Privacy policy

Last updated: December 13, 2025
Please read this privacy policy carefully before using our service.

We at BrainCore Solutions GmbH (hereinafter referred to as "we," "us," or "absentify") are committed to protecting your personal data and ensuring transparency in how we collect, process, and use it. This privacy policy applies to the use of our website https://absentify.com and our SaaS application absentify.

1. General Information

1.1 Who is responsible for data processing?

BrainCore Solutions GmbH Panoramaweg 1 8274 Tägerwilen, Switzerland

Phone: +49 251 9811573777 Email: support@absentify.com

1.2 Our Representative in the EU (Art. 27 GDPR)

Prighter Group GmbH Neustiftgasse 83/2A 1070 Vienna, Austria

Contact: https://app.prighter.com/portal/absentify

1.3 Our Representative in the UK (Art. 27 UK GDPR)

Prighter Ltd 20 Primrose Street London EC2A 2EW, United Kingdom

Contact: https://app.prighter.com/portal/absentify

1.4 Data Protection Officer

BrainCore Solutions GmbH – Data Protection Officer Email: privacy@absentify.com

1.5 Supervisory Authorities

EU Supervisory Authority: You may lodge a complaint with a supervisory authority in your EU member state, particularly in the member state of your habitual residence, place of work, or place of the alleged infringement.

UK Supervisory Authority: Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom Website: https://ico.org.uk

2. Regulatory Framework

2.1 EU GDPR Compliance

absentify is fully compliant with the General Data Protection Regulation (EU) 2016/679 (GDPR). We process personal data lawfully, fairly, and transparently in accordance with Articles 5-11 GDPR.

2.2 UK GDPR Compliance

absentify is also compliant with the UK General Data Protection Regulation (UK GDPR) as retained in UK law under the European Union (Withdrawal) Act 2018, read together with the Data Protection Act 2018. The UK GDPR applies to processing of personal data of individuals located in the United Kingdom.

2.3 Swiss Data Protection

As a Swiss company, we also comply with the Swiss Federal Act on Data Protection (FADP/DSG).

3. Data Collection and Processing

We collect and process your data in the following ways:

3.1 Information You Provide

Registration and account setup information
Forms, emails, and support messages
Absence requests, leave reasons, and uploaded documents
Profile information entered manually

3.2 Data Synced from Microsoft (when Microsoft login is enabled)

When you use Microsoft login, we receive and sync the following basic profile data:

Data Element

Purpose

First Name

User identification and display

Last Name

User identification and display

Email Address

Account identification and communication

Profile Picture

User profile display

3.3 Data Entered Directly in absentify

Data Element

Purpose

Birthday (optional)

Birthday notifications and HR insights

Employment Start/End Dates

Anniversary notifications, tenure tracking, HR reporting

Custom Employee ID

Integration with HR systems

Public Holiday Calendar

Accurate leave calculations

Regional Preferences

Localized user experience

3.4 Business Data

Data Element

Purpose

Absence Requests

Core absence management functionality

Leave Allowances

Quota management and balance tracking

Department Assignments

Organizational structure and access control

Approver/Representative Assignments

Approval workflows

Work Schedules

Accurate leave calculations

Uploaded Documents

Supporting documentation for leave requests

3.5 Technical Data Collected Automatically

Data Element

Purpose

IP Address

Security, fraud prevention, and legal compliance

Browser Type and Version

Technical support and optimization

Operating System

Technical support and optimization

Time of Access

Security monitoring and analytics

Referring URLs

Marketing analytics

3.6 Authentication Data

Data Element

Purpose

Retention

Microsoft OAuth Tokens

API access for optional integrations

Encrypted, automatic renewal

Magic Link Tokens

Passwordless authentication

15 minutes, single-use

Session Cookies

Session management

30 days, AES-256 encrypted

4. Purpose and Legal Basis of Processing

Purpose

Legal Basis (EU GDPR)

Legal Basis (UK GDPR)

Providing access to the application

Art. 6(1)(b) – Performance of contract

Ensuring functionality and security

Art. 6(1)(f) – Legitimate interest

Support and customer service

Art. 6(1)(f) – Legitimate interest

Newsletter and marketing (with consent)

Art. 6(1)(a) – Consent

Product analytics and improvements

Art. 6(1)(f) – Legitimate interest

Legal compliance and record-keeping

Art. 6(1)(c) – Legal obligation

Legitimate Interest Assessment: Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting privacy@absentify.com.

