Privacy Policy

Last updated: June 13, 2026

1. Introduction

Oliniuc Bogdan-Nicolae PFA — an authorized natural person (persoană fizică autorizată) established in Romania — operates the Kronly mobile application (the "App") under the "Kronly" brand ("Kronly", "we", "us", or "our"). Kronly is a construction site management tool for iOS and Android that enables construction managers and workers to track time, manage teams, handle material requests, and document job sites with photos.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Kronly App and any associated services. We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), Romanian Law No. 190/2018, and other applicable Romanian and EU data protection legislation.

By using Kronly, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the App.

2. Data Controller & Data Processor

2.1 Our Role as Data Controller

For the following categories of data, Kronly acts as the data controller (as defined in Art. 4(7) GDPR):

  • Account registration and authentication data
  • Device information and push notification tokens
  • Usage data and error logs
  • Data related to operating and securing the App

The data controller is:

Oliniuc Bogdan-Nicolae PFA (Persoană Fizică Autorizată)
Registered office: Bd. Bucureștii Noi nr. 136, parter, ap. 5, Sector 1, Bucharest, Romania
Trade Register No.: F2022004979409  ·  EUID: ROONRC.F2022004979409
Tax ID (CUI): 46976220
Email: privacy@kronly.eu

2.2 Our Role as Data Processor

When Kronly is used by an organization for workforce management (time tracking, proximity verification, task assignments, material requests), the employer organization (represented by the Manager account holder) is the data controller for employee-related data. In this context, Kronly acts as a data processor (as defined in Art. 4(8) GDPR) processing data on behalf of the employer.

Kronly offers a Data Processing Agreement (DPA) in compliance with Art. 28 GDPR to all employer organizations using the App for workforce management. You can review our Data Processing Agreement online; to request a counter-signed copy, contact us at privacy@kronly.eu.

2.3 Data Protection Officer

At our current scale of operations, we have determined that the appointment of a Data Protection Officer (DPO) is not required under Art. 37 GDPR. We will reassess this determination as our operations grow. For all data protection inquiries, please contact us at privacy@kronly.eu.

If you have any questions about this Privacy Policy or the processing of your personal data, please contact us at the email address above.

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

  • Full name
  • Phone number (part of your workforce contact details; it may also be used for sign-in if phone-based login is enabled in the future)
  • Email address
  • Authentication provider (Apple, Google, or Facebook) and associated account identifiers
  • Personal Numeric Code (CNP)optional. The Romanian national identification number, collected only to generate payroll/salary reports for your employer's accountant (see Section 5.6). It may be entered by you, or on your behalf by your organization's manager. You can add, change, or remove it at any time; leaving it blank does not limit your use of the App.

3.2 Organization Data

  • Company or organization name
  • Your role within the organization (Manager or Worker)
  • Organization membership and team assignments

3.3 Time Tracking Data

  • Clock-in and clock-out timestamps
  • Work session durations
  • Break times and durations
  • Timesheet approval status

3.4 Proximity Verification Results

  • A boolean value indicating whether the worker was within range or out of range of the job site at the time of clock-in or clock-out
  • The configured site radius at the time of the proximity check

Please see Section 7 for detailed information about how proximity verification works and what data is — and is not — collected.

3.5 Photos

  • Site documentation photos uploaded by users
  • Photos attached to material requests

Photos are uploaded without GPS metadata. Location data embedded in photos (EXIF GPS tags) is stripped before transmission and is never sent to or stored on our servers.

