DPA: Annex 1

Categories of Personal Data, Data Subjects, and Retention Periods


Last updated October 22, 2025

Purpose of processing:
Provision of Team Absence as Software-as-a-Service (SaaS).

1. Type of personal data processed:

The Provider processes the following personal data on behalf of the Customer and in accordance with the Customer’s instructions:

- Content and user data: (a) User’s name, (b) E-Mail address, (c) Company name, (d) Absence information including information in free text fields provided by the user.

Personal data processed by the Provider as a controller (e.g. for authentication, security, billing or contract management) is not subject to this DPA and is described separately in the Privacy Policy.

2. Categories of data subjects:

- Employees of the client organizations who use the software

- Clients or Contractors of the controller (organizations using the software)

- Third parties whose data is processed within the software, on behalf of the controller

3. Retention periods:

- Content and user data are deleted in accordance with the default retention periods, or earlier upon the Customer’s request, unless legal retention obligations require otherwise. The default retention periods are:

a. Unused Boards. Boards that have not been viewed within eighteen (18) months will be automatically and permanently deleted from our systems. All absence data associated with that board is deleted and cannot be recovered.

b. Removed members. Members that have been removed from the board will be automatically and permanently deleted from our systems within thirty (30) days. All absence data associated with that user is deleted and cannot be recovered.

c. Deleted Boards. Boards that have been removed from all tabs will be automatically and permanently deleted from our systems within two (2) months. All absence data associated with that board is deleted and cannot be recovered.

- Residual data fragments that may remain in system databases or backups are automatically overwritten or deleted in the ordinary course of business after last read access, as defined in the terms and conditions. The Controller remains solely responsible for deleting any remaining references or links to the Personal Data within its own systems.
