Privacy Notice
This Privacy Notice explains how Pearce & Sons Group Ltd, trading as Oooly (Company No. 17209008), registered at 167–169 Great Portland Street, Fifth Floor, London, England, W1W 5PF ("Oooly", "we", "us") collects, uses, stores, and shares personal data in connection with the Oooly leave management platform.
Questions about this notice or our data practices should be directed to privacy@oooly.uk.
1. Our roles under UK GDPR
Depending on the data involved, we act in different capacities:
- Data Controller — for personal data we process for our own purposes: account registration, billing, customer communications, and platform analytics. We determine the purpose and means of this processing.
- Data Processor — for personal data that customer organisations (the Data Controller) upload into Oooly about their employees: names, leave records, working patterns, and related information. We process this data strictly on the organisation's instructions. A formal Data Processing Agreement (DPA) will be provided prior to general availability.
If you are an employee whose data appears in Oooly because your employer uses it, your employer is the Data Controller for that data. Rights requests relating to it should be directed to your employer in the first instance.
2. Personal data we collect and why
Account and billing data
When an organisation administrator registers an account, we collect their name, work email address, and (for paid plans) billing details via our payment processor. We use this to provide access to the platform, communicate about the service, and process payments. The legal basis is performance of a contract.
Employee data (processed on behalf of customer organisations)
Customer organisations input data about their employees, including names, email addresses, start dates, job roles, working patterns, and leave records. We process this solely to provide the leave management features of the platform, on the instruction of the organisation. The organisation is responsible for establishing its own legal basis as Controller for this data.
Absence and leave records
Leave requests, approval decisions, absence durations, and leave types are stored to support core platform functionality including balance calculation, team visibility, and reporting. These records may include sensitive details — see Section 3.
Usage and analytics data
We collect log data, IP addresses, browser and device type, and in-app interaction data to monitor service health, diagnose errors, and understand how the platform is used. The legal basis is our legitimate interests in maintaining and improving the service. We do not sell this data or use it for advertising.
3. Special category data
Some leave types inherently reveal, or may reveal, special category personal data as defined in UK GDPR Article 9:
- Health data: Sickness absence records, return-to-work interview notes, fit-for-work assessments, and medical certificate uploads may reveal information about an individual's physical or mental health.
- Religious or philosophical beliefs: Leave taken for religious observance may reveal an employee's religion or beliefs.
As Data Processor, we handle this data under the instruction of the employing organisation (the Controller). Organisations are responsible for ensuring they have an appropriate legal basis — typically explicit consent or the employment law exemption under Article 9(2)(b) — for processing special category data about their employees. Health-related return-to-work notes are encrypted at rest within the platform.
4. Legal basis summary
| Processing activity | Legal basis |
|---|---|
| Account registration and access | Contract |
| Billing and payment processing | Contract |
| Service communications (product updates, invoices) | Contract / Legitimate interests |
| Employee leave data (on behalf of orgs) | Processor — DPA to be provided prior to GA |
| Platform security and fraud prevention | Legitimate interests |
| Usage analytics and product improvement | Legitimate interests |
| Legal compliance (e.g. tax records) | Legal obligation |
5. Data retention periods
We do not keep personal data longer than necessary. Our specific retention periods are:
- Active account — employee and leave data: Retained for the duration of the subscription.
- Post-cancellation export window: Data is accessible in read-only mode for 30 days after cancellation.
- Post-cancellation production retention: Organisation data is permanently deleted from production systems 90 days after the end of the export window (120 days after cancellation).
- Encrypted backup snapshots: Purged within 30 days of production deletion.
- Billing records: Retained for 7 years to comply with HMRC requirements.
- Security and access logs: Retained for 90 days.
- Anonymised, aggregated analytics: Retained indefinitely (no individual can be identified).
If you require early deletion of your organisation's data, contact privacy@oooly.uk. We will action verified requests within 30 days.
