Privacy Policy
Last updated July 13, 2026
This Privacy Policy explains how Epitaph LLC (“we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with Scribe, our environmental-health-and-safety (EHS) recordkeeping platform for employers (the “Service”). It applies to individuals in the United States; the Service is offered to U.S. organizations only.
1. Our role: your employer is the controller of injury records
Epitaph LLC operates the Service. Much of what the Service holds — injury and illness records, incident investigations, corrective actions, hours-worked figures, and related photos — is created by our business customers (employers) and their personnel. For that content, the customer employer decides what is collected and why: the employer is the controller/business, and we act as a service provider / processorthat processes the data on the employer’s behalf and under its instructions.
If your employer gave you access to the Service, direct requests about the content of injury or incident records to your employer — for example, to see or correct your own OSHA injury record. We will assist the employer as its processor. We separately act as a business/controller for the limited account, billing, support, and usage data we need to run the Service, described below.
2. Information we collect
The Service holds the following categories of information:
- Employee & account identity — name, work email, role (Admin, Manager, or General User), the organization and establishment you belong to, your assigned manager, and your password (stored only in hashed form by our authentication provider).
- Injury & illness details, including limited health information — the fields an employer records under OSHA recordkeeping rules, such as those on OSHA Form 301 (Injury and Illness Incident Report): what the employee was doing, how the injury/illness occurred, the body part affected, the object or substance that harmed the employee, treatment given, the physician or other health-care professional, and the facility where treatment was provided, along with whether the employee was hospitalized or treated in an emergency room, and the case classification (days away, restricted duty, or transfer).
- Incident narratives, cases & corrective actions — investigation notes, root-cause findings, case status, and follow-up corrective actions.
- Photos & attachments — images and documents uploaded to a report or case as evidence.
- Hours-worked data — establishment hours and employee counts used to compute incident rates (TRIR, DART).
- Account, billing & usage data — your plan and seat counts, billing contact, and usage/device/log data (IP address, browser and device information, pages and features used, timestamps, and actions taken in the Service). Card details are collected and stored directly by our payment processor (Stripe); we never receive or store full card numbers.
- Communications — messages you send us (for example, support or sales inquiries) and your contact details.
3. How we use information
We use information to:
- provide, operate, maintain, and secure the Service for the employer;
- authenticate users and enforce role-based access and the PII walls that keep injury detail visible only to authorized roles within an organization;
- generate OSHA 300/300A/301 outputs, incident-rate metrics, exports, and reports at the employer’s direction;
- where an organization on an eligible plan enables it, generate AI-assisted safety summaries from aggregated, de-identified safety metrics (individual injury PII is not sent — see “How we disclose information”);
- process subscriptions and send transactional email (invitations, password resets, and alert digests);
- monitor reliability, diagnose and debug errors, and detect, prevent, and address fraud, abuse, or security issues;
- comply with legal obligations and enforce our agreements; and
- communicate with you about the Service.
4. OSHA recordkeeping, retention, and immutability
Employers use the Service to support their injury-and-illness recordkeeping duties under 29 CFR Part 1904. Because those records must be maintained for the year in which they were recorded plus five years (29 CFR 1904.33), and because an accurate log depends on a reliable history, the Service is designed so injury records are not hard-deleted: edits are captured as an amendment trail and the underlying record is preserved (an immutable evidence design). We therefore retain injury and illness records indefinitely, at the customer’s instruction, for at least the period the customer’s recordkeeping obligations require, and do not delete individual records on employee request; requests to amend or remove a record are directed to the employer, who controls the record.
The Service supports the recordkeeping privacy protections in OSHA’s rules. For privacy-concern casesunder 29 CFR 1904.29(b)(6)–(10) — such as injuries to intimate body parts, sexual assaults, mental-illness cases, HIV/hepatitis/tuberculosis cases, needlestick and sharps injuries, and other cases the employee asks to keep private — the employee’s name is withheld from the shared 300 Log view, consistent with 1904.29(b)(9). The Service also supports the employee-and-representative access rightsin 29 CFR 1904.35 (access to the 300 Log, and to an employee’s own 301 Incident Report).
5. Health information and HIPAA
Scribe is not a HIPAA covered entity or business associate, and using the Service does not make Epitaph LLC one. OSHA-required employer injury and illness records are generally not protected health information under HIPAA when held by an employer for recordkeeping purposes. Even so, we treat the injury/illness and limited health details in the Service as sensitive information regardless: they are protected by database row-level tenant isolation, role-based PII walls, organization-enforceable multi-factor authentication, an append-only audit log, private storage with server-mediated signed URLs, and encryption in transit and at rest. See our Security overview.
