Anchor Privacy Policy
Effective Date: [PLACEHOLDER: Insert effective date before publishing]
Last Updated: [PLACEHOLDER: Insert last-updated date]
1. Introduction
Safety Harmonics, Inc. ("Safety Harmonics," "we," "us," or "our") operates the Anchor platform, an AI-assisted incident documentation, root cause analysis, and organizational learning service ("Anchor" or the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use Anchor.
By using the Service, you agree to the collection and use of information as described in this Privacy Policy.
If you are a customer organization (an "Organization"), you are responsible for the lawful collection and use of your users' data before it enters Anchor. Please see Section 11 (Roles and Customer Responsibilities) for details.
2. Who We Are
Safety Harmonics, Inc. is headquartered at [PLACEHOLDER: Business address — pending ANC-161 registered agent]. For inquiries related to this Privacy Policy, contact us at privacy@safetyharmonics.com.
For customers subject to the GDPR, Safety Harmonics acts as a Data Processor for the incident and operational content you upload to Anchor, and as a Data Controller for account and usage data we collect directly (such as authentication data and analytics).
3. Information We Collect
3.1 Information You Provide
Account and profile data: When you register or are added to an Organization, we collect your full name, email address, and profile information synchronized from our authentication provider (Clerk). We may also store a profile photo URL if you have one configured with your identity provider.
Organization data: When an Organization registers, we collect the organization's name and configuration settings. Organizations have a hierarchical structure (parent/child agencies) that we store to support multi-agency workflows.
Incident records and content: Organizations and their users enter incident documentation into Anchor, including incident title, description, date, location, type, and operational status. This content belongs to the Organization and may contain information that is sensitive, confidential, or regulated.
Debrief session content: Anchor provides AI-facilitated post-incident debrief sessions for participants. Participants may include first responders, supervisors, dispatch personnel, witnesses, and subject matter experts. Debrief content includes verbatim conversation transcripts and facilitator notes. This content is treated as the Organization's data.
Evidence sources and imported records: Organizations may import dispatch logs, radio transcripts, chat exports, and other records from external systems. These are stored and linked to incidents as evidence sources.
Root cause analyses and action items: Facilitators and RCA owners enter root cause analysis content (5-whys chains, findings, action items) and follow-up documentation. This content belongs to the Organization.
Communications with us: If you contact Safety Harmonics for support or other purposes, we retain records of those communications.
3.2 Information Collected Automatically
Usage and log data: When you use Anchor, we automatically collect log data including your IP address, browser type, operating system, pages visited, features used, error reports, timestamps, and other telemetry. This information is used to operate, secure, and improve the Service.
Cookies and similar technologies: We use cookies and similar technologies as described in Section 8 (Cookies and Tracking).
Device information: We collect general device and browser information (browser version, OS, screen size) for compatibility and analytics purposes.
3.3 Information from Third Parties
Authentication provider (Clerk): We receive your identity information (name, email, organization membership, and profile photo) from Clerk, our authentication provider, when you sign up or sign in.
Webhook events: We receive webhook notifications from Clerk when user accounts or organization memberships are created or updated, which we use to keep your profile synchronized.
4. How We Use Your Information
We use information collected through the Service for the following purposes:
Providing and operating the Service: Processing incident records, facilitating debrief sessions, generating AI-assisted analyses, managing RCA workflows, and delivering notifications related to incidents and organizational learning.
AI-assisted features: Anchor currently uses the Anthropic API to provide AI-assisted functionality, including automated synthesis of incident timelines, AI-facilitated debrief interviews, root cause analysis guidance, learning proposals, and tag suggestions. A migration to AWS Bedrock (HIPAA-eligible) is planned. See Section 6 (AI-Assisted Features) for details on how your data is handled in these workflows.
Analytics and product improvement: We use PostHog to capture identified usage analytics and performance metrics. PostHog associates usage events with your account (name, email, and organization name) to help us understand how the product is used and where to improve it. We do not use Customer Data (incident content, debrief transcripts, or RCA content) to train AI models.
Communications: We send transactional email notifications related to incidents (incident created, evidence submitted, synthesis complete, RCA assigned, action item assigned) and optional digest summaries (weekly and quarterly). You can manage your notification preferences in your account settings. Email-level unsubscribe links are planned for a future release.
Security and fraud prevention: We use log data and usage patterns to detect, investigate, and prevent unauthorized access, fraud, and abuse.
Legal compliance: We process information as required to comply with applicable law, respond to lawful requests, and enforce our Terms of Service.
5. How We Share Your Information
We do not sell your personal information. We share information as follows:
Sub-processors and service providers: We engage third-party service providers to help operate Anchor. These providers act as Data Processors and are contractually bound to use data only to provide services to us. Our current sub-processors are:
| Processor | Purpose | Data shared | Max classification |
|---|---|---|---|
| Supabase | Database and storage | All application data | RESTRICTED |
| Clerk | Authentication and identity | User identity, org membership | CONFIDENTIAL |
| Vercel | Hosting, serverless infrastructure, and web analytics | Application logs, code, page view/performance metrics | CONFIDENTIAL |
| Anthropic | AI inference (current) | AI feature inputs (incident content, debrief transcripts, RCA content) | RESTRICTED |
| AWS (Amazon Bedrock) | AI inference (planned — HIPAA-eligible, pending activation) | AI feature inputs (incident content, debrief transcripts, RCA content) | RESTRICTED |
| Resend | Transactional email delivery | Recipient email, subject, body | CONFIDENTIAL |
| PostHog | Product analytics | Usage events, user identity (email, name, org name) | CONFIDENTIAL |
| Cloudflare | Optional web analytics (enabled in production if configured) | Page views, performance metrics | INTERNAL |
We maintain a current sub-processor list at https://safetyharmonics.com/legal/sub-processors. We will provide at least 30 days' advance notice of material changes to our sub-processors.
Your organization: Users within an Organization can view content created by other users in their Organization, subject to role-based access controls. We do not share one Organization's data with any other Organization.
Legal requirements: We may disclose information if we believe in good faith that disclosure is required by law, regulation, court order, or to respond to a lawful request by public authorities, including for law enforcement or national security purposes.
Business transfers: If Safety Harmonics is involved in a merger, acquisition, sale of assets, or other corporate transaction, personal information may be transferred to the successor entity. We will notify you in advance and give you the opportunity to exercise any applicable rights.
With your consent: We may share information for purposes not listed here with your explicit consent.
6. AI-Assisted Features
Anchor currently uses the Anthropic API to provide AI-assisted features including synthesis, debrief facilitation, RCA guidance, learning proposals, and tag suggestions. A migration to AWS Bedrock (HIPAA-eligible) is planned and will be announced when activated.
What is sent to the AI provider: When you use AI-assisted features, the relevant incident content, evidence sources, debrief transcripts, and/or RCA data is transmitted to the AI inference provider to generate the requested output. This content may include sensitive or regulated information depending on your Organization's use case.
Model training: Anthropic does not use API customers' input or output data to train its models. After migration, AWS Bedrock will process data solely to generate the requested output under the AWS Customer Agreement.
Safety Harmonics does not use Customer Data to train AI models. Incident content, debrief transcripts, RCA analyses, and other Customer Data are processed solely to generate the requested output. They are not used to improve Anchor's AI features or any third-party AI system.
HIPAA and regulated data — interim restriction: The Anthropic API (current provider) does not offer a HIPAA Business Associate Agreement (BAA). Until the migration to AWS Bedrock is complete, customers must not submit Protected Health Information (PHI) to AI-assisted features. Once AWS Bedrock is activated, Safety Harmonics will execute AWS's BAA and customers with an executed BAA with Safety Harmonics may submit PHI to AI-assisted features. Organizations subject to HIPAA should contact hipaa@safetyharmonics.com for the current compliance status before enabling AI features.
AI-generated content: AI-generated output (synthesis narratives, timeline summaries, RCA suggestions, learning proposals) is derived from and reflects the classification of its source inputs. AI-generated content is stored alongside your incident data with full audit trail metadata (model name, prompt version, token counts, timestamps).
