Safen Privacy Policy

Last Updated: January 24, 2026

1. Introduction

Distillery University LLC dba Safen ("we," "us," or "our") respects your privacy and is committed to protecting the personal data you entrust to us. This Privacy Policy explains how we collect, use, and share information when you use the Safen software platform (the "Service").

2. The Distinction Between "User" and "Employee" Data

It is critical to understand that we process two distinct types of data:

• Account Information: Data about you, the Subscriber (e.g., the Safety Manager's email, billing address). We act as a Data Controller for this information.

• Employee Health Data: Data you upload about your workforce (e.g., names, dates of birth, audiometric test results). We act as a Data Processor (and Business Associate under HIPAA) for this information.

3. Information We Collect

A. Information You Provide

• Account Registration: Name, email address, company name, and password.

• Billing Information: Credit card details and billing addresses are collected and processed directly by our payment processor (Stripe). We do not store full credit card numbers on our servers.

• Customer Data (PHI): To function, Safen requires you to upload employee records, including audiograms, noise exposure levels, and demographic data. This data is encrypted and stored strictly in accordance with our Business Associate Agreement (BAA).

B. Information Collected Automatically

• Usage Logs: We collect server logs including IP addresses, browser types, and timestamps to monitor the security and performance of our infrastructure.

• Cookies: We use HTTP-only cookies to maintain your secure session. We may use analytics cookies to understand how features are being used, but we do not use tracking pixels to sell your data to advertisers.

4. How We Use Your Information

We use the data collected for the following purposes:

1. To Provide the Service: Calculating Standard Threshold Shifts (STS), generating OSHA-compliant reports, and managing hearing conservation rosters.
2. Security: Detecting and preventing fraudulent use or unauthorized access (e.g., audit logging).
3. Communication: Sending transactional emails (e.g., "Reset Password," "Compliance Alert").
4. Legal Compliance: Meeting our obligations under HIPAA, OSHA, and other applicable laws.

5. Sharing of Information (Subprocessors)

We do not sell your data. We share data only with specific third-party vendors ("Subprocessors") required to operate our infrastructure. We have executed Business Associate Agreements (BAAs) with all vendors handling PHI:

6. Security & HIPAA Compliance

We implement administrative, physical, and technical safeguards to protect your data, including:

• Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

• Access Control: Strict role-based access control and Multi-Factor Authentication (MFA) for administrative access.

• Audit Logging: We maintain immutable logs of all data access and modifications.

7. Your Data Rights

• Access & Correction: You may access and update your Account Information directly within the Service settings.

• Deletion: You may request the deletion of your account. Note that we may be required by law (e.g., tax laws or HIPAA audit trails) to retain certain records for a specific period after termination.

• Employee Rights: If you are an employee of a Safen customer and wish to exercise your rights regarding your health data, please contact your employer (our subscriber) directly. We cannot modify health records without the employer's authorization.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date.

9. Contact Us

If you have questions about this policy or our privacy practices, please contact:

Privacy Officer Distillery University LLC dba Safen
108 E. Weile Ave. #3, Spokane WA  99208
Email: rockwell@safen.io