SafeTrak Privacy Policy

Last updated: April 14, 2026

SafeTrak Technologies (“SafeTrak”, “we”, “us”, or “our”) operates the SafeTrak workplace safety management platform at safetrak.ca (the “Service”). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use the Service.

This Privacy Policy is intended to comply with applicable Canadian private-sector privacy laws, including the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Alberta’s Personal Information Protection Act (“PIPA”), to the extent those laws apply to our activities.

By using the Service, you consent to the collection, use, disclosure, and retention of your personal information as described in this Privacy Policy, subject to any legal limits on consent or notice.

1. Scope and roles

This Policy applies to company administrators, managers, workers, and other authorized users who access the Service through an organization account.

You are the Data Controller and SafeTrak acts solely as the Data Processor in respect of any personal information (including employee data, incident reports, and worksite imagery) uploaded by end‑users into the Service. As the Controller, the organization is solely responsible for obtaining all necessary, legally valid consents from employees to be tracked, monitored, and recorded.

2. Information we collect

We may collect the following categories of information, directly from you, from your organization, automatically through your use of the Service, or from third-party providers involved in delivering the Service.

Account and identity information

  • Full name of every enrolled worker.
  • Email address (which may be a work or personal email address, depending on the information you or your organization provides to facilitate account creation and invitations).
  • Job title and role.
  • Password, stored in hashed or encrypted form; we do not store or access your plain-text password.

Organization and billing information

  • Company name, physical address, industry, and phone number (utilized for audit logs and hazard report PDF export functions).
  • Billing contact name and email.
  • Province and country.
  • Subscription status and payment history.
  • Company utility bills (to be collected for the purpose of business identity and address verification).

Content and records you or your organization upload

  • Hazard reports, incident reports, photos, descriptions, and related attachments.
  • Safety Data Sheets, Safe Work Procedures, policies, forms, and similar company files.
  • Employee certificates, expiry dates, training records, role assignments, and related administrative data.
  • Audit logs, workflow records, comments, and other records created in the platform.

Usage and technical information

  • Login timestamps.
  • Session activity.
  • Pages visited and features used.
  • Browser type, device type, operating system.
  • IP address.
  • Diagnostic and error logs.

Notification information

  • Email delivery and engagement data.
  • Push notification tokens and delivery status, where push notifications are enabled.

We do not collect payment card details directly. Payment processing is handled by our payment processor, and we receive limited billing-related information such as payment status and partial card details for reference where applicable.

3. How we collect information

We collect personal information:

  • directly from you when you register, sign in, submit content, contact support, or use the Service;
  • from your employer or organization when they create accounts, add users, assign roles, or upload records;
  • automatically through your use of the Service; and
  • from service providers that help us operate the Service, including payment, hosting, email, storage, and push notification providers.

4. Why we use personal information

We use personal information only for purposes that a reasonable person would consider appropriate in the circumstances, including to:

  • create, administer, and secure accounts;
  • provide hazard reporting, recordkeeping, certificate tracking, document management, audit logs, and related safety administration features;
  • deliver transactional messages such as invitations, password resets, billing notices, certificate expiry alerts, and safety alerts;
  • send push notifications if enabled;
  • process payments and manage subscriptions;
  • maintain, protect, monitor, troubleshoot, and improve the Service;
  • detect, investigate, and prevent fraud, misuse, unauthorized access, and security incidents;
  • comply with legal obligations;
  • enforce our Terms; and
  • protect our rights and the rights of others.

We do not sell personal information. We do not use personal information for third-party advertising or behavioral advertising.

5. Anonymous hazard reporting

The Service allows workers to submit hazard reports that are anonymous to their peers. When a report is submitted using the anonymous feature, the reporter’s identity will not be visible to general workers within the organization.

However, please note that authorized personnel within your organization (such as administrators, management, or compliance officers) may still have access to the reporter’s identity and report details through granular permission controls to facilitate internal investigations. The organization (as the Data Controller) is solely responsible for handling these reports in compliance with all applicable whistleblower protection and anti‑retaliation laws. The organization fully indemnifies SafeTrak against any claims of workplace retaliation, wrongful termination, or hostile work environments that arise from the organization’s internal handling of these reports.