7. Data Retention
Active accounts: We retain Customer Data (incident records, debriefs, RCAs, and related content) for the duration of your Organization's active subscription, plus any post-termination data return period described below.
Account and profile data: Profile and account information is retained for the life of the account and for a reasonable period after account closure to satisfy audit obligations.
Post-termination: Following termination of your subscription, you have 60 days to export your data. After this period, Customer Data is deleted from production systems. Backup deletion follows our backup retention schedule (typically within 90 days after deletion from production).
Regulated data: If your Organization is subject to retention obligations under applicable law (e.g., HIPAA's minimum 6-year retention requirement for PHI records, or state EMS records laws), you are responsible for configuring your data practices accordingly. Safety Harmonics does not automatically delete data subject to legal holds.
Analytics and logs: Usage logs and analytics events are retained for up to 12 months, after which they are aggregated or deleted.
Email records: Transactional email metadata (delivery receipts, bounce and complaint events) is retained per our email provider's standard terms (approximately 90 days).
Soft deletes: Most deletions within the Anchor interface are soft-deletes (the record is flagged as deleted but retained in the database for audit purposes). Permanent deletion requires an explicit data deletion request.
8. Cookies and Tracking
Cookies we set
| Cookie | Purpose | Duration |
|---|---|---|
| anchor-theme | Stores your dark/light/system theme preference | Indefinite (until cleared) |
| Clerk session cookie | Manages your authenticated session | Session or per Clerk's policy (~30 days) |
| PostHog analytics cookie | Enables usage analytics and session continuity | ~1 year |
Third-party analytics: We use PostHog for product analytics. PostHog JS captures page views, feature usage events, and AI model performance metrics. Session recording is enabled with full text masking — no incident content, debrief text, or other sensitive content is captured in session recordings. PostHog collects your email and name when you sign in to associate usage with your account.
Vercel Speed Insights (always enabled): Core Web Vitals and performance metrics are sent to Vercel.
Vercel Analytics (always enabled): Page view events and navigation timing are sent to Vercel. No personally identifiable information is included in these events.
Cloudflare Web Analytics (optional, enabled in production if configured): Page views and performance metrics are sent to Cloudflare. No cross-site tracking or fingerprinting is performed.
Managing cookies: You can control cookies through your browser settings. Disabling session cookies will prevent you from using the Service. Disabling analytics cookies will not affect your ability to use the Service.
9. Security
We implement technical and organizational measures designed to protect your information:
- Encryption in transit: TLS 1.2+ on all connections.
- Encryption at rest: AES-256 encryption managed by Supabase (all hosted tiers).
- Access controls: Role-based access control (RBAC) and Row Level Security (RLS) enforce tenant isolation at the database level. Each user can only access their Organization's data.
- Authentication: Managed by Clerk using industry-standard session management.
- Debrief access tokens: One-time access tokens for debrief participants are stored hashed (bcrypt, cost factor 12).
- Security headers: Strict Content Security Policy, X-Frame-Options: DENY, HSTS, and other defensive headers are enforced.
- Application-level encryption: Planned for the highest-sensitivity fields (CJIS-category data); not yet implemented. See our Data Handling Policy for current status.
No security measure is perfectly impenetrable. If you believe your account or data has been compromised, contact us immediately at security@safetyharmonics.com.
10. International Data Transfers
Anchor is hosted on infrastructure in the United States (Supabase, Vercel, AWS). If you are located outside the United States, your data will be transferred to and processed in the United States.
For customers in the European Economic Area, United Kingdom, or Switzerland, we rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): We execute SCCs (EU Commission 2021 Decision) with customers and sub-processors where required for GDPR-compliant data transfers.
- Our Data Processing Agreement (DPA) includes appropriate safeguards for international transfers.
11. Roles and Customer Responsibilities
Safety Harmonics processes Customer Data as a Data Processor acting on your instructions. Your Organization is the Data Controller for the incident content, debrief transcripts, and other operational records you upload to Anchor.
As Data Controller, your Organization is responsible for:
- Ensuring you have a lawful basis to collect and process the personal data of incident participants, including debrief participants.
- Providing appropriate notice to individuals whose data you enter into Anchor.
