GDPR Compliance
Last updated: September 07, 2025
Introduction and Controller Information
BragiBuild (the "App") is developed and operated by Bragi AB. For the purposes of the General Data Protection Regulation (GDPR) (EU) 2016/679, Bragi AB acts as the data controller for personal data processed through the App. This privacy policy outlines how we collect, use, disclose, and protect your personal data in compliance with GDPR. We are committed to safeguarding your privacy and ensuring that all processing activities are lawful, fair, and transparent. This policy applies to all users of the App, including administrators, employees, and residents; we currently have approximately 100 users and expect to scale to up to 10,000 within the year. We commit to privacy by design, including periodic reviews as we grow.
By using the App, you consent to the practices described herein, subject to your GDPR rights.
Legal Basis for Processing
We process personal data based on the following lawful bases under GDPR Article 6:
- Consent: For optional features like push notifications.
- Contract: To fulfill user agreements, such as project management and time tracking.
- Legitimate Interests: For app functionality, security, and analytics (balanced against your rights).
- Legal Obligation: For compliance with applicable laws, e.g., record-keeping for audits.
We do not process special categories of data (e.g., biometrics), as such features are handled entirely on-device without our involvement.
What Personal Data We Collect
We collect only the minimum data necessary for the App's functionality (data minimization principle). Categories include:
Account and Authentication Data
User ID, name, email, phone number, role (admin/employee/resident), company ID, and authentication tokens. Collected during signup/login for secure access. Note that biometric authentication, if used, is processed entirely on your device and we do not collect, store, or transmit any biometric data.
Project and Usage Data
Project details (e.g., IDs, names, pipes, budgets, expenses, time entries, reports, contacts), resident information (e.g., apartment number, status), and interaction logs (e.g., event timestamps). Used for core features like calendar, pipes, and reports.
Device and Technical Data
Device ID, OS type, push tokens, IP address (anonymized), and usage analytics (e.g., app interactions). We also utilize session replay tools (e.g., LogRocket) to monitor app performance and debug issues by recording session interactions, which may be associated with your identity to facilitate troubleshooting and provide direct support. Collected for compatibility, security, and performance improvements.
Communication Data
Messages in chats, notifications, and reports (e.g., resident feedback). Processed for collaboration.
We do not collect location data, financial details beyond project budgets, or special categories of data unless explicitly provided and consented to. Biometric features, where available, operate locally on the device without any data transmission to our servers.
How We Use Your Data
Personal data is used to:
- Provide and maintain App services (e.g., project tracking, authentication).
- Improve functionality through analytics (anonymized where possible).
- Ensure security (e.g., fraud detection, access controls).
- Communicate updates, notifications, and support.
- Comply with legal requirements and resolve disputes.
We do not use data for automated decision-making that produces legal effects without human oversight.
Data Sharing and Transfers
We do not sell your data. Sharing occurs only:
- With service providers under strict contracts (GDPR Article 28).
- Within the App ecosystem (e.g., admins viewing employee/resident data for project needs, with role-based access).
- For legal reasons (e.g., court orders) or to protect rights/safety.
Data is stored in the EU (or equivalent secure regions) with safeguards for international transfers (e.g., Standard Contractual Clauses).
Data Retention
We retain data only as long as necessary:
- Account data: Until account deletion or 5 years post-last activity (for legal/statutory purposes).
- Project data: Duration of the project plus 7 years (for audits/compliance).
- Logs/analytics: 12-24 months, anonymized thereafter.
Upon expiry, data is securely deleted or anonymized. Backups are retained for 30 days for recovery purposes.
Your GDPR Rights
Under GDPR Chapter III, you have rights regarding your data. We facilitate these via the App or direct contact:
Right of Access (Art. 15)
Request confirmation of processing and a copy of your data.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten") (Art. 17)
Request deletion where no longer needed or consent withdrawn.
Right to Restriction (Art. 18)
Limit processing in cases of inaccuracy or objection.
Right to Data Portability (Art. 20)
Receive data in a structured format for transfer.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing.
Rights regarding Automated Decisions (Art. 22)
Challenge decisions based solely on automated processing.
Right to Withdraw Consent (Art. 7)
Withdraw consent at any time (does not affect prior processing).
To exercise rights, contact us below. We respond within one month (extendable to three for complex cases). No fees apply unless requests are excessive. You may complain to your local data protection authority (e.g., IMY in Sweden).
Data Protection Impact Assessments (DPIA)
For high-risk processing (e.g., resident data), we conduct DPIAs as required by GDPR Art. 35. Currently voluntary for our scale; mandatory assessments will be implemented upon reaching 1,000+ users or identified risks.
Data Security Measures
We implement appropriate technical and organizational measures to protect against unauthorized access, loss, misuse, or alteration (GDPR Art. 32). These include:
- End-to-end encryption for data in transit and at rest.
- Secure authentication methods, including device-based biometrics (processed locally without data collection) and multi-factor authentication for sensitive access.
- Regular security audits, vulnerability scans, and penetration testing.
- Role-based access controls (RBAC) to limit data visibility (e.g., residents see only their projects).
- Data pseudonymization/anonymization where feasible.
- Secure third-party integrations with GDPR-compliant contracts.
- Incident response plan: In case of a breach, we notify affected users and authorities within 72 hours (Art. 33-34).
Despite these measures, no system is impenetrable. We cannot guarantee absolute security but commit to notifying you promptly of any breaches affecting your data.
Children's Privacy
The App is not intended for children under 16. We do not knowingly collect data from minors without verifiable parental consent. If we become aware of such data, it will be deleted immediately.
Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Significant changes will be notified via the App or email. Continued use after updates constitutes acceptance.
Contact Information
For GDPR inquiries, rights exercises, or concerns, contact the Data Protection Officer:
Bragi AB (Data Controller)
Email: support@bragi.se
Location: Stockholm, Sweden
We aim to respond within 30 days. For EU users, you may also contact your local supervisory authority.
Our Commitment
At BragiBuild, protecting your data is paramount. We are dedicated to GDPR compliance and continuously review our practices to mitigate risks like data loss, hacks, or mishaps as we scale. Thank you for trusting us with your information.
