Behavioural Safety

Privacy Policy

Last updated: 12 April 2026

1. Who We Are

This privacy policy explains how Hi Vis Safety Ltd, trading as Behavioural Safety, collects, uses, and protects your personal data when you use our platform at behaviouralsafety.org.

Hi Vis Safety Ltd is a company registered in England and Wales (company number 16385867). For the purposes of applicable data protection legislation, we are the Data Controller in respect of account data and the Data Processor in respect of Survey Data collected on behalf of consultants.

2. What Data We Collect

2.1 Consultant Accounts

When you register as a consultant, we collect:

  • Name and email address
  • Password (stored securely using one-way hashing - we never store plaintext passwords)
  • Company name, logo, and branding preferences
  • Country/region selection (UK, US, Canada, or Australia)
  • Subscription tier and payment information (processed by Stripe; we do not store card details)

2.2 Survey Respondents

When employees complete a survey, we collect anonymous responses only. Specifically:

  • Survey answers (Likert scale ratings or conformity scores)
  • Optional free-text comments
  • Demographic data: job role, department, experience level, and sex - collected solely to enable group-level analysis (e.g., management vs. frontline comparisons)

We do not collect names, email addresses, IP addresses, or any other information that could identify individual survey respondents.

2.3 Client Portal Users

When a consultant invites a client to view survey results, we collect the client's name and email address for the purpose of creating their portal access.

2.4 Website Visitors

We do not use analytics cookies, tracking pixels, or any third-party tracking technology on our website. We do not collect any data from casual visitors.

3. Why We Process Your Data (Lawful Bases)

Under UK GDPR and the Data Protection Act 2018, we process personal data on the following lawful bases:

Consultant account data

Contract performance (Article 6(1)(b) UK GDPR) - processing is necessary to provide the platform services you have subscribed to.

Survey response data

Legitimate interest (Article 6(1)(f) UK GDPR) - processing is in the legitimate interest of the consultant's client organisation to assess and improve workplace safety culture. Survey data is anonymous and cannot be linked to identifiable individuals.

Client portal data

Contract performance (Article 6(1)(b) UK GDPR) - processing is necessary to provide portal access as part of the survey service.

4. Data Retention

  • Active accounts: Data is retained for the duration of your active subscription plus 30 days after account closure.
  • Survey data: Retained while the consultant's account is active. Deleted within 30 days of account closure, or sooner upon request.
  • Anonymised benchmark data: Retained indefinitely. Fully anonymised and aggregated data does not constitute personal data under GDPR.
  • Payment records: Retained for 7 years in accordance with HMRC requirements.
  • Account data (name, email, branding): Deleted within 30 days of account closure.

5. Who We Share Data With

We do not sell, rent, or trade your personal data to any third party. We share data only with the following service providers, each of whom processes data on our behalf:

Amazon Web Services (AWS)

Cloud hosting and database infrastructure. All data is stored in the EU (Stockholm, Sweden - eu-north-1 region).

Stripe

Payment processing. Stripe processes card details directly - we never see or store full card numbers.

Resend

Transactional email delivery (account notifications, survey invitations, password resets).

OpenAI

AI-powered insights generation. Anonymous survey data is sent to OpenAI for analysis. OpenAI does not store or train on data submitted via our API (per their data processing terms).

6. International Data Transfers

All survey data and account data is stored within the European Union on AWS infrastructure in Stockholm, Sweden (eu-north-1).

Where data is transferred outside the EU/UK (for example, to Stripe or OpenAI in the United States), such transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office and/or the European Commission.

7. Your Rights Under UK GDPR

If you are located in the UK or European Economic Area, you have the following rights under the UK General Data Protection Regulation and the Data Protection Act 2018:

  • Right of access - request a copy of the personal data we hold about you
  • Right to rectification - request correction of inaccurate or incomplete data
  • Right to erasure - request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing - request that we limit how we use your data
  • Right to data portability - request your data in a structured, machine-readable format
  • Right to object - object to processing based on legitimate interests

To exercise any of these rights, contact us via the in-platform Support inbox or at behaviouralsafety.org. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Additional Rights for US Users (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know - request disclosure of the categories and specific pieces of personal information we have collected
  • Right to delete - request deletion of personal information we have collected
  • Right to opt out of sale - we do not sell personal information to third parties
  • Right to non-discrimination - we will not discriminate against you for exercising your CCPA rights

We do not sell, share (for cross-context behavioural advertising), or use personal information for targeted advertising purposes. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Do Not Sell My Personal Information

We do not sell personal data. We have never sold personal data and have no plans to do so. If you wish to exercise your CCPA rights (including the right to know, the right to delete, or any other right under the CCPA), please contact us via the in-platform Support inbox.

9. Additional Rights for Australian Users

If you are located in Australia, your personal information is protected under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). In addition to the rights described above, you have the right to:

  • Request access to and correction of your personal information under APP 12 and APP 13
  • Make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached
  • Opt out of receiving direct marketing communications at any time

We take reasonable steps to ensure that any overseas disclosure of personal information (including to our hosting provider in the EU) complies with the APPs.

10. Additional Rights for Canadian Users

If you are located in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. You have the right to access, correct, and withdraw consent for the processing of your personal information. To exercise these rights, contact us via the in-platform Support inbox.

11. Cookies

We use a single session cookie that is strictly necessary for the operation of the platform. This cookie is set by our authentication system (NextAuth) to maintain your login session.

We do not use:

  • Analytics cookies (no Google Analytics or similar)
  • Advertising or tracking cookies
  • Third-party cookies
  • Fingerprinting or similar tracking technologies

Because we only use a strictly necessary session cookie, we do not require cookie consent under the Privacy and Electronic Communications Regulations 2003 (PECR).

12. Children

The Behavioural Safety platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest (AES-256)
  • One-way password hashing (bcrypt)
  • Database hosted in a private VPC with no direct public access
  • Role-based access controls within the platform
  • Regular security updates and dependency patching

14. Changes to This Policy

We may update this privacy policy from time to time. Where changes are significant, we will notify registered users via the platform or by email. The "last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us:

Hi Vis Safety Ltd - Company registered in England and Wales (company number 16385867)
Trading as Behavioural Safety - behaviouralsafety.org

Related documents

Privacy notice for survey respondentsSub-processor listPersonal data breach policyData Processing Agreement (DPA)
← Back to home