Mentions Légales

Application mobile iDuerp – Solution DUERP intelligente B2B

OSHAid — Essential Terms (Summary)

Notice. This is a plain-language summary of the OSHAid Terms of Service and the AI & Algorithms Annex, adapted for the U.S. market and OSHA framework. It is not a substitute for the full Terms or the AI Annex, and it is not legal advice. Have qualified U.S. counsel review the full documents before publication.

OSHAid is a B2B mobile application and SaaS service that helps employers structure and maintain their workplace hazard assessments and injury-and-illness-prevention activities, aligned with the U.S. Occupational Safety and Health Act of 1970 and OSHA recordkeeping standards under 29 CFR Part 1904.

OSHAid is a decision-support tool, including artificial-intelligence features that are strictly optional.

OSHAid does not perform regulatory audits, on-site inspections, industrial-hygiene sampling, medical evaluations, or legal review, and it does not provide legal, medical, or regulatory advice.

Suggestions, scores, and recommendations produced by the platform — including AI outputs — are informational only, are based exclusively on the data the Customer provides, and are not decisions. All final decisions remain the Customer's.

Customer responsibility

The Customer — and in particular its officers and managers — remains solely responsible for:

• compliance with the OSH Act, applicable OSHA standards (29 CFR Parts 1904, 1910, 1915, 1917, 1918, 1926, 1928, as applicable), state-plan rules, and any other applicable federal, state, or local health-and-safety law;

• the accuracy and timely update of all data entered into the application;

• the actual implementation of any corrective or preventive actions;

• the health and safety of its workforce;

• the content the Customer enters or uploads into the application.

Use of OSHAid does not constitute a delegation of legal authority and does not shield the Customer or its officers from civil, regulatory, or criminal liability under the OSH Act (including Section 17(e)), state OSHA-plan rules, workers' compensation laws, or other applicable law.

OSHAid is not liable for workplace accidents, OSHA citations or penalties, inspections, workers' compensation claims, EEOC/DOL/NLRB complaints, employee or third-party litigation, or any indirect or consequential damages. Any liability is capped at the amount actually paid for the OSHAid subscription during the twelve (12) months preceding the event giving rise to the claim, to the extent permitted by law.

Artificial intelligence

The AI features:

• are disabled by default;

• require explicit activation by the account owner;

• can be disabled at any time in the application settings;

• never produce automated decisions with legal or otherwise significant effects on any individual without human review.

No automated decision producing legal or significant effects on a person is taken without human validation. The AI features use OpenAI as a downstream sub-processor.

The application never communicates directly with OpenAI: all AI requests are routed exclusively through OSHAid's secured servers.

Only the data strictly necessary to fulfill a request is transmitted. The following are never transmitted to AI providers:

• user names or email addresses;

• personal identifiers;

• passwords, tokens, or authentication credentials;

• financial or payment data;

• device identifiers or IP addresses;

• documents from the Documents module.

Data transmitted to AI providers (OpenAI):

• is used only to produce the requested response;

• is not used to train any public model;

• is not used by the provider for its own purposes.

If AI features are not explicitly activated, no data is sent to any AI provider.

Data and de-identification

Data the Customer enters into the application remains the property of the Customer.

OSHAid may use, analyze, aggregate, and irreversibly de-identify certain data to improve the Service, provided that no individual can be identified — directly or indirectly, including through cross-referencing or metadata.

No identifiable personal information is:

• sold,

• rented,

• shared for advertising purposes,

• used for commercial profiling.

OSHAid does not implement any behavioral-advertising mechanism and does not resell data. OSHAid does not "sell" or "share" personal information within the meaning of the CCPA/CPRA, the Colorado Privacy Act, VCDPA, CTDPA, UCPA, or analogous U.S. state privacy laws.

Distribution

The application may be distributed through the Apple App Store, the Google Play Store, or oshaid.com.

Apple and Google act solely as distribution platforms. They are not responsible for the content or operation of the OSHAid Service. Apple Inc. and its subsidiaries are third-party beneficiaries of the OSHAid Terms with respect to the Apple App Store, as required by Apple's standard licensing terms.

Use of the application constitutes full and unconditional acceptance of the OSHAid Terms of Service, the AI & Algorithms Annex, and the Officer & Director Liability Annex.

⚠️ OSHAid is a decision-support tool. It does not replace human expertise — including that of a Certified Safety Professional, Certified Industrial Hygienist, occupational-medicine provider, or attorney — and it does not replace the legal responsibility of the Customer's officers and directors.

Terms and conditions

Annex A - Artificial Intelligence, Algorithms, and Decision Support

Annexe B - PROTECTION PÉNALE DU DIRIGEANT

Règlement Général sur la Protection des Données (RGPD)

Terms and Conditions

OSHAid SaaS Platform and Mobile Application

Last updated: [Date]

Notice. This document is a US/OSHA-adapted version of the prior French Conditions Générales de Vente. It is provided as a template and is not legal advice. Have qualified U.S. counsel review and tailor it to your corporate form, state of incorporation, customer base, and the specific jurisdictions in which you operate before publishing.

ARTICLE 1 — PROVIDER IDENTITY AND PURPOSE

DUOPP (the "Provider") is the publisher and operator of OSHAid (the "Service"), a software solution available as a mobile application and as a SaaS web platform. OSHAid helps employers structure, manage, and maintain their workplace hazard assessments and injury-and-illness-prevention activities, and supports recordkeeping aligned with U.S. Occupational Safety and Health Administration ("OSHA") expectations under the Occupational Safety and Health Act of 1970 (29 U.S.C. §§ 651 et seq.) and 29 CFR Part 1904.

These Terms and Conditions (the "Terms") set out the contractual terms under which the Provider makes the OSHAid Service available to its business customers (each, the "Customer"), regardless of the channel through which the Service is acquired.

ARTICLE 2 — DISTRIBUTION CHANNELS AND ORDER OF PRECEDENCE

The OSHAid Service may be distributed through:

• the Apple App Store, including Apple Business Manager;

• the Google Play Store, including Managed Google Play;

• directly via oshaid.com, through online subscription or a B2B agreement.

Regardless of the distribution channel, the Provider of the Service is exclusively DUOPP (operating under the OSHAid brand). Third-party platforms (Apple, Google) act solely as technical intermediaries for distribution, payment processing, or subscription management, and are not parties to the service contract between the Customer and the Provider.

These Terms prevail over any other documentation, except for special terms expressly accepted in writing by the Provider. In the event of a conflict between these Terms and a separately signed master services agreement, order form, or statement of work, the separately signed document controls for the matters it covers.

ARTICLE 2B — APPLE APP STORE-SPECIFIC PROVISIONS

When the OSHAid application is downloaded through the Apple App Store:

• The end-user license is entered into exclusively between the Customer and the Provider.

• Apple Inc. and its subsidiaries are third-party beneficiaries of these Terms and may enforce them against the Customer.

• Apple is not responsible for:

  • the content of the application;

  • maintenance or support for the application;

  • any claims relating to the Service;

  • any legal or regulatory obligations tied to the Customer's professional use of the application.

• Any refund request relating to a subscription purchased through the App Store is handled exclusively by Apple in accordance with Apple's own terms.

ARTICLE 2C — GOOGLE PLAY-SPECIFIC PROVISIONS

When the OSHAid application is downloaded through the Google Play Store, distribution, billing, refunds, and subscription management are governed by Google's then-current terms. The contractual relationship for the Service itself remains exclusively between the Customer and the Provider.

ARTICLE 3 — NATURE OF THE SERVICE AND SCOPE

The Customer expressly acknowledges that OSHAid is a software tool that helps the Customer structure, organize, and present information related to workplace hazard assessment, injury-and-illness prevention, and OSHA-aligned recordkeeping.

OSHAid does not perform regulatory audits, on-site inspections, industrial-hygiene sampling, ergonomic assessments, medical evaluations, legal opinions, or third-party certifications. The Service operates solely on information that the Customer enters, uploads, or validates within the platform.

OSHAid's artificial-intelligence features are intended only to provide suggestions, recommendations, and decision support based on automated processing and statistical models. They are not a substitute for professional judgment by qualified safety professionals, occupational physicians, industrial hygienists, or attorneys.

The Service is not a Certified Safety Professional, Certified Industrial Hygienist, attorney, medical provider, or authorized representative under any OSHA standard. It does not file OSHA Form 300, 300A, or 301 logs on the Customer's behalf and does not transmit information to OSHA, state-plan agencies, workers' compensation insurers, or any other regulator.

ARTICLE 4 — NO DECISION-MAKING AUTHORITY; CUSTOMER RESPONSIBILITY

The Customer expressly acknowledges and agrees that the following decisions remain the sole and exclusive responsibility of the Customer:

• identification of workplace hazards;

• evaluation of hazard severity, probability, and exposure;

• prioritization of corrective and preventive actions;

• selection and implementation of engineering, administrative, and PPE controls;

• compliance with OSHA standards (including 29 CFR Parts 1910, 1915, 1917, 1918, 1926, and 1928 as applicable), state-plan equivalents, and any other federal, state, or local health-and-safety law;

• maintenance of OSHA-required recordkeeping (Forms 300, 300A, 301), electronic submission obligations under 29 CFR 1904.41, and posting requirements;

• training, communication, hazard reporting, and incident response.

Recommendations, suggestions, scores, or proposals generated by OSHAid — including those produced by its AI features — are provided for informational purposes only and do not constitute:

• a legal, regulatory, medical, ergonomic, industrial-hygiene, or engineering opinion;

• a guarantee of OSHA compliance or compliance with any other law;

• a representation that the Customer's workplace, equipment, or practices are safe;

• a commitment as to outcome, result, or audit pass rate.

Accordingly, the Provider shall not be liable for any decision the Customer makes, nor for any direct or indirect consequence of the Customer's use of, or failure to use, information generated by the Service.

ARTICLE 5 — DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY

5.1 Disclaimer of Warranties

To the fullest extent permitted by applicable law, the Service is provided "AS IS" and "AS AVAILABLE", without warranty of any kind, whether express, implied, or statutory. The Provider expressly disclaims all warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, completeness, uninterrupted operation, error-free performance, and any warranty arising from course of dealing or usage of trade.

The Provider does not warrant that the Service will identify every hazard present in the Customer's workplace, that AI-generated suggestions will be appropriate for any specific operation, or that use of the Service will result in OSHA compliance, lower workers' compensation costs, or avoidance of citations, fines, or litigation.

5.2 Excluded Damages

To the fullest extent permitted by law, the Provider shall have no liability — whether in contract, tort (including negligence), strict liability, statute, or any other theory — for any of the following, even if advised of the possibility:

• workplace injuries, illnesses, fatalities, or near-misses;

• bodily injury, property damage, or environmental harm;

• OSHA citations, civil penalties, criminal referrals, or abatement orders;

• workers' compensation claims, premium increases, or experience-modifier impacts;

• EEOC, NLRB, DOL, state-plan, or private-action labor or employment claims;

• business interruption, lost profits, lost revenue, lost data, lost goodwill, or loss of business opportunity;

• the Customer's failure to discharge its own legal duties under the OSH Act, state-plan rules, workers' compensation laws, or any other statute or regulation.

5.3 Aggregate Liability Cap

In no event shall the Provider's aggregate liability arising out of or relating to the Service or these Terms — whether in contract, tort, statute, or otherwise — exceed the total amount actually paid by the Customer to the Provider for the Service during the twelve (12) months immediately preceding the event giving rise to the claim. The existence of multiple claims shall not enlarge this cap.

Some jurisdictions do not allow the exclusion of certain warranties or the limitation of certain damages, so portions of this Article 5 may not apply to the Customer; in such jurisdictions the Provider's liability is limited to the maximum extent permitted by law.

ARTICLE 6 — CUSTOMER-PROVIDED DATA

The Customer remains solely responsible for:

• the truth, accuracy, completeness, and currency of all data the Customer enters or uploads;

• the timely update of that data when conditions, processes, equipment, or workforce change;

• the legal basis for collecting and using any personal information the Customer enters about its employees, contractors, or third parties (including any required notices and consents under California's CCPA/CPRA, Illinois' BIPA, and any other applicable U.S. state privacy law);

• compliance with all federal, state, and local laws applicable to the Customer's industry, workforce, and operations.

The Provider does not validate the substantive accuracy of Customer-submitted data and is not liable for errors, omissions, or inconsistencies arising from information the Customer provides.

ARTICLE 7 — USE, ANONYMIZATION, AND COMMERCIALIZATION OF AGGREGATED DATA

The Customer expressly acknowledges and agrees that the Provider may, in the course of operating and improving the Service, use, analyze, aggregate, exploit, and commercialize data derived from use of the Service.

This use is strictly limited to data that has been irreversibly de-identified and aggregated so that it cannot, alone or in combination with reasonably available information, be used to identify any individual — whether an employee, contractor, officer, or any other natural person.

