Controller and processor roles
Customer organisations control the employee data they add to Leavely. Leavely acts as processor for workspace, employee, leave, sickness, approval, and audit records entered into the service.

GDPR compliance
Leavely helps UK SMEs handle leave, sickness, and employee records with clear data roles, secure cloud storage, practical retention controls, and transparent security measures.
A practical overview for teams reviewing Leavely before inviting employees.
Customer organisations control the employee data they add to Leavely. Leavely acts as processor for workspace, employee, leave, sickness, approval, and audit records entered into the service.
Leavely is designed around practical leave management, so the service asks for the employee, organisation, and absence information needed to run approvals, balances, reports, and notifications.
Production application delivery runs through Cloudflare, with workspace records stored in managed PostgreSQL infrastructure and database connections requiring SSL.
The platform uses encrypted traffic, hashed passwords, role-based access controls, audit history, protected secrets, and restricted operational access.
Data storage
Leavely stores customer workspace data for as long as the account is active and needed to provide leave management. After closure, workspace data is normally kept for up to 30 days for export or recovery, then deleted or anonymised unless a longer period is required for legal, accounting, security, or dispute-resolution reasons.
Security measures
Employee absence records are sensitive operational data. Leavely uses layered safeguards across access, authentication, hosting, payment handling, and operational monitoring to reduce risk and support GDPR accountability.
TLS encryption for application traffic and SSL-required database connections.
Password hashing, server-side session protection, and optional OAuth sign-in through supported identity providers.
Role-based permissions for owners, admins, managers, and employees.
Audit logs for important workspace actions and leave-management changes.
Stripe-hosted checkout and card handling, so Leavely does not store card numbers.
Sub-processor transparency for hosting, database, payments, email, analytics, and support tooling.
Data rights
Workspace owners can manage users and employee records inside Leavely. For GDPR rights requests involving employee records, Leavely supports the customer organisation as controller. For account, billing, sales, or support data controlled by Leavely, requests can be sent directly to us.
Access and export support
Correction and deletion support
DPA available on request