Privacy Policy
Version 1.0 · Effective 2025-07-01
Privacy Policy
BERLi Technologies OÜ
⚠️ Limited Availability
BERLi is currently in development. Access is limited to authorized personnel for testing purposes. Full commercial availability will be announced separately.
Version: 1.0
Estimated Effective Date: July 1, 2025
Last Updated: February 27, 2025
This Privacy Policy explains how BERLi Technologies OÜ (“we”, “us”, “our”) collects, uses, discloses, and protects your personal data when you use our HR management platform (“Services”). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR).
We act as Data Controller for customer account data and as Data Processor for employee personal data processed on behalf of our customers.
1. Who We Are
| Field | Value |
|---|---|
| Company | BERLi Technologies OÜ |
| Jurisdiction | Estonia |
| Registration | 12345678 |
| DPO Contact | dpo@berli.io |
| Privacy Contact | privacy@berli.io |
| Address | Tallinn, Estonia |
2. Data We Collect
2.1 Categories of Personal Data
| Category | Examples | Sensitivity |
|---|---|---|
| Identity | Name, date of birth, nationality, ID numbers | Standard |
| Contact | Email, phone, address | Standard |
| Financial | IBAN, salary, tax ID | High |
| Employment | Job title, department, contract details, work hours | Standard |
| Performance | Reviews, goals, feedback | Standard |
| Access | IP address, user agent, login times, device info | Standard |
| Documents | Uploaded files, contracts, certificates | Standard |
2.2 Special Category Data
We may process health data under Article 9(2)(b) GDPR for employment law compliance:
- Sick leave records
- Medical certificates for absence
- Disability accommodations
This data is processed only when necessary and with appropriate safeguards.
2.3 Data Sources
| Source | Data Types | Purpose |
|---|---|---|
| Directly from you | Identity, Contact, Employment | Account creation, profile updates |
| From your organization | Employment, Financial, Performance | HR management |
| Automatically collected | Access, Device | Security, analytics |
| Third parties | Identity verification | Compliance checks |
2.4 Data We Do NOT Collect
We do not collect:
- Biometric data (fingerprints, facial recognition)
- Genetic data
- Political opinions
- Religious beliefs
- Sexual orientation
- Trade union membership
3. How We Use Your Data
3.1 Purposes and Legal Bases
| Purpose | Legal Basis | Data Categories | Retention |
|---|---|---|---|
| Account management | Contract | Identity, Contact | Duration + 30 days |
| Service delivery | Contract | All relevant | Duration + retention |
| Payroll processing | Legal obligation | Financial, Employment | 5 years |
| Employment compliance | Legal obligation | Employment, Health | 5 years post-termination |
| Security | Legitimate interest | Access, Device | 3 years |
| Analytics | Legitimate interest | Anonymized | Aggregated only |
| Product improvement | Legitimate interest | Usage patterns | Anonymized |
| Marketing | Consent (optional) | Contact | Until withdrawal |
3.2 Legitimate Interests
We rely on legitimate interest for:
- Security monitoring and fraud prevention
- Improving our Services
- Direct marketing (with opt-out)
- Internal research and analytics
3.3 Automated Decision-Making
We do not use automated decision-making with legal or significant effects. Our AI features:
- OCR for receipts: Extracts data for expense reports (human review required)
- Document processing: Assists with categorization (user confirms)
- Search: Powers search functionality (no profiling)
All AI-assisted features require human confirmation before final actions.
4. Data Sharing
4.1 Within BERLi
Data is accessible to:
| Role | Access Level | Purpose |
|---|---|---|
| Support staff | As needed | Customer support |
| System administrators | Technical access | Maintenance, security |
| Engineers | Limited, logged | Development, debugging |
| Management | Aggregated | Business oversight |
All personnel are bound by confidentiality agreements and access is logged.
4.2 With Customers
| Data Subject | Data Shared With | Visibility |
|---|---|---|
| Employees | Customer organization | As configured by permissions |
| Staff | Customer administrators | Full visibility |
| Clients | Customer | Project-related only |
4.3 Subprocessors
We use the following subprocessors:
| Processor | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| OVHCloud | Germany | Infrastructure hosting | No transfer (EU) |
| Self-hosted MinIO | Italy | Object storage | No transfer (EU) |
| Self-hosted Ollama | Italy | AI processing | No transfer (EU) |
| Google Firebase | USA | Push notifications | SCCs |
| Google Workspace | USA | Transactional email | SCCs |
4.4 Legal Requirements
We may disclose data when:
- Required by law, court order, or government request
- Necessary to protect our rights, privacy, safety, or property
- Necessary to enforce our agreements
- Necessary to detect, prevent, or address fraud or security issues
We will notify you unless prohibited by law.
5. International Data Transfers
5.1 Within the EU
All primary data storage is within the European Union:
- Germany (OVHCloud): Primary infrastructure
- Italy (Self-hosted): Object storage, AI processing
5.2 Transfers to the US
Limited data is transferred to US providers (Google) under Standard Contractual Clauses (SCCs) approved by the European Commission.
5.3 Supplementary Measures
For transfers to third countries, we implement:
- Encryption: All data encrypted in transit and at rest
- Data minimization: Only necessary data transferred
- Access controls: Strict role-based access
- Contractual protections: Equivalent obligations in contracts
5.4 No Transfers to Inadequate Countries
We do not transfer personal data to countries without an adequacy decision unless SCCs are in place.
