
Privacy Policy

Last updated: March 2026

1. Who we are

Off The Clock is operated by S7 Labs Ltd, a company registered in England and Wales under Company No. 17073823 and whose registered address is at 31 Mount Pleasant Drive, East Harling, Norwich, England, NR16 2GB, trading as Off The Clock ("we", "us", "our").

We are the data controller for personal data we process for our own purposes (for example, managing your account and billing). Where we process employee leave data on behalf of a Subscriber, we act as a data processor on that Subscriber's instructions, as set out in our Terms of Service.

ICO registration number: ZC108740

2. Data we collect

We collect data about the following persons:

  • Employees and staff of Subscribers
  • Subscriber administrators (e.g. managers, HR personnel)
  • Account holders responsible for subscriptions and billing

We collect data in the following ways:

  • User input through web application forms (e.g. account registration, leave requests)
  • Subscriber administrators entering employee details into the system
  • Authentication and session management via Supabase

The type of data we collect is:

  • Account information: name, email address, profile picture (stored in Supabase Storage)
  • Organisation information: company name, department structure
  • Leave records: holiday requests, approval history, allowance balances
  • Payment data: billing details processed by Stripe (we do not store card numbers)
  • Usage data: anonymous, aggregated page view and web performance metrics collected by Vercel Analytics and Vercel Speed Insights. These tools do not use cookies, do not collect IP addresses, and do not identify individual users. No personal data is processed for analytics purposes.

3. Lawful basis for processing

We process your data on the following bases under UK GDPR:

  • Contract: to provide and manage the leave-management service, including creating and maintaining your account, processing leave requests, and handling billing
  • Legitimate interest: to improve our service, prevent fraud, and ensure security. We have assessed that these interests do not override your rights and freedoms, taking into account the nature of the data processed and the safeguards we apply
  • Consent: where you have given explicit, freely given consent for a specific purpose, such as receiving optional marketing communications. You can withdraw consent at any time by contacting us at contact@s7labs.co.uk or using any unsubscribe mechanism provided, without affecting the lawfulness of processing carried out before withdrawal
  • Legal obligation: where we are required to process data by law, for example retaining billing records for tax purposes

4. Third-party processors

We share data with the following third parties who process data on our behalf:

  • Supabase: authentication, database hosting, and file storage (data stored in the EU)
  • Stripe: payment processing (data processed in the US)
  • Vercel: application hosting and anonymous usage analytics (data processed in the US)
  • SendGrid: transactional email delivery (data processed in the US)
  • SAML identity providers: If your organisation enables SSO, authentication is handled by your configured SAML identity provider. We exchange only the minimum data required to authenticate users (e.g. email address, name)

We have appropriate contractual protections in place with our sub-processors. Each sub-processor is required to process personal data only on our documented instructions and to maintain appropriate technical and organisational security measures.

5. Cookies and tracking

The following client-side technologies are used:

  • Authentication cookies: Supabase stores session tokens in your browser's cookies to keep you signed in. These are essential for the Service to function and are not used for tracking or advertising.
  • Analytics: Vercel Analytics and Vercel Speed Insights are completely cookieless. They do not set any cookies or store any data in your browser.

6. Data visibility within your organisation

As part of the leave-management service, certain personal data is visible within your organisation. Subscriber owners and administrators can see leave requests, allowance balances, and approval history across the organisation. Staff members can see leave information for colleagues in the same department. The scope of visibility may depend on your organisation's settings. This is a core part of how the Service operates.

7. International data transfers

Some of our third-party processors (Stripe, Vercel, and SendGrid) may process your data outside the UK and EU, primarily in the United States. If your organisation enables SSO, your configured SAML identity provider may also process authentication data in jurisdictions outside the UK and EU. Where data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or reliance on adequacy decisions, to protect your data in accordance with UK GDPR.

8. Data retention

We retain your personal data for as long as your account is active or as needed to provide you with our services; thereafter, it is deleted.

Data is deleted via application-level deletion processes and database removal. Files (e.g. profile images) are removed from storage systems. Backups are retained only as necessary for resilience and are automatically deleted after a defined retention period.

Specific retention periods are as follows:

  • Active accounts: data is retained for as long as your account or your organisation's subscription remains active
  • After account deletion: personal data, including uploaded files such as profile pictures stored in Supabase Storage, is deleted within 90 days
  • After organisation deletion: all organisation data is deleted within 90 days
  • Billing records: retained for 7 years to comply with UK tax and accounting obligations
  • Server logs: retained in anonymised form for up to 90 days for security and debugging purposes

9. Data security

We implement appropriate technical and organisational measures, including:

  • Encryption in transit using HTTPS/TLS
  • Encryption at rest provided by infrastructure providers
  • Role-based access controls within the application
  • Secure authentication handled by Supabase
  • Use of established providers such as Vercel and Stripe with industry-standard security practices
  • Restricted access to production systems (limited to the Director)

10. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you (Subject Access Request)
  • Rectify inaccurate personal data
  • Request erasure of your personal data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where consent is the basis for processing)
  • Not be subject to automated decision-making, including profiling, that produces legal or similarly significant effects (we do not engage in automated decision-making)

Organisation owners can export all of their organisation's data at any time using the built-in data export feature, which provides a downloadable archive of CSV files. This supports your right to data portability under UK GDPR.

To exercise any of these rights, please contact your organisation administrator or email us at contact@s7labs.co.uk.

In respect of Subject Access Requests, we will verify your identity before fulfilling any request and thereafter provide a response within one calendar month of receipt, as per Information Commissioner's Office guidelines. If your request is complex or numerous, we may extend this deadline by a further two months, provided we inform you within the first month that we will be doing so. You will not be charged for our response unless your request is unfounded, excessive, or repetitive.

11. Children

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

12. Data breaches

Our systems are monitored via infrastructure providers for suspicious activity. Any suspected breach is investigated promptly. Where required, breaches are reported to the ICO within 72 hours, and affected individuals will be notified where there is a high risk to their rights and freedoms.

If you become aware of a data breach you should notify us immediately so that we can take remedial action.

13. Complaints

If you are unhappy with how we handle your data, you should in the first instance contact us so that we may investigate and work with you to resolve your complaint.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14. Changes to this policy

We may update this privacy policy from time to time. We will notify you of any material changes by email or in-app notification at least 30 days before the changes take effect, and will update the "last updated" date on this page.

15. Contact

If you have any questions about this privacy policy or how we handle your data, please contact S7 Labs Ltd. at contact@s7labs.co.uk.


© 2026 S7Labs