Privacy Policy
Last updated: January 7, 2026
1. Introduction and Data Controller
At Offly ("we", "us", or "our"), we respect your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.
This privacy policy explains how we collect, use, process, and safeguard your personal information when you use our time off management platform. This policy applies to all users, including employers, employees, managers, and administrators.
For the purposes of GDPR, Offly acts as a data processor for employee time off data submitted by our business customers (who act as data controllers), and as a data controller for account and billing information.
2. Legal Basis for Processing
We process your personal data under the following legal bases:
- Contractual Necessity: To provide our time off management services to you and your organization.
- Legitimate Interests: To improve our services, ensure security, and comply with employment law requirements.
- Legal Obligation: To comply with applicable laws, including tax, labor, and accounting regulations.
- Consent: Where explicitly provided for optional features or marketing communications (you may withdraw consent at any time).
For employee data, we rely primarily on contractual necessity and legitimate interests rather than consent, recognizing the power imbalance between employers and employees as outlined in GDPR guidelines.
3. Information We Collect
In accordance with data minimization principles, we only collect data necessary for providing our services:
- Account Information: Email address, full name, job title, department, and company/organization name.
- Time Off Data: Time off requests, approval status, leave dates, leave type (vacation, sick leave, etc.), remaining leave balances, and comments or notes related to requests.
- Usage and Technical Data: IP address, browser type and version, device identifiers, access times, pages viewed, and referring URLs.
- Communication Data: Email notifications, in-app messages, and support correspondence.
- Payment Information: For business customers only - billing address and payment method details (processed securely by our payment provider; we do not store full credit card numbers).
4. How We Use Your Information
We process your personal data only for specified, explicit, and legitimate purposes:
- Providing and maintaining the time off management service
- Processing time off requests and sending approval/denial notifications
- Calculating and tracking leave balances and entitlements
- Generating reports and analytics for workforce planning (aggregated and anonymized where possible)
- Ensuring compliance with employment laws and payroll processing requirements
- Authenticating users and maintaining account security
- Providing customer support and responding to inquiries
- Detecting and preventing fraud, abuse, and security incidents
- Improving service functionality and user experience
- Sending service-related communications (not marketing, unless you opt-in)
We do not use your data for purposes incompatible with those for which it was collected without obtaining your consent.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share your information only in the following circumstances:
- Within Your Organization: Time off data is visible to authorized users within your organization, including managers, HR personnel, and team members (based on your organization's access controls).
- Service Providers (Subprocessors): We work with third-party service providers who assist in delivering our services, including cloud hosting (AWS/Azure), email delivery, payment processing, and analytics. All subprocessors are contractually bound by Data Processing Agreements (DPAs) to protect your data.
- Legal Obligations: When required by law, court order, or regulatory authority, or to protect our legal rights and safety.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred (you will be notified beforehand).
A complete list of our subprocessors is available upon request to privacy@offly.app.
6. International Data Transfers
Your data may be processed in countries outside the European Economic Area (EEA) or your country of residence. When transferring data internationally, we ensure appropriate safeguards are in place:
- Use of EU Standard Contractual Clauses (SCCs) for transfers to third countries
- Ensuring service providers maintain adequate data protection measures
- Compliance with Privacy Shield successor frameworks where applicable
For transfers to the United States, we implement supplementary measures beyond SCCs to ensure GDPR compliance.
7. Data Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication (MFA) options for user accounts
- Role-based access controls and principle of least privilege
- Regular security audits and penetration testing
- Secure key management procedures
- Employee training on data protection and security
- Incident response and breach notification procedures
- Regular backups with secure storage
In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR.
8. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected:
- Active Account Data: Retained while your account is active and for the duration of your organization's subscription.
- Time Off Records: Retained for 7 years after the calendar year in which the leave occurred, in compliance with employment law and tax regulations.
- Billing and Payment Data: Retained for 7 years to comply with accounting and tax requirements.
- Technical Logs: Retained for 90 days for security and troubleshooting purposes.
Upon account deletion or subscription termination, we will delete or anonymize personal data within 90 days, except where retention is required by law. You may request data export before deletion.
9. Your Rights Under GDPR (EU/EEA Users)
If you are located in the EU/EEA, you have the following rights:
- Right of Access: Request confirmation of whether we process your data and obtain a copy of your personal data.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure ('Right to be Forgotten'): Request deletion of your personal data under certain circumstances.
- Right to Restriction of Processing: Request that we limit how we use your data under certain conditions.
- Right to Data Portability: Receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.
- Right to Lodge a Complaint: File a complaint with your local supervisory authority (Data Protection Authority).
To exercise these rights, contact us at privacy@offly.app. We will respond within one month (extendable by two additional months for complex requests).
Note for Employees: If you are an employee whose data is processed by your employer using Offly, you should direct rights requests to your employer (the data controller). We will assist your employer in fulfilling these requests.
10. Your Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the CCPA:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell about you.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: We do not sell personal information and never have. If this changes, you will have the right to opt-out.
- Right to Non-Discrimination: You will not be discriminated against for exercising your CCPA rights.
To exercise CCPA rights, email us at privacy@offly.app or call our toll-free number (if applicable). We will verify your identity before processing your request.
California Employee Privacy: The CCPA employee exemption expired on January 1, 2023. California employees now have full CCPA rights regarding their employment data.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to provide and improve our service:
- Strictly Necessary Cookies: Essential for authentication, security, and core functionality. These cannot be disabled.
- Functional Cookies: Remember your preferences (e.g., language, theme). You can disable these in your browser settings.
- Analytics Cookies: Help us understand how users interact with our service (anonymized where possible). You can opt-out via cookie settings.
We do not use advertising or tracking cookies. We do not engage in cross-site tracking or behavioral advertising.
You can manage cookie preferences through your browser settings or our cookie consent banner (for EU/EEA users).
12. Automated Decision-Making and Profiling
We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. All time off approval decisions are made by human managers within your organization.
13. Children's Privacy
Our service is not directed to individuals under 18 years of age (or 16 in the EU). We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will delete it promptly.
14. Changes to This Privacy Policy
We may update this privacy policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email or prominent notice in the service at least 30 days before the changes take effect.
Continued use of the service after changes become effective constitutes acceptance of the updated policy.
15. Data Protection Officer and Contact Information
For questions, concerns, or requests regarding this privacy policy or your personal data, please contact:
Email: privacy@offly.app
Data Protection Officer: dpo@offly.app
EU Representative: [To be appointed if you process EU data and are not established in the EU]
Supervisory Authority: If you are unsatisfied with our response, you may lodge a complaint with your local data protection authority. For EU users, find your authority at: https://edpb.europa.eu/about-edpb/board/members_en