6. How we disclose information
We do not sell personal information. We disclose it only as described here:
- Service providers (subprocessors) who process data on our behalf to run the Service — hosting, database and file storage, email delivery, payments, and error monitoring. See our Subprocessors list.
- At the employer’s direction — when an organization enables an integration it configures (for example, a webhook), we send the data it specifies to that destination. Injury detail is kept out of webhook and notification payloads (title, type, and link only).
- AI-assisted summaries — when an organization on an eligible plan generates a safety summary, only aggregated, de-identified safety metrics are sent to our AI subprocessor to draft the summary. Individual injury PII is not sent, and the feature runs only when a manager or admin invokes it.
- Legal, safety, and rights — when required by law or legal process, or to protect the rights, property, or safety of our users, the public, or us.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
We do not sell personal information, and we do not share it for cross-context behavioral advertising.
7. Anonymous safety reporting
Where an organization enables it, an employee may submit a safety concern anonymously. When they do, the Service hides the reporter’s identity from managers, admins, exports, notifications, and the audit log; the identity is sealed and recoverable only through a restricted administrative process for a legitimate legal or safety escalation. Anonymous reporting is available for safety concerns only — injury and illness records require an identified employee to meet OSHA recordkeeping requirements.
8. Cookies and similar technologies
We use strictly-necessary cookies only — to keep you signed in and to secure requests; the Service does not function without them. We do not use advertising or cross-site tracking cookies, and we do not need a consent banner for the cookies we set. We also use a privacy-conscious error-monitoring tool (Sentry) to capture diagnostics when something breaks. Because we do not sell or share personal information or use cross-context advertising, browser signals such as Global Privacy Control have nothing to opt out of for that purpose.
9. Data retention
Injury, illness, case, and audit records are retained as described in Section 4 — for the life of the organization’s account and at least as long as the customer’s recordkeeping obligations require. Account and profile data is kept while the account is active. When an organization closes its account, its data is deleted in the ordinary course after any post-termination export window in its agreement; residual copies may persist in backups (Supabase point-in-time recovery) for a limited period before they cycle out. Billing records held by our payment processor, and email-delivery logs held by our email provider, are retained under those providers’ policies.
10. Security
We protect data with encryption in transit (HTTPS/HSTS) and at rest, database row-level security that isolates each organization’s data, role-based access controls and PII walls, organization-enforceable multi-factor authentication, private storage buckets with server-mediated signed URLs, signed webhooks, and audit logging of sensitive actions. No method of transmission or storage is perfectly secure, but we work to safeguard information and to limit access to those who need it. If we become aware of a breach affecting personal information, we will notify affected customers and authorities as required by applicable law — and notify the customer of a breach affecting their data without undue delay (targeting within 72 hours) as set out in our Data Processing Addendum.
11. Your privacy rights
Depending on where you live, you may have the right to access, correct, or delete personal information we hold about you as a business/controller (primarily account, billing, and usage data). To exercise a right, contact us at privacy@epitaph.llc. For information in an injury or incident record, your employer is the controller — please direct the request to your employer, and we will assist them as their processor. We will verify your request (typically by confirming control of the email on file) and respond within the time required by applicable law. We will not discriminate against you for exercising your rights.
12. California privacy rights (CCPA/CPRA)
For personal information we process on behalf of a customer employer, we act as that customer’s service provider under the CCPA/CPRA and process it only to perform the Service under our written contract. As a business, in the past 12 months we have collected these categories about account holders: identifiers (name, work email, IP address); commercial information (subscription and billing details); internet or network activity (usage and log data); professional or employment information (role, organization, establishment); and, within injury records our customers control, health information about injuries and illnesses.
California residents have the right to know/access, delete, and correct personal information, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. We do not sell or share personal information, and we do not use sensitive personal information for purposes that require a right-to-limit option. We will not discriminate against you for exercising these rights. To exercise a right about business data, contact us using the details above; for injury-record data, contact the employer that controls it.
13. Children’s privacy
Scribe is a workplace tool not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us and we will delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will revise the “last updated” date above and, for material changes, take additional steps as required by law and may ask you to re-accept before continuing to use the Service.
15. Contact us
Questions about this policy or our data practices? Contact Epitaph LLC at privacy@epitaph.llc, [COMPANY ADDRESS — Epitaph LLC, Pennsylvania — TO BE SUPPLIED].