3.6 Device Information

  • Device tokens for push notifications (APNs tokens)
  • Device type and model
  • Operating system version
  • Device name and active-session records (session identifier, creation and last-use timestamps) — used for the multi-device sign-in feature, so you can review your signed-in devices and sign any of them out

3.7 Usage Data

  • Feature usage and app interactions
  • Sync status and connectivity information
  • Error logs and crash reports — server logs kept on our own EU infrastructure may include your IP address and account identifier; the error reports sent to our error-monitoring provider contain technical details only and never your name, email address, IP address, or account identifier (see Section 9.3)

3.8 Website Cookies & Analytics

Our website (kronly.eu / kronly.ro) uses a privacy-friendly, self-hosted analytics tool to understand aggregate usage — for example, which pages are visited and the referring website. This tool runs on our own servers in the European Union; we do not send this data to a third-party advertising network. It records limited technical information: pages viewed, the referring URL, and general browser, device type and approximate country (derived from your IP address, which we do not store in a form that identifies you). We process this on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in measuring and improving the website. We do not use advertising cookies, we do not track you across other websites, and we do not sell this data.

The only third-party script on our website is the Brevo live-chat widget (see Section 9.3), which loads — and sets a functional session cookie — only after you click "Start chat". No analytics or chat cookies are set as a precondition of simply reading our pages.

You can object to website analytics at any time by contacting us at privacy@kronly.eu, and you can block analytics scripts using your browser's privacy settings or a content-blocking extension.

One-click opt-out. You can also turn website analytics off directly in this browser. Your choice is saved locally on this device (in browser storage, not a cookie) and applies to this browser only:

4. Data We Do Not Collect

Kronly is designed with a privacy-by-design approach. The following data is explicitly not collected, transmitted to, or stored on our servers:

  • GPS coordinates — Your precise location (latitude and longitude) never leaves your device. All GPS processing for proximity verification occurs on-device.
  • Continuous location tracking — We do not monitor your location in the background, during work hours, between clock-in events, or at any other time.
  • Photo GPS metadata — EXIF location data is stripped from photos before upload. We do not know where photos were taken.
  • Biometric data — We do not collect fingerprints, facial recognition data, or any other biometric identifiers.
  • Personal device data — We do not access your contacts, calendar, messages, browsing history, or any other personal data on your device beyond what is listed in Section 3.

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

5.1 Performance of a Contract (Art. 6(1)(b) GDPR)

Processing is necessary for the performance of the contract between you and Kronly for the use of the Kronly App. This includes:

  • Account creation and authentication
  • Team management and organization membership
  • Material request processing
  • Task assignment and management
  • Photo documentation of job sites
  • Synchronization of data across devices

5.2 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing is necessary for our legitimate interests, which include:

  • Improving and maintaining the quality of our service
  • Ensuring the security and integrity of the App (fraud prevention, rate limiting)
  • Analyzing anonymized usage data to enhance the user experience
  • Providing technical support and resolving issues

You have the right to object to processing based on legitimate interests. See Section 11 for details.

5.3 Consent (Art. 6(1)(a) GDPR)

For certain processing activities, we rely on your explicit consent. You can withdraw your consent at any time without affecting the lawfulness of prior processing. Consent-based processing includes:

  • Push notifications (clock-in reminders, approval alerts, team updates)

5.4 Legal Obligation (Art. 6(1)(c) GDPR)

We may process your data where necessary to comply with a legal obligation to which Kronly is subject, such as tax or accounting regulations, or in response to a valid legal request from a competent authority.

5.5 Note on Time Tracking and Proximity Verification Data

When Kronly is used by an employer for workforce time tracking, the legal basis for processing employee time tracking data and proximity verification results is determined by the employer (as data controller), not by Kronly (as data processor). The employer's legal basis will typically be:

  • Legal obligation (Art. 6(1)(c)) — Romanian Codul Muncii (Art. 119) requires employers to maintain records of working time.
  • Legitimate interests (Art. 6(1)(f)) — The employer has a legitimate interest in verifying workforce presence at job sites.

Important: Employee consent is generally not a valid legal basis for employer-mandated monitoring due to the power imbalance in the employment relationship (per EDPB Opinion 2/2017 and Romanian Law 190/2018). Employers should not rely on employee consent as the sole legal basis for deploying Kronly's time tracking features.

5.6 National Identification Number (CNP)

Where you provide a CNP (Personal Numeric Code), Kronly processes it solely to generate payroll/salary reports for your employer's accountant. The legal basis is:

  • Legal obligation (Art. 6(1)(c) GDPR) and/or performance of a contract (Art. 6(1)(b) GDPR) — Romanian payroll, tax, and accounting rules require the CNP to identify an employee on payroll and fiscal records.

Consistent with Section 5.5, we do not rely on employee consent as the basis for processing the CNP: in an employment relationship consent is generally not freely given (EDPB Guidelines 05/2020 on consent; Romanian Law no. 190/2018), and the CNP may be entered by your manager on your behalf, in which case no consent of yours could apply. Accepting the Terms of Service and this Privacy Policy when you create an account is contractual acceptance and acknowledgement of this notice — it is not the legal basis for processing your CNP.

Safeguards (Romanian Law no. 190/2018, Art. 4 — national identification numbers). Because the CNP is a national identification number of general application, we apply specific safeguards: it is optional and collected only for the payroll-export purpose described above (data minimisation); access is restricted — within your organization the CNP is visible only to managers/administrators and to you, it is never shown to other workers, and it is not used for any purpose outside the payroll export; it is transmitted over encrypted connections (TLS/HTTPS) and stored on servers in the European Union; and it is retained as described in Section 10. A written record of this legal-basis assessment is maintained internally.

5.7 Information Where Your Data Is Provided by Your Employer (Art. 14 GDPR)

Some details may be entered into Kronly on your behalf by your organization's manager rather than by you directly — most commonly your CNP, and in some cases your name or phone number. Where your personal data is obtained from your employer rather than from you, Article 14 GDPR requires that you be informed of the following:

  • Source of the data — your employer (the organization that invited you to Kronly), acting through a manager or administrator account.
  • Categories of data concerned — your CNP (Personal Numeric Code) and, where applicable, your name and phone number.
  • Purpose — generating payroll/salary reports for your employer's accountant and maintaining the workforce records your employer is required to keep (see Section 6).
  • Legal basis — legal obligation (Art. 6(1)(c) GDPR) and/or performance of a contract (Art. 6(1)(b) GDPR); not consent (see Section 5.6).
  • Recipients — your employer and the accountant your employer designates for payroll; apart from the service providers listed in Section 9.3, there are no other recipients. We do not sell this data.
  • Retention — as described in Section 10.
  • Your rights — access, rectification, erasure, restriction, objection, and portability, as set out in Section 11, including the right to lodge a complaint with the Romanian supervisory authority (ANSPDCP).

Controller responsibility. For employee data entered by a manager, your employer is the data controller and is responsible for informing you under Art. 14; Kronly acts as data processor on the employer's behalf (see Section 2.2). We provide this notice here for transparency, and we provide a model Art. 14 notice in our Employer DPIA Guide & Model Notices so employers can inform their staff directly. When a manager enters your details, the App requires the manager to confirm that they are authorized to provide that data and have informed you as required.

6. How We Use Your Data

We use your personal data for the following purposes:

6.1 Providing the Service

  • Enabling clock-in/out and time tracking with on-device proximity verification
  • Facilitating team management, including invitations, join requests, and role assignments
  • Processing and tracking material requests
  • Managing tasks and work assignments
  • Storing and displaying site documentation photos
  • Synchronizing data across devices and between managers and workers

6.2 Communications

  • Sending push notifications for clock-in reminders, approval alerts, and team updates
  • Sending transactional account emails (for example, password reset and account-deletion confirmation)

6.3 Service Improvement

  • Analyzing anonymized usage patterns to improve the App
  • Identifying and resolving technical issues

We do not use your personal data, User Content, or photos to train machine learning or artificial intelligence models.

We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects for you (Art. 22 GDPR). Timesheet, material request, and join request approvals are always decided by your manager — never automatically.

