Privacy

How we handle the data your workspace trusts us with.

Breakdayz is a processor for the organisation running your workspace. This policy documents what we hold, why, where it lives, and how you can exercise control over it.

Effective 01 February 2026Updated 15 April 2026

Overview

Breakdayz operates a multi-tenant human-resources platform that helps organisations run attendance, leave, payroll inputs, policies, projects, and internal announcements. This policy explains what we collect, the reason we collect it, how long we keep it, and the choices available to you.

Where a Breakdayz customer (your employer) uses the platform to manage you as an employee, that customer is the data controller and Breakdayz acts as a processor on their instructions. Direct requests for access or deletion of employment records should be raised with them first.

Data we collect

We collect only what is required to run the product and the contract signed with the customer workspace:

  • Account identity — name, work email, phone, job title, profile photo, and workspace role.
  • Employment records — employment type, shift policy, designation, reporting line, joining and separation dates.
  • Financial information — bank account holder name, account number, IFSC / routing codes, and supporting bank documents required for payroll processing.
  • Personal history & family — academic qualifications, previous employment history, and emergency contact or family details (names, relations, and dates of birth).
  • Operational telemetry — attendance punches, activity screenshots (where enabled by your workspace for monitoring), leave applications, announcements read, device and browser metadata.
  • Content you submit — documents uploaded to a policy library, attachments in leave or bank info requests, comments on projects, and images attached to announcements.
  • Security signals — IP address, user agent, CSRF token, and the access / refresh cookies described in the Cookies section.

We do not purchase marketing data and we do not correlate your identity with third-party advertising networks.

How we use data

Data is used strictly to deliver contracted functionality and keep the service secure:

  • Authenticating you into the correct workspace and applying the permission set assigned by your admin.
  • Processing payroll inputs by verifying submitted bank details and documents.
  • Routing leave, inbox, and approval workflows to the correct reviewer.
  • Tracking compliance with internal company policies (e.g., verifying that you have read and accepted policy documents uploaded by your employer).
  • Showing real-time notifications (via our socket channel) when announcements, policy updates, or inbox requests concern you.
  • Generating the reports and exports your workspace administrators are entitled to run.
  • Detecting abuse — repeated 401s, brute-force patterns, CSRF anomalies, and suspicious device reuse.

We never train generic large-language-models on your workspace content and we never make your employment records available to other workspaces.

Cookies & local storage

Breakdayz uses a strict, first-party cookie set. Every cookie is prefixed with __Host- so it is locked to our domain, served over HTTPS, and never accessible to third-party scripts.

  • __Host-aid-v1 — short-lived access token used for API calls.
  • __Host-rmb-v1 — remember-me marker; extends refresh lifetime to seven days.
  • __Host-ovk-v1 — OTP verification token, scoped to the /verify flow.
  • __Host-wsid-v1 — workspace access token once you have chosen a workspace.

A minimal amount of non-sensitive UI state (preferred email for OTP retry, theme preferences, last-viewed workspace) is stored in localStorage. Clearing your browser data will remove it without affecting your account.

Sharing & sub-processors

We engage a short, audited list of sub-processors. They are bound by written data-protection agreements:

  • Amazon Web Services (ap-south-1, eu-west-1) — primary compute, database, and object storage.
  • Cloudflare — edge delivery and bot mitigation.
  • Cloudinary — optimised delivery of profile imagery and announcement attachments.
  • Google Identity Platform — only when a user explicitly clicks “Continue with Google”.
  • Transactional email provider — authentication, password reset, and workspace invite emails.

We do not sell personal data. We will only disclose data to law-enforcement under a properly-scoped, jurisdictionally-valid legal order, and — where lawful — after notifying the customer workspace.

Google user data

Breakdayz provides an optional integration with Google Calendar. When you choose to sync your account:

  • We request access to the calendar.readonly scope to fetch your upcoming events and display them within the Breakdayz dashboard.
  • We do not store your calendar events on our servers; they are retrieved in real-time on the client-side to provide you with a unified schedule view.
  • We do not share this data with third parties or use it for advertising or training models.

Breakdayz’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Retention

Active workspace data is retained for the life of the customer contract. When a workspace is closed, we mark its records for deletion on day 30 and complete scrubbing (including encrypted backups) on day 90. Audit logs required for tax, labour-law, or security investigations may be kept for up to seven years, in line with the retention schedule agreed with the customer.

Individual employee records — for example, when an employee leaves a company — follow the tenure rules set by the workspace admin in their retention policy.

Your rights

Subject to applicable law (GDPR, India DPDP 2023, and equivalent regimes), you may request access to, correction of, or deletion of your personal data; you may object to a specific processing purpose; and you may ask for a machine-readable export of records about you.

If your workspace admin does not resolve a request within a reasonable period, you can escalate to us and we will respond within thirty days.

Security posture

Breakdayz is protected by CSRF tokens on every state-changing request, HTTPS-only cookies with the __Host- prefix, per-tenant data isolation at the row level, encrypted backups (AES-256 at rest), and a bug-bounty channel reviewed by the security team.

We run quarterly penetration tests and follow a documented incident-response protocol: affected workspaces are notified within 72 hours of confirmation of a personal-data breach.

Changes to this policy

Material changes are announced in-product and via email to workspace owners at least fourteen days before they take effect. The “Last updated” timestamp at the top of this page always reflects the most recent revision.

Contact

Reach the Breakdayz privacy team at info@intelexea.com. Written correspondence can be addressed to Breakdayz — Attn: Data Protection Officer.