Privacy Policy

1. Introduction

Restana (“we”, “us”, “our”) operates the leave management and time tracking platform available at restana.io. We are committed to protecting your privacy and handling your personal data responsibly. This policy explains what data we collect, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

The data controller for personal data processed through Restana is the company behind the Restana brand, based in the United Kingdom. For questions about data processing, contact us at support@restana.io.

3. What Data We Collect

We collect the following categories of personal data when you use our service:

Account information

• Full name and email address
• Organisation name and role within the organisation
• Password (stored securely as a cryptographic hash)
• Department and manager assignment

Service data

• Leave requests, approvals, and allowance records
• Clock in/out times and time entries
• Return-to-work check-in responses
• Recognition and reward records
• Training and compliance records
• Audit log entries (actions performed within the platform)

Technical data

• IP address and browser user agent (for security and logging)
• Device type and screen resolution (for responsive design)

4. How We Use Your Data

We process your personal data for the following purposes:

• Providing the service — managing leave requests, time tracking, approvals, and team scheduling
• Management insights — generating absence patterns, overtime reports, and team analytics for administrators and managers
• Notifications — sending request updates, approval reminders, and escalation alerts via email, Slack, or Microsoft Teams
• Account management — authentication, password resets, and billing
• Security — preventing unauthorised access, fraud detection, and maintaining audit logs
• Service improvement — understanding usage patterns to improve the platform (aggregated, non-identifying data only)

5. Legal Basis for Processing

We process personal data under the following legal bases:

• Performance of a contract — processing is necessary to provide the service you or your organisation has subscribed to
• Legitimate interests — improving the platform, preventing fraud, and ensuring security
• Legal obligation — where we are required to retain certain data for compliance purposes

6. Data Processors and Sub-processors

We use the following third-party processors to deliver our service:

All processors are bound by data processing agreements and are required to handle your data in accordance with GDPR. Where data is transferred outside the UK/EEA, appropriate safeguards are in place (including Standard Contractual Clauses).

7. Cookies

Restana uses only essential cookies required for the service to function. We do not use advertising, analytics, or third-party tracking cookies.

Because we only use strictly necessary cookies, no cookie consent banner is required under UK PECR regulations.

8. Data Retention

We retain your data for as long as your organisation’s account is active and as needed to provide the service. Specific retention periods:

• Account data — retained while the account is active, deleted within 30 days of account closure
• Leave and time records — retained for the duration of the subscription plus 90 days to allow for data export
• Audit logs — retained for 2 years from creation for compliance purposes
• Billing records — retained for 7 years as required by UK tax law

When data is no longer required, it is securely deleted or anonymised.

9. Your Rights Under GDPR

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data (subject to legal retention requirements)
• Right to restrict processing — request that we limit how we use your data
• Right to data portability — receive your data in a structured, commonly used, machine-readable format (CSV export is available from your account settings)
• Right to object — object to processing based on legitimate interests

To exercise any of these rights, email support@restana.io. We will respond within 30 days, as required by law.

10. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Row-level security policies enforced at the database level
• Rate limiting and security headers on all API endpoints
• Regular security reviews and dependency updates
• Role-based access controls within the application

11. Children’s Data

Restana is a business-to-business service and is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe a child’s data has been submitted to us, please contact support@restana.io and we will delete it promptly.

12. ICO Registration

Registration with the UK Information Commissioner’s Office (ICO) is currently pending. Our registration number will be published here once confirmed. In the meantime, if you have concerns about how we handle your data that we have not resolved to your satisfaction, you have the right to lodge a complaint with the ICO at ico.org.uk.

13. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or an in-app notification. The “last updated” date at the top of this page reflects the most recent revision.

14. Contact

If you have questions about this privacy policy or your personal data, contact us at: