This Privacy Policy is entered into between you (“you” or “user”) and hyOffice UG (haftungsbeschränkt) (“hyOffice”, “we”, “us”) and governs your use of the Team Absence software, including both free and paid versions, as well as the corresponding website (www.team-absence.com).

We take data protection seriously and are committed to complying with the General Data Protection Regulation (GDPR) and applicable privacy laws. This Privacy Policy, together with our Terms and Conditions, describes how we collect, use, and safeguard your personal data. The responsible party within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:

hyOffice UG (haftungsbeschränkt)
Karwinskistr. 40
81247 Munich
Germany

Data Protection Officer:

Phone: +49 89 200 055 74
Email: privacy@team-absence.com

I. Scope of this Policy

This Privacy Policy covers the Team Absence software, including both free and paid versions, the Team Absence website (www.team-absence.com), and all associated services provided in connection with Team Absence. It complements the Terms & Conditions that outline the use of Team Absence. By accessing or using Team Absence or visiting this website, you confirm your acceptance of this Privacy Policy.

II. EU Standard Contractual Clauses

To the extent applicable, hyOffice will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Customer Data out of the European Union, European Economic Area, and Switzerland will be governed by the Standard Contractual Clauses, as designated by the European Commission.

III. Legal Basis for Processing

To the extent that we have obtained the data subject's consent for the processing of personal data, Article 6(1)(1a) of the GDPR shall serve as the legal basis.

If the processing of personal data is necessary for the performance of a contract with the data subject or for pre-contractual measures initiated by the data subject, Article 6(1)(1b) GDPR shall serve as the legal basis.

If the processing of data is the result of a legal obligation to which we are subject, we invoke Article 6(1)(1c) GDPR.

If the processing of personal data is carried out to protect the vital interests of the data subject or another natural person, we rely on Article 6(1)(1d) GDPR.

If the processing of data serves a task carried out in the public interest or in the exercise of official authority, we rely on Article 6(1)(1e) GDPR.

Insofar as the processing of personal data is necessary to protect the legitimate interests of the controller or a third party—without jeopardizing the interests, fundamental rights or freedoms of the data subject—Article 6(1)(1f) GDPR is the legal basis.

IV. Collected Data

(1) Roles. We process certain personal data as the Controller (Art. 4 (7) GDPR), meaning we determine the purposes and means of processing. We also process data on behalf of our customers, as a Processor (Art. 4 (8) GDPR) under our Data Processing Agreement (DPA), for data that customers upload, store or otherwise submit in the course of using the software. For those data, the DPA governs our obligations, including security, retention, deletion and the handling of user requests.

(2) Data Collected as Controller. When you use Team Absence software, we collect and process the following personal data as a controller: (a) User’s name, (b) E-Mail address, (c) User ID and Tenant ID, (d) Company name.

Upon purchase of paid license, we additionally collect the following payment data as a controller: (a) Billing data, (b) billing address and (c) contractual data.

We also collect and process technical data as a controller for support and analytics purposes: (a) Operating system, (b) Browser metadata, (c) Server logs, (d) Technical metadata, (e) Client ID, (f) Language/regional settings.

(3) Usage.When using Team Absence, we handle your personal data for the following purposes: (a) To create and manage user accounts, (b) Authenticate users, (c) Enforce access controls, (d) Send user notifications, (e) Manage licenses and subscriptions, (f) Process billing, (g) Address user support inquiries, (h) Ensure stable IT operations.

(4) Customer Consent. Customer consents to the processing of Personal Data by hyOffice and its Affiliates, and their respective agents and subcontractors, as provided in this agreement. Before providing Personal Data to hyOffice, Customer will obtain all required consents from third parties (including Customer's contacts, partners, distributors, administrators, and employees) under applicable privacy and Data Protection Laws.

(5) Data Removal Requests. hyOffice retains data only as long as necessary to provide services or comply with legal obligations. Should a user request deletion of their data before automatic retention periods expire (see VII for details), they may contact our support team (support@team-absence.com). In such cases, the data will be deleted immediately upon request. Specific retention periods are defined below.

(6) Essential Data. All data collected through the software is strictly essential for providing the service. If a user no longer wishes to provide or have their data processed, they must uninstall and cease using the app. The collection of your personal data is essential for the conclusion of a contract and the fulfilment of contractual obligations and services. If you do not provide us with the requested information, we will not be able to successfully conclude a contract or provide you with any further contractual services.

(7) Resellers. Payment processing is done through one of our resellers. Once you decide to acquire a paid license and make a payment, you will be redirected to a designated page which will collect data on their behalf. We receive and process some of the information you provide to the payment processor (e.g., country of card issuance, card expiration date, billing address). We never store or have access to the full credit card number.

V. Personally Identifying Information

Some users may engage with hyOffice in ways that require the collection of personally identifiable information. The type and amount of information collected depend on the specific interaction. For instance, if a user sends an email to hyOffice, the email's header and content will be stored and processed. Such correspondence is typically retained for 10 years to comply with regulatory requirements.

In certain situations, users might voluntarily provide sensitive information through free text input fields. All such data is encrypted both in transit and at rest. By providing this data, users consent to its processing and storage. Users are advised to avoid sharing unnecessary sensitive information.

VI. Processing of Personal Data

(1) Roles. When using Team Absence, the Customer acts as the controller for absence data (e.g., leave dates, status and – where configured – reason categories such as vacation, remote work or sick leave). hyOffice acts as the Customer’s processor (or sub-processor where the Customer itself acts as a processor) for such absence data and processes it only on the Customer’s documented instructions. Separately, hyOffice is the controller solely for personal data that hyOffice collects according to IV (2) of this Privacy Policy. This role allocation – Customer as controller for absence data; hyOffice as processor for that data; – is governed by a separate Data Processing Agreement (DPA), which also sets out applicable technical and organizational measures (see also section IV (1) of this Privacy Policy).

(2) Health data. Use of Team Absence may reveal health data (e.g., sickness-related absences), which are special categories under Art. 9 GDPR. The Customer as controller must ensure a valid Art. 9 legal basis, typically Art. 9(2)(b) GDPR in the employment context (and, where that is not applicable, explicit consent under Art. 9(2)(a) in non-employment scenarios); mere “consent by entering information” is not relied upon for employment processing. hyOffice processes such absence data solely on the Customer’s documented instructions as set out in the DPA, which also governs the applicable technical and organizational measures. Customers are responsible for ensuring that only data necessary for absence management is entered and that no unnecessary health-related information is included. Support access by hyOffice occurs only when needed and is tightly controlled.

(3) Processing Details. The parties acknowledge and agree that: The subject-matter of the processing is limited to Personal Data within the scope of the GDPR; The duration of the processing will be for the duration of the Customer’s right to use Team Absence and until all Personal Data is deleted or returned in accordance with Customer instructions or the terms of this Agreement; The nature and purpose of the processing will be to provide the purchased services; The types of Personal Data processed by the Offering include those expressly identified in Article 4 of the GDPR; and The categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers, and other data subjects whose Personal Data is contained within any data made available to hyOffice by Customer.

(4) Data Subject Rights; Assistance with Requests. Assistance with Requests. hyOffice will make information available to Customer consistent with the functionality of Team Absence and its role as processor. If hyOffice receives a request from Customer’s data subject, it will inform the Customer and, where appropriate, redirect the data subject to the Customer. hyOffice may, at its discretion and where appropriate, respond directly to the data subject or assist the Customer in responding. See also Data Processing Agreement (DPA).

(5) Use of Sub-processors. Customer consents to hyOffice using sub-processors. hyOffice remains responsible for its sub-processors’ compliance with the obligations herein. For a list of sub-processors, see also DPA: Annex 3.

(6) Records of Processing Activities. hyOffice will maintain all records required by Article 30(2) GDPR and make them available to Customer upon request.

VII. Data Retention

hyOffice retains personal data only as long as necessary to fulfill the purposes for which it was collected, including any legal or reporting requirements. Specific retention periods are defined below.

a. Unused Boards. Boards that have not been viewed within eighteen (18) months will be automatically and permanently deleted from our systems. All absence data associated with that board is deleted and cannot be recovered.

b. Removed members. Members that have been removed from the board will be automatically and permanently deleted from our systems within thirty (30) days. All absence data associated with that user is deleted and cannot be recovered.

c. Deleted Boards. Boards that have been removed from all tabs will be automatically and permanently deleted from our systems within two (2) months. All absence data associated with that board is deleted and cannot be recovered.

d. Server logs. Server logs will be automatically and permanently deleted from our systems within thirty (30) days.

VIII. Data Security & Location

The security of your personal data is important to us. All data is encrypted in transit and at rest (256-bit AES encryption). While we apply industry-standard security measures, no system is entirely risk-free. Your data is stored on Microsoft Azure servers located in Europe, specifically in Germany.

IX. Subcontractors

Users agree to the commissioning of subcontractors to provide the technical solution. Current subcontractors: Paddle.net (reseller), Microsoft.com (reseller and cloud provider) and ionos.com (web hosting). Paddle.net and Microsoft.com are located in third countries outside the EU. Transfers rely on appropriate safeguards such as Standard Contractual Clauses. DPAs are concluded with all sub-processors per Art. 28 GDPR.

X. Links To External Sites

Our service may contain links to external sites not operated by us. We advise reviewing the privacy policies of every site you visit. We have no control over and assume no responsibility for third-party content or practices.

XI. Cookies and Web Storage

Team Absence uses Cookies and Web Storage to store preferences locally. Users who do not wish to have cookies placed should configure their browsers to refuse cookies; some features may not function properly.

XII. E-Commerce

Those who engage in transactions with hyOffice are asked to provide necessary personal and financial information. We collect only what is required to fulfill the interaction. Refusal may prevent completion of certain activities.

XIII. Privacy Policy Changes

Although most changes are likely minor, hyOffice may change this Privacy Policy at its sole discretion. When we do, we revise the “Last updated” date. Modifications are effective immediately for anyone who installs or uses the software, purchases or renews a license, or uses the website after publication. If material changes occur, you may terminate by non-renewal and uninstalling. Continued use constitutes acceptance.

XIV. Data Subject Rights

You have the following rights under GDPR: (a) Access (Art. 15), (b) Rectification (Art. 16), (c) Erasure (Art. 17), (d) Restrict Processing (Art. 18), (e) Data Portability (Art. 20), (f) Object (Art. 21), (g) Withdraw Consent (Art. 7(3)). To exercise these rights, contact us. You may also lodge a complaint with a supervisory authority. A list of German authorities: bfdi.bund.de.

→ Terms & Conditions

→ Data Processing Agreement (DPA)

If you have any questions about this Privacy Policy, please contact us.