6.4 Security

  • Fraud prevention and detection
  • Rate limiting to prevent abuse
  • Authenticating users and verifying access permissions

7. Proximity Verification (On-Device)

Kronly uses a privacy-by-design approach to proximity verification. Here is exactly how it works:

7.1 How It Works

When you clock in or out, the Kronly App requests your device's GPS position. The App then compares your position to the job site boundary configured by your organization's manager. This comparison is performed entirely on your device. Your GPS coordinates are processed locally and are never transmitted to Kronly's servers.

7.2 What Is Sent to Our Servers

After the on-device check, only the following non-location data is transmitted:

  • A boolean value: whether you are within range or out of range of the job site
  • The configured site radius (in meters) at the time of the check

This data does not reveal your location. It only indicates whether you were inside or outside a defined area at the moment of clock-in or clock-out.

7.3 What Is Never Sent

  • Your GPS coordinates (latitude, longitude) are never transmitted
  • Your distance from the site boundary is never transmitted
  • Your location between clock-in events is never accessed or transmitted

7.4 Your Control

You can disable location services for Kronly at any time in your device settings (iOS: Settings → Privacy & Security → Location Services → Kronly; Android: Settings → Apps → Kronly → Permissions → Location). If location access is denied:

  • You may still clock in and out normally
  • Proximity verification will not be available
  • Your manager will see that the clock-in was made without proximity verification

8. Photo Storage

Photos uploaded through Kronly (site documentation, material request attachments) are stored in S3-compatible object storage on access-controlled servers located in the European Union (Hetzner).

GPS metadata removal: Before any photo is uploaded from your device, Kronly strips all EXIF GPS metadata (latitude, longitude, altitude). The photo stored on our servers contains no location information. We do not know where your photos were taken.

Your photos are:

  • Associated with your organization and the relevant job site, material request, or task
  • Visible to managers within your organization
  • Stored on access-restricted servers that are not exposed to the public internet
  • Transmitted over encrypted connections (TLS/HTTPS)
  • Permanently deleted when you delete your account, within 30 days of account deletion

We do not use your photos for any purpose other than providing the Kronly service. Photos are never analyzed, used for AI/ML training, sold, or shared with third parties.

9. Data Sharing

We value your privacy and limit data sharing to what is strictly necessary for the operation of the service.

9.1 Within Your Organization

Your organization manager can access:

  • Your time entries, including clock-in/out times, durations, and proximity verification results (in-range or out-of-range — not GPS coordinates)
  • Your material requests and associated photos
  • Your task assignments and their status
  • Your site documentation photos
  • Your profile information (name, role, contact details)
  • Your CNP, if provided — visible to managers/administrators only, solely for generating the payroll export for your employer's accountant (see Section 5.6). The accountant your employer designates receives the payroll export containing your CNP as a recipient on your employer's behalf.

9.2 No Sale or Advertising Use

We do not sell your personal data to any third parties. We do not use your data for advertising purposes. We do not share your data with data brokers or marketing platforms.

9.3 Third-Party Service Providers

We use the following third-party service providers to operate Kronly. These providers process data on our behalf and are bound by data processing agreements in compliance with the GDPR:

  • Apple, Google, Facebook — Authentication providers for social sign-in (we receive only your name, email, and a unique identifier from these services)
  • Hetzner — Cloud hosting and S3-compatible object storage for our servers and photo storage, located in the European Union
  • Apple Push Notification Service (APNs) — Delivery of push notifications to your device. The notification content is operational references such as a project, task, or material name — never a person's name, CNP, or location.
  • Brevo (Sendinblue SAS, France) — (i) Delivery of transactional account emails (password reset, account-deletion confirmation): your email address and the content of those messages; (ii) Live chat widget on our Support page. The chat widget is loaded only when you click "Start chat" on the Support page (it does not run automatically). Once loaded, Brevo processes the messages you send, your IP address, browser/device information, and sets functional cookies in your browser to maintain the chat session. Brevo is established in the EU. See Brevo's privacy policy.
  • Sentry (Functional Software, Inc.) — Error and crash monitoring (web and mobile apps on iOS and Android), hosted in Sentry's European Union data region (Frankfurt, Germany). Error reports contain technical details only (error type, stack trace, request URL, user agent); we do not attach your name, email address, IP address, or account identifier. Sentry's operator is a US company certified under the EU-US Data Privacy Framework, which covers any access from the United States (see Section 15).
  • Google LLC — Firebase Cloud Messaging (FCM) — Delivery of push notifications to your device on both iOS and Android (on iOS, push is routed through FCM and relayed to the Apple Push Notification service). We provide FCM with your device push token and the notification content, which is operational references such as a project, task, or material name — never a person's name, CNP, or location. Location: United States. Google LLC is certified under the EU-US Data Privacy Framework, covering any access to push tokens and payloads from the United States (see Section 15).
  • TelemetryDeck GmbH (Germany) — Privacy-focused analytics for our mobile apps (iOS and Android) to understand feature usage and improve the App. Personal data: an anonymous per-install identifier and feature-usage events only; no personal identifiers or other personally identifiable information are collected. Location: European Union (Germany). No international transfer. This is distinct from the website analytics described in Section 3.8.

We will notify organization administrators (Manager account holders) of any changes to our sub-processors that affect the processing of employee data, providing at least 30 days' advance notice.

9.4 Legal Obligations

We may disclose your personal data if required to do so by Romanian law, EU law, or in response to a valid legal request from a competent authority (e.g., a court order, ANSPDCP investigation, or regulatory inquiry).

10. Data Retention

We retain your personal data for as long as your account is active and you are a member of an organization using Kronly. The list below summarizes how long we keep each category of data; where a fixed period is not possible, we keep data only as long as necessary for the purpose described.

  • Account & profile data (name, phone, email, authentication identifiers) — for the life of your account; deleted within 30 days of account deletion.
  • National Identification Number (CNP), if provided — until you remove it or delete your account; erased within 30 days.
  • Time entries, proximity verification results, material requests and tasks — for the life of your account; deleted within 30 days of account deletion (employers remain responsible for separately exporting and retaining time records as required by law — see the note below).
  • Photos — for the life of your account; deleted within 30 days of account deletion.
  • Device & push notification (APNs) tokens — kept while your device is registered for notifications; removed on logout, on token refresh, or within 30 days of account deletion.
  • Active-session records (device name, session identifier, creation and last-use timestamps) — deleted when you sign the device out or it is replaced by a newer sign-in; at the latest within 30 days of account deletion.
  • Error and crash logs — internal server logs may include your IP address and account identifier; error-monitoring reports contain technical details only (see Section 9.3). Both are kept only as long as necessary to diagnose and fix issues, then deleted.
  • Website analytics — retained only in aggregated, non-identifying form (see Section 3.8).

The following general rules also apply:

  • Active accounts: All personal data is retained to provide the service.
  • Account deletion: When you delete your account, all personal data (including time entries, photos, material requests, proximity verification results, and device tokens) is permanently removed from our systems within 30 days.
  • Backups: Residual copies of deleted data may persist in our routine server backups until those backups are overwritten as part of the ordinary backup cycle — at the latest within 6 months — and are not used for any other purpose in the meantime.
  • Anonymized data: Aggregated and anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.
  • Legal requirements: Certain data may be retained beyond the 30-day deletion period if required by Romanian tax, labor, or accounting regulations applicable to Kronly
  • National Identification Number (CNP): If you provided a CNP, it is deleted from Kronly's systems when you delete your account (within the same 30-day window). Where your employer is legally required to retain payroll and fiscal records containing the CNP, your employer — as data controller — is responsible for that separately retained copy (see the note below).

Important Note for Employers

Romanian labor law (Codul Muncii, Art. 268) establishes a 3-year statute of limitations for labor law claims. Employers are legally obligated to retain time tracking records for at least this period. Kronly's 30-day post-deletion policy applies to Kronly's systems only. Employers must independently export and retain time tracking records using Kronly's export functionality to meet their legal retention obligations. Kronly is not responsible for employer compliance with record retention requirements after account data has been deleted.