6. Data Retention
6.1 Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data | Duration + 30 days | Contract |
| Employment records | 5 years post-termination | Applicable employment law |
| Payroll data | 5 years | Tax/audit requirements |
| Financial records | 5 years | Accounting requirements |
| Access logs | 3 years | Security (Art. 32 GDPR) |
| Backups | 90 days | Recovery |
| Marketing consent | Until withdrawal + 1 year | Documentation |
| Deleted data | 30 days (soft delete) | Recovery window |
6.2 Deletion
After retention periods:
- Data is securely deleted
- Backups are overwritten
- Deletion is logged
- Certificates available upon request
6.3 Legal Holds
Retention periods may be extended for:
- Pending litigation
- Regulatory investigations
- Contractual disputes
7. Your Rights
7.1 GDPR Rights
| Right | Article | Description | How to Exercise |
|---|---|---|---|
| Access | Art. 15 | Copy of your data | App → Settings → Export |
| Rectification | Art. 16 | Correct inaccurate data | Edit profile or contact support |
| Erasure | Art. 17 | Delete your data | App → Settings → Delete Account |
| Restriction | Art. 18 | Limit processing | Contact privacy@berli.io |
| Portability | Art. 20 | Data in machine-readable format | Export feature (JSON/CSV) |
| Object | Art. 21 | Object to processing | Opt-out or contact us |
| Automated decisions | Art. 22 | Human review | Contact us |
7.2 Response Timeline
| Request Type | Standard Timeline | Extension |
|---|---|---|
| Simple access | 14 days | Up to 30 days |
| Complex requests | 30 days | Up to 90 days (with notice) |
| Urgent requests | 7 days | As applicable |
7.3 Verification
To protect your data, we may:
- Verify identity before fulfilling requests
- Request additional information
- Use secure communication channels
7.4 Exemptions
Rights may be limited when:
- Processing is necessary for legal claims
- Data must be retained by law
- Disclosure would adversely affect others’ rights
- Request is manifestly unfounded or excessive
7.5 Complaints
You have the right to lodge a complaint with a supervisory authority:
- Estonia: Andmekaitse Inspektsioon
- Denmark: Datatilsynet
- Italy: Garante Privacy
- Your country of residence: Local DPA
8. Security Measures
8.1 Technical Measures
| Category | Measures |
|---|---|
| Encryption | AES-256 at rest, TLS 1.3 in transit |
| Access control | Role-based, principle of least privilege |
| Authentication | Magic link + secure session management |
| Monitoring | 24/7 system monitoring, intrusion detection |
| Backups | Daily backups, 90-day retention, encrypted |
| Network | Firewall, VPN for admin access, DDoS protection |
| Audit | Comprehensive audit logging |
8.2 Organizational Measures
| Category | Measures |
|---|---|
| Training | Regular data protection training for all staff |
| Access reviews | Quarterly access audits |
| Policies | Documented security and data protection policies |
| Incident response | Documented breach response procedures |
| Vendor management | Due diligence on all subprocessors |
| Background checks | For personnel with access to sensitive data |
8.3 Certifications
We are working toward:
- ISO 27001 (Information Security)
- SOC 2 Type II
8.4 Breach Notification
In case of a personal data breach affecting your data:
| Recipient | Timeline | Method |
|---|---|---|
| Supervisory authority | Within 72 hours | Official notification |
| Affected individuals | Without undue delay | Email (if high risk) |
| Affected customers | Within 48 hours | Email + phone |
Notification includes:
- Nature of the breach
- Categories and approximate number of individuals affected
- Likely consequences
- Measures taken or proposed
- Contact point for more information
9. Children’s Privacy
9.1 Age Restrictions
- Under 16: Not permitted to use BERLi
- 16-18: May use with parental or guardian consent
- 18+: Full access
9.2 Data from Children
We do not knowingly collect personal data from children under 16. If we discover we have collected such data, we will:
- Delete it immediately
- Notify the parent/guardian if identifiable
- Document the deletion
9.3 Reporting
If you believe a child under 16 has provided us with personal data, contact: privacy@berli.io
10. Cookies and Tracking
10.1 Essential Cookies
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
sup | Access token | Session | Essential |
ent | Refresh token | 7 days | Essential |
preferences | User preferences | 1 year | Functional |
10.2 Analytics
We use self-hosted analytics with:
- Anonymized IP addresses
- No cross-site tracking
- No third-party cookies
- No profiling
10.3 No Third-Party Tracking
We do not use:
- Google Analytics
- Facebook Pixel
- Third-party advertising cookies
- Cross-site tracking
10.4 Cookie Management
You can manage cookies through:
- Browser settings
- App preferences
- Opt-out mechanisms
11. Changes to This Policy
11.1 Notification
We will notify you of material changes via:
- Email to your registered address
- In-app notification with countdown
- Banner notice in application
11.2 Notice Period
We provide at least 30 days notice before material changes take effect.
11.3 Acceptance
- Continued use after effective date constitutes acceptance
- You may reject changes and terminate without penalty
11.4 Version History
All versions are archived and available upon request.
12. Contact Information
12.1 General Privacy Inquiries
- Email: privacy@berli.io
- Response time: 5 business days
12.2 Data Protection Officer
- Email: dpo@berli.io
- Response time: 10 business days
12.3 Legal Department
- Email: legal@berli.io
12.4 Postal Address
BERLi Technologies OÜ
Data Protection Officer
[Address]
Tallinn, Estonia
13. Related Documents
Policy History
| Version | Effective Date | Changes |
|---|---|---|
| 1.0 | July 1, 2025 (est.) | Initial version |
Last updated: February 27, 2025