Privacy Policy

BEEZEE

Last updated: May 2026

Version: 1.0

This document constitutes the joint privacy notice issued by both joint controllers under Article 26(2) GDPR. Previous versions are available on request.


1. Who We Are and Our Role

BEEZEE is a workforce management platform developed and operated jointly by:

("we", "us", "our"). We provide mobile tools that help businesses manage employee shifts, tasks, breaks, and inventory.

Contact details:

1.1 Our role depends on whose data we process

1.2 Joint-controller arrangement (Art. 26 GDPR — essence)

Ivan Melchenko and Andrei Rabeshka have agreed in writing on the allocation of their respective GDPR responsibilities. The essence of that arrangement is:

The full arrangement is available on request.

1.3 Data Protection Officer

We have assessed Article 37 GDPR and concluded that we are not required to designate a Data Protection Officer. All data protection enquiries should be sent to the email above.

1.4 Children

The Service is intended for use in a professional employment context and is not directed at persons under 16. We do not knowingly collect or process personal data of persons under 16. If you believe we have inadvertently done so, please contact us so that we can delete the data.


2. What Data We Collect

We collect the following categories of personal data. Where we process this data on behalf of your employer, we do so only on the employer's documented instructions:

Category Data Why We Need It
Account data First name, last name, email address To create and manage your account
Authentication data Password (stored only as a cryptographic hash — we never store your actual password), access and refresh tokens To verify your identity and keep you logged in
Work activity data Shift start and end times, break start and end times, break duration, working time calculations, shift status To record your working hours and support labour-law compliance
Task data Task assignments, completion timestamps, task status, task notes, task comments To manage and track work tasks
Photos Task completion proof photos, task description photos, and inventory request photos (from your camera or photo library) To provide visual documentation of completed work
Scheduled shifts Planned work dates, start and end times, notes, draft/published status To plan employee work schedules in advance
Inventory requests Item name, description, notes, category, priority, attached photos To allow employees to request supplies
Notifications Notification messages (may include task names and colleague names) To deliver real-time alerts about assignments and schedule changes
Device data Push notification token, device platform (iOS or Android) To send push notifications to your device
Preferences Language setting (English, Polish, or Ukrainian) To display the app in your preferred language
Audit data Timestamps and user identifiers recording who created or last modified each record To maintain accountability and security
Server/technical logs IP address, request timestamps, HTTP headers Security monitoring, abuse prevention, debugging

Note: Aggregated statistics shown to Managers (e.g. shift summaries, task completion rates) are derived from the personal data listed above. The derivation step — computing aggregates from individual records — is itself a processing activity covered by this notice.


3. Why We Collect Your Data (Legal Basis)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

Contract performance (Article 6(1)(b)) Most of the data we collect is necessary to provide the workforce management service you or your employer signed up for. This includes: account data, authentication data, work activity data, task data, scheduled shifts, inventory requests, and your language preference.

Legal obligation (Article 6(1)(c)) Shift and break records are also processed to comply with labour-law requirements for working-time record-keeping.

Legitimate interest (Article 6(1)(f)) We rely on legitimate interest for the following processing activities, pursuing the specific interests indicated:

We have carried out a balancing test for each of these interests and concluded that they are not overridden by your interests, rights and freedoms. You may object to processing based on legitimate interest at any time — see Section 7.

Consent (Article 6(1)(a)) We do not currently rely on consent as a legal basis. If we ever ask for your consent for a specific processing activity, you will be able to withdraw it at any time, with effect for the future, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR).

Contract acceptance mechanism: When a new user first logs in to the Service, they are presented with a mandatory acceptance screen requiring them to confirm acceptance of the Terms of Use and this Privacy Policy via a checkbox before accessing any features. This constitutes contractual acceptance — the legal basis for the processing described in this Section is contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)), not consent within the meaning of Art. 6(1)(a) GDPR.

Whether providing data is required

Providing the data listed in Section 2 is a contractual requirement necessary to use the Service. If you do not provide it, your employer will not be able to create an account for you on the platform and you will not be able to use the Service. Providing shift and break data is additionally a statutory requirement to the extent your employer is obliged to keep working-time records under Polish labour law.

