Privacy Policy
Last updated: 15 November 2025 | Version: 1.0
1. Introduction
DALINA GROUP EOOD ("we", "us", "our") operates the Helionix platform – a software-as-a-service solution for construction project management, workforce management, and task coordination.
We respect your privacy and are committed to protecting your personal data in accordance with:
- General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 of the European Parliament and of the Council
- Bulgarian Personal Data Protection Act (ЗЗЛД)
This Privacy Policy explains what personal data we collect, the purposes for which we process it, and your rights as a data subject.
2. Who is the data controller?
DALINA GROUP EOOD / ДАЛИНА ГРУП ЕООД
Tax ID (EIN): 201241579
VAT Registration No.: BG201241579
Registered office: Stara Zagora 6000, 17 Oborishte Street, Floor 2, Apt. 2, Bulgaria
Managing Director: Dilyana Simeonova Ilieva
Email: helionix@dalinagroup.com
3. What personal data do we collect?
3.1 For Organizations (B2B Clients)
- Legal entity name
- Tax identification number (EIN/VAT)
- Registered business address
- Contact person details (name, email address, telephone number)
3.2 For system users
- First and last name
- Email address
- Phone number (optional)
- Position/role in organization
- Password (hashed, not stored in plain text)
3.3 For construction site workers
- First and last name
- Phone number
- Specialty/profession
- Hourly rate
3.4 Platform Usage Data
- Working hours: clock-in and clock-out timestamps (check-in/check-out)
- Geolocation data: collected ONLY at the time of check-in/check-out for the purpose of verifying the worker's presence at the designated work site. GPS coordinates are NOT stored permanently – they are deleted immediately following validation.
- Device identifier: An encrypted unique identifier used to associate one worker with one device
- IP address: Logged in audit records for security and action tracking purposes
4. Why do we process your data?
| Data type | Legal basis |
|---|---|
| Name, email, phone | Contract (Art. 6(1)(b) GDPR) – necessary for the performance of a contract |
| Working time | Contract + Legal obligation (Art. 6(1)(b)(c) GDPR) – Labor Code of Bulgaria, Art. 62 |
| GPS coordinates | Legitimate interest (Art. 6(1)(f) GDPR) + Explicit consent where required |
| Device ID | Legitimate interest (Art. 6(1)(f) GDPR) – fraud prevention and security |
| IP addresses | Legitimate interest (Art. 6(1)(f) GDPR) – audit trail and security monitoring |
How We Use Your Data
We process your personal data for the following purposes:
- Project Management – creation and tracking of construction projects, tasks, and phases
- Time Tracking – recording check-in/check-out times to calculate worked hours and wages
- GPS Location Validation – verifying that workers are at the correct work site at check-in/check-out
- Security and Fraud Prevention – device binding, IP logging, and audit trails to prevent unauthorized access
- Communication – sending service notifications, system alerts, and important updates
- Analytics and Improvement – aggregated, anonymized data to improve platform performance
How We Protect Your Data
We implement industry-standard security measures to protect your personal data:
Technical Measures
- HTTPS/TLS – all data in transit is encrypted using TLS 1.3
- Password Hashing – passwords are hashed using bcrypt with salting
- Data at Rest Encryption – database encryption using AES-256
- Row Level Security (RLS) – strict tenant isolation in the database
- Secure Cookies – HttpOnly, Secure, SameSite attributes on all cookies
- Rate Limiting – protection against brute-force and DDoS attacks
Organizational Measures
- Access Control – role-based access control (RBAC) with least privilege principle
- Audit Logging – all sensitive operations are logged for accountability
- Regular Backups – automated daily backups with encryption
- Incident Response – documented procedures for security incident handling
5. Who do we share data with?
We DO NOT sell, rent, or trade your personal data to third parties. We share data only with the following trusted service providers:
| Provider | Service | Location | GDPR |
|---|---|---|---|
| Supabase Inc.→ View DPA | Database hosting & authentication | EU West (Frankfurt) | ✅ SCCs |
| Vercel Inc.→ View DPA | Application hosting | EU (Amsterdam) | ✅ SCCs |
Subprocessor updates: We will notify customers at least 30 days before adding new subprocessors. You may subscribe to updates at helionix@dalinagroup.com.
List last updated: January 2025
6. Your rights
Under the GDPR, you have the following rights with respect to your personal data:
- Right of Access (Art. 15) – to obtain a copy of your personal data
- Right to Rectification (Art. 16) – to correct inaccurate or incomplete data
- Right to Erasure (Art. 17) – "Right to be Forgotten"
- Right to Data Portability (Art. 20) – to receive your data in a structured, machine-readable format (JSON/CSV)
- Right to Object (Art. 21) – to object to certain types of processing
How to Exercise Your Rights
Email: helionix@dalinagroup.com
Online form: /privacy/request
Response timeframe: Within thirty (30) days from receipt of your request, in accordance with Article 12(3) of the GDPR
7. Cookies
We use ONLY strictly necessary (essential) cookies required for the platform to function:
| Cookie | Purpose | Retention period |
|---|---|---|
| auth-token | Authentication | 30 days |
| device-id | Device binding | 1 year |
| worker-session | Worker session | Until logout |
Note: Consent is not required for strictly necessary cookies pursuant to GDPR Recital 30 and the ePrivacy Directive.
Data Retention Periods
We retain personal data only for as long as necessary for the purposes set out in this policy, in compliance with GDPR Article 5(1)(e) - Storage Limitation Principle:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| User account data | Until account deletion | Contract |
| Attendance records | 5 years | Bulgarian Labor Code |
| GPS coordinates | Immediately after validation | Data minimization |
| Security logs | 2 years | Legitimate interest |
| Notifications | 90 days | Operational necessity |
| Login attempts | 90 days | Security |
| Session data | 30 days after session end | Operational necessity |
After the retention period expires, data is either securely deleted or anonymized in accordance with our data retention policies.
8. Contact
For questions about privacy:
Email: helionix@dalinagroup.com
DALINA GROUP EOOD / ДАЛИНА ГРУП ЕООД
EIN: 201241579
Registered office: Stara Zagora (6000), 17 Oborishte St., Floor 2, Apt. 2
Managing Director: Dilyana Simeonova Ilieva / Диляна Симеонова Илиева
Supervisory Authority
If you are not satisfied with our response, you have the right to lodge a complaint with:
Commission for Personal Data Protection (CPDP) of Bulgaria
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: https://cpdp.bg
Email: kzld@cpdp.bg
© 2025 DALINA GROUP EOOD / ДАЛИНА ГРУП ЕООД. All rights reserved.
Last update: 15 November 2025