Privacy Policy
How HavenOPS, Inc. collects, uses, stores, and protects personal data across the HavenOPS Operational Readiness Platform.
01Scope & roles
This Privacy Policy applies to the HavenOPS platform, marketing website, and related services operated by HavenOPS, Inc. (“HavenOPS,” “we,” “us”). It explains how HavenOPS handles personal information that we control — primarily information about visitors to havenops.io, prospective customers, and the administrators who manage HavenOPS subscriptions.
Operational data submitted into the platform by a HavenOPS customer — including workforce records, uploaded documents, training content, and any Protected Health Information (PHI) — is customer-controlled. HavenOPS acts as a processor (and, where applicable, a HIPAA business associate) of that data under our Data Processing Agreement and, where applicable, a Business Associate Agreement. Individuals whose data is controlled by a HavenOPS customer should direct privacy requests to that customer first.
02Information we collect
We collect the following categories of information:
- Customer account data. Name, business email, role, organization, facility, phone (optional), and authentication identifiers used to provision and secure HavenOPS accounts.
- Usage analytics. IP address, device and browser characteristics, referring pages, page-level interactions, feature usage, and error telemetry used to secure, operate, and improve the platform.
- Uploaded documents. Policies, procedures, forms, evidence, and other files that customers or their authorized users upload into the platform.
- Training content. Curricula, quizzes, acknowledgments, and workforce completion records produced or captured through the Learning Studio.
- Communications. Support tickets, demo requests, procurement inquiries, sales correspondence, and marketing preferences.
- Marketing website data. Form submissions (contact, demo, trust packet, solution design, operational value estimator), cookies, and analytics events.
03Cookies & similar technologies
The HavenOPS marketing website uses a limited set of cookies and similar technologies to keep the site functional, understand aggregate usage, and measure marketing effectiveness. Categories in use:
- Strictly necessary. Session, security, and preference cookies required to operate the site.
- Analytics. First- and third-party analytics used to understand aggregate traffic and page performance. Analytics data is not used to identify individual visitors.
- Marketing measurement. Conversion tags used to attribute demo requests, contact inquiries, and Trust Packet downloads.
A detailed Cookie Policy is in preparation and will be linked from the Legal & Trust Center. Where required, we honor global privacy control (GPC) signals and provide in-region consent controls.
04How we use information
- Operate, secure, monitor, and improve the HavenOPS platform and website.
- Provision accounts, deliver customer support, onboard customers, and manage the commercial relationship.
- Meet contractual, audit, and legal obligations, including HIPAA obligations where applicable.
- Send service, security, and administrative communications. Marketing emails require opt-in and include unsubscribe controls.
- Detect, investigate, and prevent security incidents, fraud, and abuse.
05Legal bases (EEA / UK / Swiss residents)
Where GDPR/UK GDPR applies, we rely on contract performance, our legitimate interests (security, fraud prevention, service improvement, direct communications with existing customers), legal obligation, and — where required — consent. You have the right to access, rectify, delete, restrict, port, or object to the processing of your personal data. Requests can be submitted to privacy@havenops.io. You may also lodge a complaint with your local supervisory authority.
06Third-party processors
We share personal information only with vetted sub-processors that support hosting, infrastructure, database services, email delivery, error monitoring, analytics, and customer support. Sub-processors are contractually bound to protect the data they process and to use it only for the purposes we authorize. A current sub-processor list is available on request via legal@havenops.io, and a public Subprocessor page is in preparation. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
07Security safeguards
We apply defense-in-depth controls including tenant-isolated row-level security, append-only audit trails, encryption in transit (TLS 1.2+) and at rest (AES-256 or provider-managed equivalent), principle-of-least-privilege access, multi-factor authentication for administrative access, continuous monitoring, and documented incident response. See the Security overview and the Security Trust Packet for details.
08Data retention
Customer Data is retained for the term of the subscription plus a defined wind-down period documented in the DPA (typically thirty (30) days), after which we delete or de-identify it in accordance with the DPA and applicable law. Marketing website submissions are retained for the period required to respond to the inquiry and, where consented, to send follow-up communications. Security, audit, and diagnostic logs are retained per our records-retention schedule.
09Customer & individual rights
- Request access to, correction of, or deletion of personal data we control about you.
- Restrict or object to certain processing, including direct marketing.
- Withdraw consent where processing is based on consent, without affecting prior processing.
- Receive a portable copy of personal data you provided to us, where technically feasible.
- Appeal a decision on your request through our internal review process.
10HIPAA considerations
When a customer uses HavenOPS to process PHI, HavenOPS acts as a business associate and executes a Business Associate Agreement (BAA) with that customer. Under the BAA, HavenOPS uses and discloses PHI only as permitted by the BAA and HIPAA, applies required administrative, physical, and technical safeguards, reports incidents involving PHI in accordance with the BAA, and returns or destroys PHI at termination. HIPAA privacy rights (access, amendment, accounting of disclosures, restrictions) are exercised through the covered-entity customer, not directly with HavenOPS.
11AI processing disclosures
- HavenOPS uses AI-assisted features to support training generation, workflow recommendations, compliance readiness signals, summaries, and operational guidance.
- Human review is required before any AI output is used for operational, clinical, compliance, billing, or workforce decisions.
- Customer PHI and Customer Confidential Data are not used to train foundation models operated by HavenOPS or its sub-processors.
- Where AI features send data to sub-processors, that transfer is governed by written data-protection terms, sub-processor lists, and, where applicable, the BAA.
- Additional detail is available in the AI Transparency and Responsible AI Statement in the Legal & Trust Center.
12International transfers
Where personal data leaves its origin region, we use Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards. EU/UK/Swiss addenda are available on request via legal@havenops.io.
13Children
HavenOPS is a business-to-business platform and is not directed to children under sixteen (16). We do not knowingly collect personal information from children through the platform or marketing website.
14Changes to this policy
Material changes will be announced at least thirty (30) days in advance to subscription administrators via email and posted here with an updated effective date and version number. Continued use of the platform or website after the effective date constitutes acceptance of the updated policy.
15Contact information
Privacy inquiries: privacy@havenops.io. Legal correspondence: legal@havenops.io. Security reports: security@havenops.io.
Questions, redlines, or procurement coordination: legal@havenops.io. For data-protection inquiries reach privacy@havenops.io.