Krafta Hugbúnaðarlausnir ehf. — workforce management application ("Krafta", the "App").
1. Introduction
Krafta Hugbúnaðarlausnir ehf. ("Krafta", "we", "us", or "our"), registration number (kennitala) 6606250110, Gauksríma 21, 800 Selfoss, Iceland, provides a workforce management application that organizations use to manage time tracking, scheduling, projects, and leave for their workforce.
This Privacy Policy explains how we process personal data in connection with the App. We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR"), as incorporated into the EEA Agreement, and the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018.
2. Our role: controller and processor
Krafta accounts are provided to you by an organization (your employer or another entity you work for — the "Organization"). You cannot create an account yourself within the App.
- For most data you enter or generate while using the App on behalf of your Organization (for example time entries, work locations, work items, attachments, and leave records), your Organization is the data controller and Krafta acts as a data processor on the Organization's behalf, under a data processing agreement. The Organization's own privacy notice also applies, and you should direct requests about that data to your Organization in the first instance.
- For a limited set of data where we determine the purposes and means of processing — such as account authentication, security, and diagnostic/crash information used to keep the App working — Krafta is the data controller.
This Policy describes both roles. Where we act only as a processor, we act on the documented instructions of your Organization.
3. The personal data we process
- Account and identity data — your email address, a unique user identifier, and authentication credentials (your password is stored only in irreversibly hashed form).
- Profile data — your name and, if provided, a profile photo.
- Time and attendance data — clock-in/clock-out times, breaks, and associated work allocations.
- Precise location data (GPS) — when you clock in or out, the App records your device's precise location at that moment and sends it to our backend so your Organization has an accurate record of where work was performed. Location is collected only in the foreground, at the time of a clock-in/out action — the App does not track your location in the background or continuously.
- Work content — work items, comments, and photo and video attachments you add.
- Leave data, including health information — leave requests and, for certain types of leave (such as sick leave), medical or doctor's certificates that you or your Organization upload. Certificates may contain health information, which is a special category of personal data (see section 5).
- Device and notification data — a push notification token (provided by the operating system / Firebase Cloud Messaging) so we can deliver notifications.
- Diagnostic data — crash reports and performance/error data (technical event information, app state, and your user identifier) used to detect and fix problems.
- Support communications — information you provide when you contact us.
Data we do NOT collect
We do not collect advertising identifiers (IDFA/GAID), we do not carry out advertising or behavioural tracking, and we do not collect analytics on your in-app behaviour, your contacts, your browsing history, or financial information.
4. Purposes and legal bases
We process personal data for the following purposes, on the following legal bases under Article 6 of the GDPR:
- Providing the App and your account (account, identity, profile data) — performance of a contract (Art. 6(1)(b)) and the legitimate interests of Krafta and your Organization in operating the service (Art. 6(1)(f)).
- Time tracking, scheduling, projects, and payroll records (time & attendance, work content) — based on your employment/engagement relationship and your Organization's legal obligations and legitimate interests (Art. 6(1)(b), (c), (f)), as determined by your Organization.
- Recording where work is performed (precise location at clock-in/out) — your Organization's legitimate interests in accurate records (Art. 6(1)(f)) and, where applicable, your consent given through the operating-system location permission (Art. 6(1)(a)).
- Delivering notifications (push token) — legitimate interests (Art. 6(1)(f)) and device-level consent via the OS prompt.
- Keeping the App secure, stable, and working (diagnostic/crash data) — our legitimate interests (Art. 6(1)(f)).
- Responding to your support requests — our legitimate interests (Art. 6(1)(f)).
5. Special category data (health information)
Where you or your Organization upload medical certificates in connection with sick leave or similar absence, this may include health data, a special category of personal data under Article 9 of the GDPR. Such data is processed only where necessary for carrying out obligations and exercising rights in the field of employment and social security law (Article 9(2)(b) GDPR), as determined and instructed by your Organization, or on another lawful Article 9 basis. Health information is access-restricted and handled with additional care.
6. How we collect personal data
We collect personal data: (a) directly from you when you use the App; (b) from your Organization, which provisions your account and may enter data about you; and (c) automatically from your device (for example diagnostic data and, at the moment of a clock-in/out, location).
7. Recipients and sub-processors
We share personal data only as necessary to provide the App, with the following categories of recipients, who act as processors under contract:
- Your Organization and its authorized administrators.
- Cloud hosting — our backend and data are hosted on Hetzner Online GmbH, in data centres located within the European Economic Area (Germany and Finland).
- Mapbox (maps and geocoding) — receives location/coordinate data to render maps. Mapbox is based in the United States.
- Google / Firebase — Firebase Cloud Messaging (push delivery) and Crashlytics (native crash reporting). Google is based in the United States.
- Sentry — error and performance monitoring, hosted in the European Union (we transmit a user identifier only, with personal data minimized and request headers scrubbed).
We do not sell personal data.
8. International transfers
Where recipients are located outside the EEA (for example Mapbox and Google/Firebase in the United States), transfers are protected by appropriate safeguards, primarily the European Commission's Standard Contractual Clauses, together with supplementary measures where required. Sentry processing takes place within the EU. You may request more information about these safeguards using the contact details below.
9. Retention
- Account and profile data — retained while your account is active. When your Organization deactivates your account, data is retained only as long as necessary to meet legal and operational obligations, then deleted or anonymized.
- Time, attendance, location, and work records — retained according to your Organization's instructions and applicable employment, tax, and accounting law. Records subject to Icelandic bookkeeping obligations (Act on Bookkeeping No. 145/1994) are generally retained for 7 years.
- Leave and health certificates — retained only as long as necessary for the employment/social-security purpose and applicable law, then deleted.
- Diagnostic/crash data — retained for a limited period for security and reliability, then deleted.
10. Your rights
Subject to the GDPR, you have the right to: access your personal data; have inaccurate data rectified; have data erased; restrict or object to processing; data portability; and, where processing is based on consent, to withdraw consent at any time. These rights are subject to legal exceptions.
Because your Organization is the controller of most work-related data, please direct requests about that data to your Organization; we will assist them as their processor. For data where Krafta is the controller (account, security, diagnostics), contact us at support@krafta.is.
Account creation and closure are managed by your Organization's administrators. If you want your account closed or your data erased, contact your Organization or us at support@krafta.is.
You also have the right to lodge a complaint with the Icelandic Data Protection Authority, Persónuvernd (personuvernd.is), or your local supervisory authority.
11. Security
We protect personal data with appropriate technical and organizational measures, including encryption in transit, encrypted on-device storage of credentials and tokens, access controls, and restricted handling of sensitive data. No system is perfectly secure, but we work to protect your data and to respond promptly to any incident.
12. Children
The App is a workplace tool intended for use by working individuals and is not directed at children.
13. Automated decision-making
We do not use your personal data for automated decision-making that produces legal or similarly significant effects, nor for profiling.
14. Changes to this Policy
We may update this Policy from time to time. The current version and its publication date are shown wherever this Policy is published. Material changes will be communicated as appropriate.
15. Contact
Krafta Hugbúnaðarlausnir ehf.
Gauksríma 21, 800 Selfoss, Iceland
Reg. no. (kt.) 6606250110
Email: support@krafta.is