Last updated: 9 May 2026
DSJ Holdings MB ("CONCAM", "we", "us", "our") is the data controller responsible for your personal data processed through the CONCAM platform.
This Privacy Policy applies to all personal data we process in connection with the CONCAM construction site monitoring platform (the "Service"). We process personal data in compliance with:
When you create an account or are invited to the platform, we collect your name, email address, and organisation membership. Authentication is handled by our identity management provider (see Section 6).
When a construction project is set up on the platform, our administrators record contact details for the client representative — typically their name, email address, phone number, company name, and project location. These details are used solely to administer the contract and to contact the client about service operations. Where the contact is also a platform user, the data overlaps with the Account Data described above.
Standard web server access logs are recorded for security monitoring and abuse prevention, including IP address, request URL, response status, and timestamp. Application logs are limited to error traces and operational events and do not contain identifying information beyond what is necessary to diagnose the issue. Logs are not used for profiling or behavioural advertising.
We process several categories of construction site imagery: (a) periodic photographs captured automatically by fixed cameras installed on site, (b) drone photographs uploaded by the client, and (c) 360° panoramic images uploaded for site walk navigation. Any of these may incidentally contain images of workers, visitors, or other individuals on site. Site operators are responsible for displaying appropriate notices on-site and informing affected individuals in accordance with applicable national law. All imagery is stored on EU-based cloud storage infrastructure.
We use strictly necessary cookies for session management and authentication. See our Cookie Policy for details.
We assign and store technical identifiers for camera devices connected to the platform, including a private VPN address, a hostname, and a physical site location label. These identifiers refer to hardware, not to individuals, and are used to route monitoring traffic and display device status.
When you visit our public marketing site (concam.lt) and have given consent for marketing cookies via the cookie banner, Google Ads receives a limited set of measurement data: a click identifier (gclid) if you arrived from one of our ads, the URL of the page visited, technical browser information (user agent, screen size), and the occurrence of conversion events (such as opening the customer-portal sign-in page). Without your consent, the Google tag operates in Consent Mode v2 default-denied state and only the conversion event count is sent in an anonymised, aggregated form. No advertising data is processed when you are signed in to the customer portal — the marketing tag only loads on the public marketing site.
When a user with an administrative or moderator role performs a privileged operation in the platform (for example, creating, modifying, or deleting devices, projects, scrapers, schedules, organisations, or user roles), we record an audit-log entry. Each entry contains the actor's user identifier (issued by our authentication provider) and email address, the IP address and user-agent string of the request, the action name, a reference to the affected object (type and identifier), a JSON description of the change, and a timestamp. These entries are only created for privileged operations and are not generated by ordinary client use of the platform.
When a project administrator creates a public share link, anyone in possession of the link can view photographs the administrator has chosen to share. For each share link, we record: the link's opaque token, the date and time it was last accessed (lastAccessedAt), and a running count of accesses (accessCount). We do not record the IP address or user-agent string of viewers who reach photographs through a share link. The information is used to provide administrators with usage telemetry for revocation decisions. Share-link records are deleted 30 days after the link is revoked or expires.
When you submit an issue report via the in-app 'Report an issue' button, we record the category you selected (bug, translation, UX, other), the description you typed, the URL of the page you were on, your browser's user-agent string and viewport size, the locale you were using, your IP address, and a timestamp. If you are signed in, we also associate the report with your Clerk user identifier and email address. The information is used solely to investigate and resolve the reported problem. Issue reports are retained for 12 months from submission and then deleted automatically.
Project administrators may configure 'privacy masks' on individual cameras to blur portions of every photograph captured by that camera before it is displayed in our platform. This serves data minimisation under GDPR Art. 5(1)(c) by reducing the personal data contained in each photograph at the point of viewing. The mask itself (a set of polygon coordinates and a blur intensity) is stored in our database. The original, unblurred photograph remains on our storage box and is accessible only to authenticated administrators of the project through the privacy-mask configuration interface. Blurred outputs are cached on our servers to avoid recomputing on every view; the cache is invalidated when the mask is changed and is bounded in size.
Project administrators with appropriate organisational permissions may convert a soft privacy mask into a 'permanent' privacy mask. When this is done, our servers process every existing photograph from the affected camera, apply the blur, and overwrite the original photograph on disk. After this operation: (a) the original (unblurred) photographs are no longer recoverable; (b) all future photographs uploaded from this camera will be automatically blurred at the same coordinates before being stored. This option exists for organisations whose privacy requirements (e.g., contractual obligations to data subjects) demand that no unblurred copy ever exist on our infrastructure. The choice between 'soft' and 'permanent' mode is configured by an organisation administrator and may be globally constrained or required by the platform operator (CONCAM).
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| User authentication and account management | Art. 6(1)(b) — performance of a contract |
| Delivery of the monitoring platform to clients | Art. 6(1)(b) — performance of a contract |
| Security logging and abuse prevention | Art. 6(1)(f) — legitimate interests |
| Compliance with legal obligations | Art. 6(1)(c) — legal obligation |
| Site photography (construction documentation) | Art. 6(1)(b) or 6(1)(f) — contract / legitimate interests of the site operator |
| Conversion measurement and online advertising | Art. 6(1)(a) — your consent |
| Administrative audit logging (security, accountability, abuse detection) | Art. 6(1)(f) — legitimate interests (IT security and demonstrability of compliance) |
| User-submitted issue reports (operational quality improvement) | Art. 6(1)(f) — legitimate interests (diagnosing and resolving reported defects) |
| Image processing — soft and permanent privacy masks (data minimisation) | Art. 6(1)(f) — legitimate interests (data minimisation under GDPR Art. 5(1)(c); meeting controller-determined privacy obligations) |
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Clerk Inc. | Authentication, user identity, and organisation management | United States (with EU data region available) | Standard Contractual Clauses (SCCs); Clerk DPA |
| Hetzner Online GmbH | Cloud storage for site imagery, hosting infrastructure, and database storage | Germany (EU) | EU jurisdiction — GDPR applies directly; Hetzner DPA |
| Svix Inc. | Webhook signature verification and delivery for authentication events | United States | Standard Contractual Clauses (SCCs) |
| Google Ireland Limited / Google LLC | Advertising measurement, conversion tracking, ad delivery on public marketing site (concam.lt only) | Ireland (EU) / United States | EU jurisdiction (Google Ireland) / EU-US Data Privacy Framework + Standard Contractual Clauses (Google LLC); Google Ads Data Processing Terms |
| Google Fonts (Google LLC) | Serves web fonts (Geist Sans, Geist Mono) used in the user interface | United States | Standard Contractual Clauses (SCCs); Google Fonts does not set cookies and does not log identifying request data for end-user analytics |
| sharp (libvips) | Server-side image processing for privacy-mask blur | In-process on our EU-hosted VPS | Not a third-party processor — runs entirely within our infrastructure |
Our processors may engage their own sub-processors to deliver their services. Clerk, for example, uses Cloudflare, Inc. (US/global) for bot protection and challenge verification on authentication flows. A current list of sub-processors is available from each processor and on request from us at info@dsj.lt.
We do not sell, rent, or share your personal data with any other third parties for marketing purposes.
Some personal data (account and authentication data) is processed by our identity management provider, headquartered outside the EU. These transfers are subject to Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to GDPR Article 46(2)(c). All site imagery and metadata are stored exclusively on EU-based cloud infrastructure.
Under the GDPR and applicable national laws, you have the following rights:
Erasure requests directed at entries in our administrative audit log may be restricted under GDPR Article 17(3)(e) and (b) where retention is necessary for the establishment, exercise, or defence of legal claims, or for compliance with a legal obligation. In place of deletion, and on request, we will pseudonymise such entries by replacing the actor's email address with a one-way hashed value, while preserving the operational record needed for security and accountability.
Photographs displayed via public share links carry a CSS watermark overlay and the browser's right-click context menu is suppressed. These are visual deterrents intended to discourage casual saving and reuse. They are not cryptographic protections — a viewer using browser developer tools can remove the overlay and read the image directly from the network response. If your project contains imagery whose redistribution requires strong technical protection, do not use the public share link feature for it; share via authenticated dashboard access instead.
To exercise any of these rights, including data access requests, data export, or account deletion, contact us at info@dsj.lt. All requests are handled manually by our team and we will respond within 30 days in accordance with GDPR Article 12.
If you believe your personal data is being processed in breach of applicable law, you have the right to lodge a complaint with the supervisory authority in your country of residence. Our primary supervisory authority is:
State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — VDAI)
https://vdai.lrv.lt
Residents of other EEA/EU countries may also lodge complaints with their local supervisory authority (e.g., IMY in Sweden, Datatilsynet in Norway/Denmark, Tietosuojavaltuutettu in Finland, Datu valsts inspekcija in Latvia, AKI in Estonia, UODO in Poland).
We implement appropriate technical and organisational measures to protect personal data, including encrypted data transfer, server-side authentication, role-based access control, secured camera connections, and firewall hardening on all infrastructure.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay, as required by Article 34.
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email or via a notice in the client portal at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
For any privacy-related queries, please contact our data protection contact at: info@dsj.lt