Privacy Policy
Tellus EHS ("Tellus," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Tellus EHS Platform, including our website at tellusehs.com, web application, mobile applications, and all related services (collectively, the "Service").
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1. Information You Provide
- Account Information: Name, email address, job title, phone number, and password when you create an Account.
- Company Information: Company name, industry, company type, address, number of employees, and site/location details provided during onboarding.
- Chemical and Safety Data: Safety data sheets (SDS), chemical inventories, product catalogs, quantity records, and related information uploaded or entered into the Service.
- Compliance Data: HazCom plans, compliance checklists, regulatory assessments, and audit records created within the Service.
- Training Data: Course content, assignment records, quiz responses, completion records, and certification information.
- Payment Information: Billing name, billing address, and payment method details. Payment card information is processed by our third-party payment processor and is not stored on our servers.
- Communications: Messages you send to us via email, support requests, or feedback forms.
1.2. Information Collected Automatically
- Usage Data: Pages visited, features used, actions taken, timestamps, session duration, and clickstream data within the Service.
- Device Information: Browser type, operating system, device type, screen resolution, and unique device identifiers.
- Log Data: IP address, access times, referring URLs, and error logs.
- Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain sessions, remember preferences, and analyze usage. See Section 7 for details.
1.3. Information from Third Parties
- Authentication Providers: If you sign in through a third-party identity provider, we receive your name, email, and authentication tokens as permitted by that provider.
- Regulatory Databases: We may retrieve publicly available regulatory and chemical hazard information from government and industry databases to enrich the Service.
2. How We Use Your Information
We use the information we collect to:
| Purpose | Legal Basis |
|---|---|
| Provide, operate, and maintain the Service | Performance of contract |
| Process your Subscription and payments | Performance of contract |
| Parse and analyze safety data sheets (SDS) | Performance of contract |
| Generate AI-powered compliance recommendations, training content, and HazCom plans | Performance of contract |
| Manage chemical inventories, quantities, and regulatory compliance tracking | Performance of contract |
| Send transactional communications (account verification, password resets, billing receipts, compliance alerts) | Performance of contract |
| Provide customer support | Performance of contract / Legitimate interest |
| Analyze usage to improve and develop the Service | Legitimate interest |
| Create aggregated, anonymized analytics and benchmarking data | Legitimate interest |
| Detect, prevent, and address security issues, fraud, and abuse | Legitimate interest / Legal obligation |
| Comply with legal obligations and respond to lawful requests | Legal obligation |
| Send product updates and marketing communications (with your consent where required) | Consent / Legitimate interest |
3. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
3.1. Within Your Organization
Authorized Users within your Company can access Company Data according to the role-based permissions configured by your Company administrator. For example, a site manager may see chemical inventories for their assigned sites.
3.2. Service Providers
We engage trusted third-party service providers who process data on our behalf, including:
- Cloud hosting and infrastructure (data storage and compute)
- Authentication services (identity verification and session management)
- Payment processors (billing and subscription management)
- Email delivery services (transactional and notification emails)
- AI and machine learning services (SDS parsing, content generation, compliance analysis)
- Analytics services (usage analytics and performance monitoring)
All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
3.3. Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of Tellus, our users, or the public; or (c) detect, prevent, or address fraud, security, or technical issues.
3.4. Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such change and any choices you may have regarding your information.
3.5. With Your Consent
We may share your information for purposes not described in this Privacy Policy with your explicit consent.
4. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access Controls: Role-based access controls, multi-tenant data isolation, and least-privilege principles.
- Authentication: Secure authentication with support for strong password requirements.
- Infrastructure: Hosted on secure, SOC 2-compliant cloud infrastructure with regular security assessments.
- Monitoring: Continuous monitoring for unauthorized access, anomalies, and security incidents.
- Incident Response: Documented incident response procedures with timely notification to affected users.
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
5. Data Retention
We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period |
|---|---|
| Account and profile information | Duration of Account + 30 days after deletion |
| Company Data (SDS, inventories, plans, training records) | Duration of Subscription + 30 days after termination |
| Payment and billing records | 7 years (tax and legal compliance) |
| Usage and analytics data | 24 months in identifiable form; indefinitely in aggregated/anonymized form |
| Audit and compliance logs | 7 years (regulatory record-keeping requirements) |
| Support communications | 3 years after resolution |
After the applicable retention period, data is permanently deleted or irreversibly anonymized.
6. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
6.1. Access and Portability
You can access your personal information through your Account settings. You may export your Company Data at any time using the Service's built-in export features.
6.2. Correction
You can update your Account information directly through the Service. If you need assistance, contact us at privacy@tellusehs.com.
6.3. Deletion
You may request deletion of your Account and personal information by contacting privacy@tellusehs.com. Note that:
- Some data may be retained as required by law (e.g., billing records, audit logs).
- Deletion of your Account does not automatically delete Company Data; a Company administrator must request Company-level data deletion.
6.4. Opt-Out of Marketing
You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by updating your notification preferences in the Service.
6.5. Cookie Preferences
You can manage cookie preferences through your browser settings or through our cookie consent mechanism. See Section 7.
6.6. Data Processing Objections
Where we process your data based on legitimate interest, you may object to such processing. We will cease processing unless we have compelling legitimate grounds that override your interests.
7. Cookies and Tracking Technologies
7.1. Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security | Session / persistent |
| Functional | User preferences, language, theme settings | Persistent (up to 1 year) |
| Analytics | Usage patterns, feature adoption, performance monitoring | Persistent (up to 2 years) |
7.2. Managing Cookies
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning properly.
7.3. Do Not Track
The Service does not currently respond to "Do Not Track" browser signals. We honor opt-out preferences expressed through our cookie consent mechanism.
8. Multi-Tenant Data Isolation
The Service is a multi-tenant platform. We implement strict data isolation between Company workspaces:
- Each Company's data is logically isolated using unique Company identifiers.
- Authorized Users can only access data within Companies to which they have been granted access.
- Cross-Company data access is technically prevented at the application and database layer.
- Company administrators control user access through role-based permissions.
9. AI and Automated Processing
9.1. How AI Processes Your Data
The Service uses AI and machine learning to:
- Parse and extract information from uploaded safety data sheets (SDS).
- Generate HazCom plan content based on your company and chemical data.
- Create training course content tailored to your workplace hazards.
- Evaluate compliance posture and generate recommendations.
- Identify PPE requirements based on chemical hazard classifications.
9.2. Your Data and AI Training
- We do not use your Company Data to train general-purpose AI models.
- AI processing occurs within the context of your Company's workspace to provide the Service.
- Aggregated, anonymized insights may be used to improve AI model accuracy for all users.
9.3. Human Oversight
AI-generated outputs are presented as recommendations and drafts. The Service includes review and approval workflows to ensure human oversight of AI-generated content before it is finalized for compliance purposes.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete it promptly. If you believe we have inadvertently collected such information, please contact us at privacy@tellusehs.com.
11. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
Where required by applicable law, we implement appropriate safeguards for international data transfers, such as Standard Contractual Clauses (SCCs) approved by relevant authorities.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@tellusehs.com. We will verify your identity before processing your request.
13. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right of Access (Art. 15)
- Right to Rectification (Art. 16)
- Right to Erasure (Art. 17)
- Right to Restriction of Processing (Art. 18)
- Right to Data Portability (Art. 20)
- Right to Object (Art. 21)
- Right to Withdraw Consent (Art. 7)
To exercise these rights, contact our Data Protection contact at privacy@tellusehs.com. You also have the right to lodge a complaint with your local data protection authority.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you by email or through a prominent notice in the Service at least 30 days before the changes take effect.
Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Tellus EHS — Privacy
- Email: privacy@tellusehs.com
- General Support: support@tellusehs.com
- Website: tellusehs.com
For data protection inquiries from the EEA/UK, you may also contact our Data Protection contact at the email above.