BNOSA Privacy Policy

Effective date: 01 July 2026

Last updated: 30 June 2026

BNOSA Ltd (“BNOSA”, “we”, “us”, or “our”) respects privacy and is committed to protecting personal data.

This privacy policy explains how BNOSA collects, uses, stores, protects, shares, and otherwise processes personal data when individuals, customers, users, prospects, or business contacts interact with BNOSA, including when they:

  • visit our website;
  • contact us or request information;
  • request a product demonstration;
  • subscribe to or use the BNOSA platform;
  • create or manage user accounts;
  • use BNOSA modules, workflows, forms, dashboards, reports, or related features;
  • receive onboarding, configuration, training, support, maintenance, or consulting services;
  • make payments or manage subscriptions;
  • communicate with BNOSA by email, forms, meetings, or other channels.

BNOSA provides cloud-based Environmental, Health and Safety (“EHS”) management software and related digital workflow, implementation, training, support, and consulting services for business customers.

Introduction

BNOSA Ltd (“BNOSA”, “we”, “us”, or “our”) respects privacy and is committed to protecting personal data.

This privacy policy explains how BNOSA collects, uses, stores, protects, shares, and otherwise processes personal data when individuals, customers, users, prospects, or business contacts interact with BNOSA, including when they:

  • visit our website;
  • contact us or request information;
  • request a product demonstration;
  • subscribe to or use the BNOSA platform;
  • create or manage user accounts;
  • use BNOSA modules, workflows, forms, dashboards, reports, or related features;
  • receive onboarding, configuration, training, support, maintenance, or consulting services;
  • make payments or manage subscriptions;
  • communicate with BNOSA by email, forms, meetings, or other channels.

BNOSA provides cloud-based Environmental, Health and Safety (“EHS”) management software and related digital workflow, implementation, training, support, and consulting services for business customers.

This Privacy Policy is intended to provide clear information about our processing of personal data, including the purposes of processing, categories of data, sharing, retention, security, and individual rights. Providing privacy information is a core transparency requirement under the UK GDPR.

Who We Are

BNOSA Ltd is a company incorporated in England and Wales.

  • Company Name: BNOSA Ltd
  • Company Number: 16960746
  • Registered Office: 128 City Road, London, United Kingdom, EC1V 2NX
  • Website: www.bnosa.com
  • Privacy Contact Email: privacy@bnosa.com

For privacy-related questions, requests, or complaints, please contact us at privacy@bnosa.com.

Scope of This Privacy Policy

This Privacy Policy applies to personal data processed by BNOSA in connection with:

  • the BNOSA website;
  • BNOSA marketing and business development activities;
  • customer enquiries and demo requests;
  • customer account management;
  • subscription and billing activities;
  • the BNOSA SaaS platform;
  • customer support and technical support;
  • implementation, configuration, onboarding, and training;
  • service monitoring, maintenance, security, and improvement;
  • legal, accounting, tax, compliance, and business administration.

This Privacy Policy does not replace any customer-specific Data Processing Agreement (“DPA”) or contractual data protection terms that may apply between BNOSA and a business customer.

Where there is a conflict between this Privacy Policy and a signed customer agreement or DPA, the customer agreement or DPA will apply to the extent required by law and by the relevant contract.

Our Role: Controller and Processor

BNOSA may act as either a data controller or a data processor, depending on the context.

4.1 When BNOSA acts as a controller

BNOSA acts as a controller when we determine the purpose and means of processing personal data.

This includes, for example, when we process personal data for:

  • operating and managing our website;
  • responding to enquiries;
  • arranging demonstrations;
  • managing customer relationships;
  • creating and administering customer accounts;
  • managing subscriptions and billing;
  • processing payments through payment providers;
  • sending service communications;
  • managing sales, support, and business records;
  • complying with legal, tax, accounting, and regulatory obligations;
  • improving and securing our services.

4.2 When BNOSA acts as a processor

BNOSA acts as a processor when we process personal data on behalf of a business customer through the BNOSA platform.

For example, where a customer uses BNOSA to manage:

  • hazard assessment;
  • safety observations;
  • incident reports;
  • corrective and preventive actions;
  • inspections;
  • audits;
  • meetings;
  • competence or training records;
  • chemical records;
  • equipment-related records;
  • employee or contractor task assignments;
  • EHS reports and dashboards.

In such cases, the customer is usually the controller of the data entered into the BNOSA platform, and BNOSA processes that data according to the customer’s instructions.

Where BNOSA acts as a processor, processing should be governed by a Data Processing Agreement or equivalent contractual terms. ICO guidance states that controller-processor arrangements require appropriate contractual terms, including equivalent protection when sub-processors are used.

Personal Data We Collect

BNOSA may collect different categories of personal data depending on how you interact with us.

5.1 Website and enquiry data

When you visit our website, complete a form, request a demo, contact us, or communicate with us, we may collect:

  • name;
  • business email address;
  • phone number;
  • company name;
  • job title;
  • country or region;
  • enquiry details;
  • message content;
  • demo request information;
  • communication preferences;
  • IP address;
  • device information;
  • browser type;
  • operating system;
  • referral source;
  • website usage data;
  • cookie and analytics data.

5.2 Customer account and business contact data

When a company becomes a customer or prospective customer, we may collect:

  • company name;
  • company address;
  • billing address;
  • authorized representative details;
  • contract contact details;
  • administrator details;
  • business email addresses;
  • phone numbers;
  • job titles;
  • subscription plan;
  • customer status;
  • customer reference numbers;
  • customer communications;
  • support history;
  • implementation and onboarding details.

5.3 Platform user data

When authorised users use the BNOSA platform, we may process:

  • name;
  • business email address;
  • username or user ID;
  • job title;
  • department;
  • worksite;
  • location;
  • role and permission level;
  • account status;
  • authentication and login records;
  • assigned tasks;
  • actions created or completed;
  • comments;
  • workflow activity;
  • user submissions;
  • reports generated;
  • audit trails;
  • system activity logs.

5.4 EHS operational data entered by customers

Customers and authorised users may enter EHS-related data into the BNOSA platform.

This may include:

  • names of employees, contractors, visitors, or other persons;
  • departments;
  • worksites and locations;
  • safety observations;
  • hazard records;
  • risk assessment information;
  • incident details;
  • injury or event descriptions where entered by users;
  • investigation notes;
  • corrective or preventive actions;
  • inspection findings;
  • audit findings;
  • meeting attendance records;
  • competence or training status;
  • equipment-related records;
  • attachments, documents, or photos uploaded by users;
  • comments and communications within workflows.

Customers are responsible for ensuring that the data they enter into BNOSA is lawful, relevant, accurate, proportionate, and appropriate for the intended EHS purposes.

5.5 Payment and billing data

BNOSA may use Stripe or other payment providers to process payments, subscriptions, invoices, renewals, refunds, and billing activities.

BNOSA does not intend to store full payment card numbers, CVV codes, or complete payment card details on its own systems.

Depending on the payment method used, payment providers may process:

  • cardholder name;
  • billing address;
  • payment method details;
  • transaction details;
  • invoice details;
  • subscription status;
  • fraud prevention data;
  • authentication data;
  • refund or dispute information.

Stripe maintains its own privacy policy and data processing terms, and its DPA governs Stripe’s processing of personal data under its agreement with business users.

5.6 Technical, security, and log data

To operate and protect the BNOSA platform, we may process:

  • IP addresses;
  • login timestamps;
  • session information;
  • browser and device data;
  • operating system information;
  • access logs;
  • authentication logs;
  • error logs;
  • audit logs;
  • security alerts;
  • system performance data;
  • usage and diagnostic data;
  • backup records;
  • support and troubleshooting records.

