
Privacy Policy

Last updated: March 1, 2026

Table of Contents

  1. Introduction
  2. Data Controller & Data Processor
  3. Data We Collect
  4. Data We Do Not Collect
  5. Legal Basis for Processing
  6. How We Use Your Data
  7. Proximity Verification (On-Device)
  8. Photo Storage
  9. Data Sharing
  10. Data Retention
  11. Your Rights
  12. Data Security
  13. Push Notifications
  14. Children
  15. International Transfers
  16. Employer Obligations & Law 190/2018
  17. Changes to This Policy
  18. Contact

1. Introduction

Kredo Tech S.R.L. ("Kredo", "we", "us", or "our") operates the Kredo mobile application (the "App"), a construction site management tool for iOS. Kredo enables construction managers and workers to track time, manage teams, handle material requests, and document job sites with photos.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Kredo App and any associated services. We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), Romanian Law No. 190/2018, and other applicable Romanian and EU data protection legislation.

By using Kredo, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the App.

2. Data Controller & Data Processor

2.1 Our Role as Data Controller

For the following categories of data, Kredo Tech S.R.L. acts as the data controller (as defined in Art. 4(7) GDPR):

  • Account registration and authentication data
  • Device information and push notification tokens
  • Anonymized usage data and error logs
  • Data related to operating and securing the App

The data controller is:

Kredo Tech S.R.L.
Brașov, Brașov County, Romania
Trade Register: [To be completed upon registration]
CUI: [To be completed upon registration]
Email: privacy@kredo.app

2.2 Our Role as Data Processor

When Kredo is used by an organization for workforce management (time tracking, proximity verification, task assignments, material requests), the employer organization (represented by the Manager account holder) is the data controller for employee-related data. In this context, Kredo Tech S.R.L. acts as a data processor (as defined in Art. 4(8) GDPR) processing data on behalf of the employer.

Kredo Tech S.R.L. offers a Data Processing Agreement (DPA) in compliance with Art. 28 GDPR to all employer organizations using the App for workforce management. To request a DPA, contact us at privacy@kredo.app.

2.3 Data Protection Officer

At our current scale of operations, we have determined that the appointment of a Data Protection Officer (DPO) is not required under Art. 37 GDPR. We will reassess this determination as our operations grow. For all data protection inquiries, please contact us at privacy@kredo.app.

If you have any questions about this Privacy Policy or the processing of your personal data, please contact us at the email address above.

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

  • Full name
  • Phone number
  • Email address
  • Authentication provider (Apple, Google, or Facebook) and associated account identifiers

3.2 Organization Data

  • Company or organization name
  • Your role within the organization (Manager or Worker)
  • Organization membership and team assignments

3.3 Time Tracking Data

  • Clock-in and clock-out timestamps
  • Work session durations
  • Break times and durations
  • Timesheet approval status

3.4 Proximity Verification Results

  • A boolean value indicating whether the worker was within range or out of range of the job site at the time of clock-in or clock-out
  • The configured site radius at the time of the proximity check

Please see Section 7 for detailed information about how proximity verification works and what data is — and is not — collected.

3.5 Photos

  • Site documentation photos uploaded by users
  • Photos attached to material requests

Photos are uploaded without GPS metadata. Location data embedded in photos (EXIF GPS tags) is stripped before transmission and is never sent to or stored on our servers.

3.6 Device Information

  • Device tokens for push notifications (APNs tokens)
  • Device type and model
  • Operating system version

3.7 Usage Data

  • Feature usage and app interactions
  • Sync status and connectivity information
  • Error logs and crash reports (anonymized)

4. Data We Do Not Collect

Kredo is designed with a privacy-by-design approach. The following data is explicitly not collected, transmitted to, or stored on our servers:

  • GPS coordinates — Your precise location (latitude and longitude) never leaves your device. All GPS processing for proximity verification occurs on-device.
  • Continuous location tracking — We do not monitor your location in the background, during work hours, between clock-in events, or at any other time.
  • Photo GPS metadata — EXIF location data is stripped from photos before upload. We do not know where photos were taken.
  • Biometric data — We do not collect fingerprints, facial recognition data, or any other biometric identifiers.
  • Personal device data — We do not access your contacts, calendar, messages, browsing history, or any other personal data on your device beyond what is listed in Section 3.

5. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

5.1 Performance of a Contract (Art. 6(1)(b) GDPR)

Processing is necessary for the performance of the contract between you and Kredo Tech S.R.L. for the use of the Kredo App. This includes:

  • Account creation and authentication
  • Team management and organization membership
  • Material request processing
  • Task assignment and management
  • Photo documentation of job sites
  • Synchronization of data across devices

5.2 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing is necessary for our legitimate interests, which include:

  • Improving and maintaining the quality of our service
  • Ensuring the security and integrity of the App (fraud prevention, rate limiting)
  • Analyzing anonymized usage data to enhance the user experience
  • Providing technical support and resolving issues

You have the right to object to processing based on legitimate interests. See Section 11 for details.

5.3 Consent (Art. 6(1)(a) GDPR)

For certain processing activities, we rely on your explicit consent. You can withdraw your consent at any time without affecting the lawfulness of prior processing. Consent-based processing includes:

  • Push notifications (clock-in reminders, approval alerts, team updates)

5.4 Legal Obligation (Art. 6(1)(c) GDPR)

We may process your data where necessary to comply with a legal obligation to which Kredo Tech S.R.L. is subject, such as tax or accounting regulations, or in response to a valid legal request from a competent authority.

5.5 Note on Time Tracking and Proximity Verification Data

When Kredo is used by an employer for workforce time tracking, the legal basis for processing employee time tracking data and proximity verification results is determined by the employer (as data controller), not by Kredo Tech S.R.L. (as data processor). The employer's legal basis will typically be:

  • Legal obligation (Art. 6(1)(c)) — Romanian Codul Muncii (Art. 119) requires employers to maintain records of working time.
  • Legitimate interests (Art. 6(1)(f)) — The employer has a legitimate interest in verifying workforce presence at job sites.

Important: Employee consent is generally not a valid legal basis for employer-mandated monitoring due to the power imbalance in the employment relationship (per EDPB Opinion 2/2017 and Romanian Law 190/2018). Employers should not rely on employee consent as the sole legal basis for deploying Kredo's time tracking features.

6. How We Use Your Data

We use your personal data for the following purposes:

6.1 Providing the Service

  • Enabling clock-in/out and time tracking with on-device proximity verification
  • Facilitating team management, including invitations, join requests, and role assignments
  • Processing and tracking material requests
  • Managing tasks and work assignments
  • Storing and displaying site documentation photos
  • Synchronizing data across devices and between managers and workers

6.2 Communications

  • Sending push notifications for clock-in reminders, approval alerts, and team updates
  • Sending SMS verification codes during account registration

6.3 Service Improvement

  • Analyzing anonymized usage patterns to improve the App
  • Identifying and resolving technical issues

We do not use your personal data, User Content, or photos to train machine learning or artificial intelligence models.

6.4 Security

  • Fraud prevention and detection
  • Rate limiting to prevent abuse
  • Authenticating users and verifying access permissions

7. Proximity Verification (On-Device)

Kredo uses a privacy-by-design approach to proximity verification. Here is exactly how it works:

7.1 How It Works

When you clock in or out, the Kredo App requests your device's GPS position. The App then compares your position to the job site boundary configured by your organization's manager. This comparison is performed entirely on your device. Your GPS coordinates are processed locally and are never transmitted to Kredo's servers.

7.2 What Is Sent to Our Servers

After the on-device check, only the following non-location data is transmitted:

  • A boolean value: whether you are within range or out of range of the job site
  • The configured site radius (in meters) at the time of the check

This data does not reveal your location. It only indicates whether you were inside or outside a defined area at the moment of clock-in or clock-out.

7.3 What Is Never Sent

  • Your GPS coordinates (latitude, longitude) are never transmitted
  • Your distance from the site boundary is never transmitted
  • Your location between clock-in events is never accessed or transmitted

7.4 Your Control

You can disable location services for Kredo at any time in your iOS device settings (Settings → Privacy & Security → Location Services → Kredo). If location access is denied:

  • You may still clock in and out normally
  • Proximity verification will not be available
  • Your manager will see that the clock-in was made without proximity verification

8. Photo Storage

Photos uploaded through Kredo (site documentation, material request attachments) are stored in encrypted S3-compatible object storage on servers located in the European Union (Hetzner).

GPS metadata removal: Before any photo is uploaded from your device, Kredo strips all EXIF GPS metadata (latitude, longitude, altitude). The photo stored on our servers contains no location information. We do not know where your photos were taken.

Your photos are:

  • Associated with your organization and the relevant job site, material request, or task
  • Visible to managers within your organization
  • Encrypted at rest on our servers
  • Transmitted over encrypted connections (TLS/HTTPS)
  • Permanently deleted when you delete your account, within 30 days of account deletion

We do not use your photos for any purpose other than providing the Kredo service. Photos are never analyzed, used for AI/ML training, sold, or shared with third parties.

