SteelSight Legal
SteelSight Privacy Policy
Introduction
SteelSight Systems ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use SteelSight ("the App"), a mobile application for equipment inspection, maintenance logging, and fleet documentation.
SteelSight is a multi-tenant application: the company that licenses SteelSight for you (your "Company") controls the workspace in which your inspection records, photos, and equipment documentation are stored. Your access is scoped to the company or companies you are an active member of.
Information We Collect
Account Information
When your Company creates an account for you, or when you create an account, we collect:
- Email address
- Password (stored as a one-way hash; we never have access to the plaintext)
- Display name and operator name
- Role within each company (operator, supervisor, safety, admin, or developer)
- Company membership records (which companies you belong to and whether the membership is active)
Inspection, Maintenance, and Equipment Data
When you use the App, we collect the records you create on behalf of your Company:
- Inspection checklist responses (pre-use, periodic, monthly, annual, and equipment-specific checklists)
- Maintenance log entries and operator complaint logs
- Equipment records (make, model, serial number, status, certification dates)
- Equipment documentation (PDFs, photos of certificates, manufacturer documents)
- Inspection photos attached to checklist items
- Audit log entries recording who took what action and when
These records belong to your Company. We process them on your Company's behalf to provide the App.
Location Data
With your permission, we capture GPS coordinates when you complete an inspection so that the inspection record reflects where the equipment was inspected. Location capture is for compliance and audit-trail purposes only.
You can disable location access in your device settings at any time. Inspections completed without location simply have no GPS coordinates attached.
Device Information and Diagnostics
We automatically collect a limited set of device and diagnostic data:
- Device type, operating system, and app version
- Crash reports and performance traces (see Third-Party Services — Sentry below)
- Sync metadata (queue size, last-sync timestamps) to support offline-first operation
Biometric Authentication
If you opt in, SteelSight will allow you to unlock the App using Face ID, Touch ID, or your device's equivalent biometric. Biometric data is processed entirely on your device by the operating system's secure enclave. SteelSight does not see, transmit, or store your biometric data.
Camera and Photo Library
With your permission, we access:
- Your device camera to capture inspection photos and equipment documentation photos
- Your photo library to attach existing images to inspection or equipment records
Photos you attach are uploaded to your Company's private storage area (see Data Storage and Security below). We do not access your photo library beyond images you explicitly select.
How We Use Your Information
We use your information to:
- Provide and operate the SteelSight App for your Company
- Authenticate you and authorize your access to your Company's workspace
- Sync inspection, maintenance, equipment, and documentation records between your device and your Company's workspace
- Maintain audit logs required for compliance with occupational health and safety obligations
- Diagnose crashes and improve App reliability
- Respond to support requests and operate the in-app issue-reporting feature
- Send service-related notifications (e.g., synchronization errors, certificate expiry reminders)
We do not:
- Sell your personal information
- Use your data for advertising
- Share one Company's data with another Company
- Use inspection or equipment data to train machine-learning models
Multi-Tenant Isolation
SteelSight is designed so that each Company's data is isolated from every other Company's data:
- Server-side: Postgres Row-Level Security (RLS) policies enforce that every database query is scoped to companies you are an active member of. A user from Company A cannot read, write, or list records that belong to Company B.
- Device-side: Each Company you belong to has its own dedicated SQLite database file on your device. Switching companies switches database files; data is not co-mingled in memory or on disk.
- Storage: Photos and documents are stored in private Supabase Storage buckets and are accessed through short-lived signed URLs scoped to the requesting Company.
If your membership in a Company is deactivated, your local copy of that Company's data is wiped from your device. The Company retains the master copy in its workspace.
Data Storage and Security
Where Your Data Lives
- Local device: per-company encrypted SQLite databases plus operating-system-level secure storage for credentials
- Server: Supabase (PostgreSQL, hosted in Canada) for authoritative records and access control
- Photos and documents: Supabase Storage private buckets (inspection-photos and equipment-documentation), hosted in Canada, accessed via short-lived signed URLs
How We Protect It
- All data in transit is encrypted using TLS
- Credentials are stored using your device's secure storage (iOS Keychain / Android Keystore) and are never written to the standard application database
- Passwords are hashed; we never have access to the plaintext
- Access is governed by RLS policies and signed URLs — bypassing the App does not bypass authorization
- Soft delete with audit logging: deletions are tracked, not silently destroyed, so safety and compliance trails remain intact
Third-Party Services
We rely on a small number of third-party services to operate SteelSight. Each has its own privacy policy:
- Supabase (Canada) — authentication, database, file storage, and sync
- Sentry (United States) — crash reporting, performance monitoring, and in-app user feedback. See Cross-Border Transfers below.
- Apple App Store / Google Play (United States) — app distribution
- Expo / Expo Application Services (United States) — build distribution and over-the-air updates
SteelSight does not currently use any AI, machine-learning, OCR, or recommendation services. SteelSight does not currently use third-party analytics or advertising SDKs. If we add any such service in the future, we will update this Privacy Policy and, where required, request your consent before enabling it.
Cross-Border Transfers and Sentry
Most of your data — authentication, inspection records, photos, equipment documentation, audit logs — is stored on infrastructure located in Canada.
Crash reports, performance traces, and in-app feedback submitted through the App are sent to Sentry, which processes this data in the United States. Crash payloads can incidentally include the information needed to debug a problem (a stack trace, the screen you were on, an error message). Sentry does not receive your password, your photos, your inspection contents, or your biometric data.
Cross-border transfers are made under PIPEDA's accountability principle and, for residents of Alberta, in compliance with the Personal Information Protection Act (PIPA). You may contact us at privacy@steelsightsystems.ca to ask which categories of your data have been sent to a service operating outside Canada.
Data Sharing
We share information only in the following circumstances:
- Within your Company: members of a Company can see records that belong to that Company, scoped by their role (e.g., an operator does not see administrative actions performed by an admin)
- Service providers: limited to the third parties listed above, under data-processing agreements that require equivalent protection
- Legal requirements: if compelled by a valid legal process, or to investigate fraud or protect the rights, property, or safety of our users
- Business transfers: if SteelSight Systems is acquired or merged, your information may transfer as part of that transaction; we will notify Companies before any such transfer takes effect
We do not share your information with another Company without your or your Company's explicit authorization.
Data Retention
Inspection Records and Audit Logs
Alberta Occupational Health and Safety Code requires that inspection records be retained for a minimum of three (3) years from the date of the inspection, and longer for certain equipment classes. SteelSight retains inspection records, maintenance logs, and audit-log entries for at least the period required by applicable occupational health and safety legislation in your jurisdiction.
Soft-deleted records (records you or your Company marked as deleted) remain in the audit trail for the required retention period before being permanently removed.
Account Information
Active accounts retain their data for the duration of the account.
If your Company deactivates your membership, your local device copy is wiped within 24 hours of the next sync; the Company-side record persists for the legally required retention period.
If you delete your SteelSight account entirely, your account profile is removed within 30 days, but inspection records you created on behalf of a Company remain under that Company's control for the legally required retention period.
Diagnostic Data
Crash reports and performance traces in Sentry are retained for up to 90 days and then automatically purged.
Your Rights
Subject to applicable law, you have the right to:
- Access: request a copy of the personal information we hold about you
- Correct: ask us to correct inaccurate information
- Delete: request deletion of your account and associated profile data, subject to retention obligations described above
- Export: receive a portable copy of your inspection and maintenance records
- Withdraw consent: revoke camera, photo-library, or location permissions in your device settings at any time
- Object: object to specific processing activities (such as diagnostic reporting), in which case some App features may be limited
Canadian Privacy Rights (PIPEDA / Alberta PIPA)
If you are located in Canada, you have additional rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for residents of Alberta, the Personal Information Protection Act (PIPA), including:
- The right to know why your personal information is being collected
- The right to expect your personal information to be used only for the purposes for which it was collected
- The right to file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner of Alberta
To exercise any of these rights, contact us at privacy@steelsightsystems.ca. We respond within 30 days.
Children's Privacy
SteelSight is a professional tool intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact privacy@steelsightsystems.ca and we will delete it.
Beta Disclosure
SteelSight is currently distributed as a closed beta. Beta builds display a watermark indicating their non-production status. Beta users may submit in-app feedback through the report-an-issue feature; submissions may include a brief description, the current screen, the App's recent state, and an optional screenshot. Feedback is processed in the same way as crash reports (see Third-Party Services — Sentry).
Changes to This Policy
We may update this Privacy Policy from time to time. When we make a material change, we will update the "Last updated" date above and notify you in-app or by email before the change takes effect. Continued use of the App after the effective date constitutes acceptance of the updated Policy.
Contact Us
For privacy-related questions or to exercise your rights:
- Privacy inquiries: privacy@steelsightsystems.ca
- App support: steelsightsupport@steelsightsystems.ca
- Legal: legal@steelsightsystems.ca
SteelSight Systems is based in the Province of Alberta, Canada.