Withdrawal of Consent: Where processing is based on consent, you may withdraw your consent at any time with effect for the future by contacting privacy@absentify.com or using the unsubscribe link in marketing communications.

5. Subprocessors and Hosting

We carefully select subprocessors who meet our security and data protection standards. All subprocessors operate under Data Processing Agreements (DPAs) in compliance with GDPR.

5.1 Current Subprocessors

We work exclusively with subprocessors within the European Union (EU) and the United Kingdom (covered by an EU adequacy decision). The current list of approved subprocessors, including their locations and purposes, is available at:

https://absentify.com/subprocessors

5.2 Changes to Subprocessors

We will notify customers of any new subprocessors at least 30 days before engagement via email or the subprocessors page. Customers may object within 14 days if they have reasonable, documented concerns regarding data protection compliance.

6. International Data Transfers

6.1 Primary Data Processing Locations

All personal data is primarily processed within the European Union and Switzerland:

Data Type

Primary Location

Backup Location

Customer Data

North Europe (Ireland)

EU paired region (geo-redundant)

Application Logs

North Europe (Ireland)

–

Audit Logs

North Europe (Ireland)

–

6.2 EU-UK Data Transfers

The European Commission has adopted an adequacy decision for the United Kingdom, recognizing that the UK provides an adequate level of data protection. This adequacy decision is currently valid until December 27, 2025 (extended). We monitor this status and will implement appropriate safeguards if necessary.

6.3 Safeguards for International Transfers

For any transfers to countries outside the EU/EEA/UK/Switzerland without an adequacy decision, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) as approved by the European Commission
UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs where required
Technical and organizational security measures
Transfer Impact Assessments where required

You may request a copy of these safeguards at privacy@absentify.com.

7. Your Rights

7.1 Rights under EU GDPR and UK GDPR

You have the following rights regarding your personal data:

Right

Description

Reference

Right to Access

Obtain confirmation of processing and a copy of your data

Art. 15 GDPR

Right to Rectification

Correct inaccurate or incomplete data

Art. 16 GDPR

Right to Erasure

Request deletion of your data ("right to be forgotten")

Art. 17 GDPR

Right to Restriction

Restrict processing in certain circumstances

Art. 18 GDPR

Right to Data Portability

Receive your data in a structured, machine-readable format

Art. 20 GDPR

Right to Object

Object to processing based on legitimate interests

Art. 21 GDPR

Right to Withdraw Consent

Withdraw consent at any time

Art. 7(3) GDPR

Right Not to be Subject to Automated Decision-Making

Not be subject to decisions based solely on automated processing

Art. 22 GDPR

Right to Lodge a Complaint

File a complaint with a supervisory authority

Art. 77 GDPR

7.2 How to Exercise Your Rights

To exercise your rights, please contact us at:

Email: privacy@absentify.com
Phone: +49 251 9811573777

We will respond to your request within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

7.3 Identity Verification

To protect your privacy, we may need to verify your identity before processing your request. We will not charge a fee unless your request is manifestly unfounded or excessive.

8. Data Retention

We retain your data only as long as necessary to fulfill the purposes for which it was collected or to meet legal requirements.

8.1 Retention Periods

Data Type

Retention Period

Notes

Customer Application Data

Until account deletion

Deleted immediately upon account deletion

Backup Data

Maximum 14 days

Geo-redundant backups, then permanently deleted

Financial Records

Managed by Paddle

Subject to Paddle's GDPR-compliant policies

Application Logs

30 days

Azure Log Analytics

Security Audit Logs

365 days

Immutable storage for compliance

Database Audit Logs

30 days

Azure Log Analytics

Key Vault Access Logs

365 days

Immutable storage

Email Communications

12 months

Unless part of legal/audit matter

8.2 Data Disposal

When data is no longer required, it is securely deleted using industry-standard data destruction methods that ensure the data is not recoverable.