6. How we disclose information

We do not sell or rent personal information. We disclose personal information only as described below.

Within your organization

Depending on their role and permissions, your organization’s administrators and managers may access, view, edit, export, delete, or manage employee information, certificates, hazard reports, audit logs, company files, and related records. Your organization controls those permissions within its account.

Service providers

We share information with service providers that assist us in operating the Service, such as:

  • Supabase for database and file storage;
  • Vercel for hosting;
  • Stripe for payments;
  • Resend for email delivery; and
  • Firebase for push notifications.

These providers may process data on our behalf and are contractually required to protect it and use it only for the services they provide to us, subject to their own technical and legal requirements.

Legal and protective disclosures

We may disclose personal information if we believe, in good faith, that disclosure is necessary to:

  • comply with law, regulation, legal process, or a government request;
  • enforce our Terms or other agreements;
  • investigate or prevent fraud, abuse, or security issues; or
  • protect the rights, property, safety, or security of SafeTrak, our users, or others.

Business transactions

If we are involved in a merger, acquisition, financing, reorganization, insolvency, sale of assets, or similar transaction, personal information may be disclosed as part of that transaction, subject to appropriate confidentiality protections and any notice required by law.

7. Storage, hosting, and security

Your information may be stored and processed on secure infrastructure used by our service providers. We use reasonable administrative, technical, and physical safeguards designed to protect personal information against loss, unauthorized access, disclosure, alteration, and destruction. We maintain a comprehensive Data Processing Addendum (DPA) compliant with PIPEDA and PIPA that binds SafeTrak to maintain specific safeguards, including encryption in transit and at rest, formalized incident response programs, and regular penetration testing.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for using a strong password, safeguarding your credentials, and notifying us promptly if you suspect unauthorized access.

8. Data retention

We retain personal information only as long as reasonably necessary to fulfill the purposes for which it was collected, to meet legal, accounting, tax, audit, security, backup, dispute-resolution, and fraud-prevention requirements, and to enforce our agreements.

When an account is cancelled or terminated:

  • access may continue until the end of the applicable billing period;
  • we may provide a limited read-only grace period of up to 30 days for export or transition purposes; and
  • after that period, we may delete, anonymize, or irreversibly de-identify personal information from active systems, subject to longer retention for legal, audit, security, or backup purposes.

We may retain backup copies for a limited period after deletion before they are overwritten or purged in the ordinary course of our backup cycle.

9. Access and correction requests

Because SafeTrak acts strictly as a Data Processor, end‑user employees seeking to exercise their privacy rights to access, correct, or delete their personal information must direct their Data Subject Access Requests (DSARs) directly to their employer (the Data Controller). SafeTrak will only process these requests upon the authorized instructions of the Data Controller.

10. Consent and withdrawal

Where we rely on consent, you may withdraw your consent for certain uses, subject to legal, contractual, or operational limits. If you withdraw consent for data that is necessary for the Service to function, some features may no longer be available.

Withdrawal of consent does not affect:

  • information already disclosed to your organization;
  • data that must be retained by law;
  • data that we are legally permitted to retain or process for security, fraud prevention, dispute resolution, or contractual enforcement.

11. Cookies and similar technologies

We use essential cookies and similar technologies to keep you signed in, maintain your session, and make the Service work properly. We may also use limited analytics and error-monitoring tools to understand aggregate usage and improve performance. We do not use advertising cookies or cross-site behavioral tracking.

12. Children’s privacy

The Service is not intended for individuals under 18 years of age, and we do not knowingly collect personal information from children. If we learn that a child has provided personal information, we will take reasonable steps to delete it, subject to legal retention requirements.

13. Cross-border processing

Although SafeTrak currently serves users in Canada only, your personal information may be processed or stored outside your province or outside Canada by us or our service providers. When that happens, the information may be subject to the laws of those jurisdictions and may be accessible to courts, law enforcement, or regulatory authorities in those locations.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make a material change, we will update the “Last updated” date and provide notice through the Service or by email where appropriate. Continued use of the Service after the effective date of an updated policy means you accept the updated policy to the extent permitted by law.

15. Contact us

SafeTrak Technologies
Alberta, Canada
support@safetrak.ca

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.