Privacy Policy

Last updated: June 13, 2026

This privacy policy explains what data we collect, why we collect it, how we use it, and your rights. We've written it in plain English.

When we say "we", "us" or "our", we mean Book Time Off, operated by BDI Resourcing Ltd.

Legal basis for processing personal data

We collect and process personal data to provide you with Book Time Off, in line with our Terms of Service. We also process data for our legitimate business interests: running the service, billing, security, and improving the product.

What personal data do we collect?

How do we use your data?

When you sign up

We collect your name, email, and company name to create your account. We verify your email address using a one-time code. We use your email to send password resets and essential account notifications.

When you pay

Payment is handled entirely by Stripe. Your card details go directly to Stripe's servers and never pass through ours.

When you use Book Time Off

Your team's leave data is stored so the application can function. We send email notifications for leave requests and approvals via Resend.

When you connect Microsoft 365

Microsoft 365 features are optional and stay off until you turn them on. If you sign in with Microsoft, we receive your name, email address and a Microsoft account identifier so we can authenticate you. If you connect Outlook calendar sync, we create, update and remove calendar events for approved leave on the calendars you authorise. If your organisation installs the Book Time Off app for Microsoft Teams, we process the work email and Microsoft account identifier of the people who use it, so we can match them to their Book Time Off account, and we post leave notifications and the daily who's-off summary to the channel you choose. We never read your mailbox, your files or your chat history, and a leave type you mark as private never shows its reason in a Teams post. You can disconnect any of these at any time in Settings, which stops the processing.

When you connect Slack

Slack features are optional and stay off until an admin turns them on. If you sign in with Slack, we receive your name, email address and a Slack account identifier so we can authenticate you. If your organisation connects its Slack workspace, we process the work email and Slack account identifier of the people who use the app, so we can match them to their Book Time Off account, and we send leave request and approval messages, post the daily who's-off summary to the channel you choose, and answer the /whosoff command. If you connect your own Slack, we set your Slack status to show when you are on approved leave, and clear it when you return. We never read your Slack conversations. You can disconnect the workspace or your own account at any time in Settings, which stops the processing and removes the stored access tokens.

When you contact support

If you email us, we use your name and email address to respond. We keep support conversations for up to 12 months.

Third-party processors

| Service | Purpose | Location |
| --- | --- | --- |
| Supabase | Database, authentication | London, UK |
| Stripe | Payment processing | US (GDPR compliant) |
| Resend | Transactional email | US (GDPR compliant) |
| Netlify | Website hosting | US (GDPR compliant) |
| Cloudflare | DNS, email routing | US (GDPR compliant) |
| Microsoft | Optional sign-in, Outlook calendar sync, Teams app | EU / US (GDPR compliant) |
| Slack | Optional sign-in, leave messages, who's-off digest, status sync | US (GDPR compliant) |

All data shared with these processors is encrypted in transit. We have appropriate agreements in place with each provider.

International transfers

Your primary data is stored by Supabase in London, UK. Some processors (Stripe, Resend, Netlify, Cloudflare, Slack) are based in the United States but comply with GDPR requirements.

Protecting your data

All data is encrypted in transit via TLS. Each organisation's data is isolated from every other organisation's data. You are responsible for keeping your password secure.

How long do we keep data?

We keep your data for as long as your account is active. If you cancel your subscription, your data is deleted when your billing period ends. If you delete your account, all data is removed immediately. We recommend exporting your data before cancelling or deleting.

After account closure, we may retain financial records for up to 6 years as required by UK law.

Cookies

Book Time Off uses only essential cookies required for authentication. We don't use tracking cookies, analytics cookies, or advertising cookies.

Your rights

Under UK data protection law, you have the right to:

Most of these can be done directly in Book Time Off. For anything else, email us at [email protected].

Age of users

Book Time Off is not intended for use by anyone under the age of 16.

Changes to this policy

We may update this policy from time to time. Significant changes will be communicated by email.

Complaints

If you have concerns about how we handle your data, please contact us first at [email protected]. If you're not satisfied, you can contact the Information Commissioner's Office (ICO).

Contact

For any questions, email us at [email protected].