
1. Introduction

This Privacy Policy describes how the Work Safety system ("the System" or "WorkSafety") collects, processes, stores and protects personal information of users, employees, contractors and clients.

This policy was written in accordance with Amendment 13 to Israel's Privacy Protection Law, 5741-1981, which came into force on August 14, 2025, aligning Israeli legislation with international privacy standards, particularly the EU GDPR.

WorkSafety is committed to full compliance with all applicable privacy laws and to protecting the information entrusted to us.

2. Key Definitions

  • Personal Information — Any information that identifies or could identify an individual: name, ID number, phone, email, location.
  • Special Category Data — Medical information (occupational exam validity) and national ID numbers, as defined under Amendment 13.
  • Data Subject — Any individual whose personal information is processed in the System: employee, contractor, site manager.
  • Client — A construction company or main contractor that purchased WorkSafety services.
  • Data Processing — Any operation involving information: collection, reading, storage, modification, reporting, deletion.

3. Data Controller Details

| Field | Value |
|---|---|
| System Name | Work Safety |
| Registered Company | Barkai S. Safety Ltd. |
| Company Number | 515782050 |
| Address | D.N. Galil Tachton, Moshav Ilaniya 1525500, Israel |
| Privacy Email | privacy@worksafety.io |
| Data Protection Officer (DPO) | Bernard Dahan |
| Website | worksafety.io |

4. Information We Collect and Why

4.1 System Users

  • Full name, username, email, phone — Identification and login
  • Role and permission level — Access control
  • Action history (Audit Log) — Security and compliance
  • IP address and login data — Account security

4.2 Employees and Contractors

  • Full name, national ID, date of birth — Identification for legal safety requirements
  • Mobile phone and email — Communication, safety alerts
  • Profession and site role — Training assignment, site access permissions
  • Medical examination validity (sensitive information) — Compliance with Safety Regulations (2013)
  • Safety training and professional licence validity — Regulatory compliance, accident prevention
  • Digital signatures — Consent records and attendance verification at training sessions

We do not collect information that is not required for safety management.

5. Legal Basis for Processing

  • Legal Obligation — Processing safety information to comply with the 2013 Safety Regulations.
  • Contractual Agreement — Processing user information to provide the service.
  • Data Subject Consent — For information that is not legally required (photo, precise location).
  • Legitimate Interest — Information security management, fraud prevention.

6. Special Category Data

WorkSafety acknowledges that certain data in the system is classified under Israeli law as "Special Category Data" requiring enhanced protection. The following categories are protected through advanced safeguards:

  • Medical data (occupational exam validity) — Accessible only to authorised users by role (safety officer, company administrator, system administrator) via Role-Based Access Control (RBAC). All access to this field is recorded in the audit log.
  • National ID numbers — Accessible only to authorised users by role. All actions on this field are recorded in the audit log. Database access is password-protected at the server level and is not exposed to the network.

WorkSafety will not transfer special category data to any third party without the explicit consent of the data subject, except where required by an explicit legal demand from a competent authority.

WorkSafety is continuously strengthening its security measures and is considering the addition of field-level encryption for sensitive personal data as part of its security roadmap.

7. Transfers to Third Parties

WorkSafety does not sell or share information for marketing purposes. Information is transferred only in the following cases:

  • Hosting Provider (VPS) — Active DPA contract, data hosted in Israel.
  • Green-API (WhatsApp) — Safety alerts only.
  • SMTP Provider — Sending alerts and reports.
  • Competent Authority — Pursuant to an explicit legal demand only.

8. Data Retention

| Data Type | Retention Period |
|---|---|
| Active employee data | Employment period + 7 years |
| Safety training records | 7 years (regulatory requirement) |
| Inspection reports | 7 years |
| Digital signatures | 7 years |
| Access logs (Audit Trail) | 3 years |
| Closed client account | 3 years from termination date |
| Daily database backups | 30 days, automatic deletion |
| Infrastructure backups (VPS) | Rolling 7-backup window at hosting provider |

9. Your Rights

Under Amendment 13, every individual whose personal information is held in the System has the following rights:

| Right | Timeline | How to Exercise |
|---|---|---|
| Access to information | 30 days | Written request to Privacy Officer |
| Correction of information | 30 days | Request with details of error |
| Deletion of information | 30 days | Written request with explanation |
| Restriction of processing | Immediate | Contact the Privacy Officer |
| Objection to processing | Immediate | Contact the Privacy Officer |

Contact: privacy@worksafety.io

10. Data Security

Technical Measures

  • HTTPS/TLS 1.2+ on all communications (valid certificate, enforced HSTS)
  • AES-256 encryption for external service credentials (SMTP, Aconex) in the database
  • User passwords — bcrypt with cost=12 and random salt
  • Role-Based Access Control (RBAC) — field-level access restricted by user role
  • Login rate limiting — automatic lockout after 5 failed attempts
  • CSRF Token protection on every administrative action
  • XSS and SQL Injection protection (PDO Prepared Statements)
  • Audit Trail — every administrative action is logged and retained for 3 years
  • Daily automatic database backup (mysqldump + gzip compression), retained for 30 days in a protected directory on the server
  • Full VPS infrastructure backup by the hosting provider, with a rolling 7-backup window

Organisational Measures

  • WorkSafety personnel are bound by strict confidentiality obligations
  • Access to client data is restricted by role
  • External vendors are bound by Data Processing Agreements (DPA)

WorkSafety is continuously strengthening its security measures and is considering the addition of field-level encryption for sensitive personal data (national ID numbers, medical information) as part of its security roadmap.

11. Data Breach Incidents

In the event of a breach, leak or unauthorised access:

  • Notification to the Privacy Protection Authority within 72 hours
  • Personal notification to affected data subjects
  • Full documentation of the incident, causes and investigation outcomes

To report a suspected incident: security@worksafety.io

12. Consent and Notice on Data Entry

When entering a new employee, the manager confirms that the employee has been informed about the storage of their data. Information that is not legally required is marked "optional" in the interface. When creating a user account, a record of the acknowledgement is stored along with the date and policy version.

13. Client Responsibilities

System clients (construction companies) are joint controllers of the information they enter, and are required by Amendment 13 to comply with the following obligations:

  • Inform their employees about the storage of their data in WorkSafety
  • Verify authorisation for the collection of special category data
  • Refrain from entering excessive information that is not required
  • Handle their employees' access and deletion requests

WorkSafety undertakes to provide every client with a Data Processing Agreement (DPA) containing the clauses required under Amendment 13. This agreement is essential for legal compliance. Clients may request a copy of the DPA at privacy@worksafety.io.

14. Cookies

| Cookie | Purpose |
|---|---|
| PHPSESSID | Session identification — essential, cannot be disabled |
| CSRF Token | Security protection — essential, cannot be disabled |
| Service Worker Cache | PWA — can be cleared in browser settings |

The System does not use any marketing, tracking or analytics cookies (no Google Analytics, no Meta Pixel).

15. Policy Updates

For any material update: notification to account administrators 30 days in advance, publication of the new version in the interface, and recording of the version number and date. Continued use after a new version is published shall constitute acceptance of its terms.

16. Filing a Complaint with the Privacy Protection Authority

If you are not satisfied with how your request has been handled, you have the right to file a complaint with the Privacy Protection Authority: