Privacy policy for Mobile
This Privacy Policy explains how Grant Thornton Bahrain (“we”, “our”, “us”), as the data controller, collects, uses, and protects personal data processed through the CRM Mobile Application (“the App”). The App is provided exclusively to authorized Grant Thornton Bahrain users for assigned business purposes. Certain operational functions may be supported by our appointed development vendor and relevant internal departments acting as data processors.
1. Categories of Data Collected
The App may collect and process the following categories of personal data:
- Identification Data
Name, user ID, email address, phone number, authentication credentials (passwords, MFA tokens).
- Business Data
Leave requests, approvals, attendance logs, payslips, payroll details, expense claims, task records, CRM activity logs.
- Geo‑Location Data
Precise or approximate location for attendance verification, workforce planning, and reporting (only when permission is granted).
- Notifications Access
Push notifications for leave requests, approvals, payslip availability, task updates, and other business alerts.
- Photos & Media
Images uploaded by users (e.g., receipts, site visit documentation, task‑related forms). The App only accesses photos explicitly selected and uploaded.
- Device & Technical Data
Device identifiers (e.g., IP address, OS version), log files, usage analytics, crash reports.
- Sensitive Data (if applicable)
Biometric authentication (fingerprint/face ID), medical certificates for leave, or other compliance‑related documentation.
2. Purpose of Data Processing
Personal data collected through the App is processed solely for legitimate business purposes, including:
- Leave application, approval, and tracking
- Payslip access and payroll communication
- CRM updates and client activity reporting
- Workforce planning and task management
- Documenting project‑related activities
- Ensuring compliance, operational accuracy, and secure workflows
No personal data is used for marketing or shared externally, except where required by law or regulatory obligations.
3. Legal Basis
Data is processed under the lawful basis of:
- Contractual necessity (employment relationship and business operations)
- Legitimate interests (operational efficiency, compliance, and reporting)
- Legal obligations (regulatory and statutory requirements)
4. Data Security & Confidentiality
We apply strict technical and organizational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Role‑based access controls
- Secure storage protocols
- Processing limited to authorized personnel and approved processors
5. Data Retention
Personal data is retained only for as long as necessary to fulfill business purposes and comply with legal obligations. For example:
- Payslips and payroll records: retained in line with statutory requirements
- Leave and attendance records: retained for operational and compliance purposes
- CRM activity logs: retained for business continuity and audit requirements
6. Cross‑Border Data Transfers
If personal data is processed or stored outside Bahrain, including by our appointed third‑party application developer or cloud hosting provider, appropriate safeguards are applied. The developer manages certain aspects of the App and, in doing so, may have access to user data strictly for maintenance, support, and operational purposes.
Grant Thornton Bahrain ensures that:
- The developer and any other external processors act only under our documented instructions.
- Binding contractual clauses are in place to require confidentiality, security, and compliance with applicable data protection laws.
- Technical and organizational measures are implemented to protect user data during transfer and storage.
- Cross‑border transfers comply with Bahrain’s Personal Data Protection Law (PDPL) and any other applicable regulations.
7. Roles & Responsibilities
- Data Controller: Grant Thornton Bahrain
- Data Subjects: Authorized users of the App
- Data Processors: Development vendor and relevant internal departments supporting App operations
8. Data Subject Rights
Users have the following rights regarding their personal data, subject to applicable law and limited by operational or legal requirements:
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to object
- Right to data portability
- Right to withdraw consent (for permissions such as location or photos)
Requests to exercise these rights can be submitted to the Data Protection Officer. We will verify identity, assess the request, and respond within a reasonable period in line with Bahrain PDPL requirements.
9. Data Breach Management (Aligned with Bahrain PDPL)
- Incident Response: We maintain an incident response program to promptly identify, contain, investigate, and remediate any security events involving personal data.
- Risk Assessment: Each incident is assessed to determine its potential impact on confidentiality, integrity, and availability of personal data, and whether it is likely to cause serious harm to users.
- Regulator Notification: In accordance with Bahrain’s PDPL, Grant Thornton Bahrain will notify the Personal Data Protection Authority (PDPA) within 72 hours of becoming aware of a breach likely to cause serious harm.
- User Notification: Where a breach is likely to result in risks to users’ rights and freedoms, we will notify affected users without undue delay, providing clear information on the nature of the breach, affected data, steps taken, and recommended protective actions.
- Documentation & Continuous Improvement: All breaches are documented internally, and post‑incident reviews are conducted to strengthen controls, update policies, and enhance staff training.
10. User Control & Permissions
Users may manage or revoke location, notification, and photo access at any time via device settings. Limiting permissions may affect certain functionalities of the App.
11. Internal Use Only
The App is restricted to authorized Grant Thornton Bahrain users and is not intended for public use. Access is controlled through secure authentication.
12. Contact
For questions or concerns regarding data processing in the App, please contact:
Data Protection Officer - Grant Thornton Bahrain
connect@bh.gt.com