ConstructionOS
Legal · POPIA

Privacy Policy

How ConstructionOS collects, stores and protects personal information — including biometric data, GPS location and photographs — under South Africa's Protection of Personal Information Act (POPIA).

Last updated: 3 June 2026

Biometric data is special personal information under POPIA. Where you enable face-recognition attendance, ConstructionOS captures a facial image, GPS location and photos. We only process this after an in-app consent step, and we explain below exactly what is collected, where it is stored, and how to withdraw.

On this page

  1. Who is responsible
  2. What we collect
  3. Face recognition, GPS & photos
  4. Why we process it
  5. Consent & lawful basis
  6. Cookies & on-device storage
  7. Who we share it with
  8. Cross-border processing
  9. How long we keep it
  10. How we protect it
  11. Your POPIA rights
  12. Information officer & contact

1. Who is responsible

ConstructionOS is operated by Providus Labs (Pty) Ltd (CIPC 2026/142873/07), a company registered in South Africa. For personal information about our direct customers and the people who log in to the Service (owners, project managers, foremen), Providus Labs is the responsible party.

For data captured about workers on a customer's worksite — including face-recognition attendance — our customer (the employer) is the responsible party, and ConstructionOS acts as their operator (processor) under POPIA, processing that data on their instruction.

2. What we collect

  • Account information — name, work email, phone number, role, time zone and organisation details of login users. Authentication is handled by AWS Cognito.
  • Worker records — names, employee numbers and roles of the workers a customer tracks (a tracked worker does not need a login).
  • Project & site content — schedules, tasks, daily logs, punch lists, RFIs, safety and incident records, and the documents and drawings you upload.
  • Attendance & timesheet data — check-in/check-out times, status and the method used (manual, QR or face-verified).
  • Biometric, location & image data — see section 3.
  • Communications — in-app messages and comments between your team members.
  • Device & technical data — push-notification device tokens, app version, and security/audit logs of key actions (who created or changed a record, and when).
  • Billing data — your name, email and subscription details. Card details are entered on our payment provider's secure page and are never received or stored by us.

3. Face recognition, GPS & photos

Face-recognition attendance is an optional feature. When a customer enables it and a worker has consented (see section 5), this is what happens:

  • On the phone, the app takes a photograph of the worker's face. It uses on-device face detection only to check that a live face is present — it does not build a face map on the device, and the temporary photo is deleted from the phone after upload.
  • The photo is uploaded to our private storage (Amazon S3). Our facial-recognition provider, Amazon Rekognition, creates a mathematical representation of the face (a "face vector") and stores it in a secured collection that is isolated per organisation, so future check-ins can be matched. We do not sell this data or use it for any purpose other than attendance verification.
  • Our own database stores a reference ID to that face vector, the storage key of the check-in photo, a quality/match score, the GPS coordinates and accuracy and time of check-in, and the worker's consent record. We do not hold the raw face vector ourselves.
  • GPS location is also attached, where available, to field reports, photos, punch items, safety observations and incidents, to confirm where work was done. Location capture is best-effort and a check-in still works if location is unavailable.

Facial data is special personal information and is treated with extra care: it is access-controlled, isolated per organisation, and never used for advertising or shared for any unrelated purpose.

4. Why we process it

We process personal information to provide the Service: to authenticate users, verify attendance, build accurate timesheets, reduce wage fraud, show site progress, generate reports, send notifications, support customers and keep the platform secure. Worker biometric, photo and GPS data is processed solely to confirm and evidence site attendance.

5. Consent & lawful basis

Before a worker is enrolled in face-recognition attendance, the app shows a biometric-consent screen that explains what is collected, why, how and where it is stored, and that the worker may decline and use a manual or QR check-in instead. The worker must actively agree. We record the exact consent text shown, the date and time, and (for web) the IP address and browser, and we track any later withdrawal.

A worker can withdraw consent at any time. On withdrawal we remove their enrolled face data from the recognition service, and attendance continues using manual or QR methods. Our customers, as employers and responsible parties, are required by our terms to obtain and maintain this consent and to have a lawful basis for processing under POPIA.

6. Cookies & on-device storage

We keep this simple: we do not use advertising or third-party tracking cookies, and we do not run analytics tools such as Google Analytics, Sentry or similar. There is no behavioural tracking.

  • The web dashboard sets a single functional cookie, sidebar_state, which remembers whether your navigation sidebar is open or collapsed. It expires after 7 days and contains no personal information.
  • Your login session is managed by AWS Cognito. Authentication tokens are held in your browser's memory and, on mobile, in your device's secure storage (iOS Keychain / Android Keystore) — not in cookies.
  • The dashboard saves a few non-sensitive preferences in your browser's local storage (for example your consent selections at sign-up and your schedule view settings). The mobile app caches your project data on the device so it works offline; this cache is scoped to your account and cleared when you sign out.

7. Who we share it with

We do not sell personal information. We share it only with the customer (employer) whose worksite the data relates to, with authorities where legally required, and with the sub-processors that run the Service under contract:

  • Amazon Web Services (AWS) — cloud hosting, database, authentication (Cognito), file/photo storage (S3) and facial recognition (Rekognition).
  • Google (Firebase Cloud Messaging) — delivery of push notifications; it receives device tokens and the notification content, not your records.
  • Paystack — payment processing for subscriptions; it receives your name, email and billing details. Card details are entered on Paystack's secure page and never reach our servers.
  • Hasura — the API layer that routes requests between the apps and our database; it processes data in transit and does not store your records.

8. Cross-border processing

Your data is primarily stored in AWS's South Africa (Cape Town) region. Some processing happens outside South Africa: facial recognition runs in AWS Europe (Ireland) because the service is not yet available in the South Africa region (the original photos remain stored in South Africa); push notifications are delivered via Google; and payments are processed by Paystack. These transfers are covered by the providers' data-processing agreements and standard contractual protections, consistent with POPIA's conditions for trans-border information flows.

9. How long we keep it

  • Account and project data is kept while your account is active and for as long as needed to comply with law.
  • Biometric face data (the face vector and enrolment/check-in photos) is deleted when a worker withdraws consent, is de-enrolled, or the customer's account is closed.
  • Attendance records and photos are retained for the period the employer needs them as wage and labour evidence, after which they are deleted or anonymised.
  • Encrypted backups are retained for a short rolling period (around 7 days). Security and audit logs are kept as a protective record.

10. How we protect it

We encrypt personal information in transit using TLS, and store uploaded files, photos and documents in access-controlled Amazon S3 storage with server-side encryption. Access is role-based and isolated by organisation and project, enforced at our API layer; passwords are managed and hashed by AWS Cognito; and we apply least-privilege access and audit logging. No system is perfectly secure, but we work to protect personal information in line with POPIA's security safeguards and continue to strengthen them.

11. Your POPIA rights

Subject to POPIA, you and the workers whose data we process may:

  • Ask what personal information is held and request access to it;
  • Request correction or deletion of inaccurate or unlawfully held data;
  • Object to processing or withdraw consent (which may affect attendance features);
  • Complain to the Information Regulator of South Africa.

Worker requests are usually directed to the employer (the responsible party); we will assist them as the operator.

12. Information officer & contact

Privacy questions and requests can be sent to our information officer at gareth@providuslabs.co.za. You may also lodge a complaint with the Information Regulator (South Africa).

This policy describes how the product works today and is written in plain language for clarity; it is not legal advice. We will update it as features change, and it will be reviewed with counsel and our information officer registered before commercial launch.

Operated by Providus Labs (Pty) Ltd · CIPC reg 2026/142873/07 · gareth@providuslabs.co.za
© 2026 Providus Labs (Pty) Ltd