Privacy Policy
Last updated: September 07, 2025
Introduction
Welcome to BragiBuild (the "App"), a mobile application developed and operated by Bragi AB. We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the App. It also describes your rights under the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable privacy laws.
For GDPR purposes, Bragi AB acts as the data controller. This policy applies to all users, including administrators, employees, and residents, with our current user base of approximately 100 individuals, expected to scale to up to 10,000 within the year. By using the App, you consent to the practices described here, subject to your privacy rights.
Information We Collect
We collect only the personal data necessary to provide and improve the App's services (principle of data minimization). The types of information we collect include:
Account and Authentication Data
Information you provide during registration or login, such as your name, email address, phone number, user role (e.g., admin, employee, resident), company or organization ID, and authentication tokens to secure your sessions. Note that biometric authentication, if used, is processed entirely on your device and we do not collect, store, or transmit any biometric data.
Project and Usage Data
Data related to your interactions with the App, including project details (e.g., IDs, names, budgets, expenses, time entries, pipes, reports, and contacts), resident information (e.g., apartment numbers, status), calendar events, chat messages, and interaction logs (e.g., timestamps of actions). This helps enable core features like project management, time tracking, and collaboration.
Device and Technical Data
Automatically collected information about your device and usage, such as device ID, operating system, app version, push notification tokens, anonymized IP address, and analytics data (e.g., features used, time spent in the App). We also use session replay tools (e.g., LogRocket) to record session interactions, which may be linked to your user account to help us reproduce bugs, provide targeted support, and improve user experience. This is used for compatibility, security, and performance optimization.
Communication Data
Information from in-app communications, such as messages in chats, notifications, and feedback in reports. This supports collaboration and support features.
We do not collect sensitive personal data (e.g., health information, location data, biometric data, or financial details beyond project budgets) unless you explicitly provide it and consent to its processing. Biometric features, where available, operate locally on the device without any data transmission to our servers. Cookies or similar technologies are used minimally for essential functions, in line with our cookie policy (if applicable).
How We Use Your Information
We use your personal data for legitimate business purposes, always in compliance with GDPR. Specific uses include:
- To provide, maintain, and improve the App's services, such as project tracking, calendar management, and time registration.
- To authenticate users and ensure secure access (e.g., via device-based biometrics or multi-factor authentication, without collecting biometric data).
- To enable features like notifications, chats, and reports for better collaboration.
- To analyze usage patterns (anonymized where possible) to enhance functionality and user experience.
- To detect, prevent, and respond to security issues, fraud, or technical problems.
- To communicate with you about updates, support requests, or service changes.
- To comply with legal obligations, such as record-keeping for audits or dispute resolution.
We do not use your data for automated decision-making that has legal effects on you without human review, nor for marketing purposes without your consent.
Legal Basis for Processing
Our processing of personal data is based on the following GDPR lawful bases (Article 6):
- Consent: For optional features like push notifications.
- Contract: To perform our agreement with you, such as delivering App services (e.g., project management).
- Legitimate Interests: For essential operations like security, analytics, and service improvements, balanced against your rights.
- Legal Obligation: To meet regulatory requirements, e.g., data retention for compliance.
We do not process special categories of data (e.g., biometrics), as such features are handled entirely on-device without our involvement.
Sharing and Disclosure of Your Information
We do not sell your personal data. We may share it only in limited circumstances:
- With service providers who act as processors under strict GDPR-compliant contracts (Article 28).
- Within the App's ecosystem, such as administrators accessing employee or resident data for project purposes, governed by role-based access controls.
- For legal reasons, such as responding to court orders, government requests, or to protect our rights, safety, or property.
- In the event of a business transfer (e.g., merger or acquisition), with notice to you.
Data is stored within the European Union (or equivalent secure regions). For any international transfers, we use safeguards like Standard Contractual Clauses to ensure adequate protection.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- Account and authentication data: Until you delete your account or for up to 5 years after your last activity, to comply with legal requirements.
- Project and usage data: For the duration of the relevant project plus 7 years, for audit and compliance purposes.
- Device and analytics data: 12-24 months, after which it is anonymized or deleted.
When data is no longer needed, it is securely deleted or anonymized. Backups are kept for up to 30 days for recovery.
Your Privacy Rights
You have important rights under GDPR and applicable laws regarding your personal data. These include:
Right of Access (Art. 15)
Request confirmation of whether we process your data and access a copy of it.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your data when it's no longer needed or consent is withdrawn.
Right to Restriction (Art. 18)
Restrict processing in certain cases, such as while contesting accuracy.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format for transfer to another service.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing.
Rights Regarding Automated Decisions (Art. 22)
Challenge decisions made solely by automated means.
Right to Withdraw Consent (Art. 7)
Withdraw consent at any time, without affecting prior lawful processing.
To exercise these rights, contact us using the details below. We will respond within one month (extendable to three months for complex requests). Requests are free unless manifestly unfounded or excessive. You also have the right to lodge a complaint with your local data protection authority, such as the Swedish Authority for Privacy Protection (IMY).
Data Security
We prioritize the security of your personal data and implement appropriate technical and organizational measures to protect it from unauthorized access, loss, alteration, or disclosure (GDPR Article 32). These include:
- Encryption of data in transit (HTTPS) and at rest.
- Secure authentication methods, including device-based biometrics (processed locally without data collection) and role-based access controls.
- Regular security audits, vulnerability assessments, and penetration testing.
- Pseudonymization and anonymization techniques where possible.
- GDPR-compliant agreements with third-party processors.
- A breach response plan, including notifications to you and authorities within 72 hours if required (Articles 33-34).
While we strive for robust protection, no system is completely secure. In the event of a data breach, we will notify affected users promptly.
Children's Privacy
The App is not intended for use by children under 16 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected such data without verifiable parental consent, we will delete it immediately.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via the App, email, or in-app notifications. Your continued use of the App after such changes constitutes acceptance.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or need further information, please contact our Data Protection Officer:
Bragi AB (Data Controller)
Email: support@bragi.se
Location: Stockholm, Sweden
We aim to respond to your inquiries within 30 days.
Our Commitment to You
At BragiBuild, your privacy is a top priority. We are dedicated to transparent and responsible data practices as we grow our services. Thank you for choosing BragiBuild.
