Privacy Policy

Last updated: March 21, 2026

At BookYourPTO ("we", "us", or "our"), operated by AnHourTec, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

1. Information We Collect

Account Information: When you create an account, we collect your name, email address, organization name, and password.

Usage Data: We automatically collect information about how you interact with our platform, including pages visited, features used, and time spent.

Device Information: We collect device type, browser type, operating system, IP address, and general location data.

Leave & HR Data: Information you enter into the platform such as leave requests, time entries, expense reports, and uploaded documents.

Cookies: We use cookies and similar technologies. See our Cookie Policy for details.

Third-Party Account Data: When you connect third-party services (such as Google, Microsoft, or Intuit QuickBooks Online), we collect your account email address, profile name, and OAuth authentication tokens necessary to maintain the connection. See Sections 8 and 9 for full details on third-party integrations.

MCP (AI Integration) Data: When you connect a third-party AI client (such as Claude, Cursor, or VS Code) via the Model Context Protocol (MCP), the AI client may access your workspace data — including leave requests, expense reports, time entries, schedules, project information, and organizational data — scoped to your user role and permissions. See Section 7 for full details.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our platform
  • Process leave requests, time tracking, and expense management
  • Send you service-related communications and updates
  • Improve and personalize your experience
  • Analyze usage patterns to enhance our features
  • Sync leave requests to your connected calendar services (Google Calendar, Outlook) when you enable calendar integration
  • Sync approved expense reports, time entries, and employee data to your connected QuickBooks Online account when you enable the QuickBooks integration
  • Serve your workspace data (leave, expenses, time tracking, schedules, projects, and organizational data) to authorized MCP-connected AI clients acting on your behalf
  • Send you marketing communications about product updates, new features, and promotions related to BookYourPTO (you may opt out at any time — see Section 11)
  • Detect, prevent, and address technical or security issues
  • Comply with legal obligations

3. Data Sharing & Disclosure

We do not sell your personal data. We may share information with:

  • Service Providers: Third-party vendors who help us operate our platform (hosting, analytics, email delivery)
  • Your Organization: Administrators within your organization can access HR-related data you submit
  • Legal Requirements: When required by law, regulation, or legal process
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

4. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

Specific retention periods include:

  • Account data: Retained while your account is active. When you delete your account, personal data is anonymized or removed within 30 days
  • Leave and HR records: Retained for up to 7 years after creation for tax, payroll, and legal compliance purposes, unless a shorter period is required by your jurisdiction
  • Financial records (expense reports, billing): Retained for up to 7 years for accounting and tax compliance
  • Audit logs and sign-in logs: Retained for up to 7 years for security monitoring and compliance
  • Notifications and chat messages: Retained for up to 7 years, then automatically purged
  • OAuth tokens (Google, Microsoft, QuickBooks): Deleted immediately when you disconnect the integration or delete your account

Organization administrators may configure shorter retention periods through the platform settings. Automated cleanup processes periodically purge data that exceeds the configured retention period.

5. Your Rights

Depending on your location, you may have the following rights under GDPR, CCPA, or other applicable privacy laws:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to processing of your personal data
  • Restriction: Request restriction of processing
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

How to Exercise Your Rights

You can exercise several of these rights directly from your BookYourPTO account settings. You may also contact us at privacy@anhourtec.com for any request. We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA).

California Residents (CCPA)

If you are a California resident, you have the right to: (1) know what personal information we collect and how it is used, (2) request deletion of your personal information, (3) opt out of the sale or sharing of your personal information (we do not sell personal information), and (4) not be discriminated against for exercising your rights. To submit a request, email privacy@anhourtec.com with the subject line "CCPA Request."

European Economic Area (GDPR)

If you are in the EEA, you have the right to lodge a complaint with your local data protection authority if you believe your rights have not been adequately addressed. You may also contact us directly and we will work to resolve your concern.

6. Security

We implement multiple layers of security to protect your data. However, no method of transmission or storage is 100% secure.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). All internal communications between our application servers, database, and cache are also encrypted in transit.

Encryption at Rest

Your data is protected by multiple layers of encryption at rest:

  • Database-level encryption: Our entire database is encrypted using AES-256 via AWS Key Management Service (KMS)
  • Field-level encryption: Sensitive personal data fields — including phone numbers, physical addresses, tax identifiers, emergency contacts, and banking details — are additionally encrypted at the application level using AES-256-GCM before being stored in the database
  • Third-party credentials: OAuth tokens for Google, Microsoft, and QuickBooks integrations are encrypted using AES-256-GCM. Access to decryption keys is restricted to application servers that require them
  • File storage: Uploaded documents, receipts, and signed files are encrypted at rest using server-side AES-256 encryption

Authentication Security

  • Passwords are hashed using bcrypt with salt (never stored in plaintext)
  • Authentication tokens are stored in HTTP-only, secure cookies that cannot be accessed by JavaScript
  • Access tokens are short-lived (15 minutes) with automatic rotation
  • Two-factor authentication (TOTP) is available with encrypted secret storage and hashed backup codes
  • Rate limiting is applied to login, password reset, and verification endpoints to prevent brute-force attacks

Infrastructure Security

  • Hosted on AWS with private network isolation (VPC with private subnets)
  • Database is not publicly accessible — only reachable from application servers
  • Security headers including Content Security Policy, HSTS, X-Frame-Options, and Referrer-Policy are applied to all responses
  • Webhook URLs are validated against private IP ranges and cloud metadata endpoints to prevent server-side request forgery (SSRF)
  • Regular dependency vulnerability scanning with automated patching
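One way to implement the webhook URL check listed above, as an added example that is not BookYourPTO's own code: resolve every address the hostname points to, reject private, loopback, link-local and cloud metadata ranges, and hand back the vetted IPs so the caller connects to those directly instead of re-resolving. The injectable resolver, the blocklist and the metadata hostnames are assumptions of this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hostnames cloud providers use for instance metadata; blocked by name as well as
# by address. Illustrative list for this example, not a complete inventory.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}

# Address ranges a webhook delivery must never reach (example blocklist).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",        # link-local; contains the 169.254.169.254 metadata endpoint
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
    "fd00:ec2::254/128",     # IPv6 instance metadata endpoint
    "::ffff:0:0/96",         # IPv4-mapped IPv6 literals that would dodge the v4 rules
)]

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record, so a mixed answer cannot smuggle in a private IP."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in any blocked range, after unwrapping v4-mapped v6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_webhook_url(url: str, resolver: Resolver = default_resolver) -> list[str]:
    """Return the public IPs the URL resolves to, or raise ValueError.

    The caller should connect to one of the returned IPs (keeping the original
    Host header) rather than resolving again, so a DNS answer that changes
    between check and use cannot redirect the request to an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("webhook URL must use https")
    host = parts.hostname
    if not host:
        raise ValueError("webhook URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in webhook URL are not allowed")
    if host.lower().rstrip(".") in METADATA_HOSTS:
        raise ValueError("cloud metadata host is not allowed")
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP: nothing to resolve
    except ValueError:
        ips = list(resolver(host))
    if not ips:
        raise ValueError("webhook host did not resolve")
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"webhook host resolves to blocked address {ip}")
    return ips
```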

Access Controls

  • Role-based access control (Employee, Department Head, Administrator, Executive) enforced on every API request
  • Organization-level data isolation — users can only access data within their own organization
  • Comprehensive audit logging of security-relevant actions

7. AI-Powered Features

7.1  Receipt Scanning & Document Analysis

BookYourPTO uses third-party AI language models (Anthropic and OpenAI) for specific features such as receipt scanning and document analysis within our Expense Management module.

  • Only data you explicitly submit (e.g., uploaded receipts or documents) is sent to AI providers for processing
  • AI providers process data according to their respective privacy policies and do not use your data to train their models under our commercial agreements
  • No leave data, calendar data, time tracking data, or personal account information is sent to AI providers for receipt scanning or document analysis

7.2  MCP (Model Context Protocol) Integration

BookYourPTO offers an MCP server that allows you to connect third-party AI clients (such as Claude, Cursor, VS Code, Claude Desktop, and Windsurf) to your BookYourPTO workspace. When you connect an MCP-compatible AI client:

  • The AI client can access your workspace data — including leave requests, expense reports, time entries, schedules, project information, people data, and organizational data — through 28 tools across 8 categories
  • All data access is scoped to your user role and permissions. The AI client can only access and modify data that you are authorized to access and modify through the regular BookYourPTO interface
  • The MCP server acts as a stateless bridge — it does not store, cache, or log your data. It simply relays requests between your AI client and the BookYourPTO API
  • Authentication uses OAuth 2.0 with PKCE. You sign in through your browser on BookYourPTO. Your password and credentials are never shared with or accessible to the AI client
  • A short-lived JWT token scoped to your role is issued to the AI client. No password or long-lived credentials are included in the token
  • Once your data is received by a third-party AI client, it is processed according to that client's own privacy policy (e.g., Anthropic's privacy policy for Claude, Microsoft's for VS Code). BookYourPTO has no control over how third-party AI clients process data after receipt

7.3  Self-Hosted MCP Server (Docker)

BookYourPTO provides a public Docker image that allows you to run the MCP server on your own infrastructure. When self-hosting:

  • Your BookYourPTO credentials are stored as environment variables on your own server — they never pass through BookYourPTO's infrastructure
  • All communication between the self-hosted MCP server and BookYourPTO's API occurs over TLS-encrypted (HTTPS) connections
  • You are responsible for securing your self-hosted server, including access controls and credential management

8. Third-Party Calendar Integrations

BookYourPTO offers optional integrations with Google Calendar and Microsoft Outlook Calendar to sync your leave requests as calendar events. These integrations are entirely opt-in — no third-party data is accessed unless you explicitly connect your account.

8.1  Google Calendar Integration

When you connect your Google account, we request the following permissions (scopes):

  • openid, email, profile: To identify your Google account and display your connected account email
  • calendar.events.owned: To create, update, and delete leave-related calendar events on calendars you own

8.2  What Google User Data We Collect

  • Your Google account email address and display name
  • OAuth access and refresh tokens (used to maintain the calendar connection)
  • Google Calendar event IDs (to track which leave events have been synced)

We do not read, store, or access your existing Google Calendar events. We only create, update, and delete events that BookYourPTO itself has created for your leave requests.

8.3  How We Use Google User Data

  • To create calendar events when you submit a leave request
  • To update calendar events when a leave request is approved, modified, or its status changes
  • To delete calendar events when a leave request is rejected, cancelled, or deleted

We use your Google user data solely to provide and improve the calendar sync feature within BookYourPTO. We do not use Google user data for advertising, marketing, or any purpose unrelated to the calendar sync functionality you have enabled.

8.4  Storage & Protection of Google User Data

  • Google OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256-GCM encryption before being stored in our database
  • All communication with Google APIs occurs exclusively over TLS-encrypted (HTTPS) connections
  • Only Google Calendar event IDs are stored on our servers to track synced events — no calendar event content (titles, descriptions, attendees) from your existing events is stored
  • Access to encryption keys is restricted to application servers that require them, with no human access to decrypted tokens

8.5  Sharing of Google User Data

We do not sell, rent, lease, or disclose your Google user data to any third parties. Google user data is not shared with any other service, subprocessor, or entity except Google itself (via Google Calendar API calls made on your behalf). Specifically:

  • Google user data is not used for serving advertisements
  • Google user data is not transferred to third parties for purposes unrelated to the calendar sync feature
  • Google user data is not provided to data brokers or information resellers

8.6  Retention & Deletion of Google User Data

  • Google OAuth tokens are retained only while your calendar integration remains active and connected
  • When you disconnect your Google Calendar integration from within BookYourPTO, your OAuth tokens are immediately and permanently deleted from our systems
  • When you delete your BookYourPTO account, all Google-related data (OAuth tokens, event ID references) is deleted within 30 days
  • You may also revoke BookYourPTO's access at any time from your Google Account permissions page

8.7  Microsoft Outlook Calendar Integration

When you connect your Microsoft account, we request permissions to create, update, and delete calendar events on your behalf via the Microsoft Graph API. The same data collection, usage, storage, protection, sharing, retention, and deletion policies described above for Google Calendar apply equally to your Microsoft Outlook Calendar data. You may revoke access at any time from your Microsoft account permissions page.

8.8  iCal Calendar Subscriptions

BookYourPTO also offers read-only iCal feed URLs that you can subscribe to from any calendar application. These feeds:

  • Do not require OAuth or any third-party account connection
  • Are protected by a unique, cryptographically-generated token in the URL
  • Only expose leave data that the subscribing user is authorized to view
  • Can be deleted at any time, immediately revoking access

9. QuickBooks Online Integration

BookYourPTO offers an optional integration with Intuit QuickBooks Online (QBO) to sync employee data, approved expense reports, and approved time entries. This integration is entirely opt-in and available on Business and Enterprise plans only. No data is sent to Intuit unless an organization administrator explicitly connects your QuickBooks account.

9.1  What Data We Access from QuickBooks

When you connect your QuickBooks Online account, we may read:

  • Company information (company name, currency, and fiscal year settings)
  • Employee records (names, email addresses, and department assignments)
  • Chart of Accounts (account names and IDs for expense mapping)
  • Department and Customer/Job lists (for mapping purposes)

This data is used solely to configure the integration and display mapping options within BookYourPTO.

9.2  What Data We Send to QuickBooks

When sync is enabled, BookYourPTO pushes the following data to your QuickBooks Online account:

  • Expense Reports: Approved expense reports are created as Bills in QBO, including line items, per diems, mileage, amounts, and GL account references
  • Time Entries: Approved time entries are created as TimeActivities in QBO, including hours, rates, project references, and billable status
  • Employee Data: Employee names, email addresses, and department assignments may be pushed or pulled to keep records in sync

9.3  Storage & Protection of QuickBooks Credentials

  • QuickBooks OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256-GCM encryption before being stored in our database
  • All communication with Intuit APIs occurs exclusively over TLS-encrypted (HTTPS) connections
  • The OAuth authorization flow uses HMAC-signed state tokens to prevent cross-site request forgery
  • Only organization administrators and executives can manage the QuickBooks connection
  • Each organization's QuickBooks data is completely isolated — no cross-organization access is possible

9.4  Sharing of QuickBooks Data

We do not share your QuickBooks data with any third parties other than Intuit itself (via QuickBooks API calls made on your behalf). QuickBooks data is not used for advertising, analytics, or any purpose unrelated to the accounting sync feature.

9.5  Retention & Deletion

  • QuickBooks OAuth tokens are retained only while your integration remains active and connected
  • When you disconnect the QuickBooks integration, OAuth tokens are immediately and permanently deleted from our systems. Employee and entity mapping records are marked inactive but preserved so they can be restored if you reconnect
  • When you delete your BookYourPTO account, all QuickBooks-related data (OAuth tokens, mapping records, sync logs) is deleted within 30 days
  • You may also revoke BookYourPTO's access at any time from your Intuit account settings

10. Google API Services User Data Policy

BookYourPTO's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In accordance with the Limited Use requirements:

  • We only use Google user data to provide and improve the user-facing calendar sync feature within BookYourPTO
  • We do not transfer Google user data to third parties except as necessary to provide or improve the calendar sync feature, to comply with applicable laws, or as part of a merger, acquisition, or asset sale with notice to users
  • We do not use Google user data for serving advertisements
  • We do not allow humans to read Google user data unless we have your affirmative consent for specific data, it is necessary for security purposes (e.g., investigating abuse), it is necessary to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized

11. Marketing Communications

When an organization registers on BookYourPTO or when an organization administrator creates user accounts, the associated email addresses may be added to our marketing mailing list.

What you may receive: Marketing emails include product updates, feature announcements, tips, and promotional content related to BookYourPTO.

How to unsubscribe: You can unsubscribe from marketing emails at any time by clicking the "unsubscribe" link included at the bottom of every marketing email, or by contacting us at privacy@anhourtec.com. Unsubscribing from marketing emails will not affect transactional or service-related communications (e.g., password resets, leave request notifications, billing receipts).

Third-party provider: We use Zoho (Zoho Campaigns and Zoho CRM) as our marketing email and CRM platform to manage mailing lists and deliver marketing communications. Your email address and name may be stored in Zoho for this purpose. For details, see our Subprocessors page.

12. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the BookYourPTO service — including leave management, time tracking, expense management, document signing, and account administration
  • Legitimate Interest (Art. 6(1)(f)): Processing necessary for security monitoring, fraud prevention, service improvement, and analytics — where our interests do not override your rights
  • Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with tax, employment, and financial record-keeping laws
  • Consent (Art. 6(1)(a)): Marketing communications and optional integrations (calendar sync, QuickBooks, MCP). You may withdraw consent at any time

13. International Data Transfers

Our servers are located in the United States. If you access BookYourPTO from outside the United States, your personal data will be transferred to, stored, and processed in the United States.

For users in the EEA, UK, or other regions with data transfer restrictions, we rely on:

  • Standard Contractual Clauses (SCCs): As adopted by the European Commission, where applicable to our subprocessors
  • Data Processing Agreements: We maintain data processing agreements with all subprocessors listed on our Subprocessors page

By using BookYourPTO, you acknowledge that your data may be processed in a country with different data protection laws than your country of residence.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Document the breach, its effects, and the remedial actions taken

Organization administrators will be notified via email and in-app notification. Affected individuals will be notified directly when required by applicable law.

15. Children's Privacy

BookYourPTO is a business-to-business (B2B) workplace platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal data, please contact us at privacy@anhourtec.com.

16. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. We currently do not respond to DNT signals because there is no industry-standard way to interpret them. However, we do not engage in cross-site tracking of our users, and we do not sell personal data to third parties.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you a notification through the platform or by email.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

18. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your data protection rights, contact us at:

AnHourTec
Email: privacy@anhourtec.com
Website: anhourtec.com

For GDPR-related inquiries, you may also contact your local data protection authority. A list of EEA data protection authorities is available at edpb.europa.eu.