YOUR DATA, PROTECTED

Privacy Policy

Learn how Offly collects, uses and protects your information.

Last updated: 25 May 2026

How Offly Protects Your Data

GDPR-Aware

Built with European data protection principles at its core.

Secure Infrastructure

Encrypted at rest and in transit with modern TLS standards.

Role-Based Permissions

Employees, managers and admins see only what they need.

Audit Logging

Every access and change is recorded for accountability.

01

Introduction

Offly ("we", "our", "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store and protect information when you use our leave management platform.

This policy applies to all users of Offly, including organisation administrators, managers, and employees. By using Offly, you acknowledge that you have read and understood this policy.

We process personal data as both a data controller (for our direct relationship with you) and as a data processor (when processing employee data on behalf of your organisation).

02

Information We Collect

We collect the following categories of personal information to provide our leave management services:

  • Name and email address — to identify you and deliver notifications
  • Job title and department — to route approvals and display team structure
  • Leave information — requests, balances, types, and approval history
  • Account preferences — language, timezone, notification settings, and display options
  • Authentication information — password hashes, session tokens, and SSO identifiers
  • Usage data — pages visited, features used, and interaction patterns to improve the platform
  • Device information — browser type, operating system, and IP address for security purposes

We only collect information that is necessary to provide our leave management services. We do not collect sensitive personal data such as health records, biometric data, or political opinions.

03

How We Use Information

We use the information we collect for the following purposes:

  • Provide and operate the leave management platform
  • Process leave requests and route them through approval workflows
  • Calculate leave balances, carry forward entitlements, and public holidays
  • Deliver notifications via email, Slack, and in-app channels
  • Sync leave events with connected calendar services
  • Generate reports and analytics for organisation administrators
  • Improve platform performance, reliability, and user experience
  • Monitor for security threats and prevent unauthorised access
  • Provide customer support and respond to enquiries

05

Data Storage & Security

Your data is stored securely using industry-standard measures:

  • All data is encrypted at rest using AES-256 encryption
  • All data in transit is protected with TLS 1.3
  • Database access is restricted to application services with strict network controls
  • Infrastructure is hosted in secure, SOC 2-compliant data centres
  • Access to production systems requires multi-factor authentication
  • All administrative actions are recorded in immutable audit logs
  • Regular security assessments and vulnerability scanning

We follow the principle of least privilege — every system component and team member has access only to the minimum data required for their function.

06

Cookies

Offly uses a minimal number of cookies to operate the platform:

Essential Cookies (Required)

Required for the platform to function. These maintain your session and remember your preferences.

Authentication Cookies (Required)

Securely identify you across requests and maintain your signed-in state.

Analytics Cookies

Help us understand how the platform is used so we can improve the experience. These are anonymised and do not track you across other websites.

We do not use advertising cookies or share cookie data with third-party advertisers. You can manage cookie preferences through your browser settings.

07

Third-Party Services

Offly integrates with the following third-party services when enabled by your organisation:

  • Google Workspace — user provisioning, SSO, and calendar synchronisation
  • Microsoft 365 — calendar synchronisation and SSO
  • Slack — notifications, approval workflows, and status updates
  • Payment providers — subscription billing (we do not store card details directly)
  • Infrastructure providers — hosting, monitoring, and email delivery

Each integration only shares the minimum data required for its function. Integrations are activated by organisation administrators and can be disconnected at any time.

08

International Transfers

Where personal data is transferred outside of the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where the destination country provides an adequate level of protection
  • Binding corporate rules where applicable with our sub-processors

You can request information about the specific safeguards applied to your data by contacting us.

09

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Active account data — retained for the duration of the service agreement
  • Leave records — retained for the period required by your organisation's policies and applicable employment law
  • Audit logs — retained for 24 months to support compliance and security investigations
  • Deleted account data — permanently removed within 30 days of account deletion
  • Backup data — automatically purged within 90 days of deletion from primary systems

Organisation administrators can request earlier deletion of data by contacting our support team.

10

Your Rights

Under data protection law, you have the following rights regarding your personal data:

Access

Request a copy of the personal data we hold about you.

Rectification

Request correction of inaccurate or incomplete data.

Deletion

Request deletion of your personal data where there is no compelling reason for continued processing.

Portability

Receive your data in a structured, machine-readable format.

Restriction

Request restricted processing in certain circumstances.

Objection

Object to processing based on legitimate interests.

To exercise any of these rights, contact us at the address below. We will respond within 30 days. Where your data is processed on behalf of your organisation, we may direct your request to your organisation's administrator.

11

Account Deletion

You can request deletion of your account at any time. For individual users, contact your organisation administrator. For organisation accounts, contact our support team.

Upon account deletion:

  • Your personal profile and preferences are permanently removed
  • Leave records may be retained in anonymised form for your organisation's compliance purposes
  • All active sessions are immediately terminated
  • Connected integrations are disconnected
  • Data is purged from backup systems within 90 days

12

Security

We take the security of your data seriously. Our security practices include:

  • Regular penetration testing and vulnerability assessments
  • Encrypted storage and transmission of all personal data
  • Strict access controls with multi-factor authentication for all team members
  • Continuous monitoring and alerting for suspicious activity
  • Incident response procedures with defined notification timelines
  • Regular security training for all team members

In the event of a data breach that poses a risk to your rights, we will notify affected organisations within 72 hours in accordance with GDPR requirements.

13

Children's Privacy

Offly is a business-to-business platform designed for workplace leave management. Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children.

If you believe a child has provided personal data to us, please contact us immediately and we will take steps to delete such information.

14

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:

  • We will update the "Last Updated" date at the top of this policy
  • We will notify organisation administrators via email for significant changes
  • We will provide a summary of changes where practical
  • Continued use of Offly after changes constitutes acceptance of the updated policy

15

Contact Information

If you have questions about this Privacy Policy or wish to exercise your data protection rights, you can reach us at:

privacy@offly.io
Offly Technologies Ltd

You also have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been infringed.
