Safety Hub Terms of Use & Subscription Terms

1. Business identity

Safety Hub is provided by Thomas Featherstone trading as Featherstone Safety.

Trading name: Featherstone Safety
Product name: Safety Hub
Legal identity: Thomas Featherstone trading as Featherstone Safety
Website: featherstonesafetyhub.co.uk
Email: thomas@featherstonesafetyhub.co.uk
Telephone: +44 7528 703903
VAT status: Prices are not currently subject to VAT.

If Safety Hub is later operated by a limited company, these terms should be reviewed and updated.

2. Definitions

“Safety Hub”, “the Hub”, “platform”, “service” or “software” means the Safety Hub website, app, dashboard, tools, templates, content, documents, records, reports and related subscription services.

“Featherstone Safety”, “we”, “us” or “our” means Thomas Featherstone trading as Featherstone Safety.

“Customer”, “you” or “your” means the business, organisation, employer, duty holder, account holder or other person using Safety Hub.

“Users” means people given access to Safety Hub by the customer, including employees, managers, contractors or administrators.

“Customer Data” means information, documents, records, personal data, employee details, incident records, training records, risk assessments, COSHH records, actions, uploads and other content entered into or uploaded to Safety Hub by or for the customer.

“Subscription” means a paid plan for access to Safety Hub.

3. Business-to-business basis

Safety Hub is intended for use by businesses, organisations, employers and duty holders. It is not designed as a consumer product for personal household use.

If you are a consumer purchasing Safety Hub for wholly personal purposes, contact us before subscribing, as additional consumer rights and terms may apply under the Consumer Contracts Regulations 2013.

4. What Safety Hub does

Safety Hub is a health and safety management, record-keeping and administration tool. It may help customers manage risk assessment records, COSHH records, training records, toolbox talks, accident and near-miss records, RIDDOR review prompts, monthly safety reviews, audit logs, fire safety records, permit-to-work records, environmental records, task management, compliance-support reminders, document storage and action tracking.

Safety Hub supports compliance management. It does not make a business compliant by itself.

5. No guarantee of compliance

Safety Hub does not guarantee legal compliance, health and safety compliance, ISO certification, audit success, regulator acceptance, insurer acceptance, RIDDOR compliance, accident prevention, removal of statutory duties, or suitability for every business, sector, workplace, activity or risk.

Responsibility for legal compliance remains with the employer, customer, duty holder, responsible person or organisation responsible for the relevant workplace, activity, people, premises, equipment, substances and systems of work.

6. No legal or specialist advice

Safety Hub does not provide legal advice. Safety Hub does not replace competent health and safety advice, professional judgement, site-specific risk assessment, suitable and sufficient controls, legal advice, fire risk assessment by a competent fire risk assessor, asbestos advice, occupational hygiene advice, engineering inspection or certification, electrical inspection or certification, machinery safety assessment, occupational health advice, insurance advice, regulator advice, or certification body advice.

You must seek specialist advice where required.

7. User responsibility

You are responsible for: checking that records, assessments, actions and reports are accurate; adapting templates to your workplace; ensuring documents are suitable and sufficient; entering complete and current information; reviewing records regularly; closing actions appropriately; implementing controls; training and supervising workers; keeping evidence up to date; deciding whether to submit any report to a regulator; and complying with your legal duties.

Safety Hub can assist with administration and visibility, but it cannot run your health and safety system for you without proper human review and implementation.

8. Templates and generated materials

Safety Hub may provide templates, prompts, forms, example wording, draft assessments, toolbox talks, policies or other materials. Templates and example documents must be reviewed and adapted to the specific workplace, task, substances, equipment, people and risks. Generic documents should not be relied upon without suitable review. If a template, prompt or generated item is not suitable for your circumstances, you must amend it or seek appropriate advice.

9. Account registration

• Provide accurate and current information
• Keep login details secure
• Ensure only authorised users access your account
• Tell us promptly about suspected unauthorised access
• Ensure users comply with these terms
• Maintain appropriate internal access controls

You are responsible for activity carried out through your account, unless caused by our breach of these terms.

10. User access and permissions

If Safety Hub allows multiple users, you are responsible for deciding who should have access and what permissions they should have. You must remove access promptly when a user leaves your organisation or no longer needs access. We are not responsible for loss caused by your failure to manage user permissions.

11. Subscription plans

Subscription plans, features and pricing are displayed on the Safety Hub website or agreed in writing. We may offer different plans, features, usage limits, support levels or add-ons.

