Privacy Policy
This Privacy Policy explains how [LEGAL ENTITY / SOLE-PROPRIETOR NAME] (“Leavefly”, “we”) collects, uses, and shares personal data when you use Leavefly (the “Service”).
1. Who is responsible
For personal data of people who visit our site and sign up, Leavefly is the controller. For personal data that a customer’s workspace processes about its own members (“Customer Data”), the customer organisation is the controller and Leavefly acts as processor on its behalf.
2. Data we collect
- Account data: name, work email, hashed password (or Google sign-in identifier), organisation name, role.
- Leave & workspace data: leave requests, dates, leave types, balances, approvals, comments/reasons, teams, holidays, approver/delegate relationships.
- Usage & technical data: log data, IP address, device/browser information, and cookies necessary for authentication and security.
- Payment data: handled by our Merchant of Record (see §5). We do not store full card details.
3. How we use data
To provide and operate the Service; authenticate users; send transactional emails (e.g. invitations, approval notifications, verification); provide optional integrations you enable; maintain security and prevent abuse; comply with legal obligations; and improve the Service.
We rely on the following legal bases (where GDPR/UK-GDPR applies): performance of a contract, legitimate interests (security, service improvement), consent (where required, e.g. non-essential cookies), and legal obligation.
4. Cookies and analytics
We use strictly necessary cookies for login sessions and security (via our authentication provider). We do not use advertising cookies. We use a privacy-friendly, cookieless analytics tool (Plausible) that collects aggregate, non-identifying usage statistics and does not track you across sites.
5. Sub-processors and sharing
We share data with service providers who process it on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Web app hosting | [verify] |
| Render | API hosting | [verify] |
| Neon | Database (PostgreSQL) | [verify] |
| Brevo | Transactional email | [verify] |
| Cloudflare R2 | File/avatar storage | [verify — remove if unused] |
| [MoR: Paddle / Dodo Payments] | Payment processing & tax (Merchant of Record) | [verify] |
| Slack, ClickUp | Only when you connect them; data is exchanged to provide the integration | [verify] |
We do not sell personal data. We may disclose data if required by law or to protect rights and safety.
6. International transfers
Your data may be processed in countries other than your own. Where required, we use appropriate safeguards (e.g. standard contractual clauses) for such transfers.
7. Retention
We keep Customer Data for as long as your workspace is active. When a workspace is deleted, data is removed after a short grace period (used for accidental-deletion recovery). You can export your data and request deletion at any time.
8. Your rights
Depending on your location, you may have rights to access, correct, delete, export, or restrict processing of your personal data, and to object or withdraw consent. The Service includes self-service data export and workspace deletion. For other requests, contact us at [CONTACT EMAIL]. You may also complain to your local data-protection authority.
9. Security
We use industry-standard measures including encryption in transit, hashed passwords, scoped access controls, and signed tokens for calendar feeds and integrations. No system is perfectly secure; we cannot guarantee absolute security.
10. Children
The Service is for workplace use and not directed to children under [16].
11. Changes
We may update this Policy and will notify you of material changes.
12. Contact
[CONTACT EMAIL] — [LEGAL ENTITY / SOLE-PROPRIETOR NAME], [ADDRESS].