Privacy Policy
This Privacy Policy explains how Raging Waters Tech Labs, S.L. ("areuworking", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit areuworking.com, use our web application at app.areuworking.com, or interact with our APIs, MCP server, or support channels (together, the "Service").
We process personal data in line with Regulation (EU) 2016/679 ("GDPR"), Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights ("LOPDGDD"), and Law 34/2002 on Information Society and E-Commerce Services ("LSSI").
1. Data controller
The data controller for the Service is:
Raging Waters Tech Labs, S.L.NIF: B72611817
Calle Colombia 9, 10º-A, 28823 Coslada, Madrid, Spain
Inscrita en el Registro Mercantil de Madrid, Tomo 44256, Folio 55, Hoja M-780194.
Privacy contact: privacy@areuworking.com
We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR. For any data-protection matter, write to privacy@areuworking.com.
2. Whose data we handle
We process personal data of three groups of people:
- Account holders and admins — the person who signs up, manages billing, and administers a team in the Service.
- Team members — employees, contractors, or collaborators added to an account by an admin so they can request time off and see team availability.
- Website visitors — anyone who visits our public landing pages without signing up.
For team members invited by an employer, that employer is the controller of the underlying employment data and we act as a processor on their behalf. Sections 3, 4, and 5 below describe both roles.
3. What data we collect
3.1 Account data
- Name, work email address, and password hash.
- Company name, team name, role, and reporting relationships you choose to add.
- Profile preferences (timezone, language).
3.2 Time-off and availability data
- Leave requests, approvals, and comments.
- Leave types (holiday, sick, personal, bank holiday), dates, and durations.
- Allowance balances, overrides, and rollovers.
- Public holiday calendars associated with your team.
3.3 Billing data
- Billing contact name and email, company name, billing address, VAT number.
- Plan, seat count, invoice history.
- Payment card details are entered directly into our payment processor and are never stored on our servers. We receive only a token and the last four digits.
3.4 Technical and usage data
- IP address, browser type, device type, operating system, and approximate location.
- Pages visited, features used, timestamps, and referrer.
- Session identifiers and authentication tokens.
- Diagnostic data and error reports, including stack traces, when something goes wrong.
- API and MCP request metadata: API key identifier, endpoint, status code, and request volume (for rate-limit enforcement).
3.5 Support data
- The content of emails you send us and our replies.
We do not knowingly collect special categories of personal data (Article 9 GDPR).
4. Why we use it and on what legal basis
| Purpose | Legal basis |
|---|---|
| Creating and operating your account, providing the Service, processing time-off requests, syncing balances, and answering support requests. | Performance of a contract with you (Art. 6(1)(b) GDPR), or with your employer where you were invited as a team member. |
| Charging your subscription, issuing invoices, and complying with Spanish tax law. | Performance of a contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c)). |
| Securing the Service, preventing fraud and abuse, enforcing rate limits, and keeping audit logs. | Legitimate interests (Art. 6(1)(f)) — running a secure and reliable Service. |
| Product analytics: understanding which features are used so we can improve them. | Legitimate interests (Art. 6(1)(f)). For non-essential cookies on the public website, consent (Art. 6(1)(a)) is the basis. |
| Sending operational emails (invitations, approvals, password resets, billing notices). | Performance of a contract (Art. 6(1)(b)). |
| Sending product updates or marketing to account holders. | Legitimate interests (Art. 6(1)(f)) for existing customers, with an opt-out in every message; consent (Art. 6(1)(a)) otherwise. |
| Responding to legal requests and defending legal claims. | Compliance with a legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)). |
You can object to processing based on legitimate interests at any time by writing to privacy@areuworking.com.
5. How we share data
We do not sell personal data and we do not share it with advertisers. We share it only with the providers we need to deliver the Service, and only as required for that purpose.
5.1 Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Application hosting and database | Running the Service and storing customer data | European Union |
| Stripe Payments Europe Ltd. | Subscription billing and card processing | Ireland (EU), with controlled transfers to the United States |
| SendGrid (Twilio Inc.) | Transactional email (invitations, approvals, password resets, billing notices) | United States |
| PostHog | Product and website analytics (events, no session replay) | European Union region |
| Sentry | Error monitoring and diagnostics | European Union region |
| Purelymail | Hosting our support and corporate inboxes | United States |
| Netlify | Hosting our public website (areuworking.com) | Global CDN with EU edge |
An up-to-date list of subprocessors is available on request at privacy@areuworking.com.
5.2 International transfers
The Service stores customer data in the European Union. Some subprocessors above are based in, or transfer data to, the United States. For those transfers we rely on the EU–U.S. Data Privacy Framework, where the provider is certified, or on Standard Contractual Clauses adopted by the European Commission, with supplementary measures where appropriate.
5.3 Other recipients
We may also share personal data with:
- Professional advisers (lawyers, auditors, accountants) under duties of confidentiality.
- Authorities, courts, or regulators when legally required.
- A successor entity in the event of a merger, acquisition, or sale of assets, subject to this Privacy Policy.
6. How long we keep data
- Active accounts — for as long as your account is active.
- Closed accounts — for 90 days after closure, then permanently deleted from production systems. Backups are overwritten on a rolling cycle and fully purged within a further 30 days.
- Billing and tax records — retained for the periods required by Spanish commercial and tax law (generally six years).
- Support emails — retained for up to 24 months after the last interaction.
- Security and audit logs — retained for up to 12 months.
7. Your rights
You have the following rights under the GDPR:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data, subject to legal retention rules.
- Restriction — limit how we process your data in certain cases.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
To exercise any of these rights, write to privacy@areuworking.com. We will respond within one month and may extend that period by up to two further months for complex requests.
If you were invited to the Service by an employer, we will pass requests about employment data to that employer, who is the controller, and notify you of the handover.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es) or with the supervisory authority in your country of residence.
8. Cookies and similar technologies
We use a small number of cookies and similar technologies on our website and inside the web application:
- Strictly necessary cookies — for authentication, session management, and load balancing. These are required for the Service to work and do not need consent.
- Analytics cookies — set by PostHog to measure how the website and product are used. We do not enable session replay. These cookies are not strictly necessary and are only set with your consent where required.
You can manage cookies through your browser settings and clear them at any time. Where a cookie banner is shown, you can also withdraw consent through it. Disabling strictly necessary cookies will break parts of the Service.
9. Security
We protect personal data with technical and organisational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest for our production database, role-based access controls, audit logging, and least-privilege access for staff. No system is perfectly secure; if a personal data breach occurs we will notify the competent supervisory authority and, where required, affected users in line with Articles 33 and 34 GDPR.
10. Children
The Service is intended for businesses and not for children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact privacy@areuworking.com and we will delete it.
11. Data Processing Agreement
Where you use the Service to manage your own team's time off, we act as a processor for the personal data of your team members. A Data Processing Agreement that complies with Article 28 GDPR is available on request at privacy@areuworking.com.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top and, where the changes are material, notify account holders by email at least 30 days before they take effect.
13. Contact
Questions or concerns? Write to privacy@areuworking.com or by post to Raging Waters Tech Labs, S.L., Calle Colombia 9, 10º-A, 28823 Coslada, Madrid, Spain.