Your data is yours.
We don't sell it or share it.

This Privacy Policy describes how Setyr LLC (“Setyr,” “we,” “us,” or “our”) handles information in connection with the Setyr industrial safety platform and our website (together, the “Service”). It applies to information we process as a business when you visit our site or contact us, and to information we process on behalf of our customers when they use the platform. By using the Service, you acknowledge the practices described here.

1. Who this policy covers, and our two roles

Setyr plays two different roles depending on the data involved, and the distinction matters:

• As a “controller” (a business deciding how data is used): for information from our public website, from people who contact us, and from the administrators who set up accounts — for example, a sign-up email address or a message you send us through our contact form.
• As a “processor” (a service provider acting on a customer’s instructions): for the operational data inside a customer’s workspace — the Lockout/Tagout procedures, work orders, equipment, and records about that customer’s workers. That data belongs to the customer (typically the worker’s employer). We process it to provide the Service, under the customer’s direction and our agreement with them. If you are a worker whose employer uses Setyr, your employer — not Setyr — decides what is recorded about you and how long it is kept; please direct requests about that data to your employer.

2. Information we collect

Information you or your organization provide

• Account and profile information: names, work email addresses, job roles, assigned permissions, and authentication details for the people who use the platform.
• Safety and operational records: Lockout/Tagout procedures, work orders, equipment and isolation-point details, permits, group-box and lock records, step confirmations, training and qualification records, and any photos, notes, or documents uploaded as part of those records.
• Communications: information you send us when you contact us, request a demo, or ask for support — such as your name, email, company, and the contents of your message.

Information collected automatically

• Usage and device information: standard technical data such as IP address, browser type, pages or screens accessed, and timestamps, used to operate, secure, and troubleshoot the Service.
• Security and audit logs: records of significant actions in the platform (for example, sign-ins, permission changes, and safety-record confirmations). These logs are part of what makes the Service trustworthy as a compliance record, and they are append-only by design.
• Cookies and similar technologies: we use cookies that are necessary for the Service to function — for example, to keep you signed in and to protect against fraud and abuse. We do not use advertising or cross-site tracking cookies. See Section 7.

We do not intentionally collect special categories of sensitive personal information, and we ask that customers not upload such information into the platform except where it is genuinely required for a safety record (for example, a training certification).

3. How we use information

We use information only for the following purposes:

• To provide and operate the Service — authenticate users, deliver features, and keep your safety records available to the people you authorize.
• To secure the Service — detect, prevent, and investigate fraud, abuse, unauthorized access, and security incidents.
• To support you — respond to your questions, troubleshoot issues, and provide customer support.
• To improve the Service — understand how the platform is used so we can fix problems and make it work better, using aggregated or de-identified information wherever possible.
• To communicate with you — send service-related messages such as security alerts, account notices, and changes to terms or this policy.
• To meet legal obligations — comply with applicable law and enforce our agreements.

We do not use the safety and operational records inside a customer’s workspace for our own purposes, for advertising, or to train any product on another customer’s data. We use that data to provide the Service to that customer.

4. We do not sell or share your data

This is a commitment, not a hedge. Setyr does not sell personal information, and does not “share” personal information for cross-context behavioral advertising, as those terms are defined under applicable U.S. state privacy laws. We do not disclose your personal information to third parties for their own independent use.

The only parties who ever touch your data, and the only reasons they do, are:

• Infrastructure and service providers who host and operate the Service on our behalf (for example, cloud hosting, database, file storage, and email delivery). These providers act only as our subprocessors, under contractual obligations to protect the data, use it solely to provide their service to us, and not use it for any other purpose. They are not permitted to sell or repurpose it.
• Your own organization — the users, administrators, and oversight roles your employer or account administrator has authorized to see the relevant records.
• Legal and safety requirements — where we are required by law, subpoena, or valid legal process, or where disclosure is necessary to protect the rights, safety, or property of Setyr, our customers, or the public. We will limit any such disclosure to what is required.
• A business transfer — if Setyr is involved in a merger, acquisition, financing, or sale of assets, information may transfer as part of that transaction. We will require any successor to honor this policy, and we will notify affected customers of any material change in who controls their data.

A current list of our subprocessors is available on request at privacy@setyr.com.

5. How we protect information

Security is foundational to a safety-records platform. Our measures include:

• Per-tenant data isolation — each customer’s data is kept in a separate data store rather than pooled into one shared database filtered by an account column, so separation between customers is structural rather than a matter of query filtering.
• Role-based access control — permissions are enforced on the server and scoped to the site or enterprise a user belongs to, so people see and do only what their role allows.
• Encryption — data is encrypted in transit, and stored on infrastructure that encrypts data at rest.
• Signed, short-lived file access — uploaded photos and documents are served through expiring signed links rather than open URLs, so access to evidence is deliberate, not incidental.
• A tamper-evident audit record — execution history is append-only; confirmations and reversals are added as new entries rather than silently overwritten.
• Authentication controls — including support for single sign-on (SSO/SAML) and two-factor authentication.

No system is perfectly secure, and we cannot guarantee absolute security. We work to protect your information using measures appropriate to its sensitivity, and we maintain processes to respond to security incidents.

6. How long we keep information

For data we process on a customer’s behalf, we retain it for as long as the customer’s account is active or as needed to provide the Service, and then as directed by the customer and our agreement with them. Safety and compliance records are often retained by the customer to meet their own regulatory obligations.

For data we hold as a business — such as website inquiries and account contact details — we keep it only as long as needed for the purpose it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements, after which we delete or de-identify it. Note that because our audit records are append-only, certain entries are designed to be preserved as a faithful history rather than edited or removed.

7. Cookies and tracking

We use only the cookies and similar technologies necessary to operate the Service — principally to keep you signed in and to protect against fraud and abuse. We do not use advertising cookies, and we do not allow third parties to track you across other websites through our Service. Because we do not engage in cross-site advertising tracking, we treat “Do Not Track” and Global Privacy Control signals as consistent with how we already operate: we don’t sell or share your information regardless.

8. Your choices and rights

Depending on where you live and your relationship with us, you may have rights to access, correct, delete, or obtain a copy of your personal information, and to object to or restrict certain processing. Because we do not sell or share personal information, there is nothing to opt out of in that respect — but you may still exercise your other rights.

If you are a worker whose employer uses Setyr: the records about you in the platform are controlled by your employer. Please direct access, correction, or deletion requests to your employer, who can fulfill them directly or instruct us to assist.

For information we control (website and contact data), you can reach us at privacy@setyr.com to make a request. We will verify your request and respond as required by applicable law. We will not discriminate against you for exercising your rights.

9. U.S. state privacy disclosures

Some U.S. states (including California, and others with comprehensive privacy laws) give residents specific rights. To summarize how we operate with respect to those laws:

• We do not sell personal information and have not done so.
• We do not share personal information for cross-context behavioral advertising.
• The categories we collect, our purposes, and the limited recipients are described in Sections 2–4 above.
• Residents may exercise applicable rights to know, access, correct, and delete, and may appeal a decision where the law provides for it, by contacting us at privacy@setyr.com.
• You may use an authorized agent to submit a request, subject to our verification of the agent’s authority.

10. Where information is processed

Setyr operates the Service using cloud infrastructure located in the United States. If you access the Service from outside the United States, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your location.

11. Children’s privacy

The Service is a workplace tool intended for businesses and their authorized workers. It is not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe a child’s information has been provided to us, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice (for example, by email or an in-product notice). Your continued use of the Service after an update takes effect means you acknowledge the revised policy.

13. How to contact us

If you have questions about this policy or how we handle your information, or to make a privacy request, contact us at:

Setyr LLC
Attn: Privacy
PO Box 8567
Eagle Mountain, Utah 84005
privacy@setyr.com

This Privacy Policy is governed by the laws of the State of Utah, without regard to its conflict-of-laws rules.