9. Data Sharing

We value your privacy and limit data sharing to what is strictly necessary for the operation of the service.

9.1 Within Your Organization

Your organization manager can access:

  • Your time entries, including clock-in/out times, durations, and proximity verification results (in-range or out-of-range — not GPS coordinates)
  • Your material requests and associated photos
  • Your task assignments and their status
  • Your site documentation photos
  • Your profile information (name, role, contact details)

9.2 No Sale or Advertising Use

We do not sell your personal data to any third parties. We do not use your data for advertising purposes. We do not share your data with data brokers or marketing platforms.

9.3 Third-Party Service Providers

We use the following third-party service providers to operate Kredo. These providers process data on our behalf and are bound by data processing agreements in compliance with the GDPR:

  • Twilio — SMS verification codes for phone-based account registration. Twilio may process phone numbers outside the EEA (see Section 15).
  • Apple, Google, Facebook — Authentication providers for social sign-in (we receive only your name, email, and a unique identifier from these services)
  • Hetzner — Cloud hosting and S3-compatible object storage for our servers and photo storage, located in the European Union
  • Apple Push Notification Service (APNs) — Delivery of push notifications to your device

We will notify organization administrators (Manager account holders) of any changes to our sub-processors that affect the processing of employee data, providing at least 30 days' advance notice.

9.4 Legal Obligations

We may disclose your personal data if required to do so by Romanian law, EU law, or in response to a valid legal request from a competent authority (e.g., a court order, ANSPDCP investigation, or regulatory inquiry).

10. Data Retention

We retain your personal data for as long as your account is active and you are a member of an organization using Kredo.

  • Active accounts: All personal data is retained to provide the service.
  • Account deletion: When you delete your account, all personal data (including time entries, photos, material requests, proximity verification results, and device tokens) is permanently removed from our systems within 30 days.
  • Anonymized data: Aggregated and anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.
  • Legal requirements: Certain data may be retained beyond the 30-day deletion period if required by Romanian tax, labor, or accounting regulations applicable to Kredo Tech S.R.L.

Important Note for Employers

Romanian labor law (Codul Muncii, Art. 268) establishes a 3-year statute of limitations for labor law claims. Employers are legally obligated to retain time tracking records for at least this period. Kredo's 30-day post-deletion policy applies to Kredo's systems only. Employers must independently export and retain time tracking records using Kredo's export functionality to meet their legal retention obligations. Kredo Tech S.R.L. is not responsible for employer compliance with record retention requirements after account data has been deleted.

11. Your Rights

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to rectification (Art. 16 GDPR) — You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to erasure (Art. 17 GDPR) — You have the right to request deletion of your personal data ("right to be forgotten"), subject to certain legal exceptions.
  • Right to restriction of processing (Art. 18 GDPR) — You have the right to request that we restrict the processing of your personal data under certain circumstances.
  • Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format (CSV or JSON), and to transmit it to another controller.
  • Right to object (Art. 21 GDPR) — You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis. If you are a worker and wish to object to proximity verification, you may disable location services on your device; your ability to clock in will not be affected, though proximity verification results will not be available.
  • Right to withdraw consent — Where processing is based on your consent (e.g., push notifications), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to lodge a complaint — You have the right to lodge a complaint with a data protection supervisory authority:
    • In Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — www.dataprotection.ro
    • In your EU Member State: You may lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

To exercise any of these rights, please contact us at privacy@kredo.app. We will respond to your request within 30 days, as required by the GDPR.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: All data transmitted between the Kredo App and our servers is encrypted using TLS/HTTPS.
  • Encryption at rest: Photos and other stored data are encrypted on our servers.
  • Authentication: We use JWT (JSON Web Token) authentication with short-lived access tokens (15 minutes) and longer-lived refresh tokens, with revocation support.
  • Rate limiting: API rate limiting protects against brute-force attacks and abuse.
  • Access control: Organization-based multi-tenancy ensures that users can only access data within their own organization.
  • Security headers: Our servers enforce security headers (via Helmet) to mitigate common web vulnerabilities.
  • App verification: All API requests require a verified application identifier to prevent unauthorized access.
  • On-device GPS processing: GPS coordinates are processed locally and never transmitted, eliminating server-side location data exposure.
  • Photo metadata stripping: EXIF GPS data is removed from photos before upload, preventing inadvertent location disclosure.