No automated decision-making or profiling

We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. We do not engage in profiling of users. Statistics shown to your Manager are descriptive aggregates only.

Source of data

If you are an employee, your account data (name, email, role) is generally provided to us by your employer (the Manager). All other data is generated by your use of the Service. This satisfies our information obligation under Article 14 GDPR.


4. Recipients and Processors of Your Data

We engage the following categories of recipients. Where the recipient acts on our behalf under documented instructions, they are our processor within the meaning of Article 4(8) GDPR; otherwise they are an independent recipient.

Recipient Role What They Receive Why
Your employer (manager) Independent controller Your work activity data — shifts, breaks, tasks, task photos, inventory requests Managers use this data to operate the business and manage employee work
Microsoft Azure Processor (sub-processor) All platform data (database records, uploaded files) Provides the managed cloud database, object storage, compute and secrets-management services that host the Service
Apple (APNs) Processor (sub-processor) Device token, notification title and body text To deliver push notifications on iOS devices
Google (FCM) Processor (sub-processor) Device token, notification title and body text To deliver push notifications on Android devices

Access to personal data within BEEZEE is limited to personnel who need it to provide or maintain the Service and is controlled by role-based access controls.

We do not sell your personal data to any third party. We do not use any third-party analytics, advertising, or crash-reporting services.


5. International Data Transfers

Our cloud infrastructure is deployed in an EU region. Your primary data (database records and uploaded files) is stored and processed within the European Union/European Economic Area.

Some sub-processor support, monitoring or maintenance personnel may be located outside the EEA. Any such access is limited, logged and protected by the contractual safeguards listed below (in particular Standard Contractual Clauses incorporated into the relevant data processing agreements). A copy of the safeguards in place is available on request from biznest.platform@gmail.com.

Push notifications require transferring a limited amount of data to the United States:

Recipient Safeguard
Apple (APNs) Apple's Data Processing Agreement; EU–US Data Privacy Framework certification
Google (FCM) Google Cloud Data Processing Amendment; EU–US Data Privacy Framework certification; Standard Contractual Clauses
Microsoft Azure Microsoft Products and Services Data Protection Addendum (DPA); EU-approved Standard Contractual Clauses. Routine data processing takes place in an EU region; access from outside the EEA is limited to support and maintenance and is covered by the same safeguards.

6. How Long We Keep Your Data

Data Retention Period How It Is Deleted
Account data Until you or your manager requests deletion Manager removes the user account, or you contact us directly
Access tokens 24 hours Automatically expire
Refresh tokens 7 days Automatically expire; also invalidated immediately on logout
Shifts and breaks For the duration of the contract with the employer (Manager) Deleted at the end of the contract or upon the employer's request. Compliance with Polish labour law record-keeping obligations is the responsibility of the employer (Manager) as data controller. In particular, art. 94 pkt 9b of the Kodeks pracy requires employers to retain employment and working-time records for up to 10 years from the end of the employment relationship (for employees hired on or after 1 January 2019; earlier transitional rules may apply to other employment).
Tasks and task photos Until the task is deleted by a manager, or 12 months after the photo was uploaded (whichever is earlier) Manager deletes the task; or photos are automatically purged 12 months after upload
Task comments Until the parent task is deleted Deleted together with the task
Notifications 12 months from delivery, or until deletion is requested (whichever is earlier) Automatically purged after 12 months; can be deleted earlier on request
Scheduled shifts 3 years from the planned shift date Manager can delete individual scheduled shifts; otherwise purged after 3 years
Inventory requests 3 years from creation Manager can delete individual requests; otherwise purged after 3 years
Device push tokens Until you log out or the token is rejected by Apple/Google Automatically removed on logout; stale tokens are cleaned up when the notification service rejects them
Audit trail Same as the parent record Deleted when the parent record is deleted
Server/technical logs 90 days from collection Automatically purged after 90 days
Local device data Until you log out or uninstall the app All local data is cleared automatically on logout
Language preference Lifetime of your account Deleted when your account is removed

We keep your data only for as long as it is needed for the purposes described in this policy or as required by applicable law. The retention periods above are maximum periods — data may be deleted earlier where a deletion request can lawfully be honoured.

