Request a Walkthrough

Back

Privacy Policy

iPSM PLATFORM

PRIVACY POLICY

Effective Date: March 26, 2026

Derive Software Inc. ("Company," "we," "us," or "our") operates the iPSM platform (the "Platform"). This Privacy Policy describes how we collect, use, store, share, and protect information when you use the Platform.

By using the Platform, you consent to the data practices described in this Privacy Policy. In a business context, our processing of Customer Data is also necessary for the performance of our contractual obligations to the Customer. If you do not agree, please do not use the Platform.

  1. Information We Collect

1.1 Account Information

When a Customer subscribes to the Platform and creates user accounts, we collect:

  • Name, email address, job title, and role designation for each Authorized User

  • Organization name, billing address, and payment information

  • Account administrator contact information

  • Authentication credentials (passwords are hashed and salted; we never store plaintext passwords)

1.2 Facility and Compliance Data

The core purpose of the Platform is to manage PSM compliance data. The Customer and its Authorized Users may upload, enter, or generate the following types of data within the Platform:

  • Facility information including names, addresses, system descriptions, and refrigerant inventories

  • Equipment and asset records including specifications, installation dates, maintenance history, and condition assessments

  • Process and Instrumentation Diagrams (P&IDs) and related engineering documents

  • Standard Operating Procedures (SOPs), both user-created and AI-generated drafts

  • Inspection reports, findings, observations, and corrective actions

  • Process Hazard Analysis (PHA) worksheets, scenarios, and risk rankings

  • Management of Change (MOC) requests, reviews, and approvals

  • Hot Work Permit records

  • Training records, certifications, and completion dates

  • Compliance audit results, evidence binder contents, and regulatory correspondence

  • Digital signature records including signer identity and timestamps

1.3 Voice and Audio Data

The Platform includes voice-to-text transcription features that allow users to dictate inspection observations and other content. When this feature is used:

  • Audio is captured by the user's device and transmitted to our third-party transcription service provider for processing

  • The transcription service converts audio to text, which is returned to the Platform

  • Audio recordings are not permanently stored by the Company after transcription is complete

  • The third-party transcription provider's data handling is governed by our data processing agreement with them (see Section 5)

1.4 Usage Data

We automatically collect certain information about how the Platform is used, including:

  • Login timestamps, session duration, and feature usage patterns

  • Browser type, operating system, device information, and IP address

  • Error logs and performance metrics

  • Pages visited and actions taken within the Platform

Usage data is collected to maintain, improve, and secure the Platform. It is not used for advertising or sold to third parties.

1.5 AI Interaction Data

When the Platform's AI features are used, we collect:

  • Prompts, inputs, and context provided to the AI system (including Customer Data used to generate AI content)

  • AI-generated outputs and responses

  • User actions on AI-generated content (accept, edit, reject, approve)

AI interaction data is used to provide the requested AI functionality and to monitor and improve the quality and safety of AI-generated outputs. Derive may use anonymized and aggregated AI interaction patterns (such as acceptance rates and error frequencies) to improve the Platform's AI configuration. Derive does not use identifiable Customer Data to train or fine-tune any AI model, whether proprietary or third-party.

  1. How We Use Information

We use the information we collect for the following purposes:

PurposeDescription
Service DeliveryOperating and providing the Platform, processing Customer Data, generating AI content, and delivering compliance management functionality
Account ManagementManaging subscriptions, billing, user accounts, access controls, and customer communications
SecurityProtecting the Platform and Customer Data, detecting and preventing unauthorized access, monitoring for security threats, and maintaining audit logs
ImprovementAnalyzing usage patterns to improve Platform features, performance, reliability, and user experience
ComplianceMeeting our legal obligations, responding to lawful requests from authorities, and maintaining records as required by law
SupportProviding technical support and responding to Customer inquiries
CommunicationsSending service-related notifications including security alerts, compliance reminders, and platform updates
  1. AI Data Processing — Specific Disclosures

Given the critical role of AI in the Platform, we provide the following specific disclosures about how Customer Data is processed by AI systems:

3.1 What Data Is Sent to AI Providers

When you use AI-powered features (such as SOP generation, PHA assistance, compliance analysis, or voice transcription), relevant portions of your Customer Data are transmitted to third-party AI service providers. This may include:

  • Equipment specifications and descriptions

  • Facility system descriptions and configurations

  • P&ID content and process descriptions

  • Existing SOPs, procedures, and compliance documents

  • Inspection observations and findings

  • Process parameters and operating conditions

  • Audio recordings (for voice transcription only)

3.2 How AI Providers Handle Your Data

Our AI service providers process Customer Data under the following constraints:

  • Data is transmitted via encrypted connections (TLS 1.2+)

  • Data is processed solely to generate the requested output and is not used to train the provider's general-purpose AI models

  • Data is processed solely to generate the requested output. Retention by the AI provider after processing completion is governed by that provider's data retention policies, which we review as part of our vendor diligence and data processing agreements

  • We maintain data processing agreements with all AI service providers that include confidentiality obligations, data handling requirements, and security commitments

3.3 AI Prompt Caching

The Platform may use prompt caching techniques to improve performance and reduce latency for AI-powered features. Cached prompts are designed to contain domain knowledge and system instructions. Customer-specific data included in AI requests is transmitted per-request and is not intended to be cached across sessions or customers.

3.4 Current AI Service Providers

The Platform currently uses the following third-party AI and data processing services:

  • Large Language Model processing: Anthropic Claude, OpenAI, and Google Gemini (accessed via OpenRouter) — used for document generation, analysis, and compliance assistance

  • Voice transcription: AssemblyAI — used for converting audio recordings to text during inspections and data entry

We may change AI service providers from time to time. Any new provider will be subject to equivalent or stricter data processing requirements. Any change in AI service providers will be treated as a material change to this Privacy Policy and communicated in accordance with Section 12.

