Effective Date: 08/01/2025
Company: ToBeShore AB, Sweden
Product: DayzOff, Leave Management System
Contact: support@tobeshore.freshdesk.com
1. Introduction
ToBeShore AB is fully committed to complying with the General Data Protection Regulation (GDPR) EU 2016/679. This policy outlines how we protect the personal data of users, organizations, and employees who use our Leave Management System, including those based in the European Union and EEA.
2. Definitions
Personal Data: Any information that can identify a natural person (e.g. name, email, IP address).
Processing: Any operation on personal data (e.g. collecting, storing, analyzing).
Controller: The customer (organization or individual) using our system.
Processor: ToBeShore AB, which processes data on behalf of the controller.
3. Lawful Basis for Processing
We process personal data under the following lawful bases:
Performance of a contract – To deliver the service the customer has subscribed to.
Legitimate interest – To maintain and improve our services (e.g., through analytics, AI bot).
Consent – For optional features such as email alerts or cookies on our website.
4. Data We Process
We collect and process the following personal data on behalf of our customers:
- Employee and administrator names
- Employee & administrator job titles
- Employee & administrator profile pictures
- Email addresses
- Leave records and approvals
- Country-specific public holidays
- Organization hierarchy
- Organization-related leave types
- Organization-specific email configurations
- Organization-specific notification templates
- Organization-specific rules (related to leave)
We do not collect sensitive personal data such as race, religion, or health details directly. However, some holiday data may imply religious observances.
5. Data Rights of Individuals
As per GDPR, individuals have the right to:
Access – Request a copy of their personal data
Rectification – Request corrections to inaccurate data
Restriction – Limit how their data is processed
Objection – Object to certain types of processing
Portability – Request export of their data
Erasure – Request deletion (subject to platform limitations and legal obligations)
📩 To exercise any of these rights, users can contact us at support@tobeshore.freshdesk.com. Requests will be handled within 30 days.
6. Data Storage and Retention
- All customer data is stored securely in Microsoft Datacenters in Sweden for the EU market.
- Data is retained in the primary database for 2 years, after which it is archived for historical purposes.
- Data deletion is not available through the UI; requests must be made through our support team.
7. Subprocessors
We use the following subprocessors, all of which are GDPR-compliant:
Microsoft Azure – For cloud infrastructure and storage
Azure Bot – For chatbot services
Data is never sold or transferred to unauthorized third parties.
8. Data Security
We take data protection seriously and implement industry-standard security measures to safeguard customer information. Our controls include:
Data Encryption – All data is encrypted both at rest and during transmission.
Role-Based Access Control (RBAC) – Access to data is restricted based on user roles and permissions.
Audits & Monitoring – Regular security audits, monitoring, and compliance checks are performed to detect and prevent unauthorized activity.
Tenant Isolation – A multi-tenant architecture is enforced to ensure strict separation of customer data, preventing cross-customer access.
Data Minimization & Purpose Limitation – Collect only the minimum personal data necessary and use it solely for the stated purpose.
Data Retention & Deletion – Retain personal data only for the defined period and ensure secure deletion when no longer required.
9. International Data Transfers
As a global service provider, data may be processed outside the EU. In such cases, we rely on:
Azure’s EU-US Data Privacy Framework commitments
Standard Contractual Clauses (SCCs) where applicable
10. Breach Notification
In the event of a personal data breach, we will notify affected customers and relevant authorities within 72 hours, as required by GDPR Article 33.
11. Data Protection Officer (DPO)
If required, please direct inquiries to:
📧 Email: support@tobeshore.freshdesk.com
📍 ToBeShore AB, Sweden