Security & Privacy

Privacy that leans the right way.

How we treat your data

Leave records are HR data — sensitive, personal, occasionally medical. We treat them that way. Encrypted, locked down, only visible to people who actually need to see them, and never used for anything you didn't sign up for.

HTTPS in transit, encrypted at rest, GDPR-ready by design, three-role permission model with delegation that expires on its own. The defaults err on the side of less exposure.

HTTPS: End to end
GDPR: By design
0: Data sold or trained on

The thing that separates good privacy from theatre is what happens by default. Reason fields aren't shared. Medical leave shows as "out of office", not the diagnosis. The defaults err on the side of less exposure.

Privacy by default
01

Encryption that's just there

Every connection to Vacation Flow goes over HTTPS, and everything we store is encrypted at rest — including backups. The fundamentals were in place before the first customer signed up.

🔒 HTTPS in transit: Active
🛡️ AES-256 at rest: Active
💾 Encrypted backups: Active
🔑 Keys rotated quarterly: Active

Fundamentals in place before the first customer signed up.

02

GDPR-ready by design

The European data-protection rules shaped how we built the platform. Consent is explicit. Customers can request a data export or full deletion at any time, and we'll honour either request promptly.

GDPR: EU data protection
SSL: TLS 1.3+
DPA: Available on request
EU: Data residency
Data export on request — any time, any format
Full deletion on request — promptly, end-to-end
03

Your data belongs to you

We don't sell it, and we don't use it to train anything. When you decide to leave, we hand back a clean export in the format you ask for and delete our copy on request. No retention games, no exit fees, no "but you'll lose access to insights".

Export your data
Free
JSON · CSV · SQL dump
Members & balances
Every leave request, ever
Approval history with timestamps
Policies as configured
04

Roles, scoped the obvious way

Three roles cover what most companies need: Employee, Manager, Admin. Defaults are sensible enough that most teams never touch them — employees see their own stuff, managers see their team's, admins see everything. If you do want to dig in, every permission is editable. A common case worth knowing about: a manager can delegate approvals while they're on leave without handing over balances or HR data, and the delegation expires the day they're back.

👤 Employee: Own balance, own history
👥 Manager: Team's calendar & pending approvals
⚙️ Admin: Everything · all settings
Delegate while on leave: Auto-expires
From: Maya P. · away May 12 – 16
To: Daniel S. · approvals only
No balances, no HR data — and the delegation expires on its own.
05

Privacy that leans the right way

The thing that separates good privacy from theatre is what happens by default. In Vacation Flow, reason fields aren't shared with teammates. Medical leave shows up as "out of office" in the team view, not as the diagnosis. Admins see balances but not why someone took the day. You can loosen any of that if your culture wants more openness — but the defaults err on the side of less exposure, because that's the version you can't accidentally regret.

Defaults that protect
Reason field: Hidden from teammates
Medical leave: Shows as "Out of office"
Admin sees: Balances, not why
Vacation: Visible by default
You can loosen any of these — but the defaults err the right way.
Get started

The defaults you can't accidentally regret.

Encrypted, GDPR-ready, three roles that map to how teams actually work, privacy that protects what should stay private.