Legal

Privacy policy

Last updated: 18 April 2026

This policy explains what LeaveTrac ("we", "us") collects, how we use it, and the rights you have under UK GDPR and the Data Protection Act 2018. If you are a staff member using LeaveTrac inside a business account, the business owner is the controller of your leave records; we process that data on their behalf.

What we collect

When you sign up we store your email address and a password hash via Supabase Auth. Business owners create a business record (name, leave year start, booking rules). Staff records contain a name, email, entitlement total, and the leave requests you submit or the owner books on your behalf. We also store push notification tokens so we can alert you about approvals, declines, and company closures.

How we use it

We use the data to provide the service: showing dashboards, sending notifications, calculating entitlement, and generating CSV exports the owner requests. We do not sell data, we do not serve advertising, and we do not profile individuals for anything beyond running the app.

Where it lives

Data is stored in the EU on Supabase (PostgreSQL) and pushed via Expo's notification service. Backups are taken by our hosting provider. Our app bundles are distributed by Apple and Google's stores, which apply their own privacy standards.

How long we keep it

Leave records are kept while the business account is active, plus the minimum period required for HR record keeping (typically six years in the UK). When a business owner deletes their account, all associated staff, leave requests, and public holiday records are removed within 30 days. Push tokens are removed on logout or deletion.

Your rights

You can request access to, correction of, or deletion of your personal data at any time. The "Delete my account" button in Settings performs an immediate deletion. If you prefer to contact us, email privacy@leavetrac.app and we will respond within 30 days.

Children

LeaveTrac is not intended for anyone under 16. We do not knowingly collect data from children.

Cookies and tracking

The mobile app does not use cookies. We may use aggregated, anonymous diagnostic reporting (crashes and product analytics providers you enable in builds) so we can keep the app stable and improve reliability; identifiers are pseudonymous and not sold.

Changes

If we update this policy we will post a new "last updated" date here and, for material changes, notify you in-app before the change takes effect.

Contact

Questions? Email privacy@leavetrac.app. For formal complaints, the UK supervisory authority is the Information Commissioner's Office (ico.org.uk).