Privacy Policy

This Privacy Policy describes how YayLeave (“we”, “us”, or “our”), the responsible party operating YayLeave.com, collects, uses, stores, and protects personal information in accordance with the Protection of Personal Information Act, 4 of 2013 (“POPIA”) and any applicable regulations or codes of conduct issued thereunder.

By registering for or using YayLeave, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal information as described herein, where consent is the applicable lawful basis.

1. Categories of Personal Information We Collect

We collect the following categories of personal information about you:

  • Identity information: first name, last name, employee number, job title, job grade, date of birth (where required for leave calculations).
  • Contact information: work email address, telephone number.
  • Employment information: employer (company / tenant), department, manager relationship, employment start date, employment status.
  • Leave and HR records: leave type entitlements, leave balances, leave requests and their status (approved / declined / pending), leave history, and any supporting notes or reasons provided.
  • Account credentials: hashed password (we never store passwords in plain text), authentication tokens, and session metadata.
  • Technical and usage data: IP address, browser user-agent string, date and time of sign-in, pages visited within the application, and audit-log entries generated by your actions in the system.
  • Communication data: any information you provide when you contact our support team.

We do not intentionally collect special personal information (as defined in section 26 of POPIA) such as health records, racial or ethnic origin, religious beliefs, or trade-union membership, unless it is strictly necessary to administer a specific leave type (e.g., a medical certificate submitted in connection with sick leave). Where such information is collected, we will obtain your explicit consent and handle it with enhanced safeguards.

2. Purposes of Processing

We process your personal information for the following purposes:

  • To create, manage, and authenticate your YayLeave account.
  • To administer leave management functions on behalf of your employer, including recording, approving, and reporting on leave requests.
  • To enforce tenant isolation — ensuring each company's data is accessible only to authorised personnel within that company.
  • To maintain an audit trail of changes in compliance with legal recordkeeping obligations and to enable dispute resolution.
  • To perform internal analytics and system diagnostics to improve service reliability and performance.
  • To respond to support requests and communicate service updates.
  • To comply with South African law, including the BCEA and POPIA.
  • To detect and prevent fraud, unauthorised access, or other unlawful activity.

3. Lawful Basis for Processing

We rely on the following grounds for processing personal information under POPIA:

  • Contractual necessity: processing is necessary to perform the service agreement between YayLeave and the employer (responsible party for their employees’ data) and to provide you with access to the platform.
  • Legal obligation: certain processing is required to comply with the BCEA, POPIA, and other applicable South African legislation.
  • Legitimate interest: we process technical and usage data for security monitoring, fraud prevention, and service improvement, balanced against your privacy rights.
  • Consent: where none of the above grounds apply (e.g., for optional communications or the collection of special personal information), we will obtain your explicit, informed consent prior to processing.

4. Cookies, Sessions, and Authentication Data

YayLeave uses the following cookies and session mechanisms:

  • Authentication cookie (.YayLeave.Auth): an HTTP-only, secure, essential cookie that stores your bearer session token. It is set when you sign in and is required for the application to function. It expires at the end of your session or after 8 hours of inactivity, whichever comes first.
  • Session cookie (.YayLeave.Session): an HTTP-only session cookie used to maintain temporary state (such as your currently selected company context) across requests. It expires when you close your browser or after 8 hours of inactivity.

We do not use third-party advertising cookies, tracking pixels, or any cookie that is not strictly necessary for the operation of the service. No personal information is processed through third-party analytics platforms via cookies.

5. Sharing with Third Parties and Operators

We do not sell, rent, or trade your personal information. We may share your information with the following categories of parties only to the extent necessary to deliver the service:

  • Cloud infrastructure providers (e.g., Microsoft Azure) that host the application and database. These providers are contractually bound to process data only on our instructions and to apply appropriate security measures.
  • Your employer (the tenant): personal information about employees is visible to authorised administrators and managers within the same company in accordance with their role.
  • Professional advisers and regulators: we may disclose information where required by law, court order, or request from a competent regulatory authority, including the Information Regulator.

All third-party operators with whom we share personal information are required to enter into a written operator agreement that obliges them to process information only as instructed by us and to implement appropriate security safeguards.

6. Cross-Border Transfers

Your personal information is primarily processed and stored within South Africa. Where we use cloud infrastructure that may store or process data outside South Africa (e.g., Microsoft Azure data centres), we take steps to ensure that the recipient country or organisation offers an adequate level of protection, or we put in place appropriate contractual safeguards as required by section 72 of POPIA.

7. Retention Periods

We retain personal information for as long as is necessary to fulfil the purposes set out in this policy, unless a longer retention period is required or permitted by law. Our default retention guidelines are:

  • Active account records (employee profiles, leave records, audit logs): retained for the duration of the employer’s subscription, plus 5 years after termination to satisfy recordkeeping obligations under the BCEA.
  • Authentication tokens and session logs: deleted upon session expiry or revocation; audit logs referencing sign-in events are retained for 5 years.
  • Soft-deleted records: records that have been deleted within the application are flagged as inactive and retained for 5 years to support audit and dispute resolution, after which they are purged.
  • Support communications: retained for 3 years from the date of the last communication.

8. Security Safeguards

We implement technical and organisational measures to protect personal information against unauthorised access, loss, destruction, or alteration, including:

  • Transport Layer Security (TLS/HTTPS) for all data in transit.
  • Hashed password storage (bcrypt with per-record salting; passwords are never stored in plain text).
  • HTTP-only and secure-flag cookies to mitigate XSS and session-hijacking risks.
  • Role-based access control with strict tenant isolation — users can only access data belonging to their own company.
  • Full audit logging of data modifications to enable detection of unauthorised changes.
  • Soft-delete architecture to prevent accidental or malicious data destruction.
  • Regular review of access rights to ensure least-privilege principles are maintained.

While we take reasonable steps to protect your information, no system is completely secure. In the event of a security compromise that affects your personal information, we will notify you and the Information Regulator as required by POPIA.

9. Your Rights as a Data Subject

Under POPIA, you have the following rights in relation to your personal information:

  • Right of access (section 23): you may request a description of the personal information we hold about you and the identity of any third parties who have or have had access to it.
  • Right to correction or deletion (section 24): you may request that we correct, destroy, or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Right to object (section 11(3)): you may object, on reasonable grounds, to the processing of your personal information. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent: where processing is based on your consent, you may withdraw consent at any time without detriment. Withdrawal will not affect the lawfulness of processing before withdrawal.
  • Right not to be subject to automated decision-making: you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning you.
  • Right to lodge a complaint: you may submit a complaint to the Information Regulator (see section 10 below).

To exercise any of these rights, please contact our Information Officer at support@yayleave.com. We will respond within 30 days of receiving a valid request.

10. Contact and Complaints

If you have any questions, concerns, or complaints about how we handle your personal information, please send an email to support@yayleave.com addressed to the Information Officer.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify registered users by email or via an in-application notice. We encourage you to review this policy periodically.

Continued use of YayLeave after the effective date of any updated Privacy Policy constitutes your acceptance of the revised policy.