Unless stated otherwise: prices are in pounds sterling; Prices are not currently subject to VAT.; subscriptions are billed monthly or annually according to the plan selected. Subscription access continues until cancelled, suspended or terminated in accordance with these terms.

12. Free trials

Where a free trial is offered, the trial terms will be displayed at signup or agreed in writing, including: trial length, whether a payment card is required, when billing starts, what features are included, whether the trial converts automatically to a paid subscription, and how to cancel before billing starts.

If a trial converts automatically to a paid subscription, this is clearly stated at signup. You are responsible for cancelling before the end of the trial if you do not want to continue.

13. Billing and payment

You must provide accurate billing information and keep payment details up to date. By subscribing, you authorise us or our payment provider to take recurring payments according to your selected plan. If payment fails, we may retry payment, contact you, suspend access, or recover unpaid fees. You remain responsible for fees properly due.

14. Cancellation

You can cancel your subscription via your account billing portal or by contacting us at thomas@featherstonesafetyhub.co.uk.

Cancellation stops future renewal but does not automatically refund fees already paid. Your access may continue until the end of the current paid billing period unless your account is terminated earlier for breach.

15. Refunds

Refunds are not normally provided for partial months, unused features, unused time, forgotten cancellations, or failure to use the service. We may provide a refund at our discretion or where required by law. Refunds are not available for accounts terminated due to serious misuse, unlawful use or material breach, unless required by law.

16. Changes to plans, pricing and features

We may update plans, pricing, features, limits or support arrangements from time to time. For existing paid subscriptions, we will aim to give reasonable notice of material pricing changes. If you do not accept a pricing change, you may cancel before the change takes effect. We may make changes to features where needed for security, legal, operational, supplier, technical or product-improvement reasons.

17. Acceptable use

You must not use Safety Hub to:

• Break the law or assist unlawful activity
• Upload unlawful, harmful, abusive, defamatory, discriminatory or infringing content
• Upload malware, viruses or malicious code
• Attempt unauthorised access to systems or data
• Interfere with the security or operation of the platform
• Reverse engineer, scrape or copy the platform except as permitted by law
• Resell or make Safety Hub available to third parties without permission
• Misrepresent Safety Hub outputs as legal advice, regulator approval, insurer approval or certification body approval
• Use the platform for a business other than the customer organisation without permission
• Overload, attack or disrupt the service
• Upload data you do not have the right to use

We may suspend or terminate accounts used in breach of this section.

18. Customer Data

You retain ownership of Customer Data. You grant Featherstone Safety the rights needed to host, process, display, back up, transmit and use Customer Data for the purpose of providing Safety Hub and related support. You are responsible for ensuring Customer Data is accurate, lawful, appropriate, up to date and does not infringe third-party rights. You should not upload unnecessary sensitive information unless needed for legitimate health and safety management purposes.

19. Personal data and data protection

Each party must comply with applicable data protection law including UK GDPR. Where you decide what personal data is entered into Safety Hub and why, you are normally the controller. Where Featherstone Safety processes personal data on your behalf through Safety Hub, Featherstone Safety acts as processor. The Data Processing Schedule in Part 2 below applies. You must ensure you have a lawful basis for entering personal data and provide appropriate privacy information to workers and other individuals whose data is entered.

20. Special category or sensitive data

Safety Hub may be used to record incident, accident, training, fitness, health and safety or workplace information that could include sensitive or special category personal data. You are responsible for deciding what information is necessary and lawful to record. You must avoid uploading excessive, irrelevant or unnecessary personal data. Where sensitive information is uploaded, you must ensure appropriate safeguards and access controls are in place.

21. Security

We take reasonable technical and organisational measures to protect Safety Hub. No online service is completely secure or uninterrupted. You are responsible for: using strong passwords; managing user permissions; keeping devices secure; training users; removing access when users leave; and reporting suspected security issues promptly.

22. Backups and export

We may maintain backups for operational, security or continuity purposes. You remain responsible for maintaining your own copies of important business records. You should export and retain records needed for legal, insurance, audit or business continuity purposes before cancellation or termination. We are not responsible for your failure to export or retain records unless caused by our breach of these terms.

23. Availability and support

Safety Hub is provided on an “as available” basis. We aim for a reliable service but do not guarantee uninterrupted or error-free access. Access may be interrupted by maintenance, updates, technical faults, internet or hosting issues, cyber incidents, third-party provider issues, emergency security work, or events outside our reasonable control. Support arrangements may depend on your plan.

24. Third-party providers

Safety Hub relies on third-party providers for hosting, authentication, payment processing, email delivery, database services and storage. We are not responsible for third-party provider failures outside our reasonable control.

