Third Space Risk is a workplace incident reporting service that helps employers manage incident reports involving their staff. This policy explains what information we handle, why we handle it, and the choices you have. We have written it to be readable; the legal substance is here, but we have tried to avoid burying it.
This Privacy Policy describes how Third Space Holdings, Inc., a Delaware corporation operating the Third Space Risk service ("Third Space Risk," "we," "us," or "our"), processes information in connection with our incident reporting platform, our website, and related services (together, the "Services").
Our Services are designed for use by employers in the United States. We do not direct the Services to individuals outside the United States and do not knowingly process information from individuals outside the United States in connection with the Services.
Third Space Risk is a business-to-business service. Our customers are employers ("Employers") who use the platform to manage incident reports involving their staff ("Staff").
For most information processed through the platform — including incident reports and the personal information of Staff members — the Employer is the controller of that information, and Third Space Risk acts as a service provider (processor) on the Employer's behalf, subject to a written agreement.
If you are a Staff member and have questions about the incident report data your Employer manages through Third Space Risk — including requests to access, correct, or delete it — you should generally direct those requests to your Employer. We will support your Employer in responding.
For a limited set of information — our website visitors, prospective customer contacts, and the personal information of authorized users who log in to our platform — Third Space Risk acts as the controller. This Policy applies to that processing as well.
When an Employer uses the Services to manage an incident involving a Staff member, the Employer provides us with information about that Staff member. This may include:
For Employer personnel who log in to the platform (such as managers, HR, or risk administrators), we collect account information including name, work email address, work phone number, role, and authentication data.
When you visit our website, we automatically collect limited technical information necessary to operate it, including IP address, browser type, and pages visited. We use only essential cookies required for the website and platform to function (for example, authentication and session cookies). We do not use advertising or analytics cookies, marketing pixels, or third-party tracking technologies on our website.
If you contact us through our website or by email — for example, to ask a sales question or submit a privacy request — we receive the information you choose to provide, such as your name, email address, company, and the contents of your message.
Third Space Risk delivers SMS text messages to Staff members on behalf of their Employers, for the purpose of workplace incident reporting. These messages may include requests from a manager for additional information about an incident, follow-up questions, status updates, and links to complete incident report forms.
SMS messaging is an opt-in service. Employers must collect express written consent from each Staff member before adding that Staff member's mobile number to the platform. Consent is collected using a standard, branded paper consent form provided by Third Space Risk and signed by the Staff member as part of the Employer's onboarding process. A Staff member's mobile number is only added to the platform after consent has been signed and recorded by the Employer.
You may opt out of SMS messages at any time by replying STOP (or STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT) to any message. We will send one final confirmation message and will not send further messages to that number. You may reply HELP for help, or reply START to re-subscribe.
Phone numbers and SMS message content are used only to deliver the incident reporting communications described above and to operate the underlying service (for example, recording delivery and opt-out status). We do not sell mobile phone numbers or SMS content, and we do not share this information with third parties for their own marketing purposes. Mobile information is not shared with third parties or affiliates for marketing or promotional purposes.
To deliver SMS messages, we use a telecommunications provider (currently Twilio Inc.) that processes the message and phone number as a service provider on our behalf, subject to its own legal and regulatory obligations.
We use information for the following purposes:
| Purpose | What this looks like |
|---|---|
| Providing the Services | Operating the incident reporting platform, delivering SMS notifications, hosting incident records, authenticating users. |
| Supporting Employers | Responding to support requests, troubleshooting, helping Employers configure their accounts and respond to data subject requests from Staff. |
| Security & integrity | Detecting and preventing unauthorized access, fraud, and abuse; maintaining audit logs. |
| Legal & compliance | Meeting our own legal obligations, responding to lawful requests, enforcing our agreements. |
| Service improvement | Improving the Services using aggregated and de-identified information that does not identify any individual. |
We do not use incident report content, Staff personal information, or SMS content to train artificial intelligence or machine learning models for general-purpose use, and we do not sell this information.
Incident reports and related records frequently must be retained to comply with workplace safety, employment, insurance, and other legal obligations. Retention periods under these obligations commonly extend seven years or longer from the date of the incident, and in some cases continue indefinitely.
Accordingly, we retain incident-related information for the period the Employer is required (or reasonably needs) to retain it, plus a short additional period to support archival, audit, and dispute resolution needs. Employers may instruct us to delete specific records earlier, subject to their own legal retention obligations and our agreement.
For other categories of information — such as platform user accounts, website inquiries, and SMS opt-out records — we retain information for as long as needed for the purpose for which it was collected, and then delete or de-identify it. We retain opt-out records for as long as needed to honor the opt-out, which may be indefinite.
We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These include encryption of data in transit and at rest, role-based access controls, audit logging, multi-factor authentication for platform access, regular security reviews, and vendor due diligence.
Our infrastructure is hosted on Amazon Web Services in the United States. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security; however, we work continuously to maintain industry-standard practices.
Depending on where you live and your relationship with us, you may have rights to access, correct, delete, or restrict the use of your personal information, to opt out of certain processing, and to lodge a complaint with your state attorney general or equivalent regulator.
Because Third Space Risk is a service provider to Employers for most personal information, if you are a Staff member, please direct rights requests to your Employer in the first instance. Your Employer is the controller of that information and is best positioned to respond. We will support your Employer in fulfilling valid requests.
If you are an authorized user of our platform, a website visitor, or otherwise interact with us directly, you may contact us using the details in the Contact us section to exercise any rights you have under applicable law.
This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, "CCPA"). Capitalized terms used in this section have the meanings given to them in the CCPA.
In the preceding twelve months, we have collected the following categories of personal information: identifiers (such as name and contact details), employment-related information (in the form of incident reports and related context provided by Employers), commercial information (records of Employer relationships), internet or other electronic network activity information (limited technical website information), and inferences drawn from the foregoing for the purpose of operating the Services. We do not collect Sensitive Personal Information beyond what may be incidentally contained within incident report content submitted by Employers or Staff.
Sources, purposes for processing, and categories of recipients are described in Information we process, How we use information, and How we share information above.
We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA.
Subject to certain exceptions, California residents have the right to know what personal information we hold about them, request that we correct or delete it, limit our use of Sensitive Personal Information, and not be discriminated against for exercising these rights. To exercise these rights, contact us using the details in the Contact us section. We may need to verify your identity before fulfilling a request, and we will respond within the timeframes required by law. You may also designate an authorized agent to act on your behalf.
The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If we make material changes, we will provide reasonable additional notice — for example, by notifying Employers through the platform or by email. Your continued use of the Services after an updated Policy takes effect constitutes acceptance of the updated Policy.
If you have questions about this Privacy Policy or our privacy practices, please contact us: