GDPR Compliance

Last updated: 15 March 2026

1. Data Controller

Leavely acts as the data controller for account and billing data, and as a data processor for employee data stored on behalf of our customers (the data controllers).

Contact: support@leavely.online

2. Data We Collect

We collect and process the following categories of personal data:

  • Account data: names, email addresses, and hashed passwords for users who register on the platform
  • Employee records: employee names, email addresses, job titles, departments, and roles as entered by the organisation
  • Leave records: leave requests, approvals, balances, and calendar data
  • Documents: files uploaded by the organisation (e.g. HR policies, employee documents)
  • Billing data: payment details processed securely by Stripe; we do not store full card numbers
  • Technical data: IP addresses, browser type, and access timestamps for security and audit purposes

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract performance (Article 6(1)(b)): processing is necessary to provide the Leavely service as agreed in our Terms of Service
  • Legitimate interest (Article 6(1)(f)): we process data for platform security, fraud prevention, service improvement, and audit logging
  • Legal obligation (Article 6(1)(c)): we may retain certain data to comply with tax, accounting, or regulatory requirements

4. Data Retention

We retain data for the following periods:

  • Account and employee data: for the duration of the active subscription plus 30 days after cancellation or deletion, to allow for account recovery
  • Audit logs: retained for 2 years for compliance and dispute resolution purposes
  • Billing records: retained as required by applicable tax and accounting regulations (typically 6 years under UK law)
  • Backup data: purged within 30 days of the primary data being deleted

5. Data Subject Rights

Under the UK GDPR and EU GDPR, data subjects have the following rights:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate or incomplete data
  • Right to erasure: request deletion of your personal data where there is no compelling reason for continued processing
  • Right to data portability: receive your data in a structured, commonly used, and machine-readable format
  • Right to restrict processing: request that we limit how we use your data
  • Right to object: object to processing based on legitimate interest

6. How to Exercise Your Rights

To exercise any of the rights listed above, please contact us at support@leavely.online. We will respond to your request within 30 days. If we need additional time (up to 60 days), we will inform you of the reason for the extension.

Organisation administrators can also export and delete employee data directly from the Leavely platform at any time.

7. Sub-Processors

We use the following sub-processors to deliver the Leavely service. Each processes the minimum data necessary for their function:

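Provider   | Purpose                                     | Location
-----------|---------------------------------------------|----------------------------------
Cloudflare | Hosting, CDN, DDoS protection, edge compute | Global (EU data region available)
Neon       | PostgreSQL database hosting                 | EU (AWS eu-west-1)
Resend     | Transactional email delivery                | USA
Stripe     | Payment processing and billing              | USA / EU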

8. International Transfers

Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:

  • Cloudflare: data is processed at the nearest edge location; customers can request EU-only data residency
  • Neon: our primary database is hosted in an EU region
  • Resend and Stripe: transfers are covered by Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA)

9. Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects:

  • We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
  • We will notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • We will notify affected customer organisations (data controllers) within 48 hours so they can fulfil their own notification obligations

10. Cookie Policy

Leavely uses a single, strictly necessary session cookie for authentication. This cookie keeps you signed in and is essential for the service to function. We do not use any advertising, analytics, or tracking cookies. No consent is required for strictly necessary cookies under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

11. Data Protection Officer

For data protection enquiries, you can contact our Data Protection Officer at dpo@leavely.online.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12. Related Policies

For more information, please also review our Privacy Policy, Terms of Service, and Data Processing Agreement.