or "our") is committed to protecting the privacy and security of the data processed through our Digitized Permit to Work and Observation Management System. This Privacy Policy outlines how we collect, use, store, and protect data in compliance with applicable laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant U.S. and European privacy regulations. Our app is designed to facilitate health and safety implementations in industrial facilities, specifically through digitized Permit to Work (PTW) and Observation Management workflows. We do not collect or process personal data directly from individuals; instead, we process organizational data as directed by the subscribing organization.
1. Scope of This Privacy Policy
This Privacy Policy applies to all users of Sospita, including organizations subscribing to our services and their employees who use the app to manage permits and observations. It covers data processed through our mobile and web applications, hosted on Amazon Web Services (AWS) or Google Cloud Platform (GCP), and payment information processed via Apple App Store or Google Play Store.
2. Data We Collect
Our landing page, hosted on Webflow, may place strictly necessary cookies for technical operation and spam prevention. No tracking or marketing cookies are placed without user consent.
We collect and process the following types of data on our App:
2.1 Organizational Data
Subscription Information: Details about the organization’s subscription, such as organization name, billing contact information (e.g., email address for subscription management), subscription plan, and payment status.
Permit to Work (PTW) Data: Data entered by the organization’s employees or management related to work permits, including permit details, approvals, timestamps, attached documents, and safety-related information. This data is controlled and managed by the subscribing organization.
Observation Data: Data submitted by employees regarding safety observations, including descriptions of unsafe conditions, near-misses, or safe practices, along with associated workflows, corrective actions, and analytics. This data is also controlled by the organization.
2.2 Payment Data
App Store Payments: Payment information for subscriptions is processed exclusively through Apple App Store or Google Play Store. We do not collect, store, or process payment details such as credit card numbers or bank account information.
2.3 Technical Data
Usage Data: Non-personal data about how the app is used, such as device type, operating system, app version, and interaction logs, to improve performance and user experience.
Analytics Data: Aggregated and anonymized data derived from PTW and observation activities to provide insights to organizations (e.g., trends in observation types or permit completion times).
2.4 No Personal Data Collected Directly:
We do not collect or process personal data directly from individuals. All PTW and observation data is entered and controlled by the organization, which determines the content and usage of such data. If an organization chooses to include personal data (e.g., employee names in permits or observations), the organization is responsible for ensuring compliance with applicable privacy laws.
2.5 Third-Party Services
Our services integrate with third-party platforms, including Google Maps, to provide map-based location features. Google Maps may collect and process certain technical data (such as IP addresses or location data) in accordance with its own privacy policy. We do not control these third-party cookies or data practices. Please refer to Google’s Privacy Policy for further information.
3. How We Use Data:
We use the collected data for the following purposes:
Service Delivery: To provide and maintain the PTW and Observation Management system, including processing permits, managing observation workflows, and generating analytics for organizations.
Subscription Management: To manage organizational subscriptions, including billing, renewals, and account administration.
App Improvement: To analyze usage data and improve the app’s functionality, performance, and user experience.
Compliance and Security: To ensure compliance with legal obligations and protect the security and integrity of our systems and data.
4. Legal Basis for Processing (GDPR Compliance)
Under the GDPR, we process data based on the following legal grounds:
Performance of a Contract: Processing organizational and subscription data is necessary to fulfill our contract with the subscribing organization (GDPR Art. 6(1)(b)).
Legitimate Interests: We process technical and analytics data to improve our services and ensure system security, where such interests are not overridden by individual rights (GDPR Art. 6(1)(f)).
Compliance with Legal Obligations: We may process data to comply with applicable laws, such as tax or financial regulations (GDPR Art. 6(1)(c)).
As a data processor for PTW and observation data, we act on the instructions of the subscribing organization (the data controller) and do not determine the purposes or means of processing such data.
5. Data Sharing and Third Parties
We do not sell, trade, or share data for marketing purposes. Data may be shared with the following third parties under strict conditions:
Cloud Service Providers: AWS or GCP, which host our app’s data. Both providers comply with GDPR and CCPA requirements, and we have data processing agreements (DPAs) in place to ensure data protection.
Payment Processors: Apple App Store and Google Play Store process all subscription payments. Their privacy policies govern the handling of payment data.
Legal Authorities: We may disclose data if required by law, such as in response to a court order or regulatory request, in compliance with applicable legal standards.
6. Data Storage and Security
Storage Location: Data is stored on secure servers in AWS or GCP, with data centers located in regions compliant with GDPR and U.S. privacy laws. Organizations can select their preferred region during setup.
Security Measures: We implement industry-standard security measures, including encryption (in transit and at rest), access controls, regular security audits, and employee training, to protect data from unauthorized access, loss, or alteration.
Retention: Subscription data is retained for the duration of the organization’s subscription and up to 7 years thereafter to comply with tax and financial regulations. PTW and observation data is retained as instructed by the organization, and we delete such data upon the organization’s request or termination of the subscription, unless legally required to retain it.
7. Your Rights (GDPR and CCPA)
7.1 GDPR Rights (European Users)
If you are an individual in the European Economic Area (EEA), you may have the following rights regarding any personal data processed by the organization through our app:
Access: Request access to your personal data.
Rectification: Request correction of inaccurate data.
Erasure: Request deletion of your data, subject to legal retention requirements.
Restriction: Request restriction of data processing in certain circumstances.
Portability: Request a copy of your data in a structured, machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdraw Consent: Withdraw consent where processing is based on consent (though we do not rely on consent for processing).
To exercise these rights, contact the subscribing organization, as they are the data controller responsible for your data. We will assist the organization in fulfilling such requests as required by GDPR.
7.2 CCPA Rights (California Residents)
If you are a California resident, you may have the following rights under the CCPA:
Know: Request information about the categories and specific pieces of personal information collected, used, or disclosed.
Delete: Request deletion of personal information, subject to exceptions.
Opt-Out: Opt out of the sale of personal information (not applicable, as we do not sell data).
Non-Discrimination: Not be discriminated against for exercising your rights.
As we do not collect personal information directly, please direct CCPA requests to the subscribing organization. We will support the organization in responding to such requests.
7.3 How to Exercise Your Rights
Contact the subscribing organization directly to exercise your rights. If you contact us, we will refer your request to the organization or provide their contact details. You may also contact us at [insert contact email] for assistance.
8. International Data Transfers
For organizations outside the EEA, data may be transferred to AWS or GCP servers in the United States or other regions. We ensure such transfers comply with GDPR through:
Standard Contractual Clauses (SCCs): Incorporated into our DPAs with AWS and GCP.
Adequacy Decisions: Where applicable, relying on EU adequacy decisions for certain regions.
Security Safeguards: Robust encryption and access controls for all data transfers.
9. Children’s Privacy
Our app is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If an organization includes data about children, it is their responsibility to comply with applicable laws, such as the Children’s Online Privacy Protection Act (COPPA) in the U.S.
10. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify organizations of significant changes via email or in-app notifications at least 30 days before the changes take effect. The updated policy will be posted on our website at www.sospita.io/privacy.
11. Contact Us
For questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:
SOSPITA Yazılım Limited Şirketi
info@sospita.io
For GDPR purposes, our Data Protection Officer can be reached at the above email. For CCPA inquiries, please use the same contact information.
12. Complaints
If you are in the EEA and believe we have not addressed your concerns, you have the right to lodge a complaint with a supervisory authority in your country of residence. A list of EU data protection authorities is available at edpb.europa.eu. For California residents, you may contact the California Attorney General at oag.ca.gov.
This Privacy Policy is designed to ensure transparency and compliance with both European and U.S. privacy laws while reflecting the specific nature of Sospita’s operations.
1. PARTIES
This Distance Sales Agreement is executed electronically between the following parties:
BUYER:
Name/Company:
Address:
Phone:
Email:
SELLER:
Company: SOSPITA Yazılım Limited Şirketi
Address: Talaytepe Mah. 4035. Sok. Sunrise Garden Sitesi H blok No:27 Kayapınar/Diyarbakır
Phone: +90 555 462 21 94
Email: info@sospita.io
Company Reg. No: 48415
Tax No: 7750985110
By confirming this agreement, the BUYER acknowledges and accepts the obligation to pay the service fee and applicable taxes.
