Privacy Policy
Last updated: 15 May 2026 | Version: 1.1.1
1. Introduction
POWERENT Ltd. ("we", "us", "our") operates the Helionix platform – a software-as-a-service solution for construction project management, workforce management, and task coordination.
We respect your privacy and are committed to protecting your personal data in accordance with:
- General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 of the European Parliament and of the Council
- Bulgarian Personal Data Protection Act (ЗЗЛД)
This Privacy Policy explains what personal data we collect, the purposes for which we process it, and your rights as a data subject.
2. Who is the data controller?
POWERENT Ltd.
Tax ID (EIN): 202432231
VAT Registration No.: BG202432231
Registered office: Galabovo 6280, 4 Panayot Hitov Str, Bulgaria
Managing Director: Dilyana Simeonova Ilieva
Email: info@powerent-ltd.com
3. What personal data do we collect?
3.1 For Organizations (B2B Clients)
- Legal entity name
- Registered business address
3.2 For system users
- First and last name
- Email address
- Position/role in organization
- Password (hashed, not stored in plain text)
3.3 For construction site workers
- First and last name
- Phone number
- Specialty/profession
- Hourly rate
3.4 Platform Usage Data
- Working hours: clock-in and clock-out timestamps (check-in/check-out)
- Geolocation data: collected ONLY at the time of check-in/check-out for the purpose of verifying the worker's presence at the designated work site. GPS coordinates are not used for continuous tracking and are not stored as a standard server attendance record – they are processed for validation and may be held temporarily on the device or pending synchronization in offline mode until validation or cleanup is completed.
- Device identifier: An encrypted unique identifier used to associate one worker with one device
- IP address: Logged in audit records for security and action tracking purposes
4. Why do we process your data?
| Data type | Legal basis |
|---|---|
| Name, email, phone | Contract (Art. 6(1)(b) GDPR) – necessary for the performance of a contract |
| Working time | Contract, legitimate interest, and/or legal obligation (Art. 6(1)(b)(c)(f) GDPR), depending on the Controller's use case and applicable employment law |
| GPS coordinates | Legitimate interest (Art. 6(1)(f) GDPR) and/or consent or worker notice where required by applicable law or the Controller's policy |
| Device ID | Legitimate interest (Art. 6(1)(f) GDPR) – fraud prevention and security |
| IP addresses | Legitimate interest (Art. 6(1)(f) GDPR) – audit trail and security monitoring |
How We Use Your Data
We process your personal data for the following purposes:
- Project Management – creation and tracking of construction projects, tasks, and phases
- Time Tracking – recording check-in/check-out times to calculate worked hours and wages
- GPS Location Validation – verifying that workers are at the correct work site at check-in/check-out
- Security and Fraud Prevention – device binding, IP logging, and audit trails to prevent unauthorized access
- Communication – sending service notifications, system alerts, and important updates
- Billing and payments – subscription management, payment status, invoices, tax/VAT handling, and billing support. Payment card data is handled by Stripe and is not stored by Helionix.
- Analytics and Improvement – aggregated or technical telemetry used to improve platform performance only when the relevant analytics/performance feature is enabled.
How We Protect Your Data
We implement industry-standard security measures to protect your personal data:
Technical Measures
- HTTPS/TLS – all data in transit is encrypted using TLS 1.3
- Password Hashing – passwords are hashed using bcrypt with salting
- Data at Rest Encryption – database encryption using AES-256
- Row Level Security (RLS) – strict tenant isolation in the database
- Secure Cookies – HttpOnly, Secure, SameSite attributes on all cookies
- Rate Limiting – protection against brute-force and DDoS attacks
Organizational Measures
- Access Control – role-based access control (RBAC) with least privilege principle