Specifically excluded from any such use is data that could enable individual identification through cross-referencing, contextual inference, metadata, or any other means reasonably accessible to the Provider or to a third party.

Aggregated and de-identified data may be used by the Provider for any lawful purpose, including:

• statistical and benchmark analysis;

• improvement of algorithms and AI models;

• research and development;

• creation of industry indices, benchmarks, and reference data sets;

• publication or commercialization of aggregated, non-identifying datasets to third parties.

The Customer acknowledges that aggregated and de-identified data of this kind does not constitute "personal information" under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), or under analogous state privacy laws (such as VCDPA, CPA, CTDPA, or UCPA), provided that the data has been de-identified consistent with the standards of those statutes and the Provider commits not to attempt to re-identify it.

The Customer expressly waives any claim, ownership right, audit right, or right to compensation in connection with the Provider's use of such aggregated, de-identified data, so long as no information capable of identifying an individual can be reconstructed.

The Provider commits never to use, sell, license, or otherwise commercialize data that identifies an individual without that individual's prior written consent (or the Customer's, where the Customer is the appropriate party to provide it on the individual's behalf).

For HIPAA-regulated data, biometric data subject to BIPA or similar state laws, or data of minors, the Customer agrees not to upload such data to the Service unless the parties have separately executed a written addendum (such as a Business Associate Agreement) authorizing it.

ARTICLE 8 — INTELLECTUAL PROPERTY

The Service — including without limitation the software, source code, algorithms, AI models, evaluation frameworks, user interfaces, databases, trademarks ("OSHAid"), logos, content, documentation, and the look and feel — is protected by U.S. copyright, trademark, trade-secret, and patent law, as well as the corresponding international laws, and remains the exclusive property of the Provider (or its licensors, where applicable).

The Customer is granted only a limited, personal, non-exclusive, non-sublicensable, non-transferable right to use the Service for its internal business purposes during the term of its subscription. The Customer shall not:

• copy, modify, translate, reverse-engineer, decompile, or disassemble the Service, except to the extent expressly permitted by mandatory law;

• resell, sublicense, lease, or make the Service available to any third party except the Customer's authorized employees and contractors;

• use the Service to build a competing product or service, or to train any third-party AI model on the Service's outputs.

The Customer retains all rights in the data and content it uploads to the Service, and grants the Provider a worldwide, non-exclusive, royalty-free license to host, process, transmit, display, and back up that data solely as needed to provide and improve the Service, subject to the de-identification requirements of Article 7.

ARTICLE 9 — FEES AND PAYMENT

Pricing depends on the channel through which the Customer subscribes.

When the subscription is purchased through an app store (Apple or Google), billing, automatic renewal, refunds, and subscription management follow that platform's then-current terms.

When the subscription is entered into through oshaid.com, pricing and payment terms are set out in the applicable online checkout flow, quote, order form, or signed agreement. Unless otherwise stated, fees are exclusive of all sales, use, value-added, GST, or similar taxes, all of which are the Customer's responsibility (other than taxes imposed on the Provider's net income).

Subscriptions purchased directly from the Provider auto-renew for successive periods equal to the initial term unless either party gives written notice of non-renewal at least thirty (30) days before the end of the then-current term. Past-due amounts accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law.

ARTICLE 10 — TERM, SUSPENSION, AND TERMINATION

These Terms remain in effect for the duration of the Customer's subscription.

The Provider may suspend or terminate the Customer's access to the Service, without notice, in the event of:

• a material breach of these Terms (including non-payment after a reasonable cure period);

• use of the Service in a way that violates applicable law, infringes intellectual-property rights, or threatens the security or integrity of the platform or its other users;

• a credible threat of harm to other customers, the public, or the Provider's infrastructure.

Termination does not relieve the Customer of fees accrued before termination. Upon termination, the Customer's access ceases and the Provider may delete the Customer's data after a reasonable retention period, except where retention is required by law.

The provisions of Articles 4, 5, 6, 7, 8, 11, and 12, and any other provisions that by their nature should survive, will survive termination.

ARTICLE 11 — GOVERNING LAW AND DISPUTE RESOLUTION

11.1 Governing Law

These Terms are governed by the laws of the State of [Delaware / Florida / California — to be selected in coordination with U.S. counsel], without giving effect to its conflict-of-laws principles. The U.N. Convention on Contracts for the International Sale of Goods does not apply

.

11.2 Forum

The state and federal courts located in [County, State — to align with §11.1] have exclusive jurisdiction over any dispute arising out of or relating to these Terms or the Service, except that either party may seek injunctive or equitable relief in any court of competent jurisdiction to protect its intellectual-property or confidential information.

11.3 Optional Arbitration / Class-Action Waiver

If the parties agree, disputes may instead be resolved by final, binding arbitration administered by JAMS or the American Arbitration Association (AAA) in [City, State], conducted in English, with one arbitrator. Each party waives any right to participate in a class, collective, or representative action. (Customer should review carefully with counsel — class-action waivers and pre-dispute arbitration clauses with consumer-side or employment-side users are subject to specific U.S. state and federal rules and should be tailored to the customer base.)

11.4 Statute of Limitations

Except for claims for non-payment, any claim arising out of or relating to the Service or these Terms must be brought within one (1) year after the claim accrues, or be permanently barred, to the extent permitted by law.

ARTICLE 12 — ACCEPTANCE

Use of the OSHAid Service, regardless of the distribution channel, constitutes the Customer's full, complete, and unconditional acceptance of these Terms.

IMPORTANT — REGULATORY DISCLAIMER

OSHAid is not a substitute for a Certified Safety Professional, Certified Industrial Hygienist, occupational-medicine provider, attorney, or any OSHA-authorized representative. The Customer remains solely responsible for compliance with the Occupational Safety and Health Act of 1970, all applicable OSHA standards (29 CFR Parts 1904, 1910, 1915, 1917, 1918, 1926, 1928), state-plan rules where applicable, workers' compensation laws, and the safety of its workforce. The Service supports — but does not replace — the Customer's own safety and compliance program.

ANNEX A

Artificial Intelligence, Algorithms, and Decision Support (Contractual annex to the OSHAid Terms and Conditions)

Notice. This document is a US/OSHA-adapted version of the prior French Annexe A. It is provided as a template and is not legal advice. The U.S. AI legal landscape is evolving (NIST AI RMF, state laws such as the Colorado AI Act, NYC Local Law 144, and proposed federal rules); have qualified U.S. counsel review and tailor this annex to OSHAid's actual technical pipeline, customer base, and the states in which the Service operates before publishing.

ARTICLE A1 — PURPOSE OF THIS ANNEX

This Annex defines the conditions under which the OSHAid solution incorporates artificial-intelligence ("AI") features, automated algorithms, and computational models, and sets out the limits of, and the parties' respective responsibilities for, the use of those features.

This Annex is an integral part of the OSHAid Terms and Conditions (the "Terms"). In the event of a conflict between this Annex and the body of the Terms with respect to AI-related matters, this Annex controls.

ARTICLE A2 — DEFINITION OF OSHAid AI

Within the OSHAid Service, "AI" refers to the set of automated processing techniques used, among other things, to:

• analyze data entered by the Customer;

• analyze media content (photographs, videos, audio notes) the Customer uploads;

• apply statistical models and configurable business rules;

• generate suggestions, recommendations, hazard scores, or prioritizations.

These techniques rely on:

• proprietary algorithmic models;

• configurable rule sets;

• statistical learning conducted exclusively on data that has been aggregated and irreversibly de-identified so that it cannot, alone or in combination with reasonably available information, identify any individual.

No personal information that identifies an individual is used to train or fine-tune OSHAid's AI models.

For clarity: OSHAid does not deploy facial-recognition, biometric-identification, emotion-recognition, polygraph-style, or worker-monitoring AI; it does not score individual employees; and it is not designed to make hiring, firing, promotion, discipline, compensation, or scheduling decisions about workers.

ARTICLE A3 — SOLE PURPOSE: DECISION SUPPORT

The Customer expressly acknowledges that the AI features built into OSHAid are intended solely to assist the Customer's analysis and organization of workplace hazards and prevention activities.

Outputs produced by the AI (suggestions, hazard scores, prioritizations, proposed action plans) are decision-support inputs, not automated decisions within the meaning of any U.S. federal or state law (including without limitation the CCPA/CPRA, the Colorado AI Act, the Colorado Privacy Act, Virginia VCDPA, Connecticut CTDPA, Utah UCPA, NYC Local Law 144, or any forthcoming federal AI rule).

No decision is taken automatically by OSHAid without human review and validation by the Customer. The Customer always retains the ability to accept, modify, override, or ignore any AI output.

ARTICLE A4 — NO WARRANTY; INFORMATIONAL NATURE OF AI OUTPUTS

The Customer acknowledges that AI outputs:

• depend directly on the data the Customer provides;

• may be incomplete, approximate, or imperfect;

• may evolve over time as models are retrained or rules updated;

• may "hallucinate" or generate text that sounds authoritative but is incorrect, particularly for generative-AI-style suggestions.

Suggestions provided by OSHAid do not constitute, and shall not be relied upon as:

• a guarantee of compliance with the OSH Act, OSHA standards, state-plan rules, workers' compensation law, or any other federal, state, or local law;

• a guarantee of completeness or accuracy of any hazard assessment;

• a legal, regulatory, medical, ergonomic, industrial-hygiene, or engineering opinion;

• a contractual commitment as to outcome, audit pass rate, or claim avoidance.

To the fullest extent permitted by law, the Provider disclaims all warranties — express, implied, or statutory — regarding AI outputs, including warranties of merchantability, fitness for a particular purpose, accuracy, completeness, and non-infringement.

ARTICLE A5 — CUSTOMER'S EXCLUSIVE DECISION-MAKING RESPONSIBILITY

The Customer remains solely and exclusively responsible for:

• interpreting AI outputs;

• decisions made on the basis of those outputs;

• whether and how to implement any suggested action;

• the final evaluation of workplace hazards;

• compliance of its hazard assessment with the OSH Act, applicable OSHA standards (29 CFR Parts 1904, 1910, 1915, 1917, 1918, 1926, 1928, as applicable), state-plan rules, workers' compensation laws, and any other applicable federal, state, or local law;

• all data, content, and materials uploaded into OSHAid — including those submitted to the AI features (text, photos, videos, audio, or any other medium) — and in particular the lawful collection and use of any personal information they may contain.

The Provider shall not be liable for any direct or indirect consequence of a Customer decision made on the basis of AI output, including without limitation workplace injuries, OSHA citations, workers' compensation claims, EEOC or DOL actions, or claims by employees or third parties.

ARTICLE A6 — NO GUARANTEE OF BIAS-FREE OUTPUT; TECHNICAL LIMITS

The Customer acknowledges that OSHAid's algorithms:

• rely on statistical models;

• may reflect biases inherent in their training data, including historical biases in safety reporting, language differences, regional differences, and industry-specific reporting norms;

• cannot guarantee neutrality, completeness, or freedom from error.

The Provider does not warrant that AI outputs are free of bias, error, or omission, and the Provider strongly recommends human review by qualified safety personnel (such as an employer's safety committee, a Certified Safety Professional, or a Certified Industrial Hygienist) of every meaningful AI output before action is taken.

The Provider monitors AI performance and bias on a reasonable, periodic basis consistent with the principles of the NIST AI Risk Management Framework, but does not commit to any specific accuracy threshold.

ARTICLE A7 — EVOLUTION OF ALGORITHMS AND MODELS

The Customer accepts that the algorithms, scoring models, business rules, and AI features may evolve over time, including to:

• improve performance;

• incorporate newly aggregated data;

• respond to new regulatory expectations (such as state AI rules, NIST guidance, or OSHA technical updates);

• improve the user experience.

These evolutions do not constitute a material modification of the contract and do not give rise to any compensation. Where a change materially reduces a documented Service capability that the Customer was paying for, the Provider will give reasonable notice and, where applicable, a credit consistent with the order form or master agreement.

ARTICLE A8 — DATA USED FOR TRAINING AND IMPROVEMENT

The Customer expressly authorizes the Provider to use data derived from the Customer's use of the Service, only after aggregation and irreversible de-identification, for the following purposes:

• training and improvement of AI algorithms and models;

• research and development;

• creation of industry models, indices, and benchmarks;

• benchmarking and statistical analysis.

This processing excludes any data that could identify, directly or indirectly, an individual — whether through cross-referencing, contextual inference, or metadata analysis.

Data used for these purposes does not constitute "personal information" within the meaning of the California Consumer Privacy Act (as amended by the CPRA), the Colorado Privacy Act, Virginia VCDPA, Connecticut CTDPA, Utah UCPA, or other analogous U.S. state privacy laws, provided that the data has been de-identified consistent with the standards of those statutes and the Provider commits not to attempt to re-identify it.

The Customer agrees not to upload to OSHAid:

• protected health information ("PHI") subject to HIPAA, unless the parties have separately executed a Business Associate Agreement;

• biometric identifiers subject to BIPA (Illinois), Texas CUBI, Washington biometric law, or analogous laws, without separate written authorization;

• personal information of minors (under 13 / under 16 as applicable) subject to COPPA;

• "sensitive personal information" within the meaning of CPRA in volumes or contexts beyond those reasonably necessary for hazard assessment.

ARTICLE A9 — COMMERCIALIZATION OF AGGREGATED DATA

The Customer expressly accepts that the Provider may use, monetize, publish, and commercialize data derived from use of the Service exclusively in aggregated, de-identified form, with third parties (research institutes, partners, customers, industry bodies, publishers, and other commercial actors).

This use is strictly limited to data that cannot, directly or indirectly, identify any individual — whether an employee, a manager, or any other person.

The Customer expressly waives any claim of ownership, compensation, or oversight in connection with such use, so long as no individually identifiable information can be reconstructed.

The Provider commits never to use, sell, license, or commercialize data that identifies an individual.

For the avoidance of doubt: the Provider does not "sell" or "share" personal information about the Customer's employees within the meaning of the CCPA/CPRA, and uses Customer data only as a service provider to the Customer or, in aggregated/de-identified form, for the Provider's own analytics and product improvement.

ARTICLE A10 — REGULATORY ALIGNMENT

The Provider operates the AI features of OSHAid consistent with the principles of:

• the NIST AI Risk Management Framework (NIST AI RMF 1.0, January 2023, and subsequent updates);

• generally applicable U.S. federal guidance, including FTC enforcement principles regarding accuracy, fairness, and non-deceptive marketing of AI;

• applicable state AI laws, including (where applicable) the Colorado AI Act (effective February 2026), New York City Local Law 144 (where the Service interacts with employment-decision use cases — which OSHAid does not), and analogous frameworks in other states;

• principles of transparency, human oversight, contestability, and security.

The Customer acknowledges that:

• OSHAid is not a "high-risk AI system" within the meaning of the Colorado AI Act or analogous U.S. state laws, because the Service does not make, and is not designed to make, "consequential decisions" about employment, housing, education, financial services, healthcare, or other consequential matters concerning individuals;

• the Service is a workplace-safety decision-support tool and is not, by design, an "automated employment decision tool" ("AEDT") within the meaning of NYC Local Law 144 — the Customer agrees not to use the Service as an AEDT for hiring, firing, promotion, or other employment decisions;

• the Service does not deploy biometric identification, emotion recognition, social scoring, or worker surveillance.

If the Customer chooses to extend OSHAid output into employment, disciplinary, or other consequential decisions about specific individuals, the Customer is solely responsible for any associated AI-law compliance, impact assessment, notice, opt-out, anti-discrimination, and recordkeeping obligations

ARTICLE A11 — THIRD-PARTY AI PROVIDERS, DATA TRANSMISSION, AND CUSTOMER AUTHORIZATION

When the Customer activates AI features

• only data strictly necessary to fulfill the request is transmitted to third-party AI providers;

• transmitted data may include:

  • hazard descriptions,

  • technical evaluations of equipment, processes, or workstations,

  • photographs depicting work conditions or equipment;

• no name, email address, user identifier, financial data, or authentication credentials are transmitted to third-party AI providers;

• third-party AI providers act solely as the Provider's technical sub-processors / service providers under written agreements that prohibit further use of Customer data;

• transmitted data is not used to train any public model or improve any external system: the Provider's third-party AI vendors are contractually required to disable such training on Customer data;

• data is processed only to produce the requested response and is retained by the third-party provider only for the period strictly necessary, consistent with the third-party's published data-handling policy as referenced in the Provider's then-current sub-processor list at [oshaid.com/subprocessors] (or equivalent);

• the Customer may disable AI features at any time in the application settings.

The Provider maintains a current list of AI sub-processors and will give the Customer reasonable advance notice of any material change in writing or via in-product notification, consistent with the Provider's CCPA/CPRA service-provider obligations and any applicable Data Processing Addendum executed with the Customer

ARTICLE A12 — EXPRESS ACCEPTANCE

Acceptance of the Terms constitutes full and unconditional acceptance of this Annex

IMPORTANT — REGULATORY DISCLAIMER

OSHAid's AI features do not replace a Certified Safety Professional, a Certified Industrial Hygienist, an attorney, or an occupational-medicine provider. The Customer remains solely responsible for the safety of its workforce and for compliance with the Occupational Safety and Health Act of 1970, all applicable OSHA standards (29 CFR Parts 1904, 1910, 1915, 1917, 1918, 1926, 1928), state-plan rules, workers' compensation laws, and any other federal, state, or local law applicable to its operations.

If a piece of AI output ever feels wrong for the situation in front of you, trust the human in the loop, not the algorithm, and seek qualified professional advice before acting.

ANNEX B

Officer and Director Liability (Contractual annex to the OSHAid Terms and Conditions)

Last updated: [Date]

Notice. This document is a US/OSHA-adapted version of the prior French Annexe B – Protection pénale du dirigeant. It is provided as a template and is not legal advice. Officer and director liability under U.S. workplace-safety law is highly fact-specific and varies by state; have qualified U.S. counsel review and tailor this annex to OSHAid's actual customer base, the corporate structure of the Customer entities, and the jurisdictions in which the Service is used before publishing.

ARTICLE B1 — PURPOSE OF THIS ANNEX

This Annex sets out the limits of OSHAid's role and reaffirms the legal responsibilities of the Customer's officers, directors, and managers in connection with workplace safety, the OSH Act, OSHA recordkeeping, and the Customer's hazard-assessment program.

It is intended to give legal clarity to the contractual relationship between OSHAid (the "Provider") and the Customer with respect to the personal liability of the Customer's officers, directors, and other responsible persons.

This Annex is an integral part of the OSHAid Terms and Conditions (the "Terms"). In the event of a conflict between this Annex and the body of the Terms with respect to officer or director liability, this Annex controls.

ARTICLE B2 — PRINCIPLE OF PERSONAL RESPONSIBILITY

The Customer acknowledges that, under U.S. federal and state workplace-safety law — including the Occupational Safety and Health Act of 1970 (the "OSH Act", 29 U.S.C. §§ 651 et seq.) and applicable OSHA standards — responsibility for employee health and safety rests primarily with:

• the employer entity;

• the company's officers and directors;

• managers, supervisors, and any other persons with operational responsibility for safety;

• any individual designated by the employer as a "responsible person," "competent person," or safety official under a specific OSHA standard.

This responsibility is personal and non-transferable. It applies regardless of whether the Customer uses a software tool, an external advisor, or a digital solution such as OSHAid. The Customer further acknowledges that:

• under OSH Act Section 17(e), a willful violation that causes the death of an employee can result in criminal misdemeanor liability;

• under the federal "responsible corporate officer" doctrine, individuals in positions of authority may be personally exposed for regulatory violations even absent direct participation;

• many states (including California, New York, and others) have additional criminal-liability statutes (involuntary manslaughter, reckless endangerment, willful violation of state-plan rules) that may apply to corporate officers in connection with workplace fatalities or serious injuries;

• certain U.S. Department of Justice policies prioritize individual accountability for corporate misconduct, including in workplace-safety matters.

Administrators and safety leads designated by the Customer ("Pilots" or "Safety Administrators") act under the authority of the Customer's employer entity and are fully empowered to act on behalf of the employer within the OSHAid platform. Their actions, configurations, and approvals bind the Customer.

ARTICLE B3 — NO DELEGATION OF LIABILITY TO OSHAid

The Customer expressly acknowledges that use of the OSHAid Service:

• does not constitute a delegation of legal authority or responsibility;

• does not transfer any criminal, civil, or regulatory liability to OSHAid;

• does not constitute legal counsel, regulatory advice, occupational-medicine advice, or industrial-hygiene services.

OSHAid acts solely as a provider of a software tool that helps the Customer structure and document its hazard-assessment activities. OSHAid does not substitute for the Customer's officers, directors, designated administrators, or Safety Administrators, or for the legal obligations imposed on them by U.S. federal, state, or local law.

ARTICLE B4 — OSHAid'S LIMITED ROLE IN HAZARD PREVENTION

The Customer acknowledges that:

• OSHAid does not define the Customer's prevention or safety policies;

• OSHAid does not verify that prevention or corrective measures are actually implemented;

• OSHAid does not perform on-site inspections, walk-throughs, audits, sampling, or industrial-hygiene measurements;

• OSHAid does not provide regulatory validation of the Customer's hazard assessment, OSHA Form 300/300A/301 logs, or any other compliance document;

• OSHAid does not represent the Customer before OSHA, state-plan agencies, workers' compensation insurers, or any other regulator.

The features offered by OSHAid — including AI-generated suggestions — exist only to help the Customer formalize and follow up on the actions the Customer itself decides to take.

ARTICLE B5 — MANDATORY HUMAN REVIEW; CUSTOMER OVERSIGHT

The Customer acknowledges that every decision regarding workplace health and safety must be:

• the result of analysis by qualified humans;

• validated by the Customer's officers, directors, or other duly authorized representatives;

• effectively implemented in the workplace.

No OSHAid feature takes any automated decision that imposes legal or significant obligations on the Customer or its officers. The Customer is responsible for designing and operating its own internal review and approval workflows, including supervisory sign-offs, safety committee review where applicable, and documentation under 29 CFR Part 1904.

ARTICLE B6 — NO GUARANTEE OF PROTECTION FROM ENFORCEMENT

The Customer expressly acknowledges that use of OSHAid:

• does not guarantee the absence of OSHA citations, civil penalties, criminal referrals, or any other enforcement action;

• is not insurance and does not substitute for workers' compensation, employment-practices, directors-and-officers, or any other insurance coverage;

• cannot be invoked as an automatic defense to civil, regulatory, or criminal liability of the Customer or its officers and directors.

A hazard assessment generated or structured through OSHAid remains a working document whose validity depends on whether it actually reflects the conditions on the ground, whether the actions documented are actually carried out, and whether the document complies with applicable law.

ARTICLE B7 — CUSTOMER'S DUTY OF DILIGENCE

The Customer's officers, directors, and Safety Administrators commit to:

• regularly verifying the accuracy and currency of the hazard assessment, action plan, and supporting records in OSHAid;

• ensuring that prevention and abatement measures remain appropriate to actual workplace conditions and the OSH Act's General Duty Clause;

• adapting actions as risks evolve, equipment changes, or new hazards are identified;

• consulting qualified professionals when needed, including but not limited to occupational-medicine providers, Certified Safety Professionals (CSP), Certified Industrial Hygienists (CIH), workers' compensation specialists, and qualified attorneys;

• complying with applicable federal, state, and local recordkeeping, posting, and reporting obligations (including 29 CFR 1904 and the electronic-submission requirements of 29 CFR 1904.41 where applicable).

OSHAid is not liable for any failure of the Customer or its officers to exercise this duty of diligence.

ARTICLE B8 — PROOF AND AUDIT TRAIL: LIMITED SCOPE

The traceability, time-stamp, version-history, and audit-log features offered by OSHAid are intended to:

• help the Customer organize and retain its information;

• facilitate internal review, supervision, and consultation.

They do not constitute:

• conclusive or admissible legal proof of OSHA compliance, of compliance with state-plan rules, or of compliance with any other law;

• evidence that any documented measure was actually implemented in the workplace;

• a defense to civil, regulatory, or criminal liability.

The Customer remains responsible for collecting, retaining, and producing the underlying field-level evidence (training records, inspection notes, photographs, repair invoices, witness statements, OSHA logs, etc.) and for preserving such evidence consistent with 29 CFR Part 1904 retention requirements and any applicable litigation-hold obligations.

ARTICLE B9 — NO JOINT AND SEVERAL LIABILITY

The Customer acknowledges that no joint, joint-and-several, vicarious, or shared liability of any kind — civil, regulatory, or criminal — may be asserted against OSHAid arising from the Customer's use of the Service.

Any enforcement action, civil claim, regulatory proceeding, criminal investigation, or disciplinary matter directed at the Customer or its officers, directors, or employees shall not give rise to any liability of OSHAid, except in the case of gross negligence or willful misconduct directly attributable to the Provider and proven by the claimant in a court of competent jurisdiction.

For the avoidance of doubt: OSHAid is not the Customer's employer, agent, joint employer, alter ego, or "controlling employer" within the meaning of OSHA's multi-employer worksite policy or any analogous doctrine, and nothing in the Service or in these Terms creates such a relationship.

ARTICLE B10 — EXPRESS ACCEPTANCE AND ENFORCEABILITY

This Annex is expressly accepted by the Customer at the time of subscription or use of the OSHAid Service.

It is fully enforceable against the Customer and its representatives, officers, directors, designated administrators, Safety Administrators, employees, agents, successors, and assigns, and inures to the benefit of OSHAid and its affiliates.

If any provision of this Annex is held unenforceable in a particular jurisdiction, the remaining provisions remain in full force, and the unenforceable provision shall be reformed to the minimum extent necessary to make it enforceable while preserving the parties' intent.

IMPORTANT — REGULATORY DISCLAIMER

OSHAid is a decision-support tool. It does not substitute for the Customer's officers and directors, for the legal obligations imposed on them by the OSH Act, OSHA standards, state-plan rules, workers' compensation laws, or any other applicable law, or for the human expertise (Certified Safety Professional, Certified Industrial Hygienist, occupational-medicine provider, qualified attorney) needed to manage workplace health and safety responsibly.

OSHAid — Privacy Policy

Notice. This document is a US-adapted version of the prior French RGPD Politique de Confidentialité. It is provided as a template and is not legal advice. The U.S. privacy landscape is a patchwork of state laws (CCPA/CPRA, CPA, VCDPA, CTDPA, UCPA, TDPSA, ORCPA, MTCDPA, FDBR, IDDPA, TIPA, ICDPA, DEPDPA, MNCDPA, NJDPA, MODPA, NHDPA, RIDPA, NEDPA, KYDPA, etc.) plus federal sectoral rules (HIPAA, COPPA, GLBA, FERPA) and state biometric rules (BIPA, CUBI, Washington). Have qualified U.S. counsel review and tailor this policy to the actual data flows of the Service before publishing.

1. IDENTITY OF THE BUSINESS / SERVICE PROVIDER

In the context of using the OSHAid solution:

• The Customer (the employer / business using OSHAid) acts as the Business under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and as the Controller under analogous U.S. state privacy laws, with respect to personal information about its employees, contractors, applicants, or other third parties that the Customer processes through the Service.

• OSHAid (operated by DUOPP, the "Provider") acts exclusively as a Service Provider under the CCPA/CPRA, and as a Processor under analogous state laws, on behalf of the Customer for personal information processed in the application for the Customer's hazard-assessment and safety-management activities.

Clarification. The Provider may process certain personal information as a Business / Controller for its own purposes, strictly limited to operating the Service (account creation and access management, billing, customer support, security, logging, fraud prevention, legal compliance, and product improvement on aggregated and de-identified data).

In every case:

• The Provider does not sell or share personal information for cross-context behavioral advertising, within the meaning of the CCPA/CPRA or any analogous state law.

• The Provider does not run targeted advertising.

• The Provider does not use personal information for marketing profiling.

2. SCOPE

This Privacy Policy applies to all processing performed through:

• the OSHAid mobile application;

• the OSHAid SaaS web platform;

• the related services and APIs,

regardless of the distribution channel (Apple App Store, Google Play Store, or oshaid.com).

3. CATEGORIES OF PERSONAL INFORMATION PROCESSED

In the course of providing the Service, OSHAid may process, on behalf of the Customer, the following categories of personal information (using CCPA/CPRA category labels):

• Identifiers — workplace identifiers such as job title, role, department, work email used to access the application;

• Professional or employment-related information — function, work unit, supervisor, work location, work shifts;

• Workplace-hazard information — exposure descriptions, prevention actions, training status, incident notes;

• Audio, visual, or similar information — workplace photos, videos, and audio notes captured to document hazards;

• Internet or other electronic-network activity information — limited technical metadata related to the Customer's use of the Service (login times, device type, app version, security logs).

⚠️ The Customer is solely responsible for the content it enters into, or captures with, the application. OSHAid cannot verify or filter the exact nature of the information the Customer chooses to record. The Customer must apply the principle of data minimization and confine input to what is necessary for hazard-assessment and prevention purposes.

Sensitive personal information

The Customer agrees not to enter or upload into the application:

• health information regulated by HIPAA (PHI), unless the parties have separately executed a Business Associate Agreement;

• biometric identifiers regulated by BIPA (Illinois), Texas CUBI, Washington biometric law, or analogous state law, without separate written authorization;

• personal information of minors under 13 (or under 16 where applicable) within the meaning of COPPA;

• personal information of applicants for employment, in volumes or contexts that would convert OSHAid into an "automated employment decision tool" under NYC Local Law 144 or similar laws;

• "sensitive personal information" within the meaning of the CCPA/CPRA (precise geolocation, racial or ethnic origin, religious beliefs, citizenship/immigration status, union membership, communications content, financial-account access credentials, health, sexual orientation), beyond what is strictly required for hazard assessment and only with appropriate notice and any required consent.

The Customer is solely responsible for any departure from these limits.

4. PURPOSES OF PROCESSING

Personal information is processed exclusively for the following purposes:

• structuring, managing, and following up on workplace hazard assessments and injury-and-illness-prevention activities;

• documentation of workplace hazards and corrective actions;

• audit-trail and recordkeeping support consistent with 29 CFR Part 1904;

• customer support, troubleshooting, and product maintenance;

• security of the Service and protection against fraud and abuse.

When the Customer activates AI features, submitted data is used solely to produce the requested AI output (see Section 7).

No monetization of personal information

The Provider:

• does not sell personal information;

• does not rent personal information;

• does not share personal information for cross-context behavioral advertising;

• does not perform commercial profiling;

• does not integrate any third-party advertising SDK;

• does not deploy any tracking mechanism for marketing purposes.

No personal information is shared with advertising networks, data brokers, or targeting platforms.

5. LEGAL BASIS / HOW WE USE INFORMATION

For processing carried out on behalf of the Customer, the Customer determines the legal basis for the processing under applicable U.S. state law (typically, the employment relationship, the legitimate business interest of operating a workplace-safety program, and OSHA-mandated recordkeeping obligations).

For processing carried out by the Provider as a Business / Controller for the operation of the Service, the legal basis is one or more of the following:

• performance of the contract with the Customer;

• compliance with applicable law and OSHA-related recordkeeping or reporting requirements;

• legitimate operating interests of the Provider (security, fraud prevention, technical improvement, customer support).

6. AGGREGATED AND DE-IDENTIFIED DATA

The Provider may use certain data after:

• aggregation, and

• irreversible de-identification consistent with the standards of the CCPA/CPRA and analogous state laws.

Such data:

• cannot identify any individual, directly or indirectly;

• no longer constitutes personal information under U.S. state privacy laws.