Where data is included in platform backups, it will be removed from backups in the ordinary course of the backup retention cycle, which does not exceed 90 days. Upon account termination, data is retained for 90 days from the contract expiration date to allow for reactivation or data export. After 90 days without reactivation, data is permanently deleted from primary systems, consistent with Section 4.3 of our Terms of Use. Data held in existing backups at the time of deletion will be removed as those backups expire, within the same 90-day maximum.


7. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access (Article 15) You can view your own profile, shifts, tasks, and notifications through the app. You may also request a complete copy of all personal data we hold about you by contacting us.

Right to rectification (Article 16) If your personal data is incorrect or outdated, you may request correction by contacting your manager or by contacting us directly.

Right to erasure — "right to be forgotten" (Article 17) You can request deletion of your account and associated personal data by contacting us. Some data may be subject to legal retention obligations applicable to your employer under Polish labour law (Kodeks pracy, art. 94 pkt 9b in conjunction with art. 94⁵). In such cases, we will process deletion requests in accordance with the instructions of the employer acting as the data controller. We will inform you if any of your data cannot be deleted for this reason.

Right to restrict processing (Article 18) You can request that we limit how we use your data. Account deactivation effectively restricts processing by preventing further access.

Right to data portability (Article 20) You have the right to receive your personal data in a structured, commonly used, machine-readable format. Contact us to request a data export.

Right to object (Article 21) You have the right to object, on grounds relating to your particular situation, to processing based on legitimate interest (such as audit logs, notifications, photos and aggregated statistics). Following an objection, we will cease the processing unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or unless the processing is necessary for the establishment, exercise or defence of legal claims.

Right to object to direct marketing (Article 21(2)) You have an unconditional right to object at any time to the processing of your personal data for direct marketing purposes, including any profiling carried out for direct marketing. This right is absolute — it cannot be balanced against our interests — and we will cease such processing immediately upon receipt of your objection. We do not currently carry out direct marketing, but this right applies immediately if we do so in the future.

Right to withdraw consent (Article 7(3)) Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint If you believe your data protection rights have been violated, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO — Urząd Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland, or with the supervisory authority in your country of residence.

How to exercise your rights: Contact us at biznest.platform@gmail.com. We will respond within one month of receiving your request. In the case of complex or numerous requests, this period may be extended by a further two months; if so, we will notify you within one month of receiving your request and explain the reason for the extension (Art. 12(3) GDPR). To protect your privacy, we may need to verify your identity before fulfilling a request.


8. Security Measures

We implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, in line with Article 32 GDPR. These include in particular:

Encryption

Authentication and access control

Operational security

Personal data breach notification

Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR. Where we act as a processor on behalf of your employer, we will notify the employer (controller) without undue delay after becoming aware of a breach so that they can comply with their notification obligations. Where required by GDPR Article 33, we will notify the relevant supervisory authority (UODO) within 72 hours of becoming aware of a breach.


9. Local Storage on Your Device

The BEEZEE mobile app stores limited data locally on your device using secure device storage (not browser cookies). The push notification SDKs (Apple APNs, Google FCM) assign a device-level push token used solely to deliver notifications; we do not use any advertising identifiers, analytics SDKs, or third-party tracking technologies. Local storage covers, in particular: authentication tokens (to keep you logged in), basic profile and session information, the language setting, a short-lived cache of recently viewed content, and an offline action queue. The offline action queue is cleared on logout along with all other local data.

All local data is cleared when you log out. You can disable push notifications at any time in your device's operating system settings.


10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons.

When we make significant changes, we will notify you through the app. We encourage you to review this policy periodically.

The date at the top of this policy indicates when it was last updated.


11. Language Versions

This Privacy Policy is provided in English, Polish, and Ukrainian. For customers located in Poland, the Polish version is the governing version and shall prevail in case of any inconsistencies between language versions. For all customers outside Poland, the English version is the governing version and shall prevail in case of any inconsistencies between language versions. For Customers who are consumers or quasi-consumers under Polish law, in the event of any inconsistency between language versions, the interpretation most favourable to the consumer shall apply, and nothing in this clause deprives such Customers of any protection afforded by mandatory provisions of Polish consumer protection law.