- Audit Logging – all sensitive operations are logged for accountability
- Regular Backups – automated daily backups with encryption
- Incident Response – documented procedures for security incident handling
5. Who do we share data with?
We DO NOT sell, rent, or trade your personal data. We share personal data only with trusted providers that are necessary to operate, secure, bill, and support the Helionix platform:
| Provider | Service | Status / transfer | GDPR |
|---|---|---|---|
| Supabase Inc. | Database hosting & authentication | EU West (Frankfurt) | ✅ SCCs |
| Vercel Inc. | Application hosting | Active; Vercel infrastructure locations | ✅ SCCs |
| Stripe | Subscriptions, checkout, payments, invoices, tax/VAT evidence | Active; Stripe acts as processor and/or controller depending on the activity | ✅ DPA / transfer mechanisms |
| Resend | Transactional email, notifications, DSAR confirmations, billing and partner messages | Active; email infrastructure and listed subprocessors | ✅ DPA / subprocessor list |
| Vercel Analytics / Speed Insights | Website analytics and performance telemetry | Conditional; used only when explicitly enabled | ✅ Vercel DPA |
| Google reCAPTCHA | Anti-abuse checks for public/auth forms | Conditional; used only when reCAPTCHA keys are configured | ✅ Google terms where applicable |
| Mapbox | Map and geofence UI when Mapbox is configured | Conditional | ✅ Subprocessor terms |
| Upstash Redis | Rate limiting and abuse prevention when Redis is configured | Conditional | ✅ DPA |
Subprocessor updates: The current Subprocessor List is available at /en/subprocessors. We will provide appropriate notice before material additions or replacements of active subprocessors where required by the DPA or applicable law.
List last updated: 15 May 2026
6. Your rights
Under the GDPR, you have the following rights with respect to your personal data:
- Right of Access (Art. 15) – to obtain a copy of your personal data
- Right to Rectification (Art. 16) – to correct inaccurate or incomplete data
- Right to Erasure (Art. 17) – "Right to be Forgotten"
- Right to Data Portability (Art. 20) – to receive your data in a structured, machine-readable format (JSON/CSV)
- Right to Object (Art. 21) – to object to certain types of processing
How to Exercise Your Rights
Email: info@powerent-ltd.com
Online form: /en/privacy/request
Response timeframe: Within thirty (30) days from receipt of your request, in accordance with Article 12(3) of the GDPR
7. Cookies
By default, and without optional cookie-banner permission, we use only strictly necessary cookies required for the platform to function:
| Cookie | Purpose | Retention period |
|---|---|---|
| auth-token | Authentication | 30 days |
| device-id | Device binding | 1 year |
| worker-session | Worker session | Until logout |
Note: Consent is not required for strictly necessary cookies pursuant to GDPR Recital 30 and the ePrivacy Directive.
If Google reCAPTCHA or analytics/performance telemetry is enabled, it is loaded only after cookie-banner permission, and additional browser, device, interaction, IP, or performance signals may be processed by the relevant provider as described in the Subprocessor List and applicable provider terms.
Data Retention Periods
We retain personal data only for as long as necessary for the purposes set out in this policy, in compliance with GDPR Article 5(1)(e) - Storage Limitation Principle:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| User account data | Until account deletion | Contract |
| Attendance records | 5 years | Bulgarian Labor Code |
| GPS coordinates | Standard server record: not stored after validation; offline/pending sync: temporarily until validation or cleanup | Data minimization |
| Security logs | 2 years | Legitimate interest |
| Notifications | 90 days | Operational necessity |
| Login attempts | 90 days | Security |
| Session data | 30 days after session end | Operational necessity |
After the retention period expires, data is either securely deleted or anonymized in accordance with our data retention policies.
8. Contact
For questions about privacy:
Email: info@powerent-ltd.com
POWERENT Ltd.
EIN: 202432231
Registered office: Galabovo 6280, 4 Panayot Hitov Str
Managing Director: Dilyana Simeonova Ilieva
Supervisory Authority
If you are not satisfied with our response, you have the right to lodge a complaint with:
Commission for Personal Data Protection (CPDP) of Bulgaria
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: https://cpdp.bg
Email: kzld@cpdp.bg
© 2025-2026 POWERENT Ltd. All rights reserved.