Legal

Privacy Policy

Last updated: 11 March 2026

1. Who We Are (Data Controller)

DSJ Holdings MB ("CONCAM", "we", "us", "our") is the data controller responsible for your personal data processed through the CONCAM platform.

  • Company: DSJ Holdings MB
  • Registration No.: 306983891
  • Address: Spaudos g. 9, LT-05132 Vilnius, Lithuania
  • Email: info@dsj.lt

2. Scope and Applicable Law

This Privacy Policy applies to all personal data we process in connection with the CONCAM construction site monitoring platform (the "Service"). We process personal data in compliance with:

  • EU General Data Protection Regulation (GDPR) — Regulation 2016/679
  • Republic of Lithuania Law on Legal Protection of Personal Data
  • Norwegian Personal Data Act (Personopplysningsloven), implementing GDPR via EEA Agreement
  • Swedish Data Protection Act (Dataskyddslagen 2018:218)
  • Danish Data Protection Act (Databeskyttelsesloven)
  • Finnish Data Protection Act (Tietosuojalaki 1050/2018)
  • Latvian Personal Data Processing Law (Fizisko personu datu apstrādes likums)
  • Estonian Personal Data Protection Act (Isikuandmete kaitse seadus)
  • Polish Personal Data Protection Act (Ustawa o ochronie danych osobowych)

3. Data We Collect

3.1 Account Data

When you create an account or are invited to the platform, we collect your name, email address, and organisation membership. Authentication is handled by our identity management provider (see Section 6).

3.2 Usage Data

We may log server-side events such as API request timestamps, IP addresses, and error traces for the purposes of security monitoring and debugging. These are not used for profiling.

3.3 Site Photography

Cameras installed on construction sites capture images of the site at configured intervals. These images may incidentally contain images of workers or other individuals on site. Site operators are responsible for displaying appropriate notices on-site in accordance with applicable national law. Imagery is stored on EU-based cloud storage infrastructure.

3.4 Cookie Data

We use strictly necessary cookies for session management and authentication. See our Cookie Policy for details.

4. Legal Basis for Processing

Processing ActivityLegal Basis (GDPR Art. 6)
User authentication and account managementArt. 6(1)(b) — performance of a contract
Delivery of the monitoring platform to clientsArt. 6(1)(b) — performance of a contract
Security logging and abuse preventionArt. 6(1)(f) — legitimate interests
Compliance with legal obligationsArt. 6(1)(c) — legal obligation
Site photography (construction documentation)Art. 6(1)(b) or 6(1)(f) — contract / legitimate interests of the site operator

5. Retention Periods

  • Account data: Retained for the duration of the active account. Deleted within 30 days of account termination unless required by law.
  • Site photography: Retained for the duration of the client contract and a 30-day archival period thereafter, unless the client requests earlier deletion.
  • Security & server logs: Retained for a maximum of 90 days.
  • Device telemetry & alerts: Retained for a maximum of 90 days.
  • Cookie consent records: Retained in your browser's local storage. Cleared when you clear browser data.

6. Third-Party Processors

ProcessorPurposeLocationSafeguard
Identity Management ProviderAuthentication & user managementUSA (EU data region)Standard Contractual Clauses (SCCs)
EU Cloud Infrastructure ProviderCloud storage for site imagery & platform hostingGermany (EU)EU jurisdiction — GDPR applies directly

We do not sell, rent, or share your personal data with any other third parties for marketing purposes.

7. International Data Transfers

Some personal data (account and authentication data) is processed by our identity management provider, headquartered outside the EU. These transfers are subject to Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to GDPR Article 46(2)(c). All site imagery and metadata are stored exclusively on EU-based cloud infrastructure.

8. Your Rights

Under the GDPR and applicable national laws, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your data where there is no legitimate basis for continued processing.
  • Right to restriction (Art. 18): Request that we limit how we use your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, including data access requests, data export, or account deletion, contact us at info@dsj.lt. All requests are handled manually by our team and we will respond within 30 days in accordance with GDPR Article 12.

9. Right to Lodge a Complaint

If you believe your personal data is being processed in breach of applicable law, you have the right to lodge a complaint with the supervisory authority in your country of residence. Our primary supervisory authority is:

State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — VDAI)

https://vdai.lrv.lt

Residents of other EEA/EU countries may also lodge complaints with their local supervisory authority (e.g., IMY in Sweden, Datatilsynet in Norway/Denmark, Tietosuojavaltuutettu in Finland, Datu valsts inspekcija in Latvia, AKI in Estonia, UODO in Poland).

10. Security

We implement appropriate technical and organisational measures to protect personal data, including encrypted data transfer, server-side authentication, role-based access control, secured camera connections, and firewall hardening on all infrastructure.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay, as required by Article 34.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email or via a notice in the client portal at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For any privacy-related queries, please contact our data protection contact at: info@dsj.lt