Privacy Policy

Last Updated On 08-Jan-2026

Effective Date 08-Jan-2026

This Privacy Policy describes how Leaveasy Ltd., a company registered in Bangladesh (Business Registration No.: [TBD]), with registered office at [Complete Address TBD], Dhaka, Bangladesh ("Leaveasy", "we", "us", or "our") (email: contact@leaveasy.io) collects, uses, stores, and discloses information when you use our leave management platform and services available at https://www.leaveasy.io/ (the "Service"). This policy applies to both organizational customers ("Customers") and their employees who use the Service ("End Users").

EU Representative: For users in the European Union, our representative under Article 27 GDPR is [EU Representative Name and Address TBD]. Contact: eu-representative@leaveasy.io

UK Representative: For users in the United Kingdom, our representative under Article 27 UK GDPR is [UK Representative Name and Address TBD]. Contact: uk-representative@leaveasy.io

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

1. Information We Collect

We collect different types of information depending on how you interact with our Service:

1.1 Customer Account Information

  • Company name and business information
  • Account administrator name, email, and phone number
  • Billing and payment information
  • Company address and tax identification details

1.2 Employee/End User Information

  • Name, email address, and employee ID
  • Date of birth (for leave balance calculations)
  • Job title, department, and reporting manager
  • Work schedule and employment dates
  • Leave requests, types, dates, and reasons
  • Leave balances and accrual information
  • Approval/rejection history and comments
  • Profile photo (optional)

1.3 Technical and Usage Information

  • IP address, browser type, and device information
  • Operating system and screen resolution
  • Pages visited, features used, and time spent
  • Referring URLs and search terms
  • Cookies and similar tracking technologies
  • Log files and error reports

1.4 Integration Data

  • Calendar events synced from Google Calendar
  • Slack workspace information and notification preferences
  • OAuth tokens for authorized third-party integrations
  • Webhook endpoints and integration configurations

1.5 AI and Machine Learning Data

When you use AI-powered features (leave pattern analysis, scheduling suggestions), we process:

  • Historical leave patterns and trends (anonymized and aggregated)
  • Team scheduling data and availability patterns
  • Leave approval/rejection patterns (for insights)
  • Seasonal trends and business patterns

AI Data Processing: We do not use your personal data to train general AI models. AI features use your organization's data in real-time for analysis specific to your account only. We do not share your data with third-party AI providers. All AI processing occurs within our secure infrastructure.

Opting Out of AI Features: You can disable AI-powered features in your account settings. This will not affect core leave management functionality.

2. How We Collect Information

  • Directly from you: When you register, create leave requests, or update your profile
  • From your employer: When they add you to their Leaveasy account
  • Automatically: Through cookies, analytics, and tracking technologies
  • From integrations: When you connect third-party services like Slack or Google Calendar
  • From your usage: As you interact with the Service

Biometric Data: We do not process biometric data or perform facial recognition on profile photos. Profile photos are stored as image files only for display purposes.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and UK, we process your personal data based on the following legal grounds:

  • Contract: Processing is necessary to perform our contract with you or your employer
  • Legitimate Interests: For improving our Service, security, and analytics
  • Consent: For marketing communications and optional features
  • Legal Obligation: To comply with applicable laws and regulations

4. How We Use Your Information

  • Service Delivery: To provide leave management features, approvals, and notifications
  • Account Management: To create and maintain your account
  • Payment Processing: To process subscription fees and billing
  • Communications: To send transactional emails, notifications, and updates
  • Analytics: To understand usage patterns and improve the Service
  • AI Features: To provide intelligent scheduling suggestions and leave pattern analysis
  • Security: To detect fraud, prevent abuse, and ensure security
  • Legal Compliance: To comply with legal obligations and requests
  • Marketing: To send promotional emails (with your consent, opt-out available)

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

5.1 With Your Employer (for End Users)

Your leave requests, balances, and related data are shared with your employer's authorized administrators and managers.

5.2 Service Providers and Sub-Processors

We share data with trusted partners who help us operate the Service. A complete and up-to-date list of sub-processors is available at www.leaveasy.io/sub-processors. We will notify you at least 30 days before adding new sub-processors or changing existing ones.

Categories of sub-processors include:

  • Cloud Hosting: Amazon Web Services (AWS) - data hosting and infrastructure (US, EU regions)
  • Payment Processing: Stripe Inc. - payment processing and billing (US, with EU data residency options)
  • Email Services: [Email Provider TBD] - for transactional and notification emails
  • Analytics: Google Analytics (with IP anonymization enabled) - usage analytics
  • Customer Support: [Support Tool TBD] - helpdesk and support ticket systems
  • Monitoring and Security: [Security Tool TBD] - security monitoring and incident response

All sub-processors are bound by data protection agreements and are required to implement appropriate technical and organizational measures to protect your data.

5.3 Third-Party Integrations

When you enable integrations (Slack, Google Calendar), we share relevant data with those services according to your integration settings.

5.4 Legal Requirements

We may disclose information when required to:

  • Comply with legal obligations, court orders, or subpoenas
  • Protect our rights, property, or safety
  • Investigate fraud or security issues
  • Enforce our Terms of Service

5.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. Data Storage and International Transfers

Your data is primarily stored on secure servers hosted by Amazon Web Services (AWS) in the United States, with backup servers in the European Union (Frankfurt, Germany). Data may be processed in other countries where we or our service providers operate.

If you are located in the EEA, UK, or other regions with data protection laws, your data may be transferred to countries that do not have equivalent data protection laws. We implement the following safeguards for international transfers:

6.1 Transfer Mechanisms for EEA/UK Users

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) approved in June 2021 for transfers to sub-processors outside the EEA
  • UK International Data Transfer Agreement (IDTA): For UK users, we use the UK IDTA and/or the UK Addendum to the EU SCCs as required post-Brexit
  • Adequacy Decisions: Where possible, we rely on European Commission adequacy decisions for countries deemed to provide adequate protection
  • Supplementary Measures: We implement additional technical measures including end-to-end encryption, pseudonymization, and access controls to ensure data protection during transfers

Privacy Shield Notice: We do not rely on the EU-US Privacy Shield framework, which was invalidated by the European Court of Justice in July 2020 (Schrems II decision). We use alternative transfer mechanisms as described above.

Copies of our data transfer agreements and SCCs are available upon request by contacting privacy@leaveasy.io.

7. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy:

  • Active account data: Retained while your account is active
  • Leave history: Retained for 7 years after termination for legal/tax compliance
  • Billing records: Retained for 7 years for financial compliance
  • Usage logs: Retained for 90 days for security and analytics
  • Marketing data: Retained until you unsubscribe or request deletion
  • Backup data: May persist in backups for up to 90 days after deletion

After these periods, we will delete or anonymize your data unless retention is required by law.

8. Your Rights and Choices

Depending on your location, you may have the following rights:

8.1 Rights for All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Opt-out of Marketing: Unsubscribe from promotional emails

8.2 Additional Rights for EEA/UK Users (GDPR)

  • Data Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for processing (where applicable)
  • Lodge a Complaint: File a complaint with your local data protection authority

8.3 California Residents' Rights (CCPA/CPRA)

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed (we do not sell)
  • Right to opt-out of the sale of personal information (we do not sell)
  • Right to deletion of personal information
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising your rights

8.4 How to Exercise Your Rights

To exercise your rights: Contact us at contact@leaveasy.io or privacy@leaveasy.io with "Data Subject Rights Request" in the subject line. Please include:

  • Your full name and email address associated with your account
  • Specific right you wish to exercise
  • Details of your request
  • Proof of identity (to prevent unauthorized access)

Response Timeframes:

  • GDPR (EEA/UK): Within 30 days (extendable to 60 days for complex requests)
  • CCPA/CPRA (California): Within 45 days (extendable to 90 days for complex requests)
  • Other jurisdictions: Within 30 days or as required by local law

Identity Verification: To protect your privacy, we may request additional information to verify your identity before fulfilling requests. This may include:

  • Matching information against account records
  • Requesting government-issued ID for deletion requests
  • Multi-factor authentication via your registered email

Fees: We do not charge fees for most requests. However, we may charge a reasonable fee for:

  • Manifestly unfounded or excessive requests
  • Additional copies of data beyond the first free copy
  • Requests requiring disproportionate technical effort

For End Users: Your employer is the data controller for employment-related data. For requests regarding employee data (leave records, balances, approval history), please contact your employer's HR or IT department first. We will assist your employer in fulfilling such requests.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (EEA/UK), the California Attorney General's office (California), or other applicable regulatory body.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. Upon your first visit, you will see a cookie consent banner allowing you to manage your preferences.

Types of Cookies We Use:

  • Strictly Necessary Cookies: Required for the Service to function (authentication, security, load balancing). These cannot be disabled as they are essential for Service operation. Legal basis: Legitimate interest and contract performance.
  • Functional/Preference Cookies: Remember your settings and preferences (language, timezone, theme). Legal basis: Consent (can be disabled in cookie settings).
  • Analytics/Performance Cookies: Help us understand usage patterns (Google Analytics with IP anonymization). Legal basis: Consent (can be disabled).
  • Marketing/Advertising Cookies: Track conversion from marketing campaigns and display targeted ads. Legal basis: Consent (can be disabled).

Cookie Consent and Management:

For EEA/UK Users: We use an opt-in consent mechanism compliant with GDPR and UK GDPR. Non-essential cookies will only be set after you provide explicit consent. You can withdraw consent at any time via our cookie preference center.

Managing Cookies: You can control cookies through:

  • Our cookie preference center (accessible in account settings or via banner)
  • Your browser settings (Chrome, Firefox, Safari, Edge all provide cookie controls)
  • Browser extensions or privacy tools (e.g., uBlock Origin, Privacy Badger)

Note that disabling essential cookies may limit Service functionality. Disabling analytics cookies will not affect core features.

For complete details about cookies, retention periods, and third-party cookies, see our Cookie Policy.

10. Security

We implement industry-standard security measures to protect your information:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Regular security audits and penetration testing
  • Access controls and authentication mechanisms
  • Secure backup and disaster recovery procedures
  • Employee training on data protection
  • Monitoring for suspicious activity

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.

11. Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected users and relevant authorities as required by law, typically within 72 hours of becoming aware of the breach. Notifications will include the nature of the breach, types of data affected, and steps being taken to address it.

12. Automated Decision-Making and Profiling

We use automated systems and AI for the following purposes:

  • Leave Pattern Analysis: Analyzing historical leave trends to provide insights (e.g., "Your team typically takes more leave in December")
  • Scheduling Suggestions: Recommending optimal times for leave based on team availability and workload
  • Anomaly Detection: Identifying unusual patterns that may require attention (e.g., frequent last-minute requests)
  • Load Balancing: Helping managers understand team coverage and potential conflicts

Important Limitations:

  • These automated features are advisory only and do not make binding decisions
  • All leave approval decisions must be made by authorized human personnel (managers, HR)
  • We do not use automated decision-making that produces legal effects or similarly significantly affects you without human review
  • No automated system can approve, reject, or modify leave requests without explicit human action

Your Rights Regarding Automated Processing: Under GDPR and similar laws, you have the right to:

  • Not be subject to solely automated decision-making with legal or significant effects
  • Request human review of any decision influenced by automated processing
  • Express your point of view and contest automated recommendations
  • Opt-out of AI features (see Section 1.5)

To exercise these rights or learn more about our automated processing, contact privacy@leaveasy.io.

13. Children's Privacy

The Service is intended for business use and is not directed to individuals under 16 years of age (or the age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal information from children without appropriate consent.

If we become aware that we have collected data from a child under the applicable age without proper parental consent or legal authorization, we will take immediate steps to delete it within 30 days.

Customers are responsible for ensuring compliance with age requirements under applicable employment and data protection laws in their jurisdiction, including obtaining necessary consents for employees under 18 years of age where required by law.

14. Customer vs. Processor Relationship

For B2B customers: Your organization is the data controller of employee data, and Leaveasy acts as a data processor. We process employee data on your behalf according to your instructions and our Data Processing Agreement (DPA).

For End Users: Your employer controls your employment data. For questions about how your employer handles your data, please contact them directly.

15. Contact Us and Data Protection Officer

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Leaveasy Ltd.

Registered Address: [Complete Address TBD], Dhaka, Bangladesh

Business Registration No.: [TBD]

General Inquiries: contact@leaveasy.io

Data Protection Officer: privacy@leaveasy.io

EU Representative (GDPR Article 27): [Name and Address TBD], Email: eu-representative@leaveasy.io

UK Representative (UK GDPR Article 27): [Name and Address TBD], Email: uk-representative@leaveasy.io

Website: https://www.leaveasy.io

We will respond to your inquiry within the timeframes specified in Section 8.4.

Supervisory Authorities: If you are in the EEA or UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority or the Information Commissioner's Office (ICO) in the UK.

This Privacy Policy was last updated on 08-Jan-2026. We encourage you to review it periodically for any changes. Your continued use of the Service after updates constitutes acceptance of the revised policy.