Privacy Policy
Effective date: March 6, 2026 · Last updated: March 6, 2026
CameleonPro UG (haftungsbeschränkt) (“CameleonPro”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and share personal data when you use our field service management platform, websites, and mobile applications (collectively, the “Services”).
CameleonPro is a B2B SaaS platform that enables organizations to manage their field service operations. Organizations (“Subscribers”) use CameleonPro to coordinate fieldworkers and serve their own customers.
1. Data Controller and Data Processor
When you are a Subscriber (organization): CameleonPro acts as the data controller for account registration, billing, and platform usage data. For data that Subscribers input into the platform about their customers and fieldworkers, CameleonPro acts as a data processor on behalf of the Subscriber (the data controller).
When you are an end customer or fieldworker: Your organization (the Subscriber) is the data controller. CameleonPro processes your data on their behalf under our Data Processing Agreement.
Contact (Data Protection):
CameleonPro UG (haftungsbeschränkt)
Email: privacy@cameleonpro.com
2. Personal Data We Collect
The categories of personal data we collect depend on your role in the platform:
2.1 Organization Owners & Managers
- Identity: full name, email address, phone number
- Organization details: company name, address, industry, tax ID
- Billing: payment card details (processed by Stripe; we do not store card numbers), invoices, transaction history
- Account: login credentials (managed by Keycloak), role, permissions
- Usage: feature usage, session data, IP address, browser/device type
2.2 Fieldworkers
- Identity: full name, email address, phone number, profile photo
- Professional: skills, certifications, compliance documents, availability schedule
- Location: GPS coordinates during active service assignments (see Section 5)
- Communications: chat messages, discussion thread posts
- Performance: ratings, reviews, service history
- Device: push notification tokens (Firebase Cloud Messaging)
2.3 End Customers
- Identity: full name, email address, phone number
- Address: service location(s)
- Service: booking history, service requests, descriptions
- Communications: chat messages, support correspondence
- Financial: invoices, payment history
- Feedback: ratings, reviews, NPS responses
3. Legal Bases for Processing
We process personal data under the following legal bases (GDPR Article 6(1)):
| Purpose | Legal Basis |
|---|---|
| Providing the platform services | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Performance of contract (Art. 6(1)(b)) |
| Sending service notifications (booking updates, invoices) | Performance of contract (Art. 6(1)(b)) |
| Fieldworker GPS tracking during active assignments | Legitimate interest (Art. 6(1)(f)) — service delivery and safety |
| Platform security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Analytics and platform improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| NPS surveys and feedback requests | Consent (Art. 6(1)(a)) |
| Tax and financial record-keeping | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
- Service delivery: Managing bookings, dispatching fieldworkers, facilitating communications between parties, processing payments and invoices
- Platform operations: Authentication, authorization, multi-tenant data isolation, session management
- Notifications: Sending booking confirmations, status updates, chat messages, and discussion replies via email, SMS, push notifications, or WhatsApp
- Improvement: Analyzing usage patterns to improve features, performance, and user experience
- Support: Responding to inquiries, troubleshooting issues
- Compliance: Meeting legal, tax, and regulatory obligations
5. GPS and Location Data
CameleonPro collects GPS location data from fieldworkers' mobile devices. This is a sensitive category that we handle with particular care:
- When: Location is tracked only during active service assignments (when the fieldworker has accepted a booking and marked themselves as “en route” or “in progress”)
- Purpose: Enabling customers to track fieldworker arrival, optimizing dispatch, route planning, and service verification
- Who sees it: The assigned customer (during active booking), the Subscriber's organization managers, and CameleonPro platform administrators for support purposes
- Retention: Location data associated with completed bookings is retained for 90 days, then automatically deleted
- Consent: Fieldworkers grant location permission through the mobile app. They may revoke this permission at any time, though this may affect their ability to receive and fulfill service assignments
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of account + 30 days after deletion |
| Booking and service history | Duration of subscription + 12 months |
| Chat messages and discussions | Duration of subscription + 6 months |
| GPS/location traces | 90 days after booking completion |
| Invoices and financial records | 10 years (German tax law — AO §147, HGB §257) |
| Notification history | 12 months |
| Server logs and security events | 12 months |
| Push notification tokens | Until token refresh or account deletion |
When a Subscriber cancels their subscription, we retain their data for 30 days to allow for reactivation or data export. After this period, data is permanently deleted in accordance with the schedule above, except where longer retention is required by law.
