Privacy Policy — SiteOn mobile application

Version: 1.0
Last updated: 14 April 2026

Disclaimer. This document is provided for informational and operational purposes to describe processing related to the SiteOn application in accordance with Regulation (EU) 2016/679 (GDPR) and Belgian data protection law. It does not constitute legal advice. Have it reviewed by counsel and replace all bracketed placeholders [ … ] (controller identity, contact details, retention periods, processors, etc.) before any publication (website, Play Console, App Store Connect).

1. Who we are

Data controller:

Legal name	`SiteOn`
Legal form / company number	`/`
Registered office	/
Privacy / DPO email	`info@siteon.be`

Depending on how you use SiteOn (especially in a professional context or on behalf of an employer), other controllers (e.g. your employer or the company engaging you on site) may be involved in certain processing. If in doubt, contact the organisation that invited you to install the app.

2. Scope

This policy explains how SiteOn (mobile app for Android and iOS) collects and uses personal data, and what rights you have.

App identifiers (indicative — confirm in the stores):

Android: package be.itw.siteon;
iOS: bundle ID according to the Apple Developer account used for release.

3. What data do we process?

The categories below reflect the current features of the app (sign-in, construction sites, check-in, employee badge).

3.1 Authentication / mobile account data

Phone number (international format, e.g. +32…): used to request sign-in and verify via code (server-side login flow).
Technical identifiers generated or stored on the device (e.g. install / device ID for traceability of operations or service operation).

3.2 Employee / badge data

Data read from a compatible NFC badge (e.g. professional badges such as ConstruBadge / LisaBadge — MIFARE DESFire-class technology), including information needed to identify the worker on site (name, first name, employee record fields, card technical identifiers, etc., depending on badge content).
Equivalent data may be provided via an employee QR code where that path is offered.

This data is stored locally on the device (local database) as needed for the app to work, then synchronised with servers for the SiteOn / backend service configured by the publisher.

3.3 Site data and check-in

Information from the site QR code (single site document — DUC —, CBE references, etc.).
Photograph of the location or site poster when you use capture / upload linked to scanning.
Check-in data: type of event, timestamp, site and employee information required for presence declaration or tracking as designed into the product, plus technical fields required by the API (local IDs, reader ID, billing / business fields if present in the payload).

3.4 Location

Geographical position (precise or approximate depending on system permission) when you have granted it: used to associate check-in or site registration with a geographical context (e.g. consistency with the workplace).

The app declares use of location while using the app and, on iOS, modes that may include background location if the user extends permissions in Settings.

3.5 Camera and NFC

Camera: scanning QR codes (site / employee) and image capture for evidence or site records. Images may be sent to the server as part of poster scanning.
NFC: reading compatible badges; no advertising purpose; processing limited to identification and check-in.

3.6 Company / branding data

VAT number or company identifier used to load branding (logo, colours, on-screen information) in the app.
Data cached locally for reasonable offline display (appearance, company details).

3.7 Technical data and logs

Network exchanges with APIs (hosting at the URL configured for the application, which varies by production environment).
Server-side logs (if any): to be detailed in an internal annex (retention, access).

No third-party advertising analytics tool was identified in the mobile client codebase at the time of drafting; if you add any (e.g. Firebase), update this policy.

4. Purposes and legal bases (indicative)

Purpose	Examples of legal basis (refine with counsel)
Session creation / SMS authentication	Performance of a contract or pre-contract steps; possible legal obligation on the employer side
Employee identification (badge / QR) and site registration	Performance of employment / engagement contract; legal obligation regarding worker registration (depending on your framework)
Sending check-ins and photos to the backend	Same framework; documented legitimate interest where applicable
Location linked to check-in	Consent or obligation / legitimate interest depending on business context (document internally)
Employer branding customisation	Performance of contract / controller’s legitimate interest

Bases must be chosen case by case with your adviser.

5. Recipients and transfers

Authorised staff of [the publisher / controller].
Processors: hosting provider, SMS provider, IT maintenance — list by name in an annex or processing register.
Public authorities or bodies where required by law.

Transfers outside the EU: if servers or processors are outside the European Economic Area, state the mechanism (standard contractual clauses; note that Privacy Shield is no longer valid for the US — prefer 2023 EU–US Data Privacy Framework compliance or other GDPR safeguards).

6. Retention (to be completed)

State concrete periods (e.g. inactive accounts, server logs 6 / 12 months, photo evidence X years). On-device data may be erased by uninstalling the app or via sign-out / purge features as the product evolves.

7. Security

Appropriate technical and organisational measures: encryption in transit (HTTPS in production), API access control (API key in the client — protect and rotate), secure local storage where feasible, staff training.

8. Your rights (GDPR)

Subject to conditions and exceptions under law, you have in particular the right to:

Access, rectification, erasure;
Restriction of processing;
Object to processing;
Data portability (where applicable);
Withdraw consent where processing is based on consent.

Send requests to: [privacy@…]. A reasonable proof of identity may be required to prevent fraud.

9. Complaint

Without prejudice to a judicial remedy, you may lodge a complaint with the supervisory authority:

Data Protection Authority (GBA / APD)
Rue de la Presse 35, 1000 Brussels, Belgium
Website: https://www.dataprotectionauthority.be/ (Dutch/English) — https://www.autoriteprotectiondonnees.be/ (French)

10. Children

SiteOn is aimed at professional users (construction sites, employers). It is not intended for minors who are not authorised to work under applicable law.

11. Changes

We may update this policy (new features, legal requirements). The date at the top will be revised; for material changes, consider notice (email, in-app banner, or re-acceptance as advised by counsel).

12. Contact

Questions: [privacy@…]