Privacy Policy for Aquilo Solution·S GmbH

1. Introduction

Welcome to Aquilo Solution·S GmbH (“we,“ “our,“ or “us“). We are committed to protecting your personal data and your right to privacy. This Privacy Policy applies to all information collected through:

• Our public website at https://aquilo-solutions.com/
• Our WorkingHero mobile application (iOS and Android)
• Our cloud-based services and platforms

This policy explains what information we collect, how we use it, who we share it with, and your rights regarding your personal data.

Data Controller:

• Company Name: Aquilo Solution·S GmbH
• Address: Am Haubarg 9, 24229 Strande, Deutschland
• Commercial Register: Amtsgericht Kiel, HRB 25107 KI
• Managing Director: Mark Straßberger
• Email: info@aquilo-solutions.com
• Data Protection Officer: Contact us at info@aquilo-solutions.com

If you have any questions about this Privacy Policy, please contact us at info@aquilo-solutions.com.

2. Definitions

To help you understand this policy, here are definitions of key terms:

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data, such as collection, storage, use, or deletion
• Data Controller: The entity that determines the purposes and means of processing personal data (Aquilo Solutions)
• Data Processor: An entity that processes personal data on behalf of the controller (our service providers)
• User/You: Any person using our website, mobile app, or services
• GDPR: The EU General Data Protection Regulation
• Consent: Freely given, specific, informed, and unambiguous indication of your agreement to processing

3. Types of Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Information You Provide Directly

Account Information:

• Name and display name (called name)
• Email address
• Profile picture
• PIN (stored as cryptographic hash only)
• Preferred language/culture settings
• Preferred display mode (light/dark theme)
• Notification preferences (email, push, SMS)

Organization/Group Information:

• Organization name and associations
• Group memberships
• Role assignments
• Business addresses

Communication Preferences:

• Email notification settings
• Push notification settings
• SMS notification settings

3.2 Information Collected Automatically

Device and Usage Information:

• IP address
• Device type and operating system
• Browser type and version
• App version and client metadata
• Device identifiers
• Time zone and language preferences

Location Data:

• Coarse and fine GPS location (mobile app, with your permission)
• Location associated with workplaces and projects

App Activity Data:

• Pages visited and features used
• Time spent in the application
• Navigation patterns
• Task progress and completion data
• Work session timing (start, pause, resume, completion)

3.3 Mobile App Specific Data

Device Permissions (requested with your explicit permission):

Android Permissions:

• Camera: QR code scanning and photo capture for task documentation
• Flashlight: Camera flash for QR code scanning in low light
• Location (Coarse & Fine): Workplace location tracking and navigation to project sites
• Storage (Read & Write): Local file caching, document access, and saving images
• Notifications: Push notifications about tasks, projects, and updates
• Vibrate: Haptic feedback for user interactions
• Network State: Monitor connectivity status for sync operations
• Battery Stats: Display battery information for field work planning
• Internet: Required for app functionality and data synchronization

iOS Permissions:

• Camera: QR code scanning to identify workplaces
• Location (When In Use): Workplace location tracking and navigation to project sites
• Photo Library (Read): Select images for workplaces and user profiles
• Photo Library (Write): Save images captured within the app

Note on Voice Input:

Both Android and iOS support voice-to-text input through the system keyboard's built-in dictation feature. No additional app permissions are required as this is a native keyboard feature.

Mobile-Specific Data:

• Battery status and network connectivity state
• App foreground/background status
• Device model and screen properties
• Available storage space

3.4 Project and Task Data

Work-Related Information:

• Projects you're assigned to
• Workplaces you access
• Tasks you work on
• Task documentation and photos you upload
• Task chat messages and collaboration data
• Checkpoints and quality validation data
• Non-conformance reports
• Guides and instructions you access
• Tools and materials data

3.5 Documents and Files

Document Processing:

• Files and documents you upload
• Document metadata (filename, file size, content type, page count)
• Content hash (SHA256) for deduplication
• Document processing status
• Document view and download history
• Generated document previews

Invoice Data (if applicable):

• Invoice documents you upload
• Extracted invoice information (supplier, amounts, dates, line items)
• Payment and tax details from invoices

3.6 Analytics and Technical Data

Performance and Diagnostics:

• Application Insights telemetry (production environment)
• OpenTelemetry distributed traces
• Error logs and crash reports
• Request/response metadata
• Performance metrics
• Request correlation IDs

Audit Information:

• Timestamp of actions (creation, modification)
• User ID associated with each action
• Change history for all data modifications
• Event logs and user activity trails

4. Purposes of Processing and Legal Basis

We process your personal data for the following purposes, based on the legal grounds listed:

4.1 Service Provision (Legal Basis: Contract Performance)

• Creating and managing your user account
• Providing access to our platform and mobile app
• Enabling project and task management functionality
• Facilitating team collaboration and communication
• Processing and storing your documents and files
• Delivering requested features and services

4.2 Authentication and Security (Legal Basis: Contract Performance & Legitimate Interest)

• Verifying your identity via Azure Active Directory
• Managing authentication tokens and sessions
• Securing your account with PIN authentication
• Preventing unauthorized access and fraud
• Maintaining platform security and integrity

4.3 Communication (Legal Basis: Contract Performance & Consent)

• Sending you service-related notifications
• Delivering task updates and project information
• Responding to your inquiries and support requests
• Sending newsletters and product updates (with your consent)
• Processing your email and push notification preferences

4.4 Platform Improvement (Legal Basis: Legitimate Interest)

• Analyzing usage patterns to improve our services
• Diagnosing technical issues and bugs
• Monitoring application performance
• Developing new features and functionality
• Conducting internal research and development

4.5 Legal Compliance (Legal Basis: Legal Obligation)

• Complying with applicable laws and regulations
• Responding to legal requests and court orders
• Maintaining audit trails as required by law
• Protecting our legal rights and interests

4.6 AI and Intelligent Features (Legal Basis: Legitimate Interest & Consent)

• Providing intelligent translation services for multi-language support
• Document intelligence and OCR processing for invoice and document data extraction (users can review and correct extracted data)

4.7 Payment Processing (Legal Basis: Contract Performance)

• Processing payments and subscriptions
• Managing payment plans and features
• Handling invoices and billing
• Processing refunds when applicable

5. Data Sharing and Third-Party Processors

We share your personal data only with trusted third-party service providers who help us operate our platform. All processors are bound by data processing agreements and comply with GDPR requirements.

5.1 Cloud Infrastructure and Services

Microsoft Azure Services:

• Purpose: Cloud hosting, data storage, authentication, AI services
• Services Used:

- Azure Active Directory (authentication and user management)

- Azure Blob Storage (document and file storage)

- Azure Key Vault (secure credential storage)

- Azure OpenAI (AI embeddings and intelligent features)

- Azure Translator (text translation services)

- Azure Document Intelligence (OCR and form recognition)

- Azure Application Insights (telemetry and monitoring)

- Azure PostgreSQL (database hosting)

• Data Location: Germany West Central (Frankfurt, Germany) - EU region
• Privacy Policy: https://privacy.microsoft.com/

Microsoft Graph API:

• Purpose: Email delivery, user/group management
• Data Shared: User email addresses, organizational data
• Privacy Policy: https://privacy.microsoft.com/

5.2 Authentication Services

Azure AD/Microsoft Entra ID (CIAM):

• Purpose: User authentication and identity management
• Tenant: aquilodevelopment.ciamlogin.com
• Data Shared: Email, name, authentication tokens
• Features: Single sign-on, Microsoft Authenticator integration, multi-factor authentication

5.3 Payment Processing

Mollie:

• Purpose: Payment processing for subscriptions and services
• Data Shared: Payment information, customer identifiers
• Data Location: EU/EEA
• Privacy Policy: https://www.mollie.com/privacy

5.4 Real-Time Communication

SignalR (Microsoft):

• Purpose: Real-time notifications and updates
• Data Shared: User IDs, task updates, event notifications
• Connection: WebSocket connections to our Azure infrastructure

5.5 Messaging Infrastructure

Azure Service Bus:

• Purpose: Asynchronous message processing between our microservices
• Data Shared: Internal event data, user context for event processing
• Data Location: Germany West Central (Azure region within EU)

5.6 No Data Sales

6. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy or as required by law.

6.1 Active Account Data

• User Profile and Account Information: Retained while your account is active
• Project and Task Data: Retained while projects are active, plus 3 years after project completion
• Documents and Files: Retained while relevant to active projects, or until you delete them

6.2 Audit and Compliance Data

• Audit Logs: Retained for 7 years for legal compliance and security purposes
• Financial Records: Retained for 10 years in accordance with tax and accounting regulations

6.3 Anonymized Analytics

• Aggregated Analytics Data: May be retained indefinitely in anonymized form for research and improvement

6.4 Account Deletion

When you request account deletion or delete your account:

• Your personal data will be deleted within 30 days
• Certain data may be retained in backups for up to 90 days
• Audit logs will be retained as required by law with your identity pseudonymized
• Anonymized data may continue to be used for analytics

6.5 Inactive Accounts

Accounts inactive for more than 24 months may be deleted after notifying you via email with 30 days' notice.

7. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

7.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation whether we process your personal data and to receive a copy of your personal data.

How to Exercise: Email info@aquilo-solutions.com with your access request.

7.2 Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate personal data and to complete incomplete personal data.

How to Exercise: Update your profile in the app or contact info@aquilo-solutions.com.

7.3 Right to Erasure/“Right to be Forgotten“ (Art. 17 GDPR)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes it was collected
• You withdraw consent and there is no other legal basis
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

How to Exercise: Contact info@aquilo-solutions.com to request account deletion.

7.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to restrict processing of your personal data in certain circumstances.

How to Exercise: Contact info@aquilo-solutions.com with your restriction request.

7.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON).

How to Exercise: Contact info@aquilo-solutions.com to request a data export.

7.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

How to Exercise: Contact info@aquilo-solutions.com or adjust your notification preferences in the app.

7.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

How to Exercise: Adjust your settings in the app or contact info@aquilo-solutions.com.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority.

German Supervisory Authority: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)

Website: https://www.bfdi.bund.de/

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide a better user experience.

8.2 Cookies We Use

Public Website (aquilo-solutions.com):

• Minimal Cookie Usage: Our public website is a static site that uses minimal cookies
• Next.js Session Cookies: Essential session cookies for site functionality (if any)
• No Tracking Cookies: We do not use analytics, advertising, or tracking cookies on our public website
• Local Storage: User preferences (language selection) are stored in your browser's local storage, not cookies

Internal Applications (for registered users):

• Authentication Cookies: ASP.NET Core authentication cookies for secure login

- Purpose: Maintain your authenticated session

- Legal Basis: Necessary for service provision (no consent required)

- Retention: Session-based or as per your “Remember Me“ selection

• Anti-Forgery Tokens: Security tokens to prevent cross-site request forgery

- Legal Basis: Legitimate interest in security (no consent required)

• Session Cookies: Temporary session management

- Retention: Deleted when you close your browser

No Third-Party Cookies:

• We do not use third-party cookies, advertising cookies, or cross-site tracking cookies

8.3 Your Cookie Choices

Public Website:

Since our public website uses only essential cookies (if any) and no tracking cookies, no cookie consent is required or presented. User preferences are stored in local storage, which you can clear through your browser settings.

Internal Applications:

The authentication cookies used in our internal applications are strictly necessary for the service to function and do not require consent under GDPR Article 6(1)(b) (necessary for contract performance).

8.4 Browser Settings

You can control cookies through your browser settings:

• View and delete cookies
• Block all cookies (note: this will prevent you from logging into our services)
• Clear your browser's local storage to remove saved preferences

Note: Blocking strictly necessary cookies will prevent our internal applications from functioning properly, as they are required for authentication and security.

8.5 Mobile App Local Storage

Our mobile app stores minimal data locally on your device in app-private storage protected by your operating system's security (app sandboxing):

User Settings (unencrypted JSON files):

• Your user ID (identifier only)
• UI customization preferences (floating button position, transparency)
• Theme and display preferences
• Language settings

Authentication Tokens (encrypted):

• Stored securely in iOS Keychain or Android Keystore
• Never stored in plain text
• Protected by platform-specific encryption

Cached Data (temporary):

• Temporary cache for offline functionality
• Project and task data for performance
• Automatically cleared when no longer needed

Important: All personal data, consent preferences, and sensitive information are stored securely in our encrypted database, not on your device. The local settings contain only cosmetic preferences and non-sensitive identifiers. These files are protected by your device's operating system security, which prevents other apps from accessing them.

9. International Data Transfers

9.1 Data Storage Locations

Your personal data is stored and processed exclusively within the European Economic Area (EEA):

• Primary Region: Germany West Central (Azure region in Frankfurt, Germany)
• Database Hosting: Azure PostgreSQL in Germany West Central
• File Storage: Azure Blob Storage in Germany West Central
• Messaging: Azure Service Bus in Germany West Central
• All Services: All infrastructure is deployed in Germany West Central within the EU

9.2 Transfers Outside the EEA

In limited cases, your data may be transferred to countries outside the EEA:

Microsoft Services:

• Safeguards: EU Standard Contractual Clauses (SCCs), Microsoft's Privacy Shield successor commitments
• Purpose: Authentication, support services, limited technical operations
• Microsoft Compliance: https://www.microsoft.com/trust-center/privacy/gdpr-overview

Mollie (Payment Processing):

• Location: Primarily within EEA
• Safeguards: EU Standard Contractual Clauses if transfers occur

9.3 Our Commitment

We ensure that any international data transfer complies with GDPR requirements through:

• EU Standard Contractual Clauses
• Adequacy decisions by the European Commission
• Binding corporate rules of our processors
• Your explicit consent when required

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

10.1 Technical Security

Encryption:

• Data in transit: TLS/HTTPS encryption for all communications
• Data at rest: Encryption for Azure Blob Storage and databases
• Authentication tokens: Secure storage in platform keychains

Access Controls:

• Role-based access control (RBAC)
• Multi-factor authentication support
• PIN authentication for mobile app
• Token-based API authentication

Infrastructure Security:

• Azure Active Directory for identity management
• Azure Key Vault for credential storage
• Regular security updates and patches
• Firewall and network security groups

10.2 Organizational Security

Data Protection Measures:

• Audit logging of all data access and modifications
• Automatic change tracking for all entities
• Request correlation and tracing
• Regular security reviews and assessments

Employee Training:

• Data protection training for all staff
• Least privilege access principle
• Confidentiality agreements

Incident Response:

• Security incident monitoring
• Defined breach notification procedures
• Regular backup procedures

10.3 Application Security

• Input validation and sanitization
• Protection against SQL injection
• CORS and CSRF protection
• Rate limiting and timeout controls
• Secure password hashing (PINs never stored in plain text)

10.4 Data Breach Notification

As the data controller, we maintain appropriate incident response procedures to handle potential data breaches. In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the competent supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 GDPR
• Provide clear information about:

- The nature of the personal data breach

- The likely consequences of the breach

- Measures taken or proposed to address the breach and mitigate potential adverse effects

Our incident response procedures include coordination with third-party service providers where applicable, while maintaining our obligations as data controller for all notification and remediation requirements under applicable data protection law.

11. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly.

If you believe we have collected information from a child under 16, please contact us at info@aquilo-solutions.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

12.1 Notification of Changes

We will notify you of material changes through:

• Email notification to your registered email address
• In-app notification in the WorkingHero mobile app
• Prominent notice on our website
• Updated “Last Updated“ date at the top of this policy

12.2 Review of Changes

We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.

12.3 Previous Versions

Upon request, we can provide you with previous versions of this Privacy Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Am Haubarg 9

24229 Strande, Deutschland

Email: info@aquilo-solutions.com

Alternative: info@aquilosolutions.onmicrosoft.com

Data Protection Officer:

For data protection inquiries, contact info@aquilo-solutions.com

Response Time:

We aim to respond to all inquiries within 30 days, as required by GDPR.

Platform-Specific Information

For Website Users

Our Website: https://aquilo-solutions.com/

Hosting: Azure Static Web Apps (Next.js static export)

Analytics: No analytics or tracking cookies used

Cookies: Only essential cookies (see Section 8)

Local Storage: Language preferences stored in browser local storage

For Mobile App Users (WorkingHero)

App Name: WorkingHero (WorKing Hero)

Package ID: com.aquilo.aquiloworkinghero

Platforms: iOS (15.0+), Android (7.0+ / API 24+)

Framework: .NET MAUI with Blazor Hybrid

Android Permissions:

Camera, Flashlight, Location, Storage, Notifications, Vibrate, Network State, Battery Stats, Internet

iOS Permissions:

Camera, Location (When In Use), Photo Library (Read + Write)

Voice Input: Both platforms use the system keyboard's built-in voice dictation (no additional app permission required).

Permission Request: All permissions are requested only when the feature is used. You can manage permissions anytime in your device settings (Settings → Apps → WorkingHero).

Data Storage:

• User settings stored locally on your device as JSON files
• Authentication tokens stored securely in iOS Keychain or Android Keystore
• Cached data for offline functionality

App Store Privacy Labels:

• Apple App Store: See our App Privacy Details in the App Store listing
• Google Play Store: See our Data Safety section in the Play Store listing

Legal Compliance

This Privacy Policy complies with:

• GDPR (EU General Data Protection Regulation 2016/679)
• ePrivacy Directive (Directive 2002/58/EC)
• German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG)
• Apple App Store Guidelines
• Google Play Store Data Safety Requirements