5.7 Support and technical assistance data

When BNOSA, Google services, RunProf, or other authorised providers support, maintain, troubleshoot, or improve the platform, limited technical or operational data may be processed.

This may include:

  • user account identifiers;
  • issue descriptions;
  • screenshots or attachments provided by users;
  • system logs;
  • error messages;
  • configuration details;
  • customer environment details;
  • support communications;
  • records required to investigate or resolve technical issues.

Access to such data should be limited to authorised personnel and only where necessary for legitimate support, maintenance, security, or service delivery purposes.

How We Collect Personal Data

We may collect personal data:

  • directly from you;
  • from your employer or organisation;
  • from authorised customer administrators;
  • from other users who enter records into the BNOSA platform;
  • automatically through the website, platform, cookies, logs, analytics, monitoring, and security tools;
  • from payment providers such as Stripe;
  • from cloud and infrastructure providers such as Google services;
  • from technical support and development providers such as RunProf;
  • from professional advisers, business partners, or service providers;
  • from publicly available sources where relevant to business verification, sales, or customer relationship management.

Why We Use Personal Data

BNOSA processes personal data for the purposes described below.

7.1 To provide and operate the BNOSA platform

We process personal data to:

  • create and manage customer accounts;
  • authenticate users;
  • manage user roles and permissions;
  • provide access to platform modules;
  • process EHS workflows;
  • generate dashboards and reports;
  • manage tasks, actions, reviews, and approvals;
  • support hazard, observation, incident, audit, inspection, meeting, chemical, competence, and CAPA workflows;
  • maintain customer data;
  • provide platform functionality.

7.2 To provide onboarding, training, support, and consulting

We process personal data to:

  • configure customer environments;
  • provide implementation services;
  • train users;
  • respond to support requests;
  • troubleshoot issues;
  • investigate errors;
  • maintain service quality;
  • communicate with customer contacts and administrators;
  • provide digital transformation or EHS workflow consulting.

7.3 To manage subscriptions, payments, and billing

We process personal data to:

  • manage subscriptions;
  • create invoices;
  • process payments through Stripe or other providers;
  • manage renewals and cancellations;
  • handle refunds and disputes;
  • maintain financial records;
  • comply with tax and accounting obligations.

7.4 To secure and protect the platform

We process personal data to:

  • prevent unauthorised access;
  • detect misuse, spam, abuse, or fraudulent activity;
  • monitor system performance;
  • maintain audit trails;
  • investigate security incidents;
  • manage backups and recovery;
  • protect customer data;
  • maintain platform reliability.

7.5 To communicate with customers and prospects

We process personal data to:

  • respond to enquiries;
  • arrange demos;
  • provide product and service information;
  • send service updates;
  • send account, billing, security, or operational notices;
  • manage customer relationships;
  • send marketing communications where permitted by law.

7.6 To improve BNOSA services

We may process data to:

  • understand usage patterns;
  • improve usability;
  • develop new features;
  • improve reporting and analytics;
  • assess platform performance;
  • identify recurring technical issues;
  • improve support and onboarding.

7.7 To comply with legal and business obligations

We process personal data to:

  • comply with tax, accounting, company, and regulatory obligations;
  • maintain business records;
  • enforce contracts;
  • respond to lawful requests;
  • protect legal rights;
  • manage disputes;
  • conduct audits and compliance checks.

Lawful Bases for Processing

Depending on the context, BNOSA relies on one or more lawful bases under applicable data protection laws.

8.1 Contract

We process personal data where necessary to enter into or perform a contract, including:

  • providing access to the BNOSA platform;
  • managing subscriptions;
  • delivering support and onboarding services;
  • managing customer accounts;
  • processing customer communications.