6. Third-party subprocessors
We use the following subprocessors to deliver the Service. Each is bound by a data processing agreement and provides appropriate safeguards:
| Subprocessor | Purpose | Location |
|---|---|---|
| Laravel Cloud (Laravel LLC) | Application hosting, database, and storage for the Oooly platform. Laravel Cloud uses underlying infrastructure providers which they do not currently disclose publicly. We are seeking clarification from Laravel Cloud on this and will update this list accordingly. | USA — SCCs in place |
| Vercel Inc. | Hosting of the Oooly web application frontend. Transiently handles authenticated requests proxied to the backend; no persistent storage of personal data. | USA — SCCs in place |
| Brevo (Sendinblue SAS) | Transactional email delivery (invitations, notifications, account communications) | EU (France) |
| Stripe | Payment processing and subscription billing (paid plans only) | UK / EU |
| Google LLC | Google OAuth sign-in; Google Calendar and Google Workspace integrations (when enabled by the organisation) | USA — SCCs in place |
| Microsoft Corporation | Microsoft Teams and Outlook Calendar integrations (when enabled by the organisation) | USA — SCCs in place |
| Slack Technologies LLC | Slack integration (when enabled by the organisation) | USA — SCCs in place |
We will notify you of any material changes to our subprocessors with at least 30 days' notice, giving you the opportunity to object. Where a subprocessor maintains their own subprocessor list (such as Laravel Cloud), changes to that downstream list are governed by their own notification process.
7. International data transfers
Our application is hosted on Laravel Cloud and our frontend on Vercel, both of which are US-based services. Personal data is therefore transferred to the United States in the course of normal platform operation. Where personal data is transferred outside the UK, we rely on UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved for UK transfers to ensure an equivalent level of protection. All US-based subprocessors listed above operate under such agreements.
Laravel Cloud's underlying infrastructure providers are not currently publicly disclosed by Laravel Cloud. We are seeking this information and will update this notice when confirmed.
8. OAuth tokens and third-party integrations
When an organisation connects a third-party integration (Google Calendar, Google Workspace, Slack, Microsoft Teams, or Outlook Calendar), we store OAuth access and refresh tokens necessary to maintain that connection. These tokens are:
- Encrypted at rest using AES-256 encryption;
- Used solely to perform the actions authorised by the organisation;
- Permanently deleted within 24 hours of the organisation disconnecting the integration or closing their account.
We do not use integration access to read data beyond what is necessary for the specific feature enabled.
9. Individual rights
Under UK GDPR, individuals have the following rights regarding their personal data:
- Access: The right to obtain a copy of personal data held about you.
- Rectification: The right to have inaccurate data corrected.
- Erasure: The right to request deletion of your data in certain circumstances.
- Restriction: The right to restrict processing in certain circumstances.
- Portability: The right to receive data in a structured, machine-readable format.
- Objection: The right to object to processing based on legitimate interests.
If you are an employee whose data is in Oooly because your employer uses it, your employer is the Data Controller. You should direct rights requests to your employer in the first instance.
If you are an account holder (organisation administrator), you may exercise your rights directly by contacting privacy@oooly.uk. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been mishandled.
10. Data Processing Agreement
A formal Data Processing Agreement (DPA) governing our obligations as processor for customer organisation data is currently being finalised and will be provided to all customers prior to general availability. During the beta period, organisations accept our processing of their employee data on the basis of this Privacy Notice and our Terms of Service. If you have specific DPA requirements during beta, please contact privacy@oooly.uk to discuss.
11. Cookies
The Oooly application uses the following cookies:
- Session cookies: Strictly necessary to maintain your authenticated session. Set on login, deleted on logout or session expiry. No consent required.
We do not currently use analytics cookies in the application or on this website. If we introduce them in future, we will update this notice and implement an appropriate consent mechanism before setting them.
12. Security
We employ industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for sensitive fields, role-based access controls, and logical tenant isolation. In the event of a personal data breach, we will notify affected organisations and the ICO within 72 hours where required by law.
13. Changes to this notice
We may update this Privacy Notice from time to time. We will notify account holders by email and post the updated notice on this page with a revised date. For material changes, we will give at least 30 days' notice before they take effect.
14. Contact
For privacy queries, data subject requests, or DPA-related enquiries:
- Email: privacy@oooly.uk
- Post: Pearce & Sons Group Ltd (t/a Oooly), 167–169 Great Portland Street, Fifth Floor, London, England, W1W 5PF