7. Sub-Processors
We use the following third-party services to provide and support the platform. Each sub-processor processes data only as necessary for its stated purpose:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, payment card details, transaction amounts | EU / US (SCCs) |
| Keycloak (self-hosted) | Authentication and identity management | Email, name, credentials, session tokens | EU |
| Firebase / Google Cloud | Push notifications (FCM) | Device tokens, notification content | EU / US (SCCs) |
| Mapbox | Mapping and geocoding | Addresses, GPS coordinates | US (SCCs) |
| Brevo (Sendinblue) | Transactional email delivery | Email addresses, email content | EU (France) |
| Cloudinary | Image hosting and transformation | Profile photos, uploaded images, compliance documents | EU / US (SCCs) |
| STRATO AG | Infrastructure (PostgreSQL, application servers, web hosting) | All platform data | EU (Germany) |
We will notify Subscribers at least 30 days before adding a new sub-processor, giving them the opportunity to object.
8. International Data Transfers
CameleonPro's primary infrastructure is hosted within the European Union. Where data is transferred to sub-processors outside the EU/EEA, we rely on:
- European Commission adequacy decisions (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The sub-processor's certification under recognized frameworks
9. Your Rights Under GDPR
Depending on your role, you have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17) — Request deletion of your data (“right to be forgotten”)
- Right to restriction (Art. 18) — Request limitation of how we process your data
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interests, including profiling
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time for consent-based processing
- Right to lodge a complaint — File a complaint with your local supervisory authority
For Subscribers (organization owners): Exercise your rights by contacting us at privacy@cameleonpro.com.
For end customers and fieldworkers: Your organization (the Subscriber) is the data controller. Please contact your organization directly to exercise your rights. We will assist the Subscriber in fulfilling your request.
We respond to all data subject requests within 30 days, in accordance with GDPR Article 12(3).
10. Cookies and Local Storage
Our web applications use cookies and browser local storage for the following purposes:
| Category | Purpose | Examples |
|---|---|---|
| Essential | Authentication, session management, security, CSRF protection | Keycloak session cookies, JWT tokens, tenant context |
| Functional | User preferences, language selection, UI state | Dark mode preference, sidebar state, selected locale |
| Analytics | Usage tracking and platform improvement | Google Analytics 4 (if enabled by Subscriber) |
| Marketing | Campaign tracking | Meta Pixel (if enabled by Subscriber) |
Essential cookies are required for the platform to function and cannot be disabled. Analytics and marketing cookies are only activated with your consent via our cookie preference banner.
11. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 database encryption)
- Multi-tenant data isolation — each organization's data is logically separated at the database level
- Role-based access control with the principle of least privilege
- Authentication via Keycloak with support for multi-factor authentication
- Regular security audits and vulnerability assessments
- Automated backups with point-in-time recovery
- Incident response procedures with 72-hour breach notification (see our DPA)
12. Children's Privacy
CameleonPro is a business platform not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@cameleonpro.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify Subscribers of material changes at least 30 days before they take effect via email or in-platform notification. Continued use of the Services after changes become effective constitutes acceptance of the updated policy.
14. Contact and Supervisory Authority
For questions, concerns, or to exercise your data protection rights:
CameleonPro UG (haftungsbeschränkt)
Data Protection Contact
Email: privacy@cameleonpro.com
You also have the right to lodge a complaint with the German federal data protection authority:
BfDI (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit)
Graurheindorfer Str. 153, 53117 Bonn, Germany
Website: www.bfdi.bund.de