Privacy Policy

1. Introduction

PTOFlow is a product of Cherry Plum Studios, LLC (“PTOFlow,” “we,” “us,” or “our”). We provide a cloud-based paid time off (PTO) management platform that helps teams track leave requests, approvals, balances, and schedules. We operate the website ptoflow.com and related services (collectively, the “Service”).

This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the choices you have. It applies to all users of the Service, including company administrators, managers, and employees whose PTO is managed through PTOFlow.

By using PTOFlow, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

We collect information in three ways: information you provide directly, information collected automatically, and information received from third-party integrations.

2.1 Information You or Your Organization Provides

• Account and organization data: company name, administrator name and email address, billing information, and organization settings (e.g., company holidays, PTO categories, accrual policies).
• Employee profile data: employee names, work email addresses, job titles, team membership, manager relationships, and employment start dates.
• PTO request data: leave request dates, leave type (e.g., Vacation, Sick, Mental Health Day), duration, optional notes or reasons attached to requests, approval or decline decisions, and comments made by managers.
• PTO balance data: accrued balances, days used, days remaining, carry-over amounts, and prorated balances for new hires.
• Communications: messages sent to our support team at support@ptoflow.com.

2.2 Information Collected Automatically

• Log data: IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps of access.
• Usage data: features used, actions taken within the Service (e.g., submitting a request, approving a request, running a Slack command), and session duration.
• Device information: device type, unique device identifiers, and mobile network information.
• Cookies and similar technologies: see Section 8 (Cookies and Tracking) for details.

2.3 Information from Third-Party Integrations

When you connect PTOFlow to third-party services, we receive certain data from those services:

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service, including processing PTO requests and approvals.
• Create and manage user accounts and organizational settings.
• Calculate, track, and display PTO balances, accruals, and usage history.
• Send notifications via email and Slack regarding request status, approvals, and account activity.
• Sync approved PTO to Google Calendar on behalf of users who have enabled the integration.
• Respond to support requests and communicate with administrators about their accounts.
• Improve and develop the Service, including understanding how features are used and identifying bugs.
• Enforce our Terms of Service, prevent fraud, and ensure the security of the Service.
• Comply with applicable legal obligations.

We do not use employee PTO data for advertising or sell it to third parties for marketing purposes.

4. Legal Basis for Processing (EEA / UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal basis for processing personal data is:

• Contract performance: processing necessary to deliver the Service you or your employer has subscribed to.
• Legitimate interests: improving the Service, maintaining security, and preventing fraud, where these interests are not overridden by your rights.
• Legal obligation: where processing is required to comply with applicable law.
• Consent: where you have given explicit consent for a specific processing activity (e.g., connecting optional third-party integrations).

5. How We Share Your Information

5.1 Within Your Organization

PTOFlow is an organizational tool. Within your company's PTOFlow account, certain data is visible to authorized users:

• Managers can see PTO requests, balances, and calendars for employees on their teams.
• Company administrators have access to all employee PTO data within their organization.
• Shared team calendars display who is out and when, visible to all members of that team.

Your employer controls who within your organization has access to what data. PTOFlow follows the access controls set by your company administrator.

5.2 Service Providers

We share personal data with trusted third-party service providers who assist us in operating the Service, including:

• Cloud hosting and infrastructure providers.
• Payment processors (for billing of company subscriptions).
• Analytics providers (used only for aggregated, de-identified usage analytics).
• Customer support tools.

These providers are contractually required to use personal data only as directed by us and to maintain appropriate security measures.

5.3 Third-Party Integrations

When you connect Google or Slack, data flows between PTOFlow and those platforms in accordance with the permissions you grant. Those platforms' own privacy policies govern their handling of your data.

5.4 Legal Requirements

We may disclose information if required to do so by law, regulation, or valid legal process, or to protect the rights, property, or safety of PTOFlow, our users, or others.

5.5 Business Transfers

If Cherry Plum Studios, LLC is involved in a merger, acquisition, or sale of all or substantially all of its assets, personal data may be transferred as part of that transaction. We will notify users via email and/or a prominent notice on the Service prior to any such transfer.

6. Data Retention

We retain personal data for as long as your organization's account is active and for a reasonable period thereafter, to allow for account recovery and to meet our legal obligations.

PTO request records and balance history are retained for the duration of the account and for up to 3 years following account closure, as these records may be needed for employment compliance purposes.

Log and usage data is retained for up to 12 months.

When an organization closes its account, we will delete or anonymize personal data within 90 days of account closure, unless a longer retention period is required by law.

Individual employees may request deletion of their data by contacting their company administrator, who can submit a deletion request to support@ptoflow.com.

7. Data Security

We implement industry-standard technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of data at rest.
• Role-based access controls limiting internal access to personal data.
• Regular security assessments and monitoring.
• Authentication via Google SSO, reducing password-related risk.

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security. In the event of a data breach that affects your rights, we will notify you in accordance with applicable law.

8. Cookies and Tracking Technologies

PTOFlow uses cookies and similar technologies to operate the Service. We use:

• Essential cookies: required for authentication sessions and to keep you logged in.
• Functional cookies: to remember your preferences and settings within the Service.
• Analytics cookies: to understand how the Service is used in aggregate. We use de-identified or anonymized analytics data only.

We do not use cookies to serve advertising or to track you across third-party websites.

You can control cookies through your browser settings, though disabling essential cookies will prevent you from using the Service.

9. Your Privacy Rights

9.1 For All Users

Regardless of your location, you may:

• Access the personal data PTOFlow holds about you by contacting your company administrator or emailing support@ptoflow.com.
• Request correction of inaccurate personal data.
• Disconnect third-party integrations (Google Calendar, Slack) at any time through your account settings.

9.2 For EEA / UK Residents (GDPR)

If you are located in the EEA or UK, you have the right to:

• Access: obtain a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your personal data, subject to legal retention obligations.
• Restriction: request that we restrict processing of your data in certain circumstances.
• Portability: receive your personal data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise these rights, contact us at support@ptoflow.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9.3 For California Residents (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, or sell.
• Delete personal information we have collected, subject to certain exceptions.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information. PTOFlow does not sell personal information.
• Non-discrimination for exercising your privacy rights.

To submit a verifiable consumer request, email support@ptoflow.com with the subject line “California Privacy Request.”

10. International Data Transfers

PTOFlow is operated in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers from the EEA or UK, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data receives an adequate level of protection.

11. Children's Privacy

PTOFlow is designed for use by businesses and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us at support@ptoflow.com and we will promptly delete it.

12. Third-Party Services and Links

The Service integrates with and may link to third-party services including Google Workspace and Slack. This Privacy Policy does not govern the data practices of those services. We encourage you to review the privacy policies of any third-party services you connect to PTOFlow:

• Google Privacy Policy: https://policies.google.com/privacy
• Slack Privacy Policy: https://slack.com/trust/privacy/privacy-policy

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify company administrators by email and post the updated policy on ptoflow.com with a revised Effective Date. We encourage you to review this policy periodically.

Your continued use of the Service after the effective date of any updates constitutes your acceptance of the revised Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: