Privacy Policy

Last updated: May 3, 2026

This privacy policy explains what data we collect, why we collect it, how we use it, and your rights. We've written it in plain English.

When we say "we", "us" or "our", we mean Book Time Off, operated by BDI Resourcing Ltd.

Legal basis for processing personal data

We collect and process personal data to provide you with Book Time Off, in line with our Terms of Service. We also process data for our legitimate business interests: running the service, billing, security, and improving the product.

What personal data do we collect?

Identity data: your name and your team members' names.
Contact data: email addresses.
Employment data: leave requests, allowances, start dates, birthdays, department assignments, and approver relationships.
Financial data: payment details are processed by Stripe. We don't store your full card number.
Technical data: IP address, browser type and version, device type.

How do we use your data?

When you sign up

We collect your name, email, and company name to create your account. We verify your email address using a one-time code. We use your email to send password resets and essential account notifications.

When you pay

Payment is handled entirely by Stripe. Your card details go directly to Stripe's servers and never pass through ours.

When you use Book Time Off

Your team's leave data is stored so the application can function. We send email notifications for leave requests and approvals via Resend.

When you contact support

If you email us, we use your name and email address to respond. We keep support conversations for up to 12 months.

Third-party processors

Service	Purpose	Location
Supabase	Database, authentication	London, UK
Stripe	Payment processing	US (GDPR compliant)
Resend	Transactional email	US (GDPR compliant)
Netlify	Website hosting	US (GDPR compliant)
Cloudflare	DNS, email routing	US (GDPR compliant)

All data shared with these processors is encrypted in transit. We have appropriate agreements in place with each provider.

International transfers

Your primary data is stored by Supabase in London, UK. Some processors (Stripe, Resend, Netlify, Cloudflare) are based in the United States but comply with GDPR requirements.

Protecting your data

All data is encrypted in transit via TLS. Each organisation's data is isolated from every other organisation's data. You are responsible for keeping your password secure.

How long do we keep data?

We keep your data for as long as your account is active. If you cancel your subscription, your data is deleted when your billing period ends. If you delete your account, all data is removed immediately. We recommend exporting your data before cancelling or deleting.

After account closure, we may retain financial records for up to 6 years as required by UK law.

Cookies

Book Time Off uses only essential cookies required for authentication. We don't use tracking cookies, analytics cookies, or advertising cookies.

Your rights

Under UK data protection law, you have the right to:

Access the personal data we hold about you.
Correct inaccurate data.
Delete your personal data.
Restrict how we process your data.
Export your data in a common format (CSV export is available in Settings).
Object to processing based on legitimate interests.

Most of these can be done directly in Book Time Off. For anything else, email us at [email protected].

Age of users

Book Time Off is not intended for use by anyone under the age of 16.

Changes to this policy

We may update this policy from time to time. Significant changes will be communicated by email.

Complaints

If you have concerns about how we handle your data, please contact us first at [email protected]. If you're not satisfied, you can contact the Information Commissioner's Office (ICO).

Contact

For any questions, email us at [email protected].