BreezeLeave

Privacy Policy

Last updated: March 9, 2026

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use BreezeLeave. We are committed to transparency and full compliance with the General Data Protection Regulation (GDPR) and applicable Croatian and EU data protection laws. Please read this policy carefully to understand our practices regarding your personal data.

1. Data Controller

The data controller responsible for processing your personal data is Local Development d.o.o., a company registered at the Commercial Court in Zagreb, Croatia, with its registered office at Haulikova ulica 1, 10000 Zagreb, OIB 09338516846, MBS 05576407. For privacy-related inquiries, you may reach us at info@ldweb.co.

When your company (the Customer) uses BreezeLeave to manage employee leave, the Customer acts as the data controller for employee data, and Local Development d.o.o. acts as the data processor on the Customer's behalf, in accordance with Article 28 of the GDPR.

2. What Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with BreezeLeave:

2.1 Account and Profile Data

Full name and email address, password (stored using bcrypt hashing — we never store plaintext passwords), role within your company (e.g., employee, manager, administrator), and profile photo if uploaded.

2.2 Employment-Related Data

Employment start date and assigned team or department, assigned country (used to apply the correct public holiday calendar), and custom vacation day entitlements and rules configured by your employer.

2.3 Leave and Absence Data

Vacation and leave requests including dates, leave type, status, and notes, approval and rejection history including approver identity and timestamps, and leave balances, accruals, and carry-over calculations.

2.4 Technical and Usage Data

Login timestamps and IP addresses, browser type, operating system, and device information, actions performed within the platform for audit logging, and error logs and performance metrics.

2.5 Integration Data

Slack workspace tokens and channel identifiers if Slack integration is enabled, Microsoft Teams webhook URLs and channel identifiers if Teams integration is enabled, and SMTP credentials and email provider configuration if custom email delivery is configured.

2.6 Data We Do Not Collect

We do not collect sensitive personal data (special categories under GDPR Article 9), including health information, political opinions, religious beliefs, trade union membership, genetic data, or biometric data. Sick leave entries are recorded as dates and type only — no medical details are stored or requested.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under the GDPR. Performance of a contract (Art. 6(1)(b)): processing is necessary to provide you with the BreezeLeave service as described in our Terms of Service. Legitimate interests (Art. 6(1)(f)): we process certain data such as usage analytics and security logs to maintain, secure, and improve the Service, where our legitimate interests do not override your fundamental rights and freedoms. Legal obligation (Art. 6(1)(c)): we may process data to comply with applicable legal requirements, such as tax and accounting obligations. Consent (Art. 6(1)(a)): where required, we obtain your explicit consent before processing, for example for optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. How We Use Your Data

We use your personal data to provide the leave management service, including processing requests, calculating balances, managing approvals, and displaying team calendars. We send email, Slack, and Microsoft Teams notifications about vacation requests, approvals, rejections, and reminders. We use your data for authentication, authorization, and role-based access control, and for maintaining audit trails for accountability and regulatory compliance. We also use data to detect and prevent unauthorized access, fraud, and abuse, to analyze aggregated and anonymized usage patterns for service improvement (individual users are never identified in this analysis), and to respond to support inquiries and resolve issues.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances.

5.1 Within Your Organization

Managers and administrators within your company can view vacation requests, balances, and team availability for employees they manage, as defined by your company's role structure and permissions.

5.2 Third-Party Service Providers

Our servers are hosted by DigitalOcean with data centers in the EU, and DigitalOcean processes data on our behalf under a Data Processing Agreement. Notification emails may be sent via SendGrid (Twilio Inc.) or your company's configured SMTP provider. If your company enables Slack integration, leave information is transmitted to your configured Slack channels via the Slack API. If your company enables Microsoft Teams integration, leave information is transmitted via Teams webhooks. All third-party processors are contractually bound to process data only on our instructions and in accordance with applicable data protection laws.

5.3 Legal Requirements

We may disclose personal data if required to do so by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). If data is transferred outside the EEA, for example to third-party service providers based in the United States, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions by the European Commission where applicable, and the EU-U.S. Data Privacy Framework where the recipient is certified.

7. Data Retention

We retain your personal data for as long as your account remains active and the Service is in use. Upon account deletion, all personal data associated with the deleted account is permanently removed within 30 days. Audit logs may be retained for up to 12 months after account deletion for compliance and accountability purposes. Backup copies may persist in encrypted backups for up to 30 days after deletion, after which they are automatically purged. Aggregated, anonymized data that can no longer identify individuals may be retained indefinitely for statistical analysis.

8. Your Rights Under the GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data. You may request a copy of the personal data we hold about you (right of access, Art. 15), request correction of inaccurate or incomplete data (right to rectification, Art. 16), request deletion of your personal data, also known as the right to be forgotten (right to erasure, Art. 17), subject to legal retention obligations. You may request that we restrict the processing of your data in certain circumstances (right to restriction, Art. 18), request your data in a structured, commonly used, machine-readable format such as JSON or CSV (right to data portability, Art. 20), object to processing based on legitimate interests including profiling (right to object, Art. 21), and withdraw consent at any time where processing is based on consent (Art. 7(3)).

You also have the right to lodge a complaint with a supervisory authority. In Croatia, this is the Agencija za zaštitu osobnih podataka (AZOP), located at Selska cesta 136, 10000 Zagreb — azop.hr.

To exercise any of these rights, contact us at info@ldweb.co or reach out to your company administrator. We will respond to your request within 30 days, as required by the GDPR. If we need additional time due to the complexity of the request, we will inform you of the extension within the initial 30-day period.

9. Cookies and Tracking Technologies

BreezeLeave uses strictly necessary cookies for authentication and session management. These cookies are essential for the Service to function and cannot be disabled. They do not track your browsing activity across other websites. We do not use advertising or remarketing cookies or third-party tracking pixels such as Facebook Pixel or Google Analytics, and we do not sell or share cookie data with any third party.

If analytics are enabled, we use privacy-respecting tools that do not collect personally identifiable information and do not use cookies for tracking. Analytics data is aggregated and used solely to improve the Service.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, and sensitive data is encrypted at rest on our servers. All passwords are hashed using bcrypt with appropriate cost factors, and plaintext passwords are never stored. Role-based access control ensures users only access data they are authorized to see, and each company's data is logically isolated with no cross-company data access. We conduct periodic reviews of our security practices, infrastructure, and dependencies, and maintain an incident response plan. In the event of a personal data breach, we will notify affected parties and supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

11. Self-Hosted Deployments

If your company operates a self-hosted deployment of BreezeLeave, all data is stored entirely on your own infrastructure and we have no access to it. In such cases, your company is both the data controller and the data processor, and this Privacy Policy applies only to the cloud-hosted version of BreezeLeave at breezeleave.com. Your company is responsible for implementing appropriate data protection measures in self-hosted environments.

12. Children's Privacy

BreezeLeave is a workplace tool designed for use by adults in a professional context. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete that data promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and notify account administrators via email at least 14 days before the changes take effect, highlighting the key changes. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes your acknowledgment of the updated policy.

14. Contact

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your data is being processed, you may contact us by email at info@ldweb.co. Our registered office is at Haulikova ulica 1, 10000 Zagreb, Croatia.

You may also contact the Croatian Data Protection Authority (AZOP) if you believe your data protection rights have been violated: azop.hr, Selska cesta 136, 10000 Zagreb, Croatia.