Privacy Policy — LOTOcontrol
Effective date: [Insert date]
Last updated: [Insert date]
LOTOcontrol Sdn. Bhd. (“LOTOcontrol”, “we”, “us”, or “our”) provides software that digitizes Lockout/Tagout (LOTO) workflows with rolebased access, audit trails, and secure cloud/enterprise deployment options. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our websites, web and mobile applications, onprem/standalone clients, and related services (collectively, the “Services”). It also describes your rights and choices, including those under the EU/UK GDPR and the California CCPA/CPRA.
Contact: support@lotocontrol.com
Registered address: [Insert full registered address]
EU representative (if applicable): [Insert]
UK representative (if applicable): [Insert]
Data Protection Officer (if appointed): [Insert name/email]
What’s unique to LOTOcontrol
Our platform supports safetycritical LOTO operations, including isolation requests, approvals, and audit logs with rolebased controls and secure cloud architecture (e.g., TLS/SSL, WAF, restricted admin access).
Materials for your website already reference a Privacy Policy link in the footer; this document is designed to populate that page
1) Scope & Roles
This Policy applies to:
- Website visitors and prospects (e.g., contact forms, demo requests).
- End users (e.g., Tenant/Client Admins, Managers, Authorities, Requestors, Auditors) who access the Services as part of a client project.
Controller vs. Processor
- For website, marketing, and support data, LOTOcontrol is the controller.
- For client project data within the platform (e.g., user accounts, approvals, audit trails), LOTOcontrol generally acts as a processor on behalf of the client (the controller), pursuant to the applicable agreement(s).
2) Categories of Personal Information We Collect
We collect (i) information you provide, (ii) information from your employer/client, and (iii) data collected automatically.
- Account & Identity Data
Name, business email, role/permissions, organization and project affiliation, credentials (hashed), profile settings. - Operational Safety Records
Isolation/energization requests, assigned approvers, checklists, timestamps, comments/attachments, equipment identifiers, audit trails needed for compliance and investigations. - Device & Usage Data
IP address, device identifiers, browser type, pages or features used, session metadata, diagnostic logs, and security telemetry (e.g., access failures, rate limits). - Support & Communications
Help requests, email content, inapp messages, feedback, call notes. - Cookies & Similar Technologies
Authentication/session, security, preference, and limited analytics cookies (see Cookies below).
We do not intentionally collect sensitive personal information unrelated to the Services (e.g., ethnicity, health data). If clients upload such data in error, we will work with them to remove it.
3) Sources of Personal Information
- Directly from you (account setup, forms, emails).
- From your employer/client (user provisioning, role assignment).
- Automatically through the Services (usage telemetry, logs).
- From service providers (fraud/security tools, hosting, email delivery).
4) Purposes & Legal Bases (GDPR/UK GDPR)
Purposes (all users):
- Provide the Services (authentication, rolebased workflows, approvals, audit logs).
- Security & integrity (access control, incident detection/response, fraud prevention).
- Support & communications (respond to tickets, notices of changes).
- Compliance (OSHA/ISO/IEC alignment support, safety audits, legal obligations).
- Service improvement (diagnostics, feature usage analytics, quality).
Legal bases (EEA/UK users):
- Contract (Art. 6(1)(b)): to deliver and support the Services to your organization.
- Legitimate interests (Art. 6(1)(f)): service security, product improvement, fraud prevention, B2B marketing to existing customers (balanced with your rights).
- Consent (Art. 6(1)(a)): where required for optional cookies/marketing.
- Legal obligation (Art. 6(1)(c)): recordkeeping, safety/regulatory compliance.
Where we act as processor, the client’s lawful basis governs; we process under their instructions and our agreement.
5) Disclosure of Personal Information
We disclose personal information to:
- Your organization and authorized project stakeholders (to operate LOTO workflows).
- Service providers (hosting, security/WAF, email delivery, analytics) under data protection terms; they must not use your data for their own purposes.
- Authorities where required by law or to protect safety, rights, or property.
- Corporate transactions (merger/acquisition), subject to safeguards and notice where required.
