Privacy Policy

Last updated: March 2025

Holidaay is a leave management tool for organisations. Under UK GDPR, each organisation using Holidaay is the Data Controller for its members' data; Holidaay acts as a Data Processor on behalf of the organisation. This policy explains what data is processed, how it is used, and your rights.

1. What data we process

Holidaay processes the following data:

  • Account information: first name and surname, email address, organisation role (Admin, Manager, Employee).
  • Leave information: leave type, start and end dates, duration, and optional notes (entered by users).
  • System information: organisation membership, audit events (e.g. approvals, cancellations, role changes).

Holidaay does not collect: payment card details (payment for paid plans is handled by our billing provider; we may hold billing status only); marketing or analytics tracking; IP address logs; or special category data, except where you choose to enter it in leave notes (we advise keeping sensitive information out of notes).

2. How data is used

Data is processed only to: provide leave management (requests, approvals, calendar, reporting); allow admins and managers to approve or reject leave; maintain organisational records; and ensure system security and integrity. Holidaay does not sell personal data or use it for advertising or profiling.

3. Legal basis

The organisation determines the lawful basis for processing its members' data (commonly legitimate interests or performance of a contract). Holidaay processes personal data solely on the documented instructions of the organisation, in its role as Data Processor.

4. Data retention

Leave records are retained as organisational records. Audit logs are retained for up to 24 months, then removed. Invitation links expire automatically (e.g. after 7 days). When a user deletes their account, their personal details are anonymised; deleted users appear as "Deleted user" in historical leave records.

5. Data security

Holidaay uses: role-based access controls; organisation-level data isolation; secure authentication; hashed invite tokens; rate limiting on sensitive actions (e.g. data export, account deletion); and encrypted connections (HTTPS). We use carefully selected sub-processors (such as hosting and authentication providers) who provide appropriate technical and organisational safeguards. Data is stored in secure data centres located in the United Kingdom or European Economic Area.

6. Your rights

Under UK GDPR you have the right to access, correct, request deletion (where applicable), and export your data. You can use Download my data (Settings → Account) to get a copy of your personal data, and Delete my account (Settings → Account) to anonymise your profile (leave records remain as organisational records). You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. We suggest contacting your organisation (the Data Controller) first for questions about how they use the service.

7. Cookies

Holidaay uses only session cookies that are required for authentication. No analytics or marketing cookies are used. See the Cookies page for more information.

8. Contact

For data protection queries about how your organisation uses the service, contact your organisation (the Data Controller). Holidaay may be contacted at: support@holidaay.co.uk.

For a concise overview see Data processing; for terms of use see Terms.