  1. Data Storage and Security

4.1 Infrastructure

Customer Data is stored on cloud infrastructure hosted in the United States. We use Supabase (built on PostgreSQL) as our primary data storage platform, with row-level security (RLS) enforced at the database layer to ensure that data access is restricted to authorized users within the appropriate organizational context.

4.2 Security Measures

We implement commercially reasonable security measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)

  • Row-level security policies enforced at the database layer

  • Role-based access controls with configurable permission levels

  • Secure authentication with hashed and salted passwords

  • Regular security monitoring and error tracking

  • Audit logging of security-relevant events including logins, permission changes, and document approvals

4.3 Data Retention

We retain Customer Data for the duration of the Customer's active subscription plus thirty (30) days following termination to facilitate data export. After this period, Customer Data may be permanently deleted. Certain data may be retained longer as required by law or for legitimate business purposes such as maintaining audit logs.

Given the regulatory nature of PSM compliance records, we recommend that Customers maintain independent backups of their compliance documentation and not rely solely on the Platform for long-term record retention.

4.4 Breach Notification

In the event of a data breach affecting Customer Data, we will notify affected Customers without unreasonable delay and in no event later than seventy-two (72) hours of confirming the scope and nature of the breach, to the extent feasible, or within the timeframe required by applicable law, whichever is shorter. Notification will include the nature of the breach, the data affected, steps taken to mitigate the breach, and recommended actions for the Customer.

  1. Third-Party Service Providers

We use third-party service providers to operate and deliver the Platform. These providers have access to Customer Data only as necessary to perform their designated functions and are contractually obligated to maintain the confidentiality and security of such data. Current categories of service providers include:

  • Cloud infrastructure and database hosting (Supabase, Vercel/DigitalOcean)

  • AI model providers (Anthropic, OpenAI, and Google via OpenRouter)

  • Voice transcription (AssemblyAI)

  • Email delivery (Resend)

  • Payment processing (Stripe)

  • Error monitoring and application performance (Sentry)

  • Domain and DNS management

We do not sell, rent, or trade Customer Data to any third party for marketing, advertising, or any purpose unrelated to the operation of the Platform.

  1. When We Share Information

We may share Customer Data or information derived from it only in the following circumstances:

  • With the Customer's consent or at the Customer's direction

  • With our third-party service providers as described in Section 5, subject to appropriate data processing agreements

  • To comply with applicable law, regulation, legal process, or enforceable governmental request

  • To protect the rights, property, or safety of the Company, our customers, or the public

  • In connection with a merger, acquisition, or sale of all or a portion of our assets, provided that the acquiring entity agrees to be bound by the terms of this Privacy Policy

We do not share Customer Data with other customers of the Platform. Each Customer's data is logically segregated using row-level security and organizational access controls.

  1. Customer Rights and Data Control

Customers and their Authorized Users have the following rights regarding their data:

7.1 Access and Export

Customers may access their data through the Platform at any time during their subscription. Upon request, we will provide a complete data export in a standard, machine-readable format.

7.2 Correction

Customers may correct, update, or modify their data directly through the Platform at any time.

7.3 Deletion

Customers may request deletion of their data by contacting us at privacy@ipsm.app. We will process deletion requests within forty-five (45) days, subject to any legal retention requirements. If additional time is needed due to the complexity or volume of the request, we will notify the requestor and provide an explanation. Note that deletion of compliance records may affect the Customer's ability to demonstrate regulatory compliance.

7.4 Portability

Customers may request a portable copy of their data as described in Section 7.1. We support data export in standard formats to facilitate migration to other systems if desired.

7.5 Restriction of Processing

Customers may request that we restrict processing of certain data. Note that restricting processing may affect the availability of Platform features that rely on the restricted data.

  1. Cookies and Tracking Technologies

The Platform uses essential cookies and similar technologies solely for the following purposes:

  • Authentication: Maintaining your logged-in session and verifying your identity

  • Security: Detecting and preventing unauthorized access and security threats

  • Preferences: Remembering your display settings and interface preferences

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track users across other websites. We do not participate in cross-site tracking or retargeting.

  1. Children's Privacy

The Platform is designed for use by organizations managing industrial process safety compliance. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly.

  1. International Data Transfers

The Platform is hosted in the United States and Customer Data is stored and processed in the United States. If you access the Platform from outside the United States, you consent to the transfer, storage, and processing of your data in the United States, where data protection laws may differ from those of your jurisdiction. If you are located outside the United States and applicable law requires additional transfer safeguards, we will work with you to implement appropriate data transfer mechanisms.

  1. State Privacy Rights

Residents of certain U.S. states (including California, Virginia, Colorado, Connecticut, and others with comprehensive privacy legislation) may have additional rights under applicable state privacy laws, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale or sharing of personal information.

We do not sell personal information. As a Virginia-based company, we are committed to compliance with the Virginia Consumer Data Protection Act and have designed our data practices to meet its requirements. To exercise any rights available to you under applicable state privacy law, please contact us at privacy@ipsm.app. We will respond to verified requests within the timeframes required by applicable law.

  1. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to the Customer's account administrator via email and/or through a notice within the Platform at least thirty (30) days before taking effect. The "Effective Date" at the top of this policy indicates when the most recent revisions were published. Continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

  1. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws provisions.

  1. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Derive Software Inc.

Attention: Privacy

Email: privacy@ipsm.app

Website: https://ipsm.app

For data breach concerns or urgent security matters, please contact: security@ipsm.app

© 2026 Derive Software Inc. All rights reserved.

iPSM is a product of Derive Software Inc.

Terms of Service