1. Who We Are
COSHH.app is a UK-based workplace chemical safety platform that helps businesses generate COSHH (Control of Substances Hazardous to Health) risk assessments. We are the data controller for the personal information we process. If you have any questions about this policy, contact us at [email protected].
2. What Data We Collect
We collect the following categories of personal data:
- Account information: Name, email address, hashed password
- Business data: Workplace names, addresses, industry sectors
- Chemical data: Chemical names, manufacturers, CAS numbers, hazard information, label images
- COSHH reports: Risk assessments, control measures, emergency procedures
- Payment data: Processed securely by Stripe — we do not store card details
- Usage data: Pages visited, features used (via Google Analytics with anonymised IP)
- Chat messages: Conversations with our AI safety chatbot (Premium users)
3. Lawful Basis for Processing
Under UK GDPR, we process your data on the following legal bases:
- Contract: To provide you with COSHH reports and chemical safety services you have requested
- Legitimate interest: To improve our services, ensure security, and prevent fraud
- Consent: For marketing communications and product recommendations based on your chemical usage data — you can withdraw consent at any time
- Legal obligation: To comply with applicable laws and regulations
4. How We Use Your Data
- Generating COSHH risk assessment reports
- Extracting chemical safety data from label images using AI
- Providing Safety Data Sheet (SDS) information
- Managing your account and subscription
- Processing payments via Stripe
- Improving our AI models and service quality (using anonymised data only)
- Sending marketing communications about relevant chemical safety products (only with your explicit consent)
5. Data Processors
We share your data with the following third-party processors who act under our instructions:
- Abacus.AI: Cloud hosting, AI processing, database storage
- Stripe: Payment processing (PCI-DSS compliant)
- Google Analytics: Anonymous website usage analytics
6. Data Retention
We retain your personal data for as long as your account is active. Chemical data and COSHH reports are kept for as long as you maintain an account to ensure continuity of your safety records. If you delete your account, all associated data is permanently removed within 30 days. Payment records may be retained for up to 7 years for tax and legal compliance.
7. Your Rights Under UK GDPR
You have the following rights:
- Right of access: Request a copy of all data we hold about you
- Right to rectification: Correct any inaccurate personal data
- Right to erasure: Request deletion of all your data (available via your Profile page)
- Right to restrict processing: Limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Withdraw marketing consent at any time via your Profile page
To exercise any of these rights, contact us at [email protected] or use the “Delete My Data” option in your Profile settings.
8. Cookies
We use essential cookies required for the website to function (authentication, session management). We also use Google Analytics cookies to understand how visitors use our site — these are only set with your consent. You can manage your cookie preferences at any time via the cookie banner.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including encrypted connections (HTTPS/TLS), hashed passwords (bcrypt), secure cloud infrastructure, and access controls.
10. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any significant changes via email or a prominent notice on our website.