Privacy Policy

VacationTracker provides an employer-administered absence and time-off management platform. Organizations configure absence categories and manage employee records within the service.

We collect and process information necessary to operate, secure, and improve the service. Information is not sold and is shared only with service providers required to deliver the platform or where legally required.

  • Information may be processed to investigate, prevent, or take action regarding illegal activities, suspected fraud, safety risks, or violations of Terms of Service.
  • If VacationTracker is acquired or merged, information may transfer subject to continued protection under a new privacy policy.

INFORMATION GATHERING AND USAGE

  • When an organization registers for VacationTracker, we collect administrator name, company name, email, billing address, and payment details.
  • Employers configure absence types and administer employee access.
  • Employees may submit absence requests and optional notes.
  • VacationTracker uses collected information for service provision, authentication, billing, support, service improvement, and security monitoring.

SPECIAL CATEGORY DATA

Absence categories defined by employers may include information relating to health, family status, or other sensitive matters. Where this occurs:

  • The employer determines the categories used and the lawful basis for processing.
  • VacationTracker processes such information solely under the employer’s instructions.
  • We do not independently determine or infer health conditions.
  • User-entered notes are processed only for operational purposes and are not analyzed for profiling or marketing.

ROLE OF THE PARTIES

  • Employer organizations act as data controllers for employee data processed within the service.
  • VacationTracker acts as a data processor for employee absence data and as a controller for account, billing, and operational service data.
  • Data processing terms governing controller-processor obligations are incorporated into the Terms of Service.

SUBPROCESSORS

We use third-party service providers necessary to operate the platform:

  • Hosting provider: Amazon Web Services, Akamai Technologies, Hetzner
  • Email delivery: Postmark
  • Payment processor: Stripe
  • Analytics: Google Analytics
  • Support systems: Freshdesk, Chatify, email

Subprocessor Guidelines

VacationTracker engages subprocessors only where necessary to deliver and support the service. All subprocessors are subject to appropriate data protection and security obligations.

Selection and Due Diligence

Subprocessors are evaluated prior to engagement based on:

  • Security practices and certifications (e.g., SOC 2, ISO 27001 where applicable)
  • Ability to meet data protection obligations under applicable laws (e.g., GDPR)
  • Data minimization practices and access controls
  • Reliability and operational maturity

Contractual Safeguards

All subprocessors are bound by written agreements that require:

  • Processing of personal data only on documented instructions
  • Confidentiality obligations
  • Implementation of appropriate technical and organizational security measures
  • Assistance with data subject rights and incident response
  • Deletion or return of data upon termination

Data Minimization and Access Control

Subprocessors are provided access only to the minimum data necessary to perform their function. Access is restricted and reviewed periodically.

International Data Transfers

Where subprocessors process data outside the UK or EEA, appropriate safeguards are implemented, such as Standard Contractual Clauses or equivalent mechanisms.

Monitoring and Review

Subprocessors are periodically reviewed to ensure continued compliance with security and data protection requirements. Where risks are identified, appropriate remediation actions are taken.

Changes to Subprocessors

We may update our list of subprocessors from time to time. Material changes will be communicated to customers through appropriate channels where required.

THIRD-PARTY AUTHENTICATION AND API INTEGRATIONS

  • VacationTracker supports integrations to enable authentication and workflow automation.

Google Integration

  • Basic profile data is received to authenticate accounts.
  • Calendar access is used solely to synchronize absence events selected by the user.
  • Only minimal encrypted tokens and identifiers are stored.
  • We do not access or process unrelated calendar content.
  • Use of Google data complies with the Google API Services User Data Policy and Limited Use requirements.

Microsoft Integration

  • Basic profile data is received to authenticate accounts.
  • Calendar access is used solely to synchronize absence events selected by the user.
  • Only minimal encrypted tokens and identifiers are stored.
  • We do not access or process unrelated calendar content.
  • Use of Microsoft data complies with the Microsoft API Services User Data Policy and Limited Use requirements.

Slack Integration

  • Slack OAuth may be used for authentication and to deliver absence notifications within Slack.
  • We store only the minimum data required to operate the integration, including workspace and user identifiers and encrypted OAuth tokens.
  • Slack message content is not stored. Data from Slack interactions (such as slash commands) is processed only to fulfill the requested action and is not retained after processing.
  • Processing occurs solely based on user or workspace authorization and configuration.
  • Slack-related data is deleted or anonymized following uninstall or disconnection in accordance with our data retention policy.

DATA RETENTION

  • Account data after cancellation: 90 days
  • Backups: up to 180 days
  • System logs: up to 1 year
  • OAuth tokens after disconnect: deleted immediately
  • Billing records: retained as legally required

INTERNATIONAL DATA TRANSFERS

Data may be processed in the UK, EU, United States, and other jurisdictions where subprocessors operate. Where transfers occur outside the UK/EEA, appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms are used.

DATA PROTECTION AND SECURITY

  • Encryption in transit and at rest
  • Role-based access controls
  • Administrative audit logging
  • Key management and rotation
  • Incident response procedures
  • Vulnerability scanning and patching

In the event of a confirmed data breach affecting customer data, VacationTracker will notify the relevant controller organization without undue delay.

COOKIES AND TRACKING

  • Session cookies are required for authentication and service operation.
  • We use Google Tag Manager to manage scripts and consent preferences.
  • Analytics cookies (Google Analytics) are used only after you provide consent via our cookie banner, where required by law.
  • You can withdraw or change your cookie preferences using the controls provided in the cookie banner (where available).

DATA STORAGE

VacationTracker uses third-party infrastructure providers to operate the platform. Customers retain ownership of their organizational data and may export it using available tools.

DISCLOSURE

  • Personal information may be disclosed where required by law, to enforce agreements, or to protect rights and safety.

YOUR RIGHTS AND BUSINESS CONTEXT

VacationTracker is administered by employer organizations.

  • Employers determine how employee data is used.
  • Employees should direct privacy requests to their employer administrator first.

Where applicable under UK GDPR, EU GDPR, and other laws:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction
  • Right to data portability
  • Right to object

Requests may be directed to your employer administrator or to dpo@vacationtracker.com.

US PRIVACY RIGHTS

Where applicable, US residents may have rights regarding access, deletion, and disclosure of personal information under state privacy laws.

CHILDREN

VacationTracker is not intended for individuals under 16.

LEGAL INFORMATION

  • Company incorporated in Ireland
  • Service offered globally (UK, EU, US and other regions)
  • Privacy contact: dpo@vacationtracker.com
  • Postal address: Envision Technologies, 28b Princes Street, Cork, Ireland
  • Effective date: 2025-07-15

CHANGES

VacationTracker may update this policy periodically. Material changes will be communicated via the service or account email.

QUESTIONS

Any questions about this Privacy Policy should be addressed to support@vacationtracker.com