Security & data protection at Labourix
The short version: your data lives on EU servers, travels encrypted, is only visible to people in your own company with the right role, and is never sold or used to train AI models. GPS is captured only at the moment of clock-in and clock-out — Labourix does not track workers throughout the day.
Where your data lives
- EU hosting. The application and database run in the European Union (EU-West region) on professionally managed infrastructure with regular backups.
- Encryption in transit. All traffic, across every Labourix application, runs over HTTPS/TLS. Data at rest is protected by our hosting provider's storage encryption.
- Tenant isolation. Every company is a separate tenant. Your projects, workers and documents are never visible to another Labourix customer — enforced on every single API request, not just in the interface.
Who can see what
- Role-based access. Owners and admins manage the company; coordinators plan; foremen see their crew; workers see only their own hours, pay information and documents; your client sees only what you explicitly send (hour reports, document bundles).
- Accounts. Passwords are stored as salted bcrypt hashes — we cannot read them. Sessions use signed tokens. Login endpoints are rate-limited against brute force, and password resets use single-use, expiring links.
- Worker transparency. Workers see their own registered hours, documents and costs in their app — GDPR's transparency principle, built into the product.
GPS and time registration — the honest details
- Location is requested only when the worker clocks in or out, to verify presence inside the site's geofence. There is no continuous tracking, no location collection outside working actions, and no movement history.
- The company can disable the GPS requirement per worker; the clock-in then works without location.
- Registered hours are visible to the worker and can only be corrected through the approval flow — every change leaves a trace.
Identity documents (A1, LIMOSA, ID)
- Documents are stored in the vault with access limited to your company's authorized roles and the worker they belong to.
- Documents are processed only to deliver the feature you asked for. Customer data is not used to train AI models and is processed under the AI provider's business terms.
- Document bundles are only sent to a client when a manager explicitly triggers it.
Subprocessors
We use a small set of specialised providers, each bound by data-processing terms: infrastructure hosting (EU), transactional e-mail delivery, payment processing (card data is handled entirely by the payment provider — it never touches our servers), and AI processing for document reading and assistance. A current subprocessor list is part of our Data Processing Agreement.
Your GDPR rights & paperwork
- DPA: a Data Processing Agreement is available for every customer — request it at privacy@labourix.com.
- Export & deletion: you can request a full export of your company's data, and deletion when you leave. Workers can exercise their access and rectification rights through their employer or directly with us.
- Retention: we keep data as long as you're a customer plus the legal retention periods that apply to employment and compliance records; after that it is deleted.
- Breach notification: if a personal-data breach ever affects you, we notify you without undue delay, in line with GDPR article 33.
Found a vulnerability?
We appreciate responsible disclosure. Mail security@labourix.com with details — we respond fast, fix faster, and credit researchers who help us keep site data safe.
We deliberately make no certification claims we don't hold. What's on this page is how the system is actually built — ask us anything at privacy@labourix.com.
Compliance software should be compliant itself.
That's the bar we build against — every feature, every release.
Start your 5-day trial