Privacy Policy

Last updated: May 6, 2026

This Privacy Policy explains how CorePHP LLC ("CorePHP", "we", "us") collects, uses, and protects information when you use Core Day Off (the "Service"). It applies to anyone with a Core Day Off account and to visitors of our marketing website.

1. Information we collect

Account information

When you create an account or accept an invitation, we store:

  • Your full name and email address
  • A securely hashed password (we never store passwords in plain text)
  • Your country and, when applicable, state of residence — used to apply the correct labor-law and holiday rules
  • Your role within your company (admin, manager, employee) and assigned permissions
  • Your timezone
  • Optional: profile avatar, two-factor authentication secrets and recovery codes

Operational data

To make the product work, we store:

  • Day-off requests you submit or approve, including category, dates, status, notes, and approval history
  • Your work schedule (default mode, weekly pattern, per-day overrides)
  • Squad/team membership, job role, and direct manager assignments
  • Notification preferences (email and desktop push) and push subscription endpoints provided by your browser
  • Application logs needed to investigate errors and abuse

Information from third parties

We import public-holiday data from third-party sources (currently Nager.Date) for the countries your team works in. We do not send any of your data to that service — only the country code and the year being requested.

Information we do not collect

  • We do not run third-party analytics, advertising trackers, or session-replay tools on the application
  • We do not collect biometric data, geolocation, or device sensor data
  • We do not sell, rent, or trade personal data — ever

2. How we use information

We process information only to operate, secure, and improve the Service:

  • Authenticate users and protect accounts (including 2FA)
  • Route day-off requests to the correct approver and notify reviewers
  • Apply country and state-specific labor-law checks to surface compliance warnings
  • Display attendance, schedules, and team availability to people in your company
  • Send transactional emails (account, security, request status) and optional desktop push notifications
  • Detect abuse, debug failures, and enforce our Terms of Service

3. Who can see your information

Within your company:

  • Other employees can see your name, schedule, day-off dates and category, and current attendance mode
  • Managers and administrators can see additional fields needed to manage the team (job role, manager, squad, request notes)

Outside your company:

  • We share data only with infrastructure subprocessors needed to operate the Service (hosting, transactional email, push delivery)
  • We disclose information when legally required (subpoena, court order) and notify you unless prohibited by law

4. International transfers

Core Day Off is hosted on infrastructure that may store and process data outside your country of residence. We rely on Standard Contractual Clauses (SCCs) where applicable to safeguard cross-border transfers under the GDPR and equivalent regimes.

5. Data retention

  • Active accounts: data is retained while your company maintains a Core Day Off subscription
  • Closed accounts: personal data is deleted within 30 days of account closure, except where retention is required to comply with legal obligations or resolve disputes
  • Anonymized usage logs may be retained longer for security and abuse-prevention purposes

6. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your personal data (right to be forgotten)
  • Receive a portable copy of your personal data
  • Object to or restrict certain processing
  • Withdraw consent for optional processing (e.g., desktop push notifications)
  • Lodge a complaint with your data protection authority (e.g., ANPD in Brazil, supervisory authorities under the GDPR)

To exercise any of these rights, email [email protected]. We respond to verified requests within 30 days.

7. Security

We use HTTPS for all traffic, hash passwords with bcrypt, support two-factor authentication, and apply standard application-security practices (CSRF protection, parameterized queries, framework-level input validation). No system is perfectly secure — if you believe your account was compromised, contact us immediately.

8. Children's privacy

Core Day Off is intended for workplace use and is not directed at individuals under 16. We do not knowingly collect data from children. If we learn we have, we will delete it promptly.

9. Changes to this policy

We may update this Privacy Policy as our practices or applicable law change. Material changes will be announced via email or in-product notice at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.

10. Contact

Privacy questions, requests, or complaints: [email protected]
