Privacy Policy

1. Introduction

Calm Leave (“we”, “us”, or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our leave management platform (“Service”). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide

• Account information: name, email address, job title, and company name when you register.
• Profile data: profile photo, team assignments, and role information.
• Leave data: leave requests, balances, approval records, and related notes.
• Billing information: payment details are processed by our payment provider (Stripe) and are not stored on our servers.
• Communications: messages you send to us for support or feedback.

2.2 Information Collected Automatically

• Usage data: pages visited, features used, timestamps, and interaction patterns.
• Device information: browser type, operating system, screen resolution, and language preferences.
• Log data: IP address, access times, and referring URLs.
• Cookies: we use essential cookies for authentication and session management. See Section 7 for details.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service.
• Process leave requests, approvals, and generate reports.
• Send transactional notifications (e.g., leave approvals, reminders).
• Process payments and manage subscriptions.
• Respond to support inquiries and provide customer service.
• Monitor and analyze usage trends to improve user experience.
• Detect, prevent, and address security issues and abuse.
• Comply with legal obligations.

4. How We Share Your Information

We do not sell your personal data. We may share information in these limited circumstances:

• Within your organization: leave requests and approvals are visible to authorized managers and administrators within your company as configured by your organization.
• Service providers: we share data with trusted third-party providers who assist us in operating the Service (e.g., cloud hosting, payment processing, email delivery). These providers are contractually obligated to protect your data.
• Legal requirements: we may disclose information if required by law, subpoena, or government request, or to protect our rights, safety, or the rights of others.
• Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change.

5. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption of data in transit (TLS/SSL) and at rest.
• Secure password hashing using bcrypt.
• Role-based access controls within the application.
• Regular security audits and vulnerability assessments.
• Automatic session expiration and secure token management.

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., audit logs, billing records). Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytics purposes.

7. Cookies

We use the following types of cookies:

• Essential cookies: required for authentication, session management, and security. These cannot be disabled.
• Analytics cookies: help us understand how the Service is used so we can improve it. You may opt out of analytics cookies through your browser settings.

We do not use advertising or tracking cookies. We do not participate in cross-site tracking.

8. Your Rights

Depending on your location, you may have the following rights regarding your data:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request deletion of your personal data, subject to legal retention requirements.
• Portability: request your data in a structured, machine-readable format.
• Objection: object to processing of your data in certain circumstances.
• Withdrawal of consent: withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

9. International Data Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses or other legally recognized mechanisms. By using the Service, you consent to the transfer of your data to these jurisdictions.

10. Children’s Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice on the Service. Your continued use of the Service after the changes take effect constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: