Privacy Policy

1. Introduction

YoLeave! ("we", "our", "us") is committed to protecting the privacy and security of your personal data. This privacy policy explains how we collect, use, store, and protect information when you use our leave and absence management platform.

We are the data processor for employee data entered by our customers (the data controllers). We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.

2. Data Controller & Processor

Your employer or organisation that subscribes to YoLeave! is the Data Controller responsible for decisions about how your personal data is used. YoLeave! acts as the Data Processor, processing data only on the instructions of the Data Controller and in accordance with this policy.

3. What Data We Collect

We collect and process the following categories of personal data:

• Account data: Name, email address, hashed password, role within organisation
• Employee data: Employee number, job title, department, start date, working patterns, manager assignment
• Leave data: Leave requests, approvals, allowances, calendar events
• Sickness data: Sickness absence dates, reasons (if provided), fit notes, Bradford Factor scores
• Attendance data: Tardiness records, arrival times
• Document data: Uploaded files, document categories, expiry dates
• Billing data: Company name, billing contact, payment method details (processed via our payment provider)
• Technical data: IP addresses, browser type, access logs for security purposes

4. Lawful Basis for Processing

We process personal data under the following lawful bases:

• Contract performance: To provide the services agreed in our terms of service
• Legitimate interests: To maintain security, prevent fraud, and improve our services
• Legal obligation: To comply with employment law and regulatory requirements
• Consent: Where you have explicitly consented, such as marketing communications

5. How We Use Your Data

• Providing and maintaining the YoLeave! platform
• Processing leave requests, sickness records, and attendance data
• Sending notifications related to your account (approvals, reminders)
• Billing and payment processing
• Customer support and troubleshooting
• Platform security and abuse prevention
• Aggregated, anonymised analytics to improve our services

6. Data Storage & Security

All data is stored on secure servers within the European Economic Area (EEA). We use industry-standard encryption (TLS 1.3) for data in transit and AES-256 encryption for data at rest. All passwords are hashed using bcrypt with a minimum cost factor of 12.

We implement appropriate technical and organisational measures to protect your data, including role-based access controls, multi-factor authentication, regular security audits, and automated backups.

7. Data Sharing

We do not sell, trade, or rent your personal data to third parties. We may share data with:

• Payment processors: To process subscription payments securely
• Hosting providers: Who store data on our behalf under strict data processing agreements
• Legal authorities: When required by law or to protect our legal rights

8. Data Retention

We retain personal data for as long as the customer's account is active. Upon account termination, all data is deleted within 90 days unless retention is required by law. Billing records are retained for 7 years to comply with UK tax regulations.

9. Your Rights Under GDPR

Under the UK GDPR and EU GDPR, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate personal data
• Right to erasure: Request deletion of your personal data ("right to be forgotten")
• Right to restrict processing: Request limitation of how we use your data
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests
• Rights related to automated decision-making: Not to be subject to decisions based solely on automated processing

To exercise any of these rights, contact us at privacy@yoleave.com. We will respond within 30 days.

10. Cookies

We use essential cookies required for authentication and platform functionality. We do not use advertising or tracking cookies. Session cookies are deleted when you close your browser. Authentication tokens expire after 8 hours of inactivity.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and affected individuals without undue delay, as required by the UK GDPR.

12. International Data Transfers

We store all data within the EEA. If any data transfer outside the EEA is required, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and UK adequacy regulations.

13. Children's Privacy

YoLeave! is a business-to-business service and is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this privacy policy from time to time. We will notify account administrators of material changes via email at least 30 days before they take effect.

15. Contact Us

If you have questions about this privacy policy or wish to exercise your data rights, contact us: