Sospita Privacy Policy

Effective Date: May 06, 2025

Sospita ("we," "us," or "our") is committed to protecting the privacy and security of the data processed through our Digitized Permit to Work and Observation Management System. This Privacy Policy outlines how we collect, use, store, and protect data in compliance with applicable laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant U.S. and European privacy regulations. Our app is designed to facilitate health and safety implementations in industrial facilities, specifically through digitized Permit to Work (PTW) and Observation Management workflows. We do not collect or process personal data directly from individuals; instead, we process organizational data as directed by the subscribing organization.

1. Scope of This Privacy Policy

This Privacy Policy applies to all users of Sospita, including organizations subscribing to our services and their employees who use the app to manage permits and observations. It covers data processed through our mobile and web applications, hosted on Amazon Web Services (AWS) or Google Cloud Platform (GCP), and payment information processed via Apple App Store or Google Play Store.

2. Data We Collect

We collect and process the following types of data:

2.1 Organizational Data

  • Subscription Information: Details about the organization’s subscription, such as organization name, billing contact information (e.g., email address for subscription management), subscription plan, and payment status.

  • Permit to Work (PTW) Data: Data entered by the organization’s employees or management related to work permits, including permit details, approvals, timestamps, attached documents, and safety-related information. This data is controlled and managed by the subscribing organization.

  • Observation Data: Data submitted by employees regarding safety observations, including descriptions of unsafe conditions, near-misses, or safe practices, along with associated workflows, corrective actions, and analytics. This data is also controlled by the organization.

2.2 Payment Data

  • App Store Payments: Payment information for subscriptions is processed exclusively through Apple App Store or Google Play Store. We do not collect, store, or process payment details such as credit card numbers or bank account information.

2.3 Technical Data

  • Usage Data: Non-personal data about how the app is used, such as device type, operating system, app version, and interaction logs, to improve performance and user experience.

  • Analytics Data: Aggregated and anonymized data derived from PTW and observation activities to provide insights to organizations (e.g., trends in observation types or permit completion times).

2.4 No Personal Data Collected Directly

We do not collect or process personal data directly from individuals. All PTW and observation data is entered and controlled by the organization, which determines the content and usage of such data. If an organization chooses to include personal data (e.g., employee names in permits or observations), the organization is responsible for ensuring compliance with applicable privacy laws.

3. How We Use Data

We use the collected data for the following purposes:

  • Service Delivery: To provide and maintain the PTW and Observation Management system, including processing permits, managing observation workflows, and generating analytics for organizations.

  • Subscription Management: To manage organizational subscriptions, including billing, renewals, and account administration.

  • App Improvement: To analyze usage data and improve the app’s functionality, performance, and user experience.

  • Compliance and Security: To ensure compliance with legal obligations and protect the security and integrity of our systems and data.

4. Legal Basis for Processing (GDPR Compliance)

Under the GDPR, we process data based on the following legal grounds:

  • Performance of a Contract: Processing organizational and subscription data is necessary to fulfill our contract with the subscribing organization (GDPR Art. 6(1)(b)).

  • Legitimate Interests: We process technical and analytics data to improve our services and ensure system security, where such interests are not overridden by individual rights (GDPR Art. 6(1)(f)).

  • Compliance with Legal Obligations: We may process data to comply with applicable laws, such as tax or financial regulations (GDPR Art. 6(1)(c)).

As a data processor for PTW and observation data, we act on the instructions of the subscribing organization (the data controller) and do not determine the purposes or means of processing such data.

5. Data Sharing and Third Parties

We do not sell, trade, or share data for marketing purposes. Data may be shared with the following third parties under strict conditions:

  • Cloud Service Providers: AWS or GCP, which host our app’s data. Both providers comply with GDPR and CCPA requirements, and we have data processing agreements (DPAs) in place to ensure data protection.

  • Payment Processors: Apple App Store and Google Play Store process all subscription payments. Their privacy policies govern the handling of payment data.

  • Legal Authorities: We may disclose data if required by law, such as in response to a court order or regulatory request, in compliance with applicable legal standards.

6. Data Storage and Security

  • Storage Location: Data is stored on secure servers in AWS or GCP, with data centers located in regions compliant with GDPR and U.S. privacy laws. Organizations can select their preferred region during setup.

  • Security Measures: We implement industry-standard security measures, including encryption (in transit and at rest), access controls, regular security audits, and employee training, to protect data from unauthorized access, loss, or alteration.

  • Retention: Subscription data is retained for the duration of the organization’s subscription and up to 7 years thereafter to comply with tax and financial regulations. PTW and observation data is retained as instructed by the organization, and we delete such data upon the organization’s request or termination of the subscription, unless legally required to retain it.

7. Your Rights (GDPR and CCPA)

7.1 GDPR Rights (European Users)

If you are an individual in the European Economic Area (EEA), you may have the following rights regarding any personal data processed by the organization through our app:

  • Access: Request access to your personal data.

  • Rectification: Request correction of inaccurate data.

  • Erasure: Request deletion of your data, subject to legal retention requirements.

  • Restriction: Request restriction of data processing in certain circumstances.

  • Portability: Request a copy of your data in a structured, machine-readable format.

  • Objection: Object to processing based on legitimate interests.

  • Withdraw Consent: Withdraw consent where processing is based on consent (though we do not rely on consent for processing).

To exercise these rights, contact the subscribing organization, as they are the data controller responsible for your data. We will assist the organization in fulfilling such requests as required by GDPR.

7.2 CCPA Rights (California Residents)

If you are a California resident, you may have the following rights under the CCPA:

  • Know: Request information about the categories and specific pieces of personal information collected, used, or disclosed.

  • Delete: Request deletion of personal information, subject to exceptions.

  • Opt-Out: Opt out of the sale of personal information (not applicable, as we do not sell data).

  • Non-Discrimination: Not be discriminated against for exercising your rights.

As we do not collect personal information directly, please direct CCPA requests to the subscribing organization. We will support the organization in responding to such requests.

7.3 How to Exercise Your Rights

Contact the subscribing organization directly to exercise your rights. If you contact us, we will refer your request to the organization or provide their contact details. You may also contact us at [insert contact email] for assistance.

8. International Data Transfers

For organizations outside the EEA, data may be transferred to AWS or GCP servers in the United States or other regions. We ensure such transfers comply with GDPR through:

  • Standard Contractual Clauses (SCCs): Incorporated into our DPAs with AWS and GCP.

  • Adequacy Decisions: Where applicable, relying on EU adequacy decisions for certain regions.

  • Security Safeguards: Robust encryption and access controls for all data transfers.

9. Children’s Privacy

Our app is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If an organization includes data about children, it is their responsibility to comply with applicable laws, such as the Children’s Online Privacy Protection Act (COPPA) in the U.S.

10. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify organizations of significant changes via email or in-app notifications at least 30 days before the changes take effect. The updated policy will be posted on our website at www.sospita.io/privacy.

11. Contact Us

For questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:

SOSPITA Yazılım Limited Şirketi
info@sospita.io

For GDPR purposes, our Data Protection Officer can be reached at the above email. For CCPA inquiries, please use the same contact information.

12. Complaints

If you are in the EEA and believe we have not addressed your concerns, you have the right to lodge a complaint with a supervisory authority in your country of residence. A list of EU data protection authorities is available at edpb.europa.eu. For California residents, you may contact the California Attorney General at oag.ca.gov.

This Privacy Policy is designed to ensure transparency and compliance with both European and U.S. privacy laws while reflecting the specific nature of Sospita’s operations.