8.2 Legitimate interests

We may process personal data for legitimate business interests, including:

  • securing the platform;
  • preventing fraud and misuse;
  • improving services;
  • managing customer relationships;
  • responding to B2B enquiries;
  • maintaining support records;
  • analysing device performance;
  • protecting BNOSA’s legal and commercial interests.

We will only rely on legitimate interests where those interests are not overridden by the rights and freedoms of individuals.

8.3 Legal obligations

We process personal data where necessary to comply with legal obligations, including:

  • tax records;
  • accounting obligations;
  • company records;
  • regulatory requirements;
  • lawful requests from authorities;
  • data protection obligations.

8.4 Consent

We may rely on consent where required, including for:

  • certain cookies or tracking technologies;
  • optional marketing communications;
  • specific processing activities where consent is legally required.

Where we rely on consent, it may be withdrawn at any time.

8.5 Customer instructions

Where BNOSA acts as a processor, we process customer-controlled personal data according to the customer’s documented instructions, unless required by law or otherwise permitted.

Special Category Data and Sensitive EHS Information

The BNOSA platform is designed for EHS management. Customers may enter data relating to workplace safety, incidents, observations, investigations, corrective actions, competence, training, or other operational matters.

Some EHS records may contain sensitive information, including information relating to injuries, health, medical status, or safety incidents, depending on what the customer or authorised user enters into the platform.

BNOSA does not require customers to enter unnecessary sensitive personal data.

Customers should avoid entering health, medical, or other sensitive information unless it is necessary, lawful, proportionate, and relevant to EHS purposes.

Where special category data is processed, the customer is generally responsible for identifying the lawful basis and additional condition for processing that data.

BNOSA will apply appropriate technical and organisational measures to protect such data, including access controls, security monitoring, and role-based permissions where available.

Customer Responsibilities

Customers using BNOSA are responsible for:

  • ensuring they have the lawful basis for entering personal data into the platform;
  • informing employees, contractors, visitors, and other individuals about relevant data processing;
  • ensuring that personal data entered into BNOSA is accurate, relevant, and not excessive;
  • avoiding unnecessary sensitive personal data;
  • assigning appropriate user roles and permissions;
  • removing access for users who no longer require it;
  • managing internal confidentiality and access controls;
  • responding to data subject requests where the customer is the controller;
  • ensuring that uploaded files, images, attachments, and comments comply with applicable law;
  • determining internal retention requirements for EHS records;
  • ensuring compliance with employment, health and safety, data protection, and local regulatory requirements.

BNOSA is not responsible for the legality, accuracy, or completeness of customer-entered data, except where BNOSA is legally responsible as a controller or processor under applicable law and contract.

Use of Google Services

BNOSA uses Google services to host, secure, store, monitor, maintain, and operate the BNOSA platform.

These services may include, depending on the final technical configuration:

  • Google Cloud Platform;
  • Firebase;
  • Cloud Storage;
  • databases;
  • authentication services;
  • hosting services;
  • monitoring and logging tools;
  • backup and recovery services;
  • security-related services;
  • infrastructure and operational services.

Google may process data and customer data on behalf of BNOSA for purposes such as:

  • hosting the platform;
  • storing platform records;
  • managing infrastructure;
  • supporting user authentication;
  • maintaining availability;
  • monitoring performance;
  • detecting technical issues;
  • supporting backups;
  • protecting the platform;
  • maintaining service security and reliability.

Google acts as a service provider or sub-processor in relation to these cloud services. Google Cloud and Firebase publish data processing terms for customer data and security obligations.

BNOSA remains responsible for:

  • determining the purposes of processing where BNOSA acts as a controller;
  • processing customer-controlled platform data according to customer instructions where BNOSA acts as processor;
  • configuring the BNOSA platform securely;
  • managing user permissions and access controls;
  • ensuring appropriate contractual agreements with Google services;
  • ensuring appropriate safeguards for international transfers where required.

BNOSA does not authorise Google to use customer data entered into the BNOSA platform for BNOSA-unrelated advertising purposes.

Role of RunProf in Technical Support and Development

BNOSA uses RunProf as a technical development, maintenance, and support provider.

RunProf may assist BNOSA with:

  • software development;
  • system configuration;
  • bug fixing;
  • technical support;
  • troubleshooting;
  • maintenance;
  • testing;
  • deployment support;
  • platform improvements;
  • security-related technical work;
  • infrastructure or application support;
  • investigation of technical issues raised by customers or users.

Where necessary for these purposes, authorised RunProf personnel may have limited access to certain data, systems, logs, configurations, or support information.

Such access should be limited to what is necessary for the relevant support, development, maintenance, or security purpose.

RunProf is expected to act under BNOSA’s instructions and subject to appropriate confidentiality, security, and data protection obligations.

Where RunProf processes personal data on behalf of BNOSA, RunProf will be treated as a service provider or subcontractor, and appropriate contractual data protection terms should be in place.

BNOSA remains responsible for ensuring that RunProf’s access is properly controlled, monitored, and limited according to the nature of the service provided.

Sharing Personal Data

BNOSA may share personal data with the categories of recipients described below.

13.1 Cloud and infrastructure providers

We may share or process data through cloud and infrastructure providers, including Google services, for hosting, storage, database, authentication, monitoring, backup, and security purposes.

13.2 Technical development and support providers

We may share limited personal data with authorised technical service providers, including RunProf, where necessary for development, support, maintenance, troubleshooting, testing, deployment, security, or service improvement.

13.3 Payment providers

We may share billing and payment-related data with payment providers such as Stripe for:

  • payment processing;
  • subscription management;
  • invoicing;
  • fraud prevention;
  • refunds;
  • disputes;
  • regulatory compliance;
  • transaction monitoring.

13.4 Communication and email providers

We may use email, messaging, or notification providers to send:

  • account notifications;
  • password or access communications;
  • security alerts;
  • service updates;
  • support communications;
  • billing communications;
  • marketing communications where permitted.

13.5 Analytics, monitoring, and security providers

We may use analytics, monitoring, error tracking, logging, or security tools to:

  • monitor performance;
  • detect system errors;
  • improve reliability;
  • investigate incidents;
  • detect unauthorised access;
  • improve the platform.

13.6 Professional advisers

We may share data with:

  • accountants;
  • auditors;
  • lawyers;
  • tax advisers;
  • consultants;
  • insurers;
  • other professional advisers.

13.7 Authorities and regulators

We may disclose personal data where required or permitted by law, including to:

  • courts;
  • regulators;
  • tax authorities;
  • law enforcement agencies;
  • government bodies.

13.8 Business transfers

If BNOSA is involved in a merger, acquisition, investment, restructuring, sale of assets, or similar transaction, personal data may be shared with relevant parties as part of the transaction, subject to appropriate confidentiality and legal safeguards.

Sub-processors and Service Providers

Where BNOSA acts as a processor for customer-controlled platform data, BNOSA may use sub-processors to provide parts of the service.

Key sub-processor or service provider categories may include:

  • Google Cloud / Firebase / Google services — Purpose: hosting, storage, database, authentication, monitoring, backups, security. Data potentially processed: account data, platform data, technical logs, uploaded files, EHS operational records.
  • RunProf — Purpose: development, technical support, maintenance, troubleshooting, configuration, testing. Data potentially processed: limited account data, platform data, support data, logs, technical information where necessary.
  • Stripe — Purpose: payments, subscriptions, invoices, refunds, fraud prevention, billing. Data potentially processed: billing details, transaction data, payment status, subscription data.
  • Email or communication providers — Purpose: transactional emails, service notices, customer communications. Data potentially processed: names, email addresses, message content, notification data.
  • Analytics or monitoring providers — Purpose: usage analytics, performance monitoring, error tracking, security monitoring. Data potentially processed: technical logs, usage data, device/browser data, error data.
  • Accounting or professional service providers — Purpose: tax, accounting, legal, compliance support. Data potentially processed: billing records, customer business details, invoices, contract data.

