Privacy Policy

Last Updated: January 26, 2026

ERA Environmental Consulting, Inc. (“ERA,” “we,” “our,” or “us”) provides a comprehensive Environmental, Health, and Safety (EHS) SaaS platform. We are committed to processing personal data with the highest standards of transparency and security. This policy explains how we handle your data whether you are a website visitor, a business prospect, or an authorized user of our platform.

 

1. Our Role and Responsibility

Under the GDPR, ERA operates in two distinct capacities depending on the activity:

  • Data Controller: ERA acts as the data controller for personal data collected through its website, marketing activities, customer communications, and business administration (including billing and contract management).
  • Data Processor: For limited personal data processed within the ERA EHS Platform (such as user account information and access logs), ERA acts as a data processor on behalf of its customers, who remain the data controllers for their organizational data.

Contact Information:

ERA Environmental Consulting, Inc.

Headquarters: Quebec, Canada | US Office: Bala Cynwyd, Pennsylvania

Privacy Office: privacy@era-ehs.com

 

2. Data Processing Map: Purpose & Legal Basis

In accordance with GDPR Article 13, the table below maps the categories of data we collect to our specific business purposes and the lawful basis for processing.

 

| Data Category | Purpose of Processing | Lawful Basis (Article 6) |
| --- | --- | --- |
| Business Contact Info (Name, Work Email, Phone, Job Title, Inquiry Content) | Responding to inquiries, providing demonstrations, communicating with prospective clients, and managing pre-contract business relationships. | Legitimate interest: Business development and responding to requests and steps taken at the request of the data subject prior to entering into a contract |
| Customer contact information and account-related communications | Managing customer accounts, delivering contracted services, and providing customer support. | Legal Basis: Contractual necessity and legitimate interest (service delivery and recordkeeping) |
| Platform Access Data (Encrypted Login Credentials, User Roles) | Providing secure access to EHS modules (Emissions, SDS, Waste Management). | Contractual Necessity: Essential for platform delivery. |
| Technical Metadata (IP address, device type, browser type, cookie identifiers, and interaction data) | Ensuring platform and website security, monitoring system performance, and analyzing usage patterns to improve functionality and user experience. | Legitimate Interest: To maintain security and system integrity and consent (for non-essential analytics cookies). |
| Marketing Data (Newsletter signups, Webinar attendance) | Communicating service updates and industry insights. | Consent: Opt-in provided at the time of collection. |

 

3. Data Retention Periods

We do not store data longer than necessary. Our retention schedule is based on legal requirements and business utility:

 

  • Customer Account Data: Retained for the duration of the active contract plus at least 7 years to comply with financial auditing and tax obligations (e.g., Canadian and US tax law).
  • Security & Audit Logs: System access logs and security metadata are retained for 12 months to allow for year-over-year security analysis and incident investigation.
  • Marketing Leads: Contact info is kept for at least 24 months after the last meaningful interaction (e.g., last email open or website visit). Inactive leads are then purged.
  • Cookies: Expiry varies by type (session cookies expire when the browser closes; persistent analytics cookies expire after 12 months).

 

4. International Data Transfers

ERA processes data primarily in Canada and the United States.

 

Canada: Recognized by the European Commission as providing an "adequate" level of data protection.

Other Jurisdictions: When we transfer data to service providers (sub-processors) outside the EEA or Canada, ERA implements appropriate safeguards, including Standard Contractual Clauses (SCCs) and contractual confidentiality and security requirements.

 

5. Security of Processing

ERA maintains SOC 2 Type II certification, ensuring our technical and organizational measures are audited for effectiveness. These include:

 

  • Encryption: All data is encrypted using AES-256 at rest and TLS 1.2+ in transit.
  • Access Control: Role-based access control (RBAC) and Multi-Factor Authentication (MFA) are mandatory for all administrative access.
  • Resilience: Continuous monitoring and secure backups for business continuity.

 

These measures protect personal data against unauthorized access, loss, or disclosure.

 

6. Processor Responsibilities (Limited Platform Personal Data)

Where ERA processes limited personal data within the EHS Platform solely for user access, authentication, and platform security purposes, ERA:

  • Processes such data only in accordance with customer instructions and contractual agreements
  • Ensures authorized personnel are subject to confidentiality obligations
  • Applies appropriate technical and organizational security measures
  • Engages service providers under data protection obligations
  • Supports customers with data subject rights requests where applicable
  • Supports breach notification obligations
  • Securely deletes or returns personal data upon service termination in accordance with contractual terms

 

7. Your Data Subject Rights

If you are located in the EEA or UK, you have the following rights under GDPR Articles 15–22:

 

  • Access & Portability – Request a copy of your personal data in a machine-readable format
  • Rectification – Correct inaccurate or incomplete data
  • Erasure (“Right to be Forgotten”) – Request deletion of data no longer required
  • Restriction of Processing – Limit how your data is used in certain circumstances
  • Objection to Processing – Object to processing based on legitimate interests
  • Withdraw Consent – Opt out of marketing communications at any time
  • Lodge a Complaint – File a complaint with a supervisory authority in your country of residence, workplace, or where an alleged infringement occurred

To exercise these rights, please email privacy@era-ehs.com. We will respond within 30 days.

 

ERA does not conduct automated decision-making or profiling that produces legal or similarly significant effects.

 

8. Cookie Consent & Management

Our website uses cookies to distinguish you from other users.

 

  • Essential Cookies: Required for core site functionality (e.g., secure login). These do not require consent.
  • Non-Essential Cookies: We use Google Analytics and similar tools to understand site traffic. We only deploy these if you click "Accept All" on our cookie banner.
  • Management: You can reset your preferences at any time through your browser settings.

 

Want to make a privacy inquiry? Fill out our Data Subject Rights Request (DSAR) Form by clicking here and mail it to privacy@era-ehs.com.