We do not sell personal information, and we do not share it for crosscontext behavioral advertising as defined under the CPRA. If this changes, we will update this Policy and provide required optout mechanisms.
6) International Data Transfers
Depending on deployment and tenancy, data may be processed in Singapore and other locations of our providers. We implement appropriate safeguards for transfers from the EEA/UK, such as EU Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum, plus technical/organizational measures.
Clients using onprem/standalone deployments may localize data within their environment per contract.
7) Data Retention
We retain personal information only for as long as necessary to provide the Services, meet legal/safety obligations, resolve disputes, and enforce agreements. Retention may be governed by client contract and safety regulations. Typical ranges:
Data Category | Illustrative Retention (configurable) |
Account & role data | Life of contract + [X] months |
Operational LOTO records & audit logs | Life of contract + [X–Y] years (to meet audit/safety needs) |
Security logs | [X–Y] months |
Backups | Rolling [X–Y] days |
[Replace X/Y with your approved durations in consultation with counsel and clients.]
8) Security
We apply industrystandard controls to protect personal information, including TLS/SSL in transit, rolebased access, firewalling/WAF, and restricted administrative access on infrastructure. Security is a shared responsibility between LOTOcontrol and clients (especially for onprem/standalone use).
9) Cookies & Similar Technologies
We use:
- Strictly necessary cookies (authentication/session, security).
- Preference cookies (UI, locale).
- Limited analytics (service quality and feature usage, deidentified/aggregated where possible).
Where required by law, we obtain consent for nonessential cookies via a consent banner. You can control cookies in your browser; rejecting some may affect core functionality.
10) Your Rights (GDPR/UK GDPR)
Subject to conditions and exemptions, EEA/UK users may:
- Access your data and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase data (“right to be forgotten”).
- Restrict or object to processing (including certain profiling).
- Portability: receive data in a structured, commonly used format.
- Withdraw consent where processing is based on consent.
To exercise rights, contact support@lotocontrol.com. We will verify requests and respond within statutory timeframes. You also have the right to lodge a complaint with a supervisory authority in your country.
11) California Privacy Rights (CCPA/CPRA)
Notice at Collection — Categories & Purposes. We collect the following categories for the purposes described in Sections 2–5:
- Identifiers (name, email, IP), Professional/Employment information (role, organization), Internet/Network activity (usage logs), and Inferences (limited, for service improvement).
- We do not collect Sensitive Personal Information for inferring characteristics.
Disclosure Practices. We do not sell personal information and do not share it for crosscontext behavioral advertising. We disclose to service providers and your organization for business purposes (service delivery, security, compliance).
Your CPRA Rights. California residents can:
- Know (access) categories and specific pieces of personal information.
- Delete personal information, with safety/regulatory exceptions.
- Correct inaccurate information.
- Optout of sale/share (not applicable today).
- Limit use of Sensitive Personal Information (not applicable today).
- Nondiscrimination for exercising rights.
Submit requests via support@lotocontrol.com. If we cannot verify your identity, we may request additional information.
12) Children’s Privacy
The Services are not directed to children. We do not knowingly collect personal information from individuals under 16 (or under 13 in the U.S.). If you believe a child has provided personal information, contact us and we will take appropriate steps to delete it.
13) Automated DecisionMaking
Our workflows automate routing and notifications, but final approvals and safetycritical actions involve authorized human users. We do not make solely automated decisions producing legal or similarly significant effects without human involvement.
14) ThirdParty Links & Integrations
Our websites or tenant environments may link to thirdparty sites or integrate with customer systems. Their privacy practices are governed by their policies. Please review those before providing personal information.
15) Processor Terms & Subprocessors
When acting as a processor, we process client data under a Master Services Agreement and/or Data Processing terms with the client. To request our current data protection terms and subprocessor list, contact support@lotocontrol.com.
16) Changes to this Policy
We may update this Policy to reflect changes in law or our practices. We will post updates on this page with a new “Last updated” date and, where required, provide additional notice.
17) How to Contact Us
- Email: support@lotocontrol.com
- Postal: [Insert full registered address]
- EU/UK Representative (if applicable): [Insert contact]