Privacy Policy

Last updated: February 18, 2026

Table of Contents

  1. Introduction
  2. Data Controller
  3. Data We Collect
  4. Legal Basis for Processing
  5. How We Use Your Data
  6. Location Data
  7. Photo Storage
  8. Data Sharing
  9. Data Retention
  10. Your Rights
  11. Data Security
  12. Push Notifications
  13. Children
  14. International Transfers
  15. Changes to This Policy
  16. Contact

1. Introduction

ConstructionApp operates the Kredo mobile application (the "App"), a construction site management tool for iOS. Kredo enables construction managers and workers to track time, manage teams, handle material requests, and document job sites with photos.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Kredo App and any associated services. We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR) and applicable German data protection laws.

By using Kredo, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the App.

2. Data Controller

The data controller responsible for the processing of your personal data is:

ConstructionApp
Germany
Email: privacy@constructionapp.de

If you have any questions about this Privacy Policy or the processing of your personal data, please contact us at the email address above.

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

  • Full name
  • Phone number
  • Email address
  • Authentication provider (Apple, Google, or Facebook) and associated account identifiers

3.2 Organization Data

  • Company or organization name
  • Your role within the organization (Manager or Worker)
  • Organization membership and team assignments

3.3 Time Tracking Data

  • Clock-in and clock-out timestamps
  • Work session durations
  • Break times and durations
  • Timesheet approval status

3.4 Location Data

  • GPS coordinates collected at the moment of clock-in and clock-out only
  • Distance from the job site geofence boundary at the time of clock-in/out

Please see Section 6 for detailed information about our location data practices.

3.5 Photos

  • Site documentation photos uploaded by users
  • Photos attached to material requests

3.6 Device Information

  • Device tokens for push notifications (APNs tokens)
  • Device type and model
  • Operating system version

3.7 Usage Data

  • Feature usage and app interactions
  • Sync status and connectivity information
  • Error logs and crash reports (anonymized)

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

4.1 Performance of a Contract (Art. 6(1)(b) GDPR)

Processing is necessary for the performance of the contract between you and your organization for the use of Kredo. This includes:

  • Time tracking and timesheet management
  • Team management and organization membership
  • Material request processing
  • Task assignment and management
  • Photo documentation of job sites

4.2 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing is necessary for our legitimate interests, which include:

  • Improving and maintaining the quality of our service
  • Ensuring the security and integrity of the App (fraud prevention, rate limiting)
  • Analyzing anonymized usage data to enhance the user experience
  • Providing technical support and resolving issues

4.3 Consent (Art. 6(1)(a) GDPR)

For certain processing activities, we rely on your explicit consent. You can withdraw your consent at any time without affecting the lawfulness of prior processing. Consent-based processing includes:

  • Push notifications (clock-in reminders, approval alerts, team updates)
  • Location services (GPS collection at clock-in/out)

5. How We Use Your Data

We use your personal data for the following purposes:

5.1 Providing the Service

  • Enabling clock-in/out and time tracking with GPS verification
  • Facilitating team management, including invitations, join requests, and role assignments
  • Processing and tracking material requests
  • Managing tasks and work assignments
  • Storing and displaying site documentation photos
  • Synchronizing data across devices and between managers and workers

5.2 Communications

  • Sending push notifications for clock-in reminders, approval alerts, and team updates
  • Sending SMS verification codes during account registration

5.3 Service Improvement

  • Analyzing anonymized usage patterns to improve the App
  • Identifying and resolving technical issues

5.4 Security

  • Fraud prevention and detection
  • Rate limiting to prevent abuse
  • Authenticating users and verifying access permissions

6. Location Data

Kredo collects GPS location data only at the moment of clock-in and clock-out. We do not continuously track your location. Kredo does not monitor your location in the background, during work hours, or at any other time.

GPS coordinates are collected to verify that you are within the designated job site geofence when clocking in or out. This geofence is configured by your organization manager and typically has a radius between 50 and 500 meters.

Your location data is:

  • Stored alongside your time entry records
  • Visible to your organization manager as part of timesheet records
  • Used to calculate your distance from the job site boundary at clock-in/out
  • Never shared with third parties for advertising or tracking purposes
  • Deleted when you delete your account

You can disable location services for Kredo at any time in your iOS Settings. If location access is denied, you may still clock in and out, but GPS verification will not be available, and your manager may require location verification depending on the organization's settings.

7. Photo Storage

Photos uploaded through Kredo (site documentation, material request attachments) are stored in encrypted S3-compatible object storage on servers located in the European Union (Hetzner, Germany).

Your photos are:

  • Associated with your organization and the relevant job site, material request, or task
  • Visible to managers within your organization
  • Encrypted at rest on our servers
  • Transmitted over encrypted connections (TLS/HTTPS)
  • Permanently deleted when you delete your account, within 30 days of account deletion

We do not use your photos for any purpose other than providing the Kredo service. Photos are never analyzed, sold, or shared with third parties.

8. Data Sharing

We value your privacy and limit data sharing to what is strictly necessary for the operation of the service.

8.1 Within Your Organization

Your organization manager can access:

  • Your time entries, including clock-in/out times, durations, and GPS locations
  • Your material requests and associated photos
  • Your task assignments and their status
  • Your site documentation photos
  • Your profile information (name, role, contact details)

8.2 No Sale or Advertising Use

We do not sell your personal data to any third parties. We do not use your data for advertising purposes. We do not share your data with data brokers or marketing platforms.

8.3 Third-Party Service Providers

We use the following third-party service providers to operate Kredo. These providers process data on our behalf and are bound by data processing agreements in compliance with the GDPR:

  • Twilio — SMS verification codes for phone-based account registration
  • Apple, Google, Facebook — Authentication providers for social sign-in (we receive only your name, email, and a unique identifier from these services)
  • Hetzner — Cloud hosting and S3-compatible object storage for our servers and photo storage, located in Germany (EU)
  • Apple Push Notification Service (APNs) — Delivery of push notifications to your device

8.4 Legal Obligations

We may disclose your personal data if required to do so by German law, or in response to a valid legal request from a competent authority (e.g., a court order or regulatory investigation).

9. Data Retention

We retain your personal data for as long as your account is active and you are a member of an organization using Kredo.

  • Active accounts: All personal data is retained to provide the service.
  • Account deletion: When you delete your account, all personal data (including time entries, photos, material requests, location data, and device tokens) is permanently removed from our systems within 30 days.
  • Anonymized data: Aggregated and anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.
  • Legal requirements: Certain data may be retained beyond the 30-day deletion period if required by German tax or labor regulations.

10. Your Rights

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to rectification (Art. 16 GDPR) — You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to erasure (Art. 17 GDPR) — You have the right to request deletion of your personal data ("right to be forgotten"), subject to certain legal exceptions.
  • Right to restriction of processing (Art. 18 GDPR) — You have the right to request that we restrict the processing of your personal data under certain circumstances.
  • Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
  • Right to object (Art. 21 GDPR) — You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis.
  • Right to withdraw consent — Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to lodge a complaint — You have the right to lodge a complaint with a data protection supervisory authority. In Germany, the relevant authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI) or the data protection authority of your federal state.

To exercise any of these rights, please contact us at privacy@constructionapp.de. We will respond to your request within 30 days, as required by the GDPR.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: All data transmitted between the Kredo App and our servers is encrypted using TLS/HTTPS.
  • Encryption at rest: Photos and other stored data are encrypted on our servers.
  • Authentication: We use JWT (JSON Web Token) authentication with short-lived access tokens (15 minutes) and longer-lived refresh tokens, with revocation support.
  • Rate limiting: API rate limiting protects against brute-force attacks and abuse.
  • Access control: Organization-based multi-tenancy ensures that users can only access data within their own organization.
  • Security headers: Our servers enforce security headers (via Helmet) to mitigate common web vulnerabilities.
  • App verification: All API requests require a verified application identifier to prevent unauthorized access.
  • Regular audits: We conduct regular security reviews and audits of our infrastructure and code.

12. Push Notifications

Kredo uses the Apple Push Notification Service (APNs) to deliver timely notifications to your device. These notifications may include:

  • Clock-in and clock-out reminders
  • Timesheet and material request approval or rejection alerts
  • Team join request notifications (for managers)
  • Task assignment updates

To deliver push notifications, we store your APNs device token on our servers. This token is unique to your device and the Kredo App and cannot be used to identify you personally.

You can disable push notifications at any time by navigating to Settings > Notifications > Kredo on your iOS device. Disabling notifications will not affect the core functionality of the App.

13. Children

Kredo is a professional construction management tool and is not intended for use by children under the age of 16. We do not knowingly collect or process personal data from children under 16.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that data from our systems. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@constructionapp.de.

14. International Transfers

All data processed by Kredo is stored on servers located within the European Union, specifically in Germany (Hetzner data centers). We do not transfer your personal data outside of the European Economic Area (EEA).

Our third-party authentication providers (Apple, Google, Facebook) may process authentication tokens in their own infrastructure. However, the personal data we receive from these providers (name, email, unique identifier) is stored and processed exclusively on our EU-based servers.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the functionality of the Kredo App.

If we make significant changes to this policy, we will notify you via an in-app notification within Kredo. We encourage you to review this policy periodically.

Your continued use of the App after changes are posted constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the App and delete your account.

16. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

ConstructionApp
Germany
Email: privacy@constructionapp.de

We are committed to resolving any complaints about your privacy and our collection or use of your personal data. We will respond to all inquiries within 30 days.

© 2026 ConstructionApp. All rights reserved.