11. Your Rights

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to rectification (Art. 16 GDPR) — You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to erasure (Art. 17 GDPR) — You have the right to request deletion of your personal data ("right to be forgotten"), subject to certain legal exceptions.
  • Right to restriction of processing (Art. 18 GDPR) — You have the right to request that we restrict the processing of your personal data under certain circumstances.
  • Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format (CSV or JSON), and to transmit it to another controller.
  • Right to object (Art. 21 GDPR) — You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis. If you are a worker and wish to object to proximity verification, you may disable location services on your device; your ability to clock in will not be affected, though proximity verification results will not be available.
  • Right to withdraw consent — Where processing is based on your consent (e.g., push notifications), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to lodge a complaint — You have the right to lodge a complaint with a data protection supervisory authority:
    • In Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — www.dataprotection.ro
    • In your EU Member State: You may lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

To exercise any of these rights, please contact us at privacy@kronly.eu. We will respond to your request within one month, as required by Art. 12(3) GDPR.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: All data transmitted between the Kronly App and our servers is encrypted using TLS/HTTPS.
  • Access-restricted storage: Data is stored on servers in the European Union, on an internal network that is not exposed to the public internet, with access limited to the operator.
  • Authentication: We use JWT (JSON Web Token) authentication with short-lived access tokens (15 minutes) and longer-lived refresh tokens, with revocation support.
  • Rate limiting: API rate limiting protects against brute-force attacks and abuse.
  • Access control: Organization-based multi-tenancy ensures that users can only access data within their own organization.
  • Security headers: Our servers enforce security headers (via Helmet) to mitigate common web vulnerabilities.
  • App verification: All API requests require a verified application identifier to prevent unauthorized access.
  • On-device GPS processing: GPS coordinates are processed locally and never transmitted, eliminating server-side location data exposure.
  • Photo metadata stripping: EXIF GPS data is removed from photos before upload, preventing inadvertent location disclosure.

13. Push Notifications

Kronly uses the Apple Push Notification Service (APNs) to deliver timely notifications to your device. These notifications may include:

  • Clock-in and clock-out reminders
  • Timesheet and material request approval or rejection alerts
  • Team join request notifications (for managers)
  • Task assignment updates

To deliver push notifications, we store your APNs device token on our servers. This token is unique to your device and the Kronly App and cannot be used to identify you personally.

You can disable push notifications at any time in your device settings (iOS: Settings > Notifications > Kronly; Android: Settings > Apps > Kronly > Notifications). Disabling notifications will not affect the core functionality of the App.

14. Children

Kronly is a professional construction management tool and is not intended for use by children under the age of 16. We do not knowingly collect or process personal data from children under 16.

If a worker between 15 and 16 years of age is legally employed under Romanian labor law (Art. 13 Codul Muncii), their employer may request a supervised account with parental or legal guardian consent.

If we become aware that we have inadvertently collected personal data from a child under the applicable age threshold without appropriate consent, we will take immediate steps to delete that data from our systems. If you believe that a child has provided us with personal data, please contact us at privacy@kronly.eu.

15. International Transfers

All core data processed by Kronly — account data, time entries, photos, and proximity verification results — is stored and processed on servers located in the European Union (Hetzner data centres). We do not transfer your personal data outside the European Economic Area (EEA) for the operation of the Service, with the following limited exceptions:

  • Push notifications — delivered through the Apple Push Notification service operated by Apple Inc. (USA); the device push token and the notification content (operational references such as a project, task, or material name — never a person's name, CNP, or location) transit Apple's infrastructure. Apple Inc. is certified under the EU-US Data Privacy Framework.
  • Push notification delivery (Firebase Cloud Messaging) — push notifications for both iOS and Android are delivered through Firebase Cloud Messaging, operated by Google LLC (USA); on iOS the message is relayed by Google to the Apple Push Notification service. The device push token and the notification content (operational references such as a project, task, or material name — never a person's name, CNP, or location) transit Google's infrastructure. Google LLC is certified under the EU-US Data Privacy Framework, covering any access to push tokens and payloads from the United States.
  • Error monitoring — technical error reports, without your name, email address, IP address, or account identifier (see Section 9.3), are stored in Sentry's European Union data region (Frankfurt, Germany); Sentry's operator, Functional Software, Inc. (USA), is certified under the EU-US Data Privacy Framework, which covers any access from the United States.
  • Optional social sign-in — if you choose to sign in with Apple, Google, or Facebook, that provider authenticates you within its own infrastructure (which may be located outside the EEA) under its own privacy policy. The personal data we receive back from these providers — your name, email, and a unique identifier — is stored and processed exclusively on our EU-based servers.

16. Employer Obligations & Romanian Law 190/2018

This section is addressed to organizations and managers using Kronly for workforce management in Romania. Romanian Law 190/2018 establishes specific requirements for employee monitoring that employers must comply with.

16.1 Kronly's Privacy-by-Design Approach

Kronly's on-device proximity verification system is designed to minimize the compliance burden on employers. Because GPS coordinates never leave the worker's device, Kronly's architecture significantly reduces the scope of employee monitoring. The only monitoring-related data transmitted is a boolean proximity result, which does not constitute location tracking under most interpretations of Law 190/2018.

16.2 Employer Responsibilities

Nevertheless, employers deploying Kronly for workforce time tracking should:

  • Assess necessity (Art. 5, Law 190/2018): Determine that using Kronly's time tracking and proximity verification features is justified by legitimate interests and that less intrusive means would not be equally effective.
  • Inform employees (Art. 5, Law 190/2018): Provide employees with complete prior information about the use of Kronly and its proximity verification features before deployment. The notice should explain: what data is collected, how it is used, and that GPS coordinates remain on the device.
  • Consult employee representatives (Art. 5, Law 190/2018): Where applicable, consult with trade unions or employee representatives before deploying the App.
  • Maintain time records (Art. 119, Codul Muncii): Export and independently retain time tracking records for the periods required by law (minimum 3 years).
  • Have a Data Processing Agreement in place: As data controller for employee data, the employer should have a DPA in place with Kronly (see our Data Processing Agreement; a counter-signed copy is available on request).

16.3 DPIA Consideration

Given Kronly's privacy-by-design architecture (no GPS coordinates transmitted, no continuous tracking, no biometric data), a full Data Protection Impact Assessment (DPIA) under Art. 35 GDPR may not be required. However, employers should assess their specific circumstances. If you deploy Kronly alongside other monitoring tools, or if your use case involves additional data processing, a DPIA may be advisable. Kronly will cooperate with any employer conducting a DPIA in relation to the use of the Kronly App. For a practical screening checklist, a DPIA template, and a model employee notice, see our Employer DPIA Guide & Model Notices.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the functionality of the Kronly App.

If we make significant changes to this policy, we will notify you via an in-app notification within Kronly and provide at least 30 days' advance notice. We encourage you to review this policy periodically.

Your continued use of the App after the notice period constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the App and delete your account.

18. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

Oliniuc Bogdan-Nicolae PFA (Persoană Fizică Autorizată)
Bd. Bucureștii Noi nr. 136, parter, ap. 5, Sector 1, Bucharest, Romania
Tax ID (CUI): 46976220  ·  Reg. No.: F2022004979409
Email: privacy@kronly.eu

For data protection complaints, you may contact:

  • ANSPDCP (Romania): Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — www.dataprotection.ro
  • Your local EU supervisory authority: You have the right to lodge a complaint with the data protection authority in your EU Member State of habitual residence (Art. 77 GDPR).

We are committed to resolving any complaints about your privacy and our collection or use of your personal data. We will respond to all inquiries within one month.