9. Cookies and Analytics

9.1 Cookie Categories

Our website and application use cookies for the following purposes:

9.2 Analytics

We use Amplitude Analytics GmbH for anonymized user behavior analysis. All analytics data is processed exclusively within the European Union (Frankfurt am Main, Germany).

9.3 Managing Cookies

You can manage your cookie preferences through:

Our cookie consent banner
Your browser settings
Our cookie settings page

10. Security and Certifications

10.1 Certifications

Certification

Status

ISO 27001

Certified (Information Security Management System)

Microsoft 365 App Certification

Certified

Microsoft Azure Compliance

ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3

10.2 Technical and Organizational Measures

We have implemented comprehensive security measures to protect your data:

Encryption:

At Rest: AES-256 encryption for all databases, storage, and backups
In Transit: TLS 1.2+ enforced on all connections, HTTPS-only with HSTS

Network Security:

Private endpoints for all sensitive services (no public IP addresses)
Web Application Firewall (WAF) with OWASP protection
DDoS protection with rate limiting
Dedicated Virtual Network with subnet segmentation

Access Control:

Role-based access control (RBAC)
Multi-factor authentication (MFA) for production access
Principle of least privilege
Regular access reviews
Direct database access restricted to top management only

Monitoring:

Microsoft Defender for Cloud for real-time threat detection
Continuous security monitoring and alerting
Immutable audit logs retained for 365 days

Incident Response:

Documented security incident response procedure
72-hour breach notification to supervisory authorities (where required)
Regular penetration testing and vulnerability assessments

11. Data Processing Agreement

For customers using absentify in a business context, we provide a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR / UK GDPR.

The DPA is available at: https://absentify.com/dpa

The DPA includes:

Standard Contractual Clauses (SCCs) for international transfers
Technical and Organizational Measures (TOMs)
ISO 27001 certificate as an appendix
List of subprocessors

12. Microsoft 365 Integration

absentify integrates with Microsoft 365 for authentication and optional features. We follow the principle of minimal data access.

12.1 Base Permissions (Login Only)

Permission

Purpose

email

View users' email addresses

openid

Sign users in

profile

View users' basic profile

User.Read

12.2 Optional Features (Admin Consent Required)

Each optional feature uses a separate Azure AD app registration to ensure minimal permission scope:

Feature

Permissions

What We Do

What We Do NOT Do

Calendar Sync

Calendars.ReadWrite

Create/update/delete absence events only

Read existing appointments

Out-of-Office

MailboxSettings.ReadWrite

Set automatic replies only

Access emails or mailbox content

Manager Sync

User.Read.All

Read manager relationships only

Access sensitive employee data

Group Sync

Group.ReadWrite.All, Directory.Read.All

Read group memberships only

Access files, chats, or group content

Our Commitment:

We only request permissions necessary for each feature
We only read the specific data fields required
We only store what is absolutely necessary
We never modify your Microsoft tenant beyond the stated purpose

13. Payment Processing

All payment processing is handled by Paddle.com Market Limited, acting as our Merchant of Record.

absentify does not store payment card details, bank information, or billing addresses
We only store reference IDs to Paddle records
Paddle is PCI DSS compliant and GDPR compliant

For billing inquiries: https://paddle.net Paddle Privacy Policy: https://www.paddle.com/legal/privacy

14. Children's Privacy

absentify is a business-to-business (B2B) service designed for organizational use. We do not knowingly collect personal data from children under 16 years of age. If you believe we have inadvertently collected such data, please contact us immediately at privacy@absentify.com.

15. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

Material changes will be communicated via email to registered users and/or via notice in the application
The "Last updated" date at the top of this policy indicates when it was last revised
We encourage you to review this policy periodically