- Honoring requests from individuals to access, correct, or delete their personal data in your Anchor records.
- Ensuring your use of Anchor complies with applicable law, including HIPAA if your Organization is a Covered Entity.
Safety Harmonics will assist you in meeting your obligations as described in our Data Processing Agreement (DPA).
12. Your Privacy Rights
GDPR rights (EEA, UK, Switzerland residents): If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction: Request that we limit processing of your personal data in certain circumstances.
- Right to data portability: Receive your personal data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise these rights, contact us at privacy@safetyharmonics.com. We will respond within 30 days (extendable by up to an additional 30 days for complex requests). If you believe we have not addressed your concern, you may lodge a complaint with your local data protection authority.
CCPA/CPRA rights (California residents): If you are a California resident, you have the following rights:
- Right to know: Request disclosure of the personal information we collect, use, disclose, and sell about you in the preceding 12 months.
- Right to delete: Request deletion of your personal information, subject to legal exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell personal information in the traditional sense. We do not share personal information for cross-context behavioral advertising. See Section 13 (Do Not Sell or Share).
- Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond those permitted under CPRA.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
To submit a request under CCPA/CPRA, contact us at privacy@safetyharmonics.com. We will respond within 45 days (extendable by up to an additional 45 days). We will verify your identity before fulfilling your request.
For rights requests related to Customer Data (incident records, debrief content): Because Safety Harmonics processes this data on behalf of your Organization, requests from individual participants should be directed to your Organization (the Data Controller). We will assist your Organization in honoring those requests.
13. Do Not Sell or Share
Safety Harmonics does not sell personal information to third parties.
Safety Harmonics does not share personal information for cross-context behavioral advertising.
California residents may submit a "Do Not Sell or Share" request at privacy@safetyharmonics.com. Because we do not engage in these activities, no action will be required, but we will confirm your request in writing.
14. HIPAA Notice
Anchor is designed for use by first responder and public safety organizations. Some customers may be Covered Entities under HIPAA (e.g., EMS agencies that create, receive, or maintain Protected Health Information). In that capacity, Safety Harmonics acts as a Business Associate under HIPAA.
If your Organization is a HIPAA Covered Entity: Contact hipaa@safetyharmonics.com to execute a Business Associate Agreement (BAA) before using Anchor to store or process Protected Health Information (PHI). Safety Harmonics offers a BAA as a standard exhibit with every customer that qualifies as a Covered Entity or Business Associate under HIPAA.
AI features and PHI: Anchor's AI-assisted features currently use the Anthropic API, which does not offer a HIPAA BAA. Customers must not submit PHI to AI-assisted features until the planned migration to AWS Bedrock is complete. After migration, customers who have executed a BAA with Safety Harmonics may use AI-assisted features with PHI-containing content consistent with the terms of that agreement. Contact hipaa@safetyharmonics.com for the current migration status.
Infrastructure: Supabase (database) and Clerk (authentication) offer BAAs on qualifying plans. Safety Harmonics executes these as part of its HIPAA compliance program. AWS Bedrock (AI inference) will also be covered once activated. The current AI provider (Anthropic API) does not offer a BAA.
15. Children's Privacy
Anchor is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided personal information to us, contact us at privacy@safetyharmonics.com and we will promptly delete it.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via:
- Email to the primary contact on your Organization's account, and/or
- A prominent notice in the Anchor interface.
For non-material changes (such as editorial corrections or clarifications), the updated policy will be effective when posted. The "Last Updated" date at the top of this policy will always reflect the most recent revision.
Your continued use of the Service after the effective date of any update constitutes acceptance of the revised Privacy Policy.
17. Contact Us
For questions, concerns, or requests related to this Privacy Policy:
Safety Harmonics, Inc.
[PLACEHOLDER: Mailing address — pending ANC-161 registered agent]
privacy@safetyharmonics.com
Privacy Contact: privacy@safetyharmonics.com
For data subject rights requests: privacy@safetyharmonics.com
For HIPAA BAA inquiries: hipaa@safetyharmonics.com
For security incidents: security@safetyharmonics.com