13. Push Notifications

Kredo uses the Apple Push Notification Service (APNs) to deliver timely notifications to your device. These notifications may include:

  • Clock-in and clock-out reminders
  • Timesheet and material request approval or rejection alerts
  • Team join request notifications (for managers)
  • Task assignment updates

To deliver push notifications, we store your APNs device token on our servers. This token is unique to your device and the Kredo App and cannot be used to identify you personally.

You can disable push notifications at any time by navigating to Settings > Notifications > Kredo on your iOS device. Disabling notifications will not affect the core functionality of the App.

14. Children

Kredo is a professional construction management tool and is not intended for use by children under the age of 16. We do not knowingly collect or process personal data from children under 16.

If a worker between 15 and 16 years of age is legally employed under Romanian labor law (Art. 13 Codul Muncii), their employer may request a supervised account with parental or legal guardian consent.

If we become aware that we have inadvertently collected personal data from a child under the applicable age threshold without appropriate consent, we will take immediate steps to delete that data from our systems. If you believe that a child has provided us with personal data, please contact us at privacy@kredo.app.

15. International Transfers

All core data processed by Kredo (account data, time entries, photos, proximity verification results) is stored on servers located within the European Union (Hetzner data centers).

15.1 Twilio (SMS Verification)

Twilio, which we use for SMS verification during account registration, is a US-based company. When you register with a phone number, your phone number and the SMS verification code are processed by Twilio's infrastructure, which may involve processing outside the European Economic Area (EEA). This transfer is safeguarded by:

  • Twilio's certification under the EU-US Data Privacy Framework (DPF), where applicable
  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Twilio's Data Processing Agreement with Kredo Tech S.R.L.

15.2 Authentication Providers

Our third-party authentication providers (Apple, Google, Facebook) may process authentication tokens in their own infrastructure. However, the personal data we receive from these providers (name, email, unique identifier) is stored and processed exclusively on our EU-based servers.

16. Employer Obligations & Romanian Law 190/2018

This section is addressed to organizations and managers using Kredo for workforce management in Romania. Romanian Law 190/2018 establishes specific requirements for employee monitoring that employers must comply with.

16.1 Kredo's Privacy-by-Design Approach

Kredo's on-device proximity verification system is designed to minimize the compliance burden on employers. Because GPS coordinates never leave the worker's device, Kredo's architecture significantly reduces the scope of employee monitoring. The only monitoring-related data transmitted is a boolean proximity result, which does not constitute location tracking under most interpretations of Law 190/2018.

16.2 Employer Responsibilities

Nevertheless, employers deploying Kredo for workforce time tracking should:

  • Assess necessity (Art. 3, Law 190/2018): Determine that using Kredo's time tracking and proximity verification features is necessary for legitimate business purposes.
  • Inform employees (Art. 5–6, Law 190/2018): Notify employees about the use of Kredo and its proximity verification features before deployment. The notice should explain: what data is collected, how it is used, and that GPS coordinates remain on the device.
  • Consult employee representatives (Art. 5, Law 190/2018): Where applicable, consult with trade unions or employee representatives before deploying the App.
  • Maintain time records (Art. 119, Codul Muncii): Export and independently retain time tracking records for the periods required by law (minimum 3 years).
  • Request a Data Processing Agreement: As data controller for employee data, the employer should have a DPA in place with Kredo Tech S.R.L. (available upon request).

16.3 DPIA Consideration

Given Kredo's privacy-by-design architecture (no GPS coordinates transmitted, no continuous tracking, no biometric data), a full Data Protection Impact Assessment (DPIA) under Art. 35 GDPR may not be required. However, employers should assess their specific circumstances. If you deploy Kredo alongside other monitoring tools, or if your use case involves additional data processing, a DPIA may be advisable. Kredo Tech S.R.L. will cooperate with any employer conducting a DPIA in relation to the use of the Kredo App.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the functionality of the Kredo App.

If we make significant changes to this policy, we will notify you via an in-app notification within Kredo and provide at least 30 days' advance notice. We encourage you to review this policy periodically.

Your continued use of the App after the notice period constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the App and delete your account.

18. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

Kredo Tech S.R.L.
Brașov, Brașov County, Romania
Email: privacy@kredo.app

For data protection complaints, you may contact:

  • ANSPDCP (Romania): Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — www.dataprotection.ro
  • Your local EU supervisory authority: You have the right to lodge a complaint with the data protection authority in your EU Member State of habitual residence (Art. 77 GDPR).

We are committed to resolving any complaints about your privacy and our collection or use of your personal data. We will respond to all inquiries within 30 days.


© 2026 Kredo Tech S.R.L. All rights reserved.