25. Payment provider

Payments are processed by Stripe. We do not store full card details. Payment processing is subject to Stripe’s own terms and privacy information. Stripe is a certified PCI DSS Level 1 payment processor.

26. Intellectual property

Safety Hub, including its software, design, branding, workflows, structure, templates, content, documents, prompts, reports, text, graphics, code and know-how, belongs to Featherstone Safety or its licensors. You are granted a limited, non-exclusive, non-transferable right to use Safety Hub for your internal business purposes during an active subscription. You must not copy, resell, licence, reproduce, publish, reverse engineer, scrape, duplicate or commercially exploit Safety Hub or its content without written permission.

27. Feedback and suggestions

If you provide feedback, ideas or suggestions about Safety Hub, we may use them to improve the service without owing payment or obligation to you.

28. Suspension

We may suspend access if: payment fails; you breach these terms; we suspect unauthorised access or unlawful/harmful use; continued access creates security, legal, operational or reputational risk; or we are required to do so by law or a provider. Where reasonable, we will try to notify you before or shortly after suspension.

29. Termination

We may terminate your account or subscription if you materially breach these terms, fail to pay, misuse Safety Hub, upload unlawful or harmful content, infringe our intellectual property, or we discontinue the service. You may terminate by cancelling your subscription. On termination, your right to use Safety Hub ends.

30. Data after cancellation or termination

After cancellation or termination, access to Customer Data may be limited or removed. We may retain data for a reasonable period for backup, legal, accounting, security, dispute or regulatory purposes. You should export important records before cancellation or termination. We may delete inactive or terminated account data after a reasonable retention period. Specific retention periods are detailed in our Privacy Policy.

31. Disclaimers

Safety Hub is a management and record-keeping tool. It does not replace competent health and safety advice, legal advice, professional judgement or the employer’s statutory duties. Users remain responsible for checking that records, assessments, actions and reports are accurate, suitable, sufficient and kept up to date. Safety Hub outputs are only as reliable as the information entered by users.

32. Limitation of liability

Nothing in these terms limits or excludes liability where it would be unlawful to do so, including liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation.

Subject to that, Featherstone Safety will not be liable for: indirect or consequential loss; loss of profit, revenue, business, anticipated savings, goodwill or data; loss caused by inaccurate or outdated Customer Data; loss caused by your failure to implement suitable controls; loss caused by misuse of Safety Hub; loss caused by reliance on generic templates without suitable review; loss caused by third-party providers outside our reasonable control; or loss caused by downtime or interruption outside our reasonable control.

Our total aggregate liability arising out of or in connection with Safety Hub shall be limited to the subscription fees paid by you for Safety Hub in the 12 months before the event giving rise to the claim. If you have paid less than 12 months of fees, the cap shall be the amount actually paid up to the date of the claim.

33. Indemnity

You agree to indemnify Featherstone Safety against losses, claims, costs, damages or expenses arising from: your unlawful use of Safety Hub; inaccurate, incomplete or misleading Customer Data; your failure to implement controls or recommendations; your breach of these terms; or your unlawful processing or uploading of personal data.

34. Changes to these terms

We may update these terms from time to time. For material changes, we will aim to give reasonable notice. Continued use of Safety Hub after updated terms take effect means you accept the updated terms. If you do not agree, you should stop using Safety Hub and cancel your subscription.

35. Complaints

If you are unhappy with Safety Hub, contact us at thomas@featherstonesafetyhub.co.uk. We will acknowledge complaints within 5 working days and aim to respond substantively within 20 working days.

36. Force majeure

We will not be liable for delay or failure caused by events outside our reasonable control, including hosting issues, supplier failure, internet failure, power failure, cyber incident, illness, accident, extreme weather, war, terrorism, epidemic, pandemic, government action or other circumstances beyond our control.

37. Severance

If any part of these terms is found to be invalid or unenforceable, the remaining parts will continue to apply.

38. No waiver

If we do not enforce a right immediately, this does not mean we have waived that right.

39. Governing law and jurisdiction

These terms are governed by the laws of England and Wales. The courts of England and Wales will have jurisdiction, unless mandatory law provides otherwise.

40. Contact

Thomas Featherstone trading as Featherstone Safety
Email: thomas@featherstonesafetyhub.co.uk
Telephone: +44 7528 703903

DPS 1. Roles of the parties

The customer is the controller of Customer Personal Data entered into Safety Hub. The customer determines the purposes and means of processing that data. Featherstone Safety is the processor — it processes Customer Personal Data only on behalf of and on the instructions of the customer in order to provide Safety Hub, unless required by law to act otherwise.