2. DEFINITIONS
Ministry: The Ministry of Trade of the Republic of Türkiye
Law: Law No. 6502 on Consumer Protection
Regulation: Regulation on Distance Contracts
Service: Subscription-based access to SaaS
Agreement: This Distance Sales Agreement
SaaS: Software as a Service
Website: www.sospita.io
3. SUBJECT OF THE AGREEMENT
This agreement regulates the rights and obligations regarding the subscription-based software service ordered by the BUYER via the SELLER’s website or mobile application.
4. SERVICE DETAILS
Service: Digital Permit to Work and Observation Management System
Delivery: Online account activation
Duration: Monthly / Annual subscription
License: Non-transferable; only valid for the subscribing user or organization
5. SERVICE FEE AND INVOICE
Service Fee: [VAT included ₺/€/USD]
Payment Method: Credit card / digital store
Invoice: Sent electronically
6. DELIVERY AND ACCESS
Delivery is completed via account activation. No physical delivery is made.
7. RIGHT OF WITHDRAWAL
The BUYER loses the right of withdrawal once access to the digital service is provided (Regulation Art.15/ğ). If no access has been granted, withdrawal is permitted within 14 days.
8. NON-WITHDRAWAL CONDITIONS
If access to the digital service has already been provided, the withdrawal right cannot be exercised.
9. DEFAULT AND LEGAL CONSEQUENCES
In case of non-payment, the BUYER accepts liability for any interest and legal obligations per their agreement with their financial institution.
10. JURISDICTION
Disputes shall be resolved by Consumer Arbitration Committees or Consumer Courts located in the BUYER’s place of residence.
11. ENFORCEMENT
By confirming this agreement online, the BUYER is deemed to have accepted all its provisions.
Sospita offers digital software services through a subscription-based model.
Users can subscribe to monthly or annual plans via our website or mobile applications.
Delivery of Services: Upon successful payment, users gain immediate access to the subscribed software plan. No physical delivery is involved.
Right of Withdrawal: In accordance with consumer protection laws, individual users (non-commercial) may cancel their subscription within 14 days of purchase, provided they have not used the service beyond basic login and viewing.
Cancellation Policy:
Subscriptions may be cancelled at any time through the user account panel.
Cancelled subscriptions will not renew for the next billing cycle.
No refunds are provided for partial use or mid-cycle cancellations.
Renewals & Billing: Subscriptions automatically renew unless cancelled. Users will be notified before renewal and can manage their billing settings.
Commercial Clients: Custom contracts may apply for organizations. Please refer to your enterprise agreement or contact us.
SOSPITA Yazılım Limited Şirketi (“SOSPITA”, “we”, “us”, or “our”) is committed to protecting personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK), and other relevant legislation. This policy outlines how we collect, use, store, and protect personal data:
1. Data Controller
SOSPITA Yazılım Limited Şirketi acts as the data controller for personal data collected during the provision of our services.
2. Purposes of Processing
Personal data may be processed for:
Providing and improving our software and services
Customer support and communication
Compliance with legal obligations
Security and fraud prevention
3. Legal Basis for Processing
We rely on the following legal bases to process personal data:
Performance of a contract
Compliance with legal obligations
Legitimate interests
Consent (where required)
4. Data Transfers
We may transfer personal data to servers hosted within Türkiye, the EU, or other jurisdictions that provide adequate protection, in line with data protection laws.
5. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect personal data against unauthorized access, loss, or alteration.
6. Data Retention
Personal data is retained only as long as necessary to fulfill the purposes described above, or as required by applicable law.
7. Data Subject Rights
Data subjects may exercise their rights of access, rectification, erasure, objection, or data portability by contacting us at info@sospita.io.
8. Contact
For any questions or concerns about this policy, please contact:
SOSPITA Yazılım Limited Şirketi
info@sospita.io