Privacy Policy
Last updated: June 2026
1. Who we are
Offly ("we", "us", "the Service") is operated by DjoleCorp, a sole proprietor (preduzetnik) registered in the Republic of Serbia (Belgrade, Serbia). The Service is reachable at offly.bydjole.com. For privacy questions, write to [email protected].
This Policy explains what personal data we process when an employer (the "Customer") or an end user uses the Service. The employer is the data controller for employee records, leave history and notifications; we act as their data processor under their documented instructions. Where you interact with us directly (for example, when registering a new company tenant), we act as the controller for that limited interaction.
We comply with the EU General Data Protection Regulation 2016/679 ("GDPR") and the Serbian Zakon o zaštiti podataka o ličnosti ("ZZPL", Sl. glasnik RS, br. 87/2018). Where the two diverge, we apply the stricter standard to the data set in question.
2. Personal data we process
- Account data - first name, last name, work email address, password (stored as a bcrypt hash; we never see the plaintext).
- Employment context - department, line manager, start / end date, allowance overrides, working-week schedule.
- Leave records - requested dates, day parts, hourly times, status, employee and approver comments, and an audit trail of every status change with timestamp and actor.
- Integration identifiers (opt-in) - your Slack user ID and / or Telegram chat ID, stored only after you explicitly link them from your profile; short-lived Telegram link codes (auto-expire after 15 minutes).
- Notification preferences - which events you want, on which channels.
- Operational logs - request timestamps, IP addresses and user-agent strings in web server logs (kept up to 30 days), notification delivery audits, and authentication events (login, password reset, email verification).
We do not process special categories of data (Article 9 GDPR) such as health, religion or political opinions. The reason a leave is taken is not a required field; if your company customises the leave types, do not name them in a way that reveals such information.
3. Why we process it, and the legal basis
For end users (data controller is the employer):
- Performance of a contract (Art. 6(1)(b) GDPR; čl. 12 st. 1 t. 2 ZZPL) - operating the leave-management features your employer hired us to provide.
- Legal obligation (Art. 6(1)(c)) - retaining records your employer needs to satisfy labour and tax law.
- Legitimate interests (Art. 6(1)(f)) - keeping the audit trail to investigate disputes, and securing the platform against abuse. Balanced against your right to expect that an HR system records who approved what.
For company admins registering a new tenant (we are the controller):
- Performance of a contract with the company they represent.
- Legitimate interest in operating, securing and improving the Service.
4. Recipients and sub-processors
We do not sell or rent personal data. We share it only with the recipients below, each under a written Data Processing Agreement where applicable.
- Your employer's admins - admins of your company tenant can see all leave records, allowances and audit history for users in their company.
- Slack / Telegram (only if used) - when your admin connects an integration and you opt in, the notification body is delivered to those services so they can deliver it to you. We do not share leave records in bulk.
- Sub-processors operating the Service:
  - Hetzner Online GmbH - Server hosting (compute, storage, backups). Hosted in Nuremberg, Germany (EU). Privacy policy.
  - Hetzner Online GmbH (mailbox) - Transactional email delivery (password resets, notifications). Hosted in Nuremberg, Germany (EU). Privacy policy.
- Competent authorities - when compelled by valid legal process under Serbian law, or under GDPR-recognised lawful disclosure requests.
5. International transfers
All sub-processors above are based in the European Union. No personal data leaves the EU/EEA by default. If we ever onboard a non-EU sub-processor we will rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and document the transfer in this Policy before starting it.
6. Retention
- Active company tenants: leave records, audit entries and notification audits are retained for as long as the tenant exists.
- When a tenant cancels, we keep their data for up to 30 days for export, then delete or anonymise it.
- Web server access logs: up to 30 days, then rotated.
- Failed authentication attempts: kept long enough to operate rate-limiting (≤ 1 hour).
- Email and notification delivery audits: kept for the lifetime of the tenant, for diagnostic and compliance lookups.
7. Your rights
Under GDPR and ZZPL you have the right to:
- Access the personal data we hold about you (Art. 15 GDPR; čl. 26 ZZPL).
- Correct inaccurate data (Art. 16; čl. 29).
- Request erasure of your data (Art. 17; čl. 30).
- Restrict or object to processing (Art. 18 / 21; čl. 31 / 37).
- Receive your data in a portable, machine-readable form (Art. 20; čl. 36).
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with a supervisory authority - in Serbia, the Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti; in the EU, the data-protection authority of your member state.
Because your employer is the data controller for your employment record, please start access and deletion requests with your company admin. For requests we can act on directly, write to [email protected]. We respond within 30 days as required by Art. 12(3) GDPR.
8. Cookies and similar technologies
We use only strictly necessary first-party storage:
- Session cookie - keeps you logged in. Marked Secure, HttpOnly and SameSite=Lax. Cleared when you log out or after 2 hours of inactivity.
- CSRF cookie - prevents cross-site request forgery on form submissions.
- Local-storage UI preferences - light / dark theme, table page size. Stays on your device, never reaches our servers.
We do not use third-party tracking, advertising or analytics cookies.
9. Security
Passwords are hashed with bcrypt (12 rounds). Integration tokens (Slack bot tokens, Telegram bot tokens, webhook secrets) are stored on the server file system with restricted permissions. All HTTP traffic uses TLS 1.2+ enforced via HSTS. Sessions and password-reset endpoints are rate-limited to slow credential-stuffing. Tenant isolation is enforced both by routing scope and by per-model authorisation policies. We log security-relevant events for forensics.
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to [email protected]. We aim to acknowledge within 72 hours.
10. Changes to this Policy
We will notify company admins of material changes at least 14 days in advance by email. The "Last updated" date above always reflects the most recent revision.
11. Contact
Operator: DjoleCorp
Address: Belgrade, Serbia
Privacy questions: [email protected]
Security disclosures: [email protected]