Data processing
Last updated: March 2025
This page provides a short factual overview of how Holidaay processes personal data. It is not a legal contract; for full details see our Privacy Policy.
Roles
- Each organisation using Holidaay is the Data Controller for its members' data.
- Holidaay is the Data Processor and processes data only on the organisation's instructions.
Data we process
- Account: first name and surname, email address, organisation role (Admin, Manager, Employee).
- Leave: leave type, start and end dates, duration, optional notes.
- System: organisation membership, audit events (e.g. approvals, cancellations, role changes).
- We do not collect payment card details, marketing or analytics tracking data, or IP address logs. Payment for paid plans is handled by our billing provider; we may hold billing status only.
Retention
- Leave records are retained as organisational records.
- Audit logs are retained for up to 24 months, then removed.
- Invitation links expire automatically (currently 7 days).
- When a user deletes their account, their personal details are anonymised; they appear as "Deleted user" in historical leave records.
Your rights
- You can download a copy of your data (Settings → Account → Download my data).
- You can delete your account (Settings → Account → Delete my account); your profile is anonymised and leave records remain as organisational records.
- You have the right to lodge a complaint with the ICO (ico.org.uk). Your organisation (the Data Controller) is the first point of contact for queries about how it uses the service.
Security and location
- Data is stored in secure data centres in the United Kingdom or European Economic Area.
- Holidaay uses role-based access, organisation-level isolation, secure authentication, hashed invite tokens, rate limiting on sensitive actions, and encrypted connections (HTTPS). We use sub-processors (e.g. hosting, authentication) with appropriate safeguards.
Cookies
Holidaay uses only session cookies required for authentication. It does not use analytics or marketing cookies. See our Cookies page for more.
Contact and links
- For data protection queries about how your organisation uses the service, contact your organisation (the Data Controller). For Holidaay: support@holidaay.co.uk.
- For full policies: Privacy Policy, Cookies, Terms.