Privacy Policy

1. Introduction

This Privacy Policy describes how Orator ("we", "us", or "our") collects, uses, and shares information about you when you use our Huskies application, website, API, and mobile application (collectively, the "Service").

This policy is issued in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") and applies to all users of the Service, including the web application at huskies.gr, the API at api.huskies.gr, and the Huskies mobile application.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

When we process personal data on behalf of your organization (our client), your organization acts as the Data Controller and Orator acts as the Data Processor. In such cases, data processing is governed by a Data Processing Agreement between Orator and your organization.

3. Information We Collect

3.1 Information You Provide

When you create an account or use the Service, we collect:

• Name and email address
• Phone number
• Organization information
• Profile information you choose to provide
• Content you create within the application (projects, tasks, schedules, documents)
• Messages and communications within the platform (in-app conversations)

3.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Device information (device type, operating system)
• Log data (access times, pages viewed, IP address for security and abuse prevention)
• Usage data (features used, interactions with the Service)
• Error and performance data (via Sentry, for service reliability)

3.3 Mobile Application Data

When you use our mobile application, we may collect additional information with your permission:

• Location data: We collect precise location data to show nearby tasks and help you navigate to job sites. Location is collected only while the app is in use or with your explicit permission for background location access. Location data is automatically deleted after 30 days.
• Camera and photos: We access your camera and photo library only when you choose to take or select photos for work-related attachments. We do not access your camera or photos without your action.
• Local storage: The app stores data locally on your device (using SQLite) to enable offline functionality. This data is synced with our servers when connectivity is available.
• Push notifications: With your permission, we send push notifications for task updates and important alerts via the Expo push notification service.

3.4 Call Data

If your organization has enabled the VoIP integration (3CX), call history and phone numbers may be synced with the Service for work-related communication tracking.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

5. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process transactions and send related information
• Send technical notices, updates, and support messages
• Send push notifications for task updates and alerts (with your consent)
• Respond to your comments, questions, and requests
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent security incidents and abuse
• Monitor errors and maintain service reliability (via Sentry)

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

• With your consent or at your direction
• With service providers (sub-processors) who assist in operating our Service (see Section 13)
• Within your organization, as part of the team collaboration features of the Service
• To comply with legal obligations
• To protect the rights, safety, and security of our users and third parties

7. International Data Transfers

Our primary infrastructure is located in Germany (European Union). All databases, backups, and file storage are hosted by Hetzner Online GmbH in the Nuremberg (nbg1) region.

The following limited data transfers outside the EU occur:

No other personal data is transferred outside the European Economic Area. We ensure that any transfer of personal data to a third country is subject to appropriate safeguards as required by GDPR Chapter V.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information. These include:

• Encryption at rest: Sensitive personal data (email addresses, phone numbers) is encrypted using AES-256-GCM
• Encryption in transit: All data transmitted between your device and our servers is protected by TLS/HTTPS
• Password security: Passwords are hashed using bcrypt with a high work factor and are never stored in plaintext
• Access control: Role-based access control (RBAC) with entity-level, field-level, and system-level permissions
• Login protection: Rate limiting on login attempts with IP-based and username-based blocking
• Session management: Sessions expire automatically and concurrent sessions are limited
• Backups: Automated database backups every 6 hours, stored securely within the EU
• Monitoring: Continuous availability monitoring via our status page at status.huskies.gr
• Audit trails: All significant actions (entity changes, login events, permission changes, file access) are logged

No method of transmission over the Internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

9. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy. Specific retention periods are:

When data reaches the end of its retention period, it is permanently deleted through automated cleanup processes. You may request earlier deletion of your data at any time (see Section 11).

10. Cookies and Local Storage

Our Service uses a single authentication cookie ("huskies_token") that is strictly necessary for the Service to function. This cookie contains a session token that identifies you when you are logged in.

We do not use any analytics, tracking, advertising, or third-party cookies. Because we only use a strictly necessary cookie, no cookie consent banner is required under the ePrivacy Directive.

The mobile application uses secure on-device storage to store authentication tokens and local data for offline functionality. This data remains on your device and is not accessible to third parties.

11. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of all personal data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to restrict processing (Art. 18): Request that we limit how we use your data
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent (Art. 7(3)): Withdraw consent at any time for processing based on consent (e.g., location tracking, push notifications)

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

How to Exercise Your Rights

To exercise any of these rights, please contact us at hello@huskies.gr. We will respond to your request within 30 calendar days. We may need to verify your identity before fulfilling your request. If your request is complex or we receive a large number of requests, we may extend the response period by an additional 60 days, and we will inform you of any such extension.

There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.

12. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

Our lead supervisory authority is:

13. Sub-processors

We use the following third-party service providers (sub-processors) to help us operate the Service:

We maintain data processing agreements with all sub-processors. We will notify users of any material changes to this list. We do not use any analytics or advertising services.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Hellenic Data Protection Authority (HDPA) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
• Notify affected users without undue delay when the breach is likely to result in a high risk to rights and freedoms, as required by GDPR Article 34
• Provide clear information about the nature of the breach, the data involved, the likely consequences, and the measures we have taken to address it

15. Children's Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete such information.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

For material changes that affect how we process your personal data, we will provide at least 30 days' advance notice and notify registered users by email where possible.

17. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at: