Privacy Policy

1. Introduction

TimeLeaf, Inc. ("TimeLeaf", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our time-off management platform ("Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

• Account information: Name, email address, and password when you create an account.
• Organization information: Company name, team structure, and organizational hierarchy.
• Employee data: Employee names, email addresses, roles, employment dates, contract types, and team assignments as entered by your organization's administrators.
• Leave and time data: Leave requests, approvals, balances, timesheets, and time entries.
• Payment information: Billing details processed securely through Stripe. We do not store credit card numbers on our servers.
• Mobile phone numbers: If you opt in to SMS notifications (e.g. for overtime opportunity broadcasts), we collect your mobile phone number and a record of your opt-in consent. See Section 12 (SMS Communications) for details.

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, and actions taken within the Service.
• Device information: Browser type, operating system, and device identifiers.
• Log data: IP addresses, access times, and referring URLs.

2.3 Third-Party Integrations

If you connect third-party services (Google Workspace, Microsoft 365, Slack, etc.), we may receive information from those services as authorized by you, such as calendar data, directory information, and messaging identifiers.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service.
• Process leave requests, approvals, and time tracking.
• Sync calendars, out-of-office statuses, and directory information with connected services.
• Send notifications about leave requests, approvals, overtime opportunities, and system events — including SMS, email, push, and in-app notifications based on your stated preferences.
• Process payments and manage subscriptions.
• Provide customer support and respond to inquiries.
• Monitor and analyze usage patterns to improve the Service.
• Detect, prevent, and address technical issues and security threats.
• Comply with legal obligations.

4. Data Sharing and Disclosure

We do not sell your personal data. We may share information in the following circumstances:

• Within your organization: Leave data is shared with managers and administrators as configured by your organization.
• Service providers: We use third-party providers (hosting, payment processing, email delivery) who process data on our behalf under strict contractual obligations.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction.
• With your consent: We may share information with third parties when you explicitly authorize us to do so.

5. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption of data in transit (TLS) and at rest.
• Secure authentication with support for SSO and multi-factor authentication.
• Role-based access controls within the application.
• Regular security audits and monitoring.
• Isolated tenant environments for managed (SaaS) deployments.

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Upon account termination, we will retain your data for up to 30 days to allow for data export, after which it will be securely deleted.

Audit logs and security-related data may be retained for up to 12 months for compliance and security purposes.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a structured, machine-readable format.
• Restriction: Request that we limit the processing of your data.
• Objection: Object to the processing of your data for certain purposes.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

8. International Data Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required.

9. Cookies

We use essential cookies required for the Service to function (authentication sessions, security tokens). We do not use third-party tracking cookies or advertising cookies.

10. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. SMS Communications

TimeLeaf offers optional SMS-based notifications for workforce events such as overtime opportunity broadcasts, offer acceptance confirmations, and related transactional messages. This section describes how SMS is used and how you can control it.

12.1 Opt-In and Consent

SMS notifications are off by default. You must explicitly opt in by (a) providing your mobile phone number in your TimeLeaf notification preferences and (b) verifying that number by entering a one-time code we send to it. No SMS will be sent to you until both steps are complete. The date, time, IP address, and method of your opt-in are recorded for compliance purposes.

12.2 Message Types and Frequency

SMS messages are strictly transactional — they relate to overtime offers your employer posts, your acceptance or decline of those offers, resolution of broadcast windows, and service-related confirmations. We do not send marketing, advertising, or promotional SMS. Message frequency depends entirely on how often your employer posts overtime opportunities you are eligible for and is typically a few messages per week.

12.3 Opt-Out

You can opt out of SMS at any time by replying STOP (or STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT) to any message you receive from us. You will receive a final confirmation message acknowledging your opt-out, after which no further SMS will be sent to that phone number. You can re-enroll at any time by replying START or by re-enabling SMS in your TimeLeaf notification preferences. For help, reply HELP or email [email protected].

12.4 Message and Data Rates

Message and data rates may apply. Consult your mobile carrier for details. TimeLeaf does not charge you to receive SMS, but carrier charges from your mobile plan are your responsibility.

12.5 Data Sharing for SMS Delivery

We do not sell, rent, share, or otherwise disclose your mobile phone number or SMS opt-in data to any third party for marketing or promotional purposes. Your phone number is shared only with our SMS delivery provider (Twilio Inc.), and only as strictly required to transmit the messages you have opted in to receive. Phone number and opt-in information is not made available to any affiliates or external entities for any purpose other than message delivery.

12.6 Audit and Record Keeping

Because SMS is used for workforce compliance (e.g. union or collective-bargaining-agreement audits), we retain delivery receipts, opt-in records, opt-out records, and message history for the duration of your account and for a compliance period afterwards as described in Section 6 (Data Retention).

12.7 Supported Carriers and Countries

SMS is currently available for U.S. mobile numbers. Carriers are not liable for delayed or undelivered messages. We cannot guarantee that every message will be delivered — delivery depends on your carrier, device, and network conditions.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

• Email: [email protected]
• General: [email protected]