Privacy Policy
Version 2.0 — January 2026 | Last updated: January 2026
This policy describes how Work Safety collects, processes, stores and protects personal information of users, employees, contractors and clients, in accordance with Amendment 13 to Israel's Privacy Protection Law, 5741-1981.
Table of Contents
- Introduction
- Key Definitions
- Data Controller Details
- What Data We Collect and Why
- Legal Basis for Processing
- Special Category Data
- Transfers to Third Parties
- Data Retention
- Your Rights
- Data Security
- Data Breach Incidents
- Consent and Notice
- Client Responsibilities
- Cookies
- Policy Updates
- Filing a Complaint
1. Introduction
This Privacy Policy describes how the Work Safety system ("the System" or "WorkSafety") collects, processes, stores and protects personal information of users, employees, contractors and clients.
This policy was written in accordance with Amendment 13 to Israel's Privacy Protection Law, 5741-1981, which came into force on August 14, 2025, aligning Israeli legislation with international privacy standards, particularly the EU GDPR.
2. Key Definitions
- Personal Information — Any information that identifies or could identify an individual: name, ID number, phone, email, location, etc.
- Special Category Data — Medical information (exam validity), biometric data (digital signatures), and national ID numbers, as defined under Amendment 13.
- Data Subject — Any natural person whose personal information is processed in the system: employee, contractor, site manager, safety inspector.
- Client / Joint Controller — A construction company, general contractor, or any other entity that has purchased WorkSafety services and manages personal data through the system.
- Processing — Any operation performed on data: collection, reading, storage, modification, reporting, transmission, deletion.
3. Data Controller Details
In accordance with Amendment 13, the following are the details of the data controller:
| Detail | Value |
|---|---|
| System Name | Work Safety |
| Company Registration No. | 515782050 |
| Address | Moshav Ilaniya, Israel |
| Phone | 054-6020220 |
| Privacy Contact Email | privacy@worksafety.io |
| Data Protection Officer (DPO) | Bernard Dahan |
| Website | worksafety.io |
4. What Data We Collect and Why
WorkSafety collects personal data only for the purposes listed below, in accordance with the principle of data minimisation:
4.1 System Users (Managers, Safety Inspectors)
- Full name, username, email address, phone number — Identification, login, alert delivery
- Role and permission level — Access control
- Action history (Audit Log) — Security, regulatory compliance, fraud prevention
- IP address and login data — Account security, intrusion detection
4.2 Employees and Contractors
- Full name, national ID, date of birth, gender — Identification for legal safety requirements
- Mobile phone and email — Communication, safety alerts
- Profession and site role — Training assignment, site access permissions
- Medical examination validity (Special Category) — Compliance with Safety Regulations (2013)
- Safety training and professional licence validity — Regulatory compliance, accident prevention
- Digital signatures (Biometric) — Attendance verification at training sessions and safety document acknowledgement
- Profile photo (optional) — Visual identification on employee card
4.3 Work Sites and Operational Data
- Inspection and defect photos — Documentation and corrective action tracking
- Site GPS coordinates — Site management and regulatory reporting
- Completed inspection form content — Regulatory compliance, audit records
5. Legal Basis for Processing
WorkSafety processes personal data on one or more of the following grounds:
- Legal obligation — Processing safety data is required to comply with the Occupational Safety Regulations (2013) and the Work Safety Ordinance.
- Contractual necessity — Processing user and client data is necessary to provide the WorkSafety service.
- Consent — For data not required by law (e.g., photos, precise location), we collect data only after obtaining explicit consent.
- Legitimate interest — Information security management, fraud prevention, service improvement — always limited to the minimum necessary.
6. Special Category Data
Under Amendment 13, the following categories are defined as "Special Category Data" and are subject to enhanced protection:
- Medical data — Periodic examination validity is stored encrypted, accessible only to the safety officer and system administrator.
- Biometric data (signatures) — Stored as an encrypted hash; cannot be reconstructed.
- National ID numbers — Encrypted storage; only the last 4 digits are displayed in the interface.
7. Transfers to Third Parties
WorkSafety does not sell, rent or share personal data for marketing purposes. Data may only be transferred in the following cases:
7.1 Infrastructure Service Providers (Processors)
Under the "Processor" definition in Amendment 13, the following parties process data on our behalf and are contractually bound to comply with the law:
- Hosting Provider (VPS) — Data Processing Agreement (DPA) in force. Location: Israel.
- WhatsApp Service (Green-API) — Used solely for sending safety alerts. No content retention.
- Email Provider (SMTP) — Used for sending alerts and reports. No access to database content.
7.2 Competent Authorities
In accordance with applicable law, we will disclose data to enforcement authorities, the Privacy Protection Authority, labour inspectors, or a court — only in response to an explicit legal requirement and limited to the scope required.
7.3 Clients
WorkSafety clients (construction companies) access only the data of their own employees and contractors, within their defined permission scope. There is no cross-access between different clients.
8. Data Retention
WorkSafety retains personal data for the period required by law and for legitimate business purposes — and no longer:
| Data Type | Retention Period |
|---|---|
| Active employee data | Duration of employment + 7 years (statute of limitations) |
| Safety training records | 7 years from training date (regulatory requirement) |
| Inspection and audit reports | 7 years |
| Digital signatures | 7 years |
| Access logs (Audit Trail) | 3 years |
| Terminated client account data | 3 years from contract end date |
| Backups | 30 days, then automatic deletion |
9. Your Rights
Under Amendment 13, every individual whose personal data is held in WorkSafety has the following rights:
| Right | Response Time | How to Exercise |
|---|---|---|
| Access to data | 30 days | Written request to the DPO |
| Correction of data | 30 days | Request detailing the inaccuracy |
| Erasure of data | 30 days | Written request with explanation |
| Restriction of processing | Immediate | Contact the DPO |
| Objection to processing | Immediate | Contact the DPO |
To submit a request: privacy@worksafety.io — please include your full name, ID number (for identity verification), and a description of your request.
10. Data Security
WorkSafety implements technical and organisational security measures in accordance with the Privacy Protection Regulations (Data Security), 5777-2017:
Technical Measures
- HTTPS/TLS 1.2+ on all communication between browser and server
- AES-256 encryption of special category data fields in the database
- Passwords — bcrypt with random salt; passwords cannot be recovered from the database
- RBAC — each user accesses only data relevant to their role
- Rate limiting, CSRF tokens, XSS and SQL Injection protection
- Audit Trail — every administrative action is logged with timestamp, user, IP and data change
- Daily encrypted backup, retained for 30 days
Organisational Measures
- WorkSafety staff are bound by strict confidentiality obligations regarding client data
- Access to client data is restricted to specific individuals by role
- Third-party suppliers have signed Data Processing Agreements (DPA)
11. Data Breach Incidents
Under Amendment 13, in the event of a material data security incident (breach, leak, or unauthorised access):
- WorkSafety will notify the Privacy Protection Authority within 72 hours of discovering the incident
- Affected data subjects will receive personal notification as soon as practicable
- The notification will include: description of the incident, type of data exposed, and remediation steps taken
- A full record of the incident, its causes, and the findings of the internal investigation will be maintained
To report a suspected security incident: security@worksafety.io
12. Consent and Notice
Under Amendment 13, wherever new personal data is entered into the system, notice is provided and consent is documented:
12.1 New Employees
- When adding an employee, the authorised manager confirms that the employee has been informed about how their data will be stored
- The type of data collected and its purpose are displayed in the interface at the point of entry
- Data that is not legally mandatory (photo, address) is marked "Optional" in the interface
12.2 System Users
- When creating a user account, the user confirms they have read this Privacy Policy
- The date, time, and version of the policy accepted are recorded
13. Client Responsibilities
WorkSafety clients (construction companies, general contractors) are "joint controllers" of the data they enter into the system. Under Amendment 13, the following obligations apply to them:
- Inform their employees about how their data is stored in WorkSafety
- Ensure they are authorised to collect and enter special category data (medical examinations, etc.)
- Refrain from entering excessive data beyond what is required for safety management
- Handle access and erasure requests from their employees in coordination with WorkSafety
WorkSafety provides every client with a Data Processing Agreement (DPA) defining the allocation of responsibilities between the parties. This agreement is required for legal compliance.
14. Cookies
The system uses cookies solely for operational purposes:
| Cookie | Purpose |
|---|---|
| PHPSESSID | Active session identification — essential, cannot be disabled |
| CSRF Token | Security protection — essential, cannot be disabled |
| Service Worker Cache | Static file caching for PWA — can be cleared in browser settings |
| IndexedDB | Temporary offline data storage — can be cleared in browser settings |
The system does not use marketing, tracking or analytics cookies (no Google Analytics, Meta Pixel, or similar).
15. Policy Updates
WorkSafety reserves the right to update this policy from time to time. For any material update:
- Account managers will be notified 30 days before the change takes effect
- The updated version will be published in the system interface
- A version number and update date will be recorded
16. Filing a Complaint
If you are not satisfied with how we have handled your request, you have the right to file a complaint with the Israeli Privacy Protection Authority:
| Detail | Value |
|---|---|
| Authority | Israeli Privacy Protection Authority |
| Address | 39 Yirmiyahu St., Jerusalem 9446722 |
| Website | gov.il/privacy |
| Email | ppa@justice.gov.il |
| Phone | 02-5196666 |