DPS 2. Processing purpose

Featherstone Safety processes Customer Personal Data for the following purposes only:

• Providing, operating and maintaining the Safety Hub platform and its features
• Storing, displaying, updating and retrieving Customer Data entered by the customer
• Generating reports, audit logs and compliance records on the customer's behalf
• Managing user accounts, permissions and access controls
• Sending platform notifications and service communications
• Processing subscription and billing information
• Providing customer support and investigating reported issues
• Maintaining platform security, integrity and availability
• Complying with legal obligations where required

Featherstone Safety will not process Customer Personal Data for any purpose other than those listed above, or as documented by the customer, or as required by law.

DPS 3. Duration of processing

Processing continues for the duration of the customer’s active subscription. Following cancellation or termination, Customer Personal Data will be retained for up to 30 days to allow the customer to export records, after which it may be permanently deleted or anonymised. Backup copies may be retained for up to 90 days before permanent deletion. Featherstone Safety may retain data for longer where required by law, regulation, accounting obligations, or to defend legal claims.

DPS 4. Nature of processing

Processing activities may include: collection and recording of personal data entered by users; storage on cloud infrastructure; display and retrieval by authorised users; transmission between the customer’s browser and the platform servers; automated generation of reports, summaries and compliance records; access control management; backup and replication; deletion or anonymisation at the end of the service; and processing for support, security and maintenance purposes.

DPS 5. Categories of personal data

Personal data processed through Safety Hub may include:

Standard personal data

• Names, job titles and roles
• Work email addresses and contact details
• User login credentials and authentication records
• Training completion dates, certificate details and expiry dates
• Action ownership and assignment records
• Signatures or electronic acknowledgements
• Audit log entries (including user identity and timestamps)
• Notes and free-text fields entered by users
• Documents and files uploaded to the platform

Potentially sensitive personal data

Depending on how the customer uses Safety Hub, the following categories may also be processed. The customer is responsible for determining whether processing such data is necessary and lawful:

• Accident and injury records, including the nature and circumstances of injuries (may include health data)
• Near-miss reports, incident investigations and witness statements
• RIDDOR-related injury and incapacity records
• Health surveillance or occupational health records, if uploaded
• Information about workers' physical condition relevant to manual handling or DSE assessments

DPS 6. Categories of data subjects

Data subjects whose personal data may be processed include:

• Customer employees and workers
• Contractors, agency workers and temporary staff
• Managers, directors and responsible persons
• Trainees and persons subject to training records
• Injured persons and witnesses named in incident records
• Visitors to the customer's premises named in incident or induction records
• Safety Hub account holders and users

DPS 7. Subprocessors

Featherstone Safety uses the following subprocessors. By accepting this schedule, the customer provides general authorisation for the use of these subprocessors:

This subprocessor list will be updated when subprocessors are added or changed. See DPS 12 for the subprocessor-change notice procedure.

DPS 8. Hosting region

The Safety Hub platform is served via Vercel’s global edge infrastructure. Customer Data (personal data entered into the platform) is stored in the Supabase database, which runs on AWS eu-west-1 (Ireland) — within the European Economic Area. No Customer Personal Data is stored outside the UK or EEA.

DPS 9. International transfers

Featherstone Safety does not transfer Customer Personal Data outside the United Kingdom or European Economic Area. The Supabase database is hosted in AWS eu-west-1 (Ireland, EEA). Vercel, Stripe and Microsoft 365 operate within the UK/EEA for relevant processing. No transfer mechanism is required for these services in relation to Customer Personal Data.

If a future subprocessor change would involve processing Customer Personal Data outside the UK/EEA, Featherstone Safety will give at least 30 days’ notice (see DPS 12), confirm the transfer mechanism in use (adequacy decision, IDTA or SCCs), and update this clause before the change takes effect.

DPS 10. Technical and organisational security measures

Featherstone Safety implements the following security measures, which may be updated as the platform develops:

Access controls

• Role-based access control — customers can assign different permission levels to users
• Account authentication required to access the platform
• Workspace isolation — customer data is scoped to the customer's own workspace and is not accessible to other customers
• Access to production systems restricted to authorised personnel only

Encryption

• All data in transit encrypted using TLS (HTTPS)
• Data at rest encrypted by the hosting infrastructure (Supabase/AWS and Vercel)
• Authentication tokens and credentials not stored in plaintext

Availability and resilience

• Platform hosted on infrastructure with redundancy and high-availability capabilities
• Automated backups maintained by the database provider (Supabase) — see DPS 11

Monitoring and incident management

• Audit logging of user actions within the platform
• Security incidents and suspected breaches investigated and escalated as per DPS 13

Supplier controls

• Subprocessors selected on the basis of adequate security practices
• Subprocessors subject to their own security certifications and compliance programmes

These measures are proportionate to the nature of the data processed. The customer is responsible for its own endpoint security, user credential management and internal access controls.

DPS 11. Backups

The Supabase database infrastructure provides automated backups. Backup frequency and retention periods are determined by the Supabase plan in use. At the time of writing, Supabase provides daily backups with point-in-time recovery available on Pro and higher plans. Backup copies are encrypted and stored within the same infrastructure region as the primary database.

Backups are maintained for operational continuity and disaster recovery purposes. They are not a substitute for the customer’s own record-keeping and export obligations. The customer should export any records required for legal, audit, insurance or business continuity purposes before cancellation or termination.

DPS 12. Subprocessor-change notice

Featherstone Safety will give the customer at least 30 days’ prior notice before adding or replacing a subprocessor that will process Customer Personal Data. Notice will be given by email to the account holder’s registered email address and/or by a notice published at featherstonesafetyhub.co.uk/hub-terms#dps.

The customer has the right to object to the new subprocessor within the notice period on legitimate data protection grounds by contacting us at thomas@featherstonesafetyhub.co.uk. If Featherstone Safety cannot accommodate the objection, the customer may terminate its subscription without penalty within the notice period.

If the customer does not object within the notice period, it is taken to have accepted the change.

DPS 13. Personal data breach notification

If Featherstone Safety becomes aware of a personal data breach affecting Customer Personal Data, it will:

• Notify the customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach (mirroring the customer's own ICO notification window)
• Provide, as soon as reasonably available: a description of the nature of the breach; the approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address the breach
• Co-operate with the customer in investigating the breach and taking remedial steps
• Not make any public statement about the breach affecting Customer Personal Data without the customer's consent, unless required by law

Featherstone Safety’s breach notification obligation is limited to breaches of Customer Personal Data processed on behalf of the customer. The customer remains responsible for notifying the ICO and affected data subjects within its own legal timescales under UK GDPR Article 33 and 34.

To report a suspected security incident, contact: thomas@featherstonesafetyhub.co.uk

DPS 14. Deletion and export

On cancellation or termination of the customer’s subscription:

• The customer's account and Customer Data will remain accessible for up to 30 days following the end of the subscription to allow data export
• The customer should use the available export features to download any records required for legal, insurance, audit or business continuity purposes before the 30-day period expires
• After 30 days, Customer Personal Data may be permanently deleted or anonymised, subject to any applicable retention obligations
• Backup copies will be purged within 90 days of the primary data deletion cycle
• Featherstone Safety will, on request made before deletion, confirm in writing that deletion has been completed

Featherstone Safety may retain data longer where required by law, regulation, accounting obligations, to defend legal claims, or for legitimate security or operational purposes.

DPS 15. Audit rights

The customer may request reasonable information from Featherstone Safety to demonstrate compliance with this Data Processing Schedule. Requests must be made in writing to thomas@featherstonesafetyhub.co.uk.

Featherstone Safety will respond to reasonable information requests within 30 days. Where a more detailed audit or inspection is requested, the following conditions apply:

• The customer must give at least 30 days' written notice
• Audits may be carried out by the customer or a mutually agreed independent third party, subject to appropriate confidentiality obligations
• Audits must not compromise the security or confidentiality of other customers' data or systems
• Any audit must be limited in scope to processing activities relevant to the customer's own data
• The customer bears any costs of the audit unless the audit reveals a material breach by Featherstone Safety
• Featherstone Safety may require the auditor to sign a non-disclosure agreement before commencing

DPS 16. Processor obligations summary

Featherstone Safety will, as processor:

• Process Customer Personal Data only on documented customer instructions (or as required by law)
• Ensure persons authorised to process data are subject to confidentiality obligations
• Implement the technical and organisational security measures set out in DPS 10
• Assist the customer with data subject access requests, erasure requests and other UK GDPR rights, to the extent reasonably possible
• Assist the customer in meeting its obligations under UK GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation)
• Notify the customer without undue delay (and within 72 hours where feasible) of any personal data breach affecting Customer Personal Data
• Give at least 30 days' notice before adding or replacing subprocessors
• Make information available to demonstrate compliance with this schedule, and co-operate with reasonable audits
• Delete or return Customer Personal Data at the end of the service, subject to retention obligations