Privacy Notice
Last updated: 2026-05-01
Worklii is a workforce management platform for construction companies operating in Sweden and the European Union. This Privacy Notice explains what personal data we collect about construction workers, employers, and their clients; why we process it; how long we keep it; and your rights under the EU General Data Protection Regulation (GDPR) and Swedish data protection law.
This is a working draft. The final wording will be reviewed by legal counsel and our Data Protection Officer before launch with Swedish customers.
1. Who is the data controller?
The construction company using Worklii (the employer) is the data controller for its own workers' data. Worklii operates the platform on the controller's behalf as a data processor. Contact details for the controller are available on request from your account administrator.
2. Lawful basis for processing
Our primary lawful basis is legitimate interest (Art. 6(1)(f) GDPR): managing the performance, qualifications, and assignment of construction workers is essential to the controller's business and serves the workers' interest in transparent, fair evaluation.
For specific operations (account creation, contractual obligations) we may also rely on Art. 6(1)(b) (contract performance) and Art. 6(1)(c) (legal obligation).
3. What data we process
- Identity: first name, last name, internal worker code (e.g., SE100), photo (optional), CV (optional)
- Contact: phone, email (both optional, used for internal communication and the upcoming Worker App)
- Professional: specialization, current site, current brigade, internal notes
- Performance: weekly evaluations on two scales (Professional skill, Motivation; each rated 1–3) and an optional comment from the brigadier
- Documents: passport scans, certificates, recommendation letters, contracts, medical certificates (uploaded by HR; access is restricted)
- Call records: when a call is made to or from a worker through the integrated telephony, we store metadata (time, duration, direction, recording URL, optional AI summary or transcript)
We do not intentionally process special categories of personal data (health, union membership, religion, political opinions, sexual orientation). The brigadier comment field includes a warning asking reviewers not to enter such information.
4. Who has access to your data
- Office coordinator and HR at the employer — full view of worker profiles, documents, and performance history
- Brigadier (foreman) — sees only workers in their own brigade; submits weekly evaluations
- Client (white helmet) — sees workers currently on their site, including names and an aggregate ⭐ rating; cannot see individual evaluation comments, payroll, or HR documents
- Worklii administrators — limited operational access for support and incident response, governed by access logs
5. Sub-processors
We rely on the following infrastructure providers, all under data processing agreements:
- Supabase — database and file storage, EU region (Frankfurt) — DPA
- Vercel — application hosting (EU) — DPA
- Resend — email delivery (EU region) — DPA on file
Personal data is not transferred outside the EU/EEA without appropriate safeguards.
6. How long we keep data
- Active worker profiles: for the duration of employment with the controller
- Weekly evaluations: 3 years after collection, then anonymized (the link to the specific worker is removed; aggregate metrics are retained for analytics)
- Archived workers (deleted_at set): 5 years after archival, then permanently deleted, including photo, CV, and all associated records
- Call records: 3 years
- Audit log: 7 years (for legal defence and incident forensics)
7. Your rights
Under GDPR you have the right to:
- Access a copy of your personal data
- Rectify inaccurate data
- Erase your data (subject to legal obligations to retain certain records)
- Restrict or object to certain processing
- Receive your data in a portable format (JSON)
- Lodge a complaint with the Swedish supervisory authority IMY (Integritetsskyddsmyndigheten)
8. How to exercise your rights
Send a request to your account administrator or contact our Data Protection Officer at privacy@worklii.com (placeholder — to be confirmed). Include your worker code (SE…), full name, and the right you wish to exercise. We will respond within 30 days.
For data portability, we provide a JSON export endpoint that returns all data we hold about you. Contact your administrator to receive it, or — once worker login is enabled — request it directly from your profile.
9. Security
- All data is transmitted over TLS (HTTPS)
- Database access is gated by Row-Level Security policies enforcing organization isolation and role-based access
- Documents (passports, contracts) are stored in a private bucket; access uses signed URLs with a 15-minute expiry
- Audit logs record administrative actions for forensics
10. Changes to this notice
We will update this notice when our processing practices change. The "Last updated" date at the top will reflect the most recent version. Material changes will be communicated via email to account administrators.
11. Contact
Data Protection Officer (DPO): privacy@worklii.com (placeholder — to be confirmed)
For supervisory authority complaints: IMY, imy.se
This document is a draft. Final wording will be reviewed and approved by qualified legal counsel and the appointed Data Protection Officer before deployment with Swedish customers.