BNOSA will seek to ensure that sub-processors and service providers are subject to appropriate confidentiality, security, and data protection obligations.

Where required, BNOSA will provide customers with additional information about sub-processors through a sub-processor list, customer agreement, DPA, or other appropriate mechanism.

International Transfers

BNOSA may use service providers, including Google services, Stripe, RunProf, and other technical or business providers, that may process personal data outside the United Kingdom or outside the country where the customer or user is located.

Depending on service configuration, support, redundancy, security, backup, payment processing, infrastructure, and operational requirements, personal data may be processed in or accessed from different jurisdictions.

Where international transfers of personal data occur, BNOSA will rely on appropriate safeguards required under applicable data protection laws, which may include:

  • adequacy regulations;
  • standard contractual clauses;
  • UK International Data Transfer Addendum or Agreement;
  • Data Processing Agreements;
  • contractual confidentiality and security obligations;
  • technical and organisational security measures;
  • other lawful transfer mechanisms.

BNOSA does not state that all data is stored exclusively in the United Kingdom unless this is expressly confirmed in a customer agreement or technical configuration.

Where customers require specific data residency arrangements, these should be agreed separately in writing and validated against the technical configuration of Google services, Firebase, databases, storage, backups, logs, support access, and related infrastructure.

Google Cloud provides information and contractual mechanisms relevant to UK GDPR, EU GDPR, and Swiss FDPA compliance.

Data Security

BNOSA takes appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, destruction, or disclosure.

These measures may include:

  • secure cloud infrastructure;
  • role-based access controls;
  • authentication controls;
  • account management controls;
  • access logging;
  • audit trails;
  • encryption in transit where applicable;
  • encryption at rest where supported and configured;
  • backups and recovery measures;
  • monitoring and alerting;
  • error logging;
  • least-privilege access principles;
  • confidentiality obligations;
  • technical support access control;
  • secure development practices;
  • vulnerability management;
  • incident response processes;
  • periodic review of user access and permissions.

BNOSA uses Google services to support hosting, infrastructure security, monitoring, storage, backup, and operational resilience.

BNOSA remains responsible for secure configuration of the application, role permissions, customer access controls, development practices, support processes, and operational governance.

Customers are responsible for:

  • keeping login credentials confidential;
  • ensuring only authorised users access the platform;
  • promptly disabling users who no longer require access;
  • assigning appropriate permissions;
  • avoiding unnecessary sharing of sensitive information;
  • using secure devices and networks.

No system can be guaranteed to be completely secure. However, BNOSA aims to maintain appropriate safeguards consistent with the nature of the data and the risks involved.

Data Retention

BNOSA retains personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods depend on:

  • the type of data;
  • the purpose of processing;
  • customer contract terms;
  • customer instructions;
  • legal and regulatory requirements;
  • tax and accounting obligations;
  • dispute resolution requirements;
  • security and audit requirements;
  • backup and recovery needs.

Typical retention approach:

  • Website enquiries — Retained while the enquiry is active and for a reasonable follow-up period.
  • Demo request data — Retained for sales, follow-up, and business relationship purposes unless deletion is requested and legally possible.
  • Customer account data — Retained during the customer relationship and a reasonable period after termination.
  • Billing and invoice records — Retained as required for tax, accounting, and legal obligations.
  • Platform operational data — Retained according to customer agreement, customer settings, or applicable legal requirements.
  • User accounts — Retained while required for platform access, audit, security, and customer administration.
  • Support records — Retained while needed for service history, issue resolution, quality control, and disputes.
  • Security records — Retained for a limited period required for security, audit, troubleshooting, and compliance.
  • Backup data — Retained according to backup cycles and technical recovery requirements.
  • Marketing preferences — Retained until unsubscribe, objection, or deletion where legally possible.

Where BNOSA acts as a processor, deletion or return of customer data will be handled according to the customer agreement, DPA, or documented customer instructions.

Some data may remain in backups for a limited period before being overwritten or securely deleted according to BNOSA’s backup practices.

Cookies and Similar Technologies

BNOSA’s website and platform may use cookies and similar technologies to:

  • operate the website and platform;
  • maintain sessions;
  • authenticate users;
  • remember preferences;
  • improve performance;
  • analyse website use;
  • support security;
  • detect errors;
  • support service improvement;
  • support marketing or analytics where permitted.

Cookies may include:

  • essential cookies;
  • security cookies;
  • preference cookies;
  • analytics cookies;
  • performance cookies;
  • marketing cookies, if used.

Essential cookies are necessary for the website or platform to function.

Non-essential cookies, such as analytics or marketing cookies, will be used only where permitted by applicable law and, where required, with consent.

Users can manage cookies through browser settings or through our cookie preference tool where available.

BNOSA may provide a separate Cookies Policy with more details about the cookies and tracking technologies used.

Marketing Communications

BNOSA may send business-to-business communications about:

  • BNOSA products and services;
  • platform updates;
  • EHS digital transformation topics;
  • product demonstrations;
  • events or webinars;
  • relevant content;
  • service announcements.

Where required, we will obtain consent before sending marketing communications.

You can opt out of marketing communications at any time by:

  • clicking the unsubscribe link in our emails; or
  • contacting us at privacy@bnosa.com.

Even if you opt out of marketing communications, BNOSA may still send important service, account, billing, legal, security, or operational notices.

Automated Decision-Making

BNOSA does not intend to make decisions that produce legal or similarly significant effects on individuals solely through automated processing.

The BNOSA platform may provide:

  • dashboards;
  • reports;
  • reminders;
  • overdue action indicators;
  • workflow status;
  • risk visibility;
  • analytics;
  • trend reports;
  • task notifications;
  • performance indicators.

These outputs are intended to support customer decision-making and do not replace human judgement.

Customers remain responsible for reviewing platform outputs and making operational, employment, safety, disciplinary, legal, or compliance decisions.

Analytics and Future AI Features

BNOSA may use analytics to help customers understand:

  • recurring hazards;
  • overdue actions;
  • repeated observations;
  • inspection trends;
  • incident trends;
  • CAPA performance;
  • meeting action status;
  • workflow performance;
  • operational improvement opportunities.

If BNOSA introduces AI or advanced analytics features in the future, BNOSA will aim to ensure that:

  • processing is lawful, fair, and transparent;
  • unnecessary personal data is not used;
  • access controls are applied;
  • outputs are explainable where reasonably possible;
  • customers remain responsible for final decisions;
  • material changes to processing are reflected in the Privacy Policy, customer contracts, or other notices where required.

BNOSA will not use customer-entered EHS operational data for unrelated advertising purposes.

Payment Processing Through Stripe

BNOSA may use Stripe to process payments, subscriptions, invoices, refunds, disputes, and related billing activities.

When a payment is made, payment information may be collected and processed directly by Stripe.

BNOSA does not intend to store full payment card details on its own systems.

BNOSA may receive limited payment-related information from Stripe, including:

  • customer billing details;
  • payment status;
  • invoice status;
  • subscription status;
  • transaction references;
  • refund status;
  • dispute status;
  • partial card details such as card brand and last four digits where applicable.

BNOSA uses this information for:

  • subscription management;
  • billing;
  • accounting;
  • fraud prevention;
  • customer support;
  • legal compliance;
  • dispute handling.

Stripe processes personal data in accordance with its own privacy policy and contractual data processing terms.

Data Subject Rights

Depending on applicable law and the context of processing, individuals may have rights including:

  • the right to access personal data;
  • the right to correct inaccurate personal data;
  • the right to request deletion;
  • the right to restrict processing;
  • the right to object to processing;
  • the right to data portability;
  • the right to withdraw consent where processing is based on consent;
  • the right to complain to a data protection authority.

To exercise your rights, contact us at privacy@bnosa.com.

We may need to verify your identity before responding.

Where BNOSA processes personal data on behalf of a customer, we may refer the request to the relevant customer because the customer may be the controller of the data.

We will respond to rights requests in accordance with applicable data protection law.

Complaints

If you have concerns about how BNOSA handles personal data, please contact us first so we can try to resolve the issue.

You may also have the right to complain to the UK Information Commissioner’s Office (“ICO”) or another relevant supervisory authority.

The ICO is the UK regulator for data protection and information rights. Organisations that process personal information may need to pay a data protection fee unless exempt.

Data Breaches and Security Incidents

If BNOSA becomes aware of a personal data breach or relevant security incident, we will assess the incident and take appropriate steps.

These steps may include:

  • investigating the incident;
  • containing the incident;
  • assessing affected data;
  • notifying affected customers where BNOSA acts as processor;
  • notifying regulators where legally required;
  • notifying affected individuals where legally required;
  • taking corrective and preventive actions;
  • improving controls to reduce recurrence.

Where BNOSA acts as a processor, we will notify the relevant customer in accordance with the applicable customer agreement or DPA.

Children’s Data

BNOSA services are intended for business use and are not directed at children.

BNOSA does not knowingly collect personal data from children through its website or platform for consumer purposes.

If a customer uses BNOSA in a context involving young workers, trainees, interns, apprentices, or other individuals under applicable employment or safety rules, the customer is responsible for ensuring lawful processing and appropriate safeguards.

Customer Data and Service Data

For clarity:

Customer Data means data entered, uploaded, generated, or processed by customers and authorised users within the BNOSA platform.

Service Data means data generated through the use, operation, administration, support, monitoring, security, billing, and maintenance of the BNOSA platform.

BNOSA may process both Customer Data and Service Data to provide, secure, maintain, support, improve, and administer the BNOSA services.

Where Customer Data is controlled by the customer, BNOSA processes such data as processor according to the customer agreement or DPA.

Where BNOSA determines the purposes and means of processing Service Data, BNOSA may act as controller.

Data Processing Agreement for Customers

Where BNOSA processes personal data on behalf of business customers, BNOSA may provide a Data Processing Agreement.

The DPA should address:

  • subject matter of processing;
  • duration of processing;
  • nature and purpose of processing;
  • types of personal data;
  • categories of data subjects;
  • customer rights and obligations;
  • BNOSA’s processor obligations;
  • confidentiality;
  • security measures;
  • sub-processors;
  • international transfers;
  • assistance with data subject requests;
  • assistance with security and breach obligations;
  • deletion or return of data;
  • audit and compliance information.

This is important because BNOSA’s platform will commonly process data controlled by its customers, while BNOSA and its providers, including Google services and RunProf, may support the processing as part of the service delivery chain.

Changes to This Privacy Policy

BNOSA may update this Privacy Policy from time to time.

We may update it to reflect:

  • legal or regulatory changes;
  • platform changes;
  • changes in service providers;
  • changes in security or operational practices;
  • changes in payment, hosting, support, or analytics arrangements.

If we make material changes, we may notify customers by email, platform notice, website notice, or another appropriate method.

The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised.

Continued use of BNOSA after the updated Privacy Policy becomes effective means that the updated Privacy Policy applies, subject to applicable law and customer agreements.

Contact Us

For questions, requests, or complaints about this Privacy Policy or BNOSA’s handling of personal data, please contact:

  • BNOSA Ltd
  • Company Number: 16960746
  • Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom
  • Website: www.bnosa.com
  • Privacy Email: privacy@bnosa.com
BNOSA Privacy Policy | BNOSA