Effective Date: March 1, 2026 | Last Updated: March 6, 2026
This Privacy Policy explains how QoreFlow Tech OÜ ("Company", "we", "us") collects, processes, stores, and protects your personal data through the Safety Voice platform ("Platform"). This policy complies with the European Union General Data Protection Regulation (GDPR – 2016/679), the Estonian Personal Data Protection Act, and the Turkish Personal Data Protection Law (KVKK – Law No. 6698).
1. Data Controller
Company: QoreFlow Tech OÜ
Address: Tallinn, Estonia
Email: info@safetyvoice.net
Website: https://safetyvoice.net
2. Personal Data We Collect
2.1 Account Information
- Name, surname, username
- Email address, phone number
- Organization, department, role
- Profile photo (optional)
2.2 Occupational Safety Data
- Hazard reports, photos, and videos
- Inspection records, risk assessments
- Training records, health surveillance data
- PPE (Personal Protective Equipment) records
- Work accident notifications and emergency plans
2.3 Technical Data
- IP address, browser information, device type
- Login timestamps and audit logs
- Cookies and similar tracking technologies
3. Purposes of Data Processing
- Providing and managing Platform services
- Fulfilling occupational health and safety legal obligations
- Processing hazard reports and managing workflows
- AI-powered risk analysis and prediction
- Gamification and user engagement systems
- Statistical analysis and reporting
- Legal compliance (ISO 45001, ISO 27001)
- Ensuring platform security and fraud prevention
4. Legal Bases for Processing (GDPR Article 6)
- Contract performance: providing Platform services
- Legal obligation: OHS legislation, GDPR/KVKK compliance
- Legitimate interest: platform security, analytics, service improvement
- Consent: marketing communications, cookie preferences
5. Data Sharing
Your personal data is not shared with third parties except in the following cases:
- Organization administrators: authorized users within your organization under role-based access control
- Service providers: hosting (Replit), email (Resend), analytics (Cloudflare), AI (Google Gemini), payments (Stripe) — all under GDPR-compliant data processing agreements
- Legal requirement: upon court order or request from competent authorities
6. International Data Transfers
Your data is processed within the European Economic Area (EEA). When transfers outside the EEA are necessary, appropriate safeguards (Standard Contractual Clauses) under GDPR Article 46 are applied.
7. Data Retention Periods
- Account data: while account is active + 30 days after deletion
- OHS records: minimum 15 years as required by law
- Audit logs: 5 years (ISO 27001 compliance)
- Billing data: 10 years (tax legislation)
8. Your Rights
Under GDPR and KVKK, you have the following rights:
- Right of access: request information about your processed data
- Right to rectification: request correction of inaccurate data
- Right to erasure: request deletion of non-legally required data
- Right to restrict processing: request limitation of processing under certain conditions
- Right to data portability: receive your data in a structured format
- Right to object: object to processing based on legitimate interest
To exercise your rights, contact info@safetyvoice.net. We will respond within 30 days.
9. Data Security
- All data encrypted in transit and at rest (TLS 1.3, AES-256)
- Passwords hashed with bcrypt
- ISO 27001 compliant audit logs protected with hash chains
- Role-based access control (RBAC) and PostgreSQL Row-Level Security (RLS)
- CSRF protection, rate limiting, secure session management
- Regular security assessments and penetration testing
10. Children's Privacy
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children.
11. Policy Changes
Significant changes to this policy will be communicated via the Platform and email. The current policy is always published on this page.
12. Right to Complain
You may file complaints about our data processing activities with:
- Estonia: Andmekaitse Inspektsioon (Data Protection Inspectorate) — www.aki.ee
- Turkey: Kişisel Verileri Koruma Kurumu (KVKK) — www.kvkk.gov.tr
13. Contact
For privacy-related inquiries:
Email: info@safetyvoice.net
Address: QoreFlow Tech OÜ, Tallinn, Estonia