Privacy Policy

1. Introduction

Health & Safety Online (“we,” “our,” “us”) is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://health-safety.online/ (the “Site”) or use our services.

This policy complies with applicable data protection laws worldwide, including:

  • General Data Protection Regulation (GDPR) – European Union/European Economic Area
  • UK General Data Protection Regulation (UK GDPR) – United Kingdom
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – United States
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
  • Privacy Act 1988 and Australian Privacy Principles (APPs) – Australia
  • Personal Data Protection Act (PDPA) – Singapore
  • Lei Geral de Proteção de Dados (LGPD) – Brazil
  • Protection of Personal Information Act (POPIA) – South Africa

Please read this policy carefully. By accessing or using our Site or services, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller Information

Data Controller:
Health & Safety Online
[Registered Business Address]
[City, State/Province, Country, Postal Code]

Contact Information:
Email: [privacy@health-safety.online]
Phone: [Phone Number]
Data Protection Officer: [DPO Name and Contact] (if applicable)

EU Representative (if applicable):
[Name and Contact Details]

UK Representative (if applicable):
[Name and Contact Details]

3. Information We Collect

3.1 Personal Information You Provide

We collect information that you voluntarily provide to us:

Contact Information:

  • Name (first and last)
  • Business name and position/title
  • Email address
  • Phone number
  • Mailing address
  • Country of residence

Account Information:

  • Username and password
  • Profile information
  • Communication preferences
  • Language preference

Professional Information:

  • Industry sector
  • Company size
  • Job role and responsibilities
  • Safety certifications held
  • Training history and records

Transaction Information:

  • Payment card details (processed securely through third-party payment processors)
  • Billing address
  • Purchase history
  • Invoice information

Communication Data:

  • Messages sent through contact forms
  • Email correspondence
  • Chat messages
  • Survey responses
  • Webinar registration and attendance
  • Newsletter subscriptions

Service-Specific Information:

  • Safety assessment requests
  • Training enrollment details
  • Consultation requirements
  • Documentation uploads
  • Incident reports (if applicable)

3.2 Information Collected Automatically

Technical Data:

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Screen resolution
  • Time zone setting
  • Referring website addresses
  • Pages viewed and navigation paths
  • Time spent on pages
  • Page interaction information

Cookies and Tracking Technologies:

  • Session cookies
  • Persistent cookies
  • Analytics cookies
  • Marketing cookies
  • Pixels and web beacons
  • Local storage

For detailed information about our cookie use, please see Section 7 below.

Location Data:

  • Approximate geographic location based on IP address
  • Precise location (only if you grant permission)

3.3 Information from Third-Party Sources

We may receive information about you from:

  • Public databases and registers
  • Professional certification bodies
  • Social media platforms (if you interact with us there)
  • Business partners and affiliates
  • Marketing and analytics providers
  • Payment processors
  • Background check providers (for employees and contractors)

4. How We Use Your Information

4.1 Legal Bases for Processing (GDPR/UK GDPR)

We process your personal data under the following legal bases:

Consent: When you have given clear consent for us to process your personal data for specific purposes (e.g., marketing communications, cookies).

Contract Performance: Processing necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract.

Legal Obligation: Processing necessary to comply with legal or regulatory requirements.

Legitimate Interests: Processing necessary for our legitimate business interests, provided these don’t override your fundamental rights and freedoms.

Vital Interests: Processing necessary to protect someone’s life (rare, but applicable in emergency safety situations).

4.2 Purposes of Processing

We use your information for:

Service Delivery:

  • Providing requested health and safety services
  • Delivering training programs and certifications
  • Conducting workplace assessments
  • Processing registrations and enrollments
  • Managing your account and preferences
  • Providing customer support

Business Operations:

  • Processing payments and managing billing
  • Maintaining accurate business records
  • Improving our services and website
  • Developing new services and features
  • Conducting research and analysis
  • Quality assurance and training

Communications:

  • Responding to inquiries and requests
  • Sending service-related notifications
  • Providing important updates about our services
  • Sending newsletters (with consent)
  • Delivering marketing communications (with consent)
  • Conducting surveys and requesting feedback

Legal and Safety:

  • Complying with legal obligations
  • Establishing, exercising, or defending legal claims
  • Preventing fraud and abuse
  • Ensuring workplace safety and regulatory compliance
  • Maintaining records required by health and safety regulations

Analytics and Improvement:

  • Understanding how our Site is used
  • Analyzing user behavior and preferences
  • Testing new features and functionality
  • Optimizing user experience
  • Measuring marketing effectiveness

5. Data Sharing and Disclosure

We may share your information with:

5.1 Service Providers and Processors

Third-party vendors who perform services on our behalf:

  • Cloud hosting providers (e.g., AWS, Google Cloud, Microsoft Azure)
  • Payment processors (e.g., Stripe, PayPal)
  • Email service providers (e.g., Mailchimp, SendGrid)
  • Customer relationship management (CRM) systems
  • Learning management systems (LMS)
  • Analytics providers (e.g., Google Analytics)
  • Marketing automation platforms
  • IT support and security services
  • Document storage and management services

All service providers are contractually obligated to protect your data and use it only for specified purposes.

5.2 Business Partners

  • Training certification bodies
  • Industry associations and professional organizations
  • Co-sponsors of events or webinars
  • Referral partners (only with your consent)

5.3 Legal and Regulatory Authorities

We may disclose information when required by law or to:

  • Government agencies and regulators
  • Law enforcement authorities
  • Courts and tribunals
  • Health and safety enforcement bodies
  • Tax authorities
  • Professional regulatory bodies

5.4 Business Transfers

In connection with any merger, acquisition, restructuring, sale of assets, or bankruptcy, your information may be transferred to successor entities.

5.5 With Your Consent

We may share information with third parties when you have given explicit consent.

6. International Data Transfers

6.1 Cross-Border Transfers

We operate internationally and may transfer your personal data to countries outside your country of residence, including countries that may not provide the same level of data protection.

From the EU/EEA and UK:

When transferring data outside the EU/EEA or UK, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries recognized by the EU Commission or UK Government as providing adequate protection
  • Standard Contractual Clauses (SCCs): EU or UK-approved contractual terms with data recipients
  • Binding Corporate Rules: For transfers within multinational corporate groups
  • Certification Mechanisms: Such as EU-U.S. Data Privacy Framework (if applicable)
  • Explicit Consent: Where legally permissible

From Other Jurisdictions:

We comply with applicable cross-border transfer requirements, including:

  • APEC Cross-Border Privacy Rules (for APEC countries)
  • Adequacy assessments under local laws
  • Contractual safeguards
  • Consent mechanisms where required

6.2 Data Storage Locations

Your data may be stored and processed in:

  • [List primary data center locations: e.g., United States, European Union, United Kingdom, Canada, Australia, Singapore]

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

Strictly Necessary Cookies:

  • Enable basic site functionality
  • Remember your cookie preferences
  • Maintain secure areas and authentication
  • Cannot be disabled

Performance/Analytics Cookies:

  • Google Analytics
  • Hotjar
  • Measure site performance and usage
  • Help us improve user experience

Functionality Cookies:

  • Remember your preferences
  • Personalize content
  • Enable enhanced features

Targeting/Marketing Cookies:

  • Deliver relevant advertisements
  • Track ad campaign effectiveness
  • Retargeting on other websites
  • Social media integration

7.2 Third-Party Cookies

We use third-party services that may set cookies:

  • Google Analytics and Google Tag Manager
  • Social media platforms (LinkedIn, Facebook, Twitter)
  • YouTube (for embedded videos)
  • Marketing and advertising networks

7.3 Cookie Management

You can control cookies through:

  • Our cookie consent banner
  • Your browser settings
  • Opt-out links provided by third parties
  • Industry opt-out platforms (e.g., Your Online Choices, NAI, DAA)

Browser Controls:

  • Chrome: Settings > Privacy and Security > Cookies
  • Firefox: Settings > Privacy & Security
  • Safari: Preferences > Privacy
  • Edge: Settings > Privacy, Search, and Services

Please note that disabling certain cookies may affect site functionality.

7.4 Do Not Track Signals

Our Site currently does not respond to Do Not Track (DNT) browser signals, but you can control tracking through cookie settings.

7.5 Mobile Device Identifiers

Our mobile applications may collect device identifiers for analytics and functionality. You can manage these through your device settings.

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy or as required by law.

