Privacy Policy
Last updated: 16 March 2026
1. Who We Are
HIRA-4D ("we", "us", "our") is a multi-tenant Environment, Health & Safety (EHS) intelligence platform operated from Basel, Switzerland. We provide hazard identification, risk assessment, and compliance management tools to organisations across multiple industries.
We act as a data processor on behalf of our customers (the data controllers) for worker and workplace safety records, and as a data controller for account and usage information.
2. What Personal Information We Collect
Account Information: Name, email address, organisation name, role, and authentication credentials managed through our identity provider (Clerk).
Worker Records: Employee names, job titles, department assignments, training records, health surveillance data, and incident reports — entered by your organisation's administrators.
Usage Data: Pages visited, features used, session duration, browser type, and IP address for platform improvement and security monitoring.
What We Do NOT Collect:
- We do not collect biometric data
- We do not collect financial information (payments are handled entirely by Stripe)
- We do not collect data from children under 16
- We do not use cookies for advertising or cross-site tracking
3. How We Use Personal Information
We use personal information to:
- Provide and maintain the HIRA-4D platform and its EHS features
- Authenticate users and enforce role-based access controls
- Generate risk assessments, compliance reports, and safety analytics
- Send critical security and service notifications
- Improve platform performance and reliability through aggregated usage analytics
We do NOT use personal information to:
- Sell or rent data to third parties
- Display targeted advertising
- Build user profiles for marketing purposes
- Train AI models on customer data (AI features process data in-session only, with no retention)
4. Where We Store Data
All customer EHS data is stored in Zurich, Switzerland (Supabase eu-central-2 region). This includes database records, file attachments, backups, and audit logs. Account identity data handled by Clerk and payment data handled by Stripe are processed in the USA by those subprocessors (see Section 5); no worker records or EHS data are sent to them.
Data at rest is encrypted with AES-256. Data in transit is protected by TLS 1.3. Database backups are encrypted and stored in the same Zurich region.
Note for Australian customers: By using HIRA-4D, you acknowledge that your EHS data is stored in Switzerland and that account identity and payment data are processed in the USA by the subprocessors listed in Section 5. Switzerland holds an EU adequacy decision, and we rely on Swiss data protection law together with our Data Processing Agreement to meet the cross-border disclosure requirements of Australian Privacy Principle 8 (APP 8).
5. Who We Share Data With
We share data only with the following subprocessors, each bound by data processing agreements:
- Supabase — Database hosting (Zurich, Switzerland)
- Clerk — Authentication and identity management (USA, SOC 2 Type II)
- Vercel — Application hosting and edge delivery (global, no PII stored)
- Stripe — Payment processing (USA, PCI DSS Level 1)
We may disclose data to law enforcement only when required by a valid legal order under Swiss or Australian law. We will notify affected customers unless legally prohibited from doing so.
We do NOT:
- Sell personal information to any third party
- Share data with advertising networks
- Allow subprocessors to use customer data for their own purposes
6. Data Retention
Active Accounts: Data is retained for the duration of your subscription and is available for export at any time.
Audit Logs: Append-only, hash-chained audit records (each entry commits to the hash of the previous entry, so later modification or deletion of an earlier entry is detectable) are retained for 7 years to meet regulatory requirements.
Health Surveillance Records: Retained for up to 30 years where required by occupational health regulations (e.g., asbestos exposure, chemical monitoring).
Deleted Accounts: Upon account deletion, all customer data not subject to the retention obligations above (audit logs and health surveillance records) is removed from production systems within 90 days and from encrypted backups within 180 days.
7. Your Rights
You have the right to:
- Access — Request a copy of all personal information we hold about you
- Correct — Request correction of inaccurate or incomplete data
- Delete — Request deletion of your personal data (subject to legal retention obligations)
- Portability — Receive your data in a structured, machine-readable format (CSV, JSON)
To exercise any of these rights, contact us at info@ohconsultant.com.au. We will respond within 30 days.
You may also lodge a complaint with:
- Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
8. Australian Privacy Principles Compliance
For Australian customers, we comply with the following Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth):
- APP 1 (Open and transparent management): This policy documents our data practices clearly and is publicly accessible.
- APP 3 (Collection of solicited personal information): We collect only information necessary to provide EHS platform services.
- APP 5 (Notification of collection): Users are informed at the point of data collection about what is collected and why.
- APP 6 (Use or disclosure): Personal information is used only for the primary purpose for which it was collected.
- APP 8 (Cross-border disclosure): EHS data is stored in Switzerland, which maintains data protection standards comparable to Australian requirements; account identity and payment data are processed by the US-based subprocessors listed in Section 5. A Data Processing Agreement governs all cross-border transfers.
- APP 11 (Security): We implement AES-256 encryption, TLS 1.3, role-based access controls, and regular security assessments.
- APP 12 (Access): Individuals may request access to their personal information at any time.
- APP 13 (Correction): Individuals may request correction of inaccurate data at any time.
9. Notifiable Data Breaches
In the event of a data breach that is likely to result in serious harm, we will notify affected customers and relevant authorities within 72 hours of becoming aware of the breach.
Notifications will be sent to:
- The Office of the Australian Information Commissioner (OAIC) for breaches affecting Australian individuals, in accordance with the Notifiable Data Breaches (NDB) scheme
- The Federal Data Protection and Information Commissioner (FDPIC) for breaches affecting Swiss individuals, and the competent EU supervisory authority for breaches affecting EU individuals
- All affected data controllers (your organisation) via email and in-platform notification
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to account administrators and displayed as an in-platform notification at least 30 days before taking effect.
The "Last updated" date at the top of this page indicates when the most recent revision was published. Continued use of the platform after changes take effect constitutes acceptance of the revised policy.
11. Contact
For privacy-related enquiries or to exercise your data rights:
- Email: info@ohconsultant.com.au
- Address: [Company Name], Basel, Switzerland
See also: Data Processing Agreement | Security Overview | Subprocessor List | Data Residency