It may be used for:

• statistical analysis;

• improvement of algorithms and AI models;

• research and development;

• industry benchmarks and reference data sets.

The Provider commits not to attempt to re-identify aggregated or de-identified data and to contractually require any recipient to observe the same restriction. No identifiable personal information is monetized.

7. ARTIFICIAL INTELLIGENCE

OSHAid's AI features are decision-support only. They do not produce automated decisions that have legal or otherwise significant effects on any individual within the meaning of the CCPA/CPRA, the Colorado AI Act, or analogous state laws.

Transmission to AI service providers

When AI features are activated:

• only data strictly necessary to fulfill the request is transmitted (data minimization);

• data that may be transmitted includes:

  • hazard descriptions,

  • technical evaluations of equipment, processes, or workstations,

  • workplace photographs,

  • strictly necessary metadata;

• data that is never transmitted to AI providers includes:

  • names,

  • email addresses,

  • user identifiers,

  • passwords or authentication tokens,

  • financial or payment information,

  • device identifiers or IP addresses,

  • documents from the Documents module.

The Provider's AI sub-processors:

• act solely as Service Providers / Processors under written contract;

• process data only to fulfill the requested response;

• acquire no autonomous right to use the data;

• may not use the data for their own purposes;

• are contractually prohibited from using transmitted data to train any public model or to improve any external system independent of the requested service.

No content filtering

The Provider cannot prevent a user from voluntarily entering personal information into the application. The Customer remains solely responsible for content submitted to the AI features.

Specific opt-in

Activation of AI features requires an explicit action by the Customer in the application. Without voluntary activation, no data is transmitted to any AI provider. The Customer may deactivate AI features at any time.

8. SUB-PROCESSORS / SERVICE PROVIDERS

The Provider engages technical sub-processors (hosting, security, infrastructure, AI) to operate the Service.

These sub-processors:

• act on the Provider's documented written instructions;

• are bound by strict confidentiality and security obligations consistent with the CCPA/CPRA service-provider requirements and analogous state-law obligations;

• have no independent right of use over Customer data.

The Provider maintains a current list of sub-processors at [oshaid.com/subprocessors] (or equivalent) and will give the Customer reasonable advance notice of any material change consistent with any Data Processing Addendum executed with the Customer.

9. DATA LOCATION AND CROSS-BORDER TRANSFERS

OSHAid hosts Customer data primarily in the United States.

Some sub-processors may operate from outside the United States (notably for AI services or global infrastructure providers). Where personal information of EU/UK/Swiss data subjects flows through OSHAid (for example, a U.S. Customer's overseas affiliate), such transfers are framed by:

• Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, where applicable;

• the EU-U.S. Data Privacy Framework (and UK / Swiss extensions), where the Provider or its sub-processors participate;

• supplementary technical and organizational measures (encryption in transit and at rest, access controls, logging).

For purely domestic U.S. data flows, the Provider applies the security and confidentiality protections described in Section 11.

10. RETENTION

Personal information is retained:

• for the duration of the contract with the Customer;

• and thereafter, deleted or returned to the Customer in accordance with the Customer's documented instructions;

• subject to legal retention obligations (including, where applicable, 29 CFR 1904 OSHA recordkeeping retention, which can require retaining injury and illness records for five (5) years after the calendar year they cover, and applicable workers' compensation, employment, and tax retention rules);

• subject to applicable litigation-hold obligations.

Technical backups may persist for a limited period after deletion, after which they are overwritten in the ordinary course.

11. DATA SECURITY

The Provider implements technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction, including:

• encryption in transit and at rest;

• role-based access controls and least-privilege principles;

• audit logging and security monitoring;

• vendor-risk and sub-processor diligence;

• incident-response and breach-notification procedures consistent with applicable U.S. federal and state breach-notification laws (which require notice to affected individuals and, in many states, to state attorneys general or other regulators within statutory deadlines).

No method of transmission over the Internet or method of electronic storage is 100% secure, and the Provider does not warrant absolute security.

12. CONSUMER RIGHTS

Depending on the state in which an individual resides, U.S. state privacy laws may grant the following rights to the Customer's employees, contractors, or other individuals whose personal information is processed through OSHAid:

• the right to know / access what personal information is processed;

• the right to correct inaccurate personal information;

• the right to delete personal information;

• the right to portability (receive a copy in a portable format);

• the right to opt out of the sale or sharing of personal information (the Provider does not sell or share);

• the right to opt out of certain forms of automated decision-making and profiling, where applicable;

• the right to limit the use of sensitive personal information (CCPA/CPRA);

• the right to non-discrimination for exercising any of the above rights.

Because OSHAid acts as a Service Provider / Processor on behalf of the Customer for most of the personal information in the application, these rights are exercised through the Customer (the Business / Controller). The Provider will reasonably assist the Customer in responding to verified consumer requests, consistent with any executed Data Processing Addendum.

For personal information that the Provider processes as a Business / Controller for its own operations, individuals may submit requests directly to the Provider using the contact details below.

13. PRIVACY CONTACT

OSHAid Privacy Contact 📧 [privacy@oshaid.com] (placeholder — set to your final contact) 📮 DUOPP / OSHAid, [Mailing address — to be added]

For California residents: an authorized agent may submit requests on behalf of a California consumer with appropriate written authorization.

For state-specific appeals (Colorado, Virginia, Connecticut, and other states that require an internal appeal process for denied consumer requests), the Provider provides a written response within the timeframes mandated by the applicable state law.

14. CHANGES TO THIS POLICY

The Provider may update this Policy to reflect:

• changes in applicable law;

• changes in technology and infrastructure;

• changes in Service features.

Material changes will be communicated to the Customer via the application or by email at least 30 days before they take effect, except where a shorter notice is required by law.

15. ACCEPTANCE

Use of the Service constitutes acknowledgment of this Privacy Policy. Where required by law, separate consent will be sought before activating optional features (including AI features) or before processing categories of data that require specific opt-in.

IMPORTANT — REGULATORY DISCLAIMER

OSHAid is a workplace-safety decision-support tool. The Customer remains responsible for compliance with all applicable U.S. federal and state privacy laws governing the personal information it inputs into the Service, including (without limitation) CCPA/CPRA, the Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, Florida, Indiana, Tennessee, Iowa, Delaware, Minnesota, New Jersey, Maryland, New Hampshire, Rhode Island, Nebraska, and Kentucky privacy acts, plus federal sectoral laws (HIPAA, COPPA, GLBA, FERPA) and state biometric laws (BIPA, CUBI, Washington) where applicable.

Follow us