Privacy Policy
Last updated: March 8, 2026
1. Controller
The controller of personal data is the organization using the SubPRO platform to manage its employees and projects (the "controller"). The SubPRO platform provider acts as a data processor within the meaning of Art. 28 GDPR.
2. What data we process
- Identification data: first name, last name, date of birth, permanent address
- Contact data: phone number, email address
- Documents: ID card, driver's license, health insurance certificate, A1 forms
- Work data: hours worked, team assignment, project allocation
- Technical data: login credentials, IP address (only with cookie consent)
3. Purpose and legal basis for processing
| Purpose | Legal basis |
|---|---|
| Worker records and timesheets | Performance of contract (Art. 6(1)(b) GDPR) |
| Scanning and OCR analysis of documents | Consent of the data subject (Art. 6(1)(a) GDPR) |
| Error monitoring and application security | Legitimate interest (Art. 6(1)(f) GDPR) |
| Tax and labour-law records | Legal obligation (Art. 6(1)(c) GDPR) |
4. Data recipients (sub-processors)
| Service | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database, authentication, storage | EU (Ireland) |
| Google Gemini API | OCR document analysis | EU/US (DPF) |
| Sentry | Error monitoring | EU/US (DPF) |
| Vercel | Application hosting | EU |
DPF = EU-US Data Privacy Framework
5. Retention period
- Personal data of active workers: for the duration of the employment relationship
- Documents after end of cooperation: deleted within 30 days
- Timesheets: 10 years (legal obligation — tax law)
- Technical logs: maximum 1 year
6. Your rights
As a data subject you have the following rights under the GDPR:
- Right of access (Art. 15) — obtain a copy of your data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of data
- Right to data portability (Art. 20) — receive data in a structured format
- Right to restriction of processing (Art. 18)
- Right to object (Art. 21) — object to processing
- Right to withdraw consent — at any time without giving reasons
7. Data security
- Data encryption in transit (TLS) and at rest (AES-256)
- Data isolation between organizations (Row Level Security)
- Role-based access control (RBAC)
- Automatic removal of personal data from error reports
- Audit log of all changes
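The "data isolation between organizations (Row Level Security)" control above is the one readers most often ask how it actually works. The following is an added illustration, not SubPRO's own schema or policy: a PostgreSQL Row Level Security setup (the database Supabase provides) that confines every query to the caller's organization. The table, the `app_user` role and the `app.organization_id` session setting are assumptions made for the example; on Supabase the organization would normally be read from a verified JWT claim instead of a session variable.

```sql
-- Added example (not SubPRO's own schema): per-organization row isolation with
-- PostgreSQL Row Level Security, the mechanism section 7 names. Table, role,
-- column and setting names are assumptions for illustration. Run as the
-- database owner / superuser.

create table workers (
    id               bigserial primary key,
    organization_id  uuid    not null,
    first_name       text    not null,
    last_name        text    not null,
    hours_worked     numeric not null default 0
);

-- Role the application connects with. It owns nothing, so policies apply to it.
create role app_user nologin;
grant select, insert, update, delete on workers to app_user;
grant usage, select on sequence workers_id_seq to app_user;

-- ENABLE turns RLS on for ordinary roles; FORCE also applies it to the table
-- owner. Without FORCE, migrations and admin scripts running as the owner
-- bypass every policy, which is the classic way tenant isolation silently
-- fails.
alter table workers enable row level security;
alter table workers force row level security;

-- The tenant is taken from a session variable the application sets after
-- authentication (assumption). current_setting(..., true) returns NULL when
-- the variable was never set and '' after a RESET; nullif() maps both to
-- NULL so the comparison yields no rows instead of raising a cast error.
create policy workers_tenant_isolation on workers
    for all
    to app_user
    using (organization_id
           = nullif(current_setting('app.organization_id', true), '')::uuid)
    with check (organization_id
           = nullif(current_setting('app.organization_id', true), '')::uuid);

-- Constructed sample data for two organizations.
insert into workers (organization_id, first_name, last_name, hours_worked) values
    ('11111111-1111-1111-1111-111111111111', 'Anna',  'Novak',  160),
    ('22222222-2222-2222-2222-222222222222', 'Peter', 'Horvat', 120);

-- Session acting for organization 1: only organization 1's rows are visible.
set role app_user;
set app.organization_id to '11111111-1111-1111-1111-111111111111';
select first_name, last_name, hours_worked from workers;

-- Writing a row that belongs to another organization is rejected by the
-- WITH CHECK clause, so a bug in the application cannot cross tenants.
insert into workers (organization_id, first_name, last_name)
    values ('22222222-2222-2222-2222-222222222222', 'Eve', 'Mallory');

-- With no tenant set, the policy compares against NULL and returns no rows
-- rather than every row.
reset app.organization_id;
select count(*) from workers;

reset role;
```

Two checks worth running against any such setup: confirm with `select relforcerowsecurity from pg_class where relname = 'workers'` that FORCE is on, and confirm that the value the policy keys on cannot be chosen by the client. In this example `app_user` could itself issue `set app.organization_id`, so the isolation is only as strong as the application code that sets it from the authenticated identity; deriving it from a server-verified JWT claim, as Supabase's `auth.jwt()` does, removes that dependency.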
8. Contact
If you have questions about personal data processing or wish to exercise your rights, contact us at the email address listed in your contract or contact your organization's administrator.
You also have the right to lodge a complaint with the relevant supervisory authority in your country.