General Retention Periods:

  • Account Information: Duration of account plus 7 years after closure
  • Training Records: As required by certification bodies (typically 7-10 years)
  • Transaction Records: 7 years for tax and accounting purposes
  • Marketing Data: Until you withdraw consent, then up to 2 years for suppression
  • Website Analytics: 26-50 months depending on the tool
  • Communications: 3-7 years depending on type and legal requirements
  • Safety Assessments: As required by regulations (typically 5-10 years)

Factors Affecting Retention:

  • Legal and regulatory requirements
  • Statute of limitations periods
  • Ongoing business relationships
  • Legitimate business needs
  • Records retention schedules

After retention periods expire, we securely delete or anonymize your data.

9. Your Privacy Rights

Your rights vary depending on your location. Below are rights that may apply to you:

9.1 Rights Under GDPR/UK GDPR (EU/EEA/UK Residents)

Right to Access: Request copies of your personal data and information about how we process it.

Right to Rectification: Request correction of inaccurate or incomplete data.

Right to Erasure (“Right to be Forgotten”): Request deletion of your data in certain circumstances.

Right to Restrict Processing: Request limitation of processing in certain situations.

Right to Data Portability: Receive your data in a structured, commonly used format and transmit to another controller.

Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing that produces legal or significant effects.

Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

Right to Lodge a Complaint: File a complaint with your supervisory authority:

  • EU: Your national data protection authority
  • UK: Information Commissioner’s Office (ICO) – ico.org.uk

9.2 Rights Under CCPA/CPRA (California Residents)

Right to Know: Request disclosure of categories and specific pieces of personal information collected.

Right to Delete: Request deletion of personal information (with exceptions).

Right to Correct: Request correction of inaccurate personal information.

Right to Opt-Out: Opt-out of the “sale” or “sharing” of personal information.

Right to Limit Use of Sensitive Personal Information: Limit use of sensitive personal information.

Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights.

Notice at Collection: We provide notice about data collection at or before collection.

Authorized Agents: You may designate an authorized agent to make requests on your behalf.

We do not sell personal information as traditionally defined, but we may share information for targeted advertising purposes.

9.3 Rights Under PIPEDA (Canada)

  • Right to access your personal information
  • Right to challenge accuracy and request corrections
  • Right to withdraw consent
  • Right to file complaints with the Privacy Commissioner of Canada

9.4 Rights Under Australian Privacy Act

  • Right to access your personal information
  • Right to request correction
  • Right to complain to the Office of the Australian Information Commissioner (OAIC)

9.5 Rights Under Other Jurisdictions

Residents of other jurisdictions may have similar rights under applicable local laws. Contact us to exercise rights available to you.

9.6 Exercising Your Rights

To exercise any of these rights:

Email: [privacy@health-safety.online]
Mail: [Postal Address]
Online Form: [Link to Privacy Request Form]

We will respond to verified requests within legally required timeframes (typically 30-45 days).

Verification: We may request additional information to verify your identity before processing requests.

10. Security Measures

We implement appropriate technical and organizational measures to protect your data:

Technical Safeguards:

  • SSL/TLS encryption for data transmission
  • Encryption of data at rest
  • Secure authentication mechanisms
  • Multi-factor authentication for sensitive access
  • Regular security testing and vulnerability assessments
  • Firewall protection and intrusion detection
  • Secure backup systems
  • Anti-malware and antivirus protection

Organizational Safeguards:

  • Employee training on data protection
  • Confidentiality agreements with staff and contractors
  • Access controls and least privilege principles
  • Regular security audits
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Vendor security assessments

Physical Safeguards:

  • Secure data center facilities
  • Access control systems
  • Environmental controls
  • Surveillance systems

Despite these measures, no internet transmission is completely secure. We cannot guarantee absolute security but continuously work to enhance protection.

11. Data Breach Notification

In the event of a data breach that poses risk to your rights and freedoms:

  • We will notify affected individuals without undue delay
  • We will notify relevant supervisory authorities within 72 hours (where required)
  • Notifications will include nature of breach, likely consequences, and measures taken
  • We maintain incident response procedures to minimize breach impact

12. Children’s Privacy

Our services are not directed to individuals under 16 years of age (or under 13 in the United States). We do not knowingly collect personal information from children.

If we become aware that we have collected information from a child without parental consent, we will take steps to delete that information. Parents or guardians who believe we may have collected information from a child should contact us immediately.

13. Third-Party Links and Services

Our Site may contain links to third-party websites, applications, or services not operated by us. We are not responsible for the privacy practices of third parties. We encourage you to review their privacy policies before providing any information.

Social Media Integration:

When you interact with our social media pages or use social media features on our Site (e.g., “Like” buttons), the social media provider may collect information about you. Their privacy policies govern this collection.

14. Marketing Communications

14.1 Consent and Opt-In

We send marketing communications only with your consent or where permitted by law. You can opt-in through:

  • Checkbox consent during account creation
  • Newsletter subscription forms
  • Event registrations
  • Request for information forms

14.2 Opt-Out Methods

You can unsubscribe from marketing at any time:

  • Click “unsubscribe” links in emails
  • Adjust email preferences in your account settings
  • Contact us at [privacy@health-safety.online]
  • Reply “STOP” to SMS messages (if applicable)

Processing Time: We will process opt-out requests within 10 business days.

Service Communications: You cannot opt-out of essential service-related communications (e.g., account notifications, transactional emails).

15. Automated Decision-Making and Profiling

We may use automated decision-making in limited circumstances:

Website Personalization:

  • Recommending relevant content based on browsing behavior
  • Customizing user experience

Marketing:

  • Segmenting audiences for targeted communications
  • Personalizing marketing content

Fraud Prevention:

  • Automated fraud detection systems

You have the right to:

  • Request human review of automated decisions
  • Express your point of view
  • Contest the decision

We do not use automated decision-making for decisions that produce legal or similarly significant effects without human intervention.

16. Sensitive Personal Information

We generally do not collect sensitive personal information (special categories of data) unless necessary for specific services.

Sensitive information may include:

  • Health data (for occupational health services)
  • Biometric data (if using certain security systems)
  • Background check information

When we process sensitive data, we obtain explicit consent or rely on other lawful bases such as legal obligations in employment or occupational health contexts.

17. Business Contact Information

In some jurisdictions, business contact information (e.g., work email, office phone) may receive different treatment under privacy laws. We handle business contact information in accordance with applicable regulations.

18. Jurisdiction-Specific Information

18.1 European Economic Area and United Kingdom

Supervisory Authorities:

  • EU: Contact your national data protection authority
  • UK: Information Commissioner’s Office (ICO) – https://ico.org.uk

Data Protection Officer: [Contact details if applicable]

Legal Basis Summary: See Section 4.1

International Transfers: See Section 6

18.2 California, United States

Shine the Light: California residents may request information about disclosure of personal information to third parties for direct marketing purposes.

CCPA Metrics: We will provide annual statistics on privacy requests upon inquiry.

Financial Incentives: We do not offer financial incentives for collecting personal information.

18.3 Canada

PIPEDA Compliance: We comply with PIPEDA’s accountability, consent, and access principles.

Privacy Commissioner: Office of the Privacy Commissioner of Canada – https://www.priv.gc.ca

18.4 Australia

APP Compliance: We comply with Australian Privacy Principles.

Commissioner: Office of the Australian Information Commissioner – https://www.oaic.gov.au

18.5 Brazil

LGPD Compliance: We comply with Lei Geral de Proteção de Dados.

Data Protection Officer: [Contact if applicable]

ANPD: National Data Protection Authority – https://www.gov.br/anpd

18.6 Singapore

PDPA Compliance: We comply with Personal Data Protection Act.

PDPC: Personal Data Protection Commission – https://www.pdpc.gov.sg

18.7 South Africa

POPIA Compliance: We comply with Protection of Personal Information Act.

Information Officer: [Contact details]

Regulator: Information Regulator – https://www.justice.gov.za/inforeg/

19. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes:

  • Revised “Last Updated” date at the top
  • Prominent notice on our Site for material changes
  • Email notification for significant changes (where we have your contact information)
  • For EU/EEA/UK users, we will obtain fresh consent if required

Previous Versions: Previous versions are available upon request.

20. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Privacy Team:
Email: [privacy@health-safety.online]

Response Time: We aim to respond to all inquiries within 10 business days.

21. Complaints and Dispute Resolution

If you have concerns about our privacy practices:

  1. Contact us first using the information above
  2. Supervisory authority: File a complaint with your data protection authority
  3. Alternative dispute resolution: [Include if applicable, e.g., EU-U.S. Data Privacy Framework dispute resolution]

We are committed to resolving complaints fairly and promptly.

Acknowledgment

By using our Site or services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.