Bridgemart Comply · Last updated July 8, 2026
Privacy Policy
Bridgemart Comply handles some of the most sensitive records a workplace keeps — reports of injuries and illnesses. This policy explains what we collect, how Comply AI processes it, who can see it, how long we keep it, and the choices you have.
01Who we are and what this covers
Bridge Purchasing Solutions, Inc., doing business as Bridgemart ("Bridgemart," "we," "our," or "us"), provides Bridgemart Comply — a software service for workplace incident reporting, investigations, audits, corrective actions, and OSHA recordkeeping (the "Service"), available at comply.bridgemart.com and through related pages on bridgemart.com.
This policy describes how we collect, use, disclose, and protect information in connection with the Service and its marketing pages. The Bridgemart safety-eyewear programs are covered by the separate Bridgemart Privacy Policy.
02Our role: processor for your employer
The Service is business software. When you use Comply as an employee, manager, or reporter, your employer (our customer) is the data controller of the records in its workspace — including incident reports and injury and illness records. We process that information on the customer’s behalf and under its instructions. If you have questions or requests about records your employer keeps in Comply, contact your employer first; we will support them in responding.
For visitors to our marketing pages and for account, billing, and support contacts, Bridgemart acts as the data controller.
03Information we collect
- Account information — name, work email address, role, establishment assignments, authentication data, and device-trust tokens.
- Incident and safety records — reports of injuries, illnesses, near misses, hazards, and observations submitted to a customer workspace, including narratives, photos and attachments, follow-up answers, investigation findings, corrective actions, and audit completions. Because OSHA recordkeeping (29 CFR Part 1904) requires details about work-related injuries and illnesses, these records may include health-related information about identified individuals.
- Anonymous frontline submissions — reports made by scanning a posted QR code do not require an account. They are attributed to the QR code’s location, not to the reporter, unless the reporter chooses to identify themselves.
- Usage and log data — pages viewed, actions taken, timestamps, IP address, and browser type. The Service also keeps an immutable activity log of workspace actions (who submitted, reviewed, confirmed, overrode, assigned, or changed what) as a compliance feature.
- Billing information — plan, subscription status, and payment records. Card details are collected and processed by Stripe; we do not store full card numbers.
- Support and marketing contacts — messages you send us, demo bookings, and form submissions on our marketing pages.
04How we use information
- To provide the Service: intake, review, and routing of reports; investigations, corrective actions, and audits; generation of OSHA 300, 300A, and 301 forms; deadline tracking and notifications.
- To provide AI-assisted features described in the next section.
- To secure the Service, maintain audit trails, prevent abuse, and meet our legal obligations.
- To administer accounts, billing, and support.
- To operate and improve our marketing pages and communicate with prospective customers.
We do not sell personal information, and we do not use customer workspace content for advertising.
05AI processing (Comply AI)
Comply AI features — recordability classification, adaptive intake questions, investigation drafts, recommended corrective actions, safety insights, and compliance chat — are powered by large language models from third-party AI providers, currently Anthropic. To provide these features, relevant workspace content (for example, an incident narrative and its attachments) is transmitted to the provider for processing and the output is returned to your workspace.
Our AI providers process this data to provide the feature and are not permitted to use customer content to train their models. Comply AI output is decision support: recommendations are recorded alongside the human confirmation or override, and responsibility for final determinations remains with the customer.
06How we share information
- Service providers (subprocessors) — cloud hosting and database infrastructure, Anthropic (AI processing), Stripe (payments), and transactional email delivery. Each is bound by contract to protect the data and use it only to provide services to us.
- Your employer — content you submit to a customer workspace is visible to that customer according to its role and location settings.
- Legal — when required by law, regulation, legal process, or a governmental request, or to protect the rights, safety, or property of Bridgemart, our customers, or others. OSHA forms are generated for the customer; we do not submit them to OSHA on the customer’s behalf.
- Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
07Retention
OSHA requires employers to retain injury and illness records for five years following the end of the calendar year the records cover (29 CFR 1904.33). Comply retains customer workspace records — including the activity log — for at least that period while the workspace is active, and follows the customer’s documented instructions on export and deletion when a subscription ends, subject to legal holds and our backup cycles.
Account, billing, and marketing records are kept for as long as needed for the purposes above and as required by law.
08Security
We protect information with encryption in transit and at rest, role- and location-scoped access controls, two-factor authentication, device-trust tokens, and immutable audit logging of workspace actions. No system is perfectly secure; we encourage customers to scope roles narrowly and to report any suspected issue to info@bridgemart.com.
09Privacy of injury and illness details
The Service supports OSHA’s privacy-case protections (29 CFR 1904.29(b)(6)–(10)): sensitive cases can be recorded without the employee’s name appearing on the 300 Log, and the 300A posting copy is generated without individual names. Access to case detail is limited by role.
10Your rights and choices
Depending on where you live, you may have rights to access, correct, delete, or receive a copy of personal information, and to opt out of certain processing. For records in an employer’s workspace, we will refer your request to that employer and assist them in responding. For information Bridgemart controls (account, billing, marketing), contact info@bridgemart.com and we will respond as required by applicable law, including U.S. state privacy laws. We do not discriminate against anyone for exercising privacy rights.
Employees also have rights under OSHA rules to access certain injury and illness records held by their employer; those requests are handled by the employer.
11Cookies and analytics
Our marketing pages use cookies and similar technologies for essential site functions and aggregate analytics (for example, page performance and conversion measurement). The Service uses cookies and tokens for authentication and session security. You can control cookies through your browser settings; essential cookies are required for the Service to work.
12Children
The Service is intended for workplaces and is not directed to children under 16. We do not knowingly collect personal information from children.
13Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes affecting the Service, notify customer administrators.
14Contact us
Bridge Purchasing Solutions, Inc. (d/b/a Bridgemart) — info@bridgemart.com. Please include "Comply Privacy" in the subject line so we can route your request quickly.
Questions about this document? Contact us at info@bridgemart.com. See also the Comply Privacy Policy and Comply Terms of Service.