
Data Protection Policy

Effective Date: January 7, 2026

Last Updated: January 7, 2026

1. Introduction and Scope

Vertali Group ("we," "our," "us," or "Vertali Group") is committed to protecting the privacy and security of personal data collected, processed, stored, and otherwise handled in connection with the Vertali Group Festive Leave Application ("Service" or "Application"). This Data Protection Policy ("Policy") describes our commitment to data protection and our practices regarding the collection, processing, storage, and protection of personal data in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy legislation.

This Policy applies to all processing of personal data in connection with the Service, including but not limited to personal data collected from users, processed by us, or shared with third parties. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, you must immediately discontinue your use of the Service.

This Policy is incorporated by reference into the Terms & Conditions of Use and the Privacy Policy and should be read in conjunction therewith. Capitalized terms used but not defined in this Policy shall have the meanings ascribed to them in the Terms & Conditions of Use or the Privacy Policy.

2. Definitions and Legal Framework

For purposes of this Policy, the following definitions shall apply, consistent with applicable data protection laws:

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  • "Processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction;
  • "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For purposes of this Policy, Vertali Group is the Data Controller;
  • "Data Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller;
  • "Data Subject" means the natural person to whom personal data relates;
  • "Consent" means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • "Sensitive Personal Data" or "Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation;
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
  • "Supervisory Authority" means an independent public authority established by a member state of the European Union to monitor the application of data protection laws;
  • "Binding Corporate Rules" means personal data protection policies which are adhered to by Vertali Group for transfers of personal data within a group of undertakings, or group of enterprises engaged in a joint economic activity;
  • "Standard Contractual Clauses" means standard contractual clauses approved by the European Commission or other supervisory authorities for the transfer of personal data to third countries;
  • "Adequacy Decision" means a decision by the European Commission or other supervisory authority that a third country, territory, or one or more specified sectors within a third country, ensures an adequate level of protection of personal data.

This Policy is designed to comply with applicable data protection laws, including but not limited to:

  • The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), applicable to data subjects within the European Economic Area (EEA);
  • The California Consumer Privacy Act (CCPA), applicable to California residents;
  • The Health Insurance Portability and Accountability Act (HIPAA), where applicable to health information;
  • Other applicable federal, state, and local privacy laws and regulations in the United States and other jurisdictions.

3. Legal Basis for Processing

We process personal data only where we have a valid legal basis for such processing under applicable data protection laws. The legal bases for processing personal data in connection with the Service include, but are not limited to:

3.1. Contractual Necessity

Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract. This includes but is not limited to processing leave applications, managing accounts, and providing access to the Service.

3.2. Legal Obligation

Processing is necessary for compliance with a legal obligation to which Vertali Group is subject. This includes but is not limited to employment law requirements, tax obligations, regulatory requirements, and court orders or legal process.

3.3. Legitimate Interests

Processing is necessary for the purposes of the legitimate interests pursued by Vertali Group or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data. This includes but is not limited to managing leave applications, ensuring security, preventing fraud, improving the Service, and complying with legal obligations.

3.4. Consent

Processing is based on the Data Subject's explicit consent to the processing of his or her personal data for one or more specific purposes. Where processing is based on consent, the Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

3.5. Vital Interests

Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person. This includes but is not limited to emergency situations or health and safety concerns.

3.6. Public Interest

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Vertali Group, where applicable.

4. Data Protection Principles

We process personal data in accordance with the following data protection principles, as set forth in applicable data protection laws:

  • Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner in relation to the Data Subject;
  • Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Data Minimization: Personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  • Accuracy: Personal data is accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
  • Storage Limitation: Personal data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed;
  • Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures;
  • Accountability: Vertali Group is responsible for and able to demonstrate compliance with these principles.

We implement appropriate technical and organizational measures to ensure compliance with these principles and to protect the rights and freedoms of Data Subjects.

5. Technical and Organizational Security Measures

We implement comprehensive technical and organizational measures to protect personal data against unauthorized access, use, disclosure, alteration, or destruction, including but not limited to:

5.1. Technical Measures

  • Encryption: We use industry-standard encryption protocols to protect data in transit and at rest, including but not limited to Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Advanced Encryption Standard (AES-256);
  • Access Controls: We implement strict access controls, including but not limited to authentication, authorization, role-based access control (RBAC), multi-factor authentication (MFA), and least privilege principles, to ensure that only authorized personnel can access personal data;
  • Network Security: We implement network security measures, including but not limited to firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and security monitoring, to protect against unauthorized network access;
  • Secure Storage: We store personal data on secure servers with restricted physical and digital access, including but not limited to data centers with physical security measures, access controls, and environmental controls;
  • Data Backup: We maintain regular backups of personal data to prevent data loss and ensure business continuity, including but not limited to encrypted backups stored in secure locations;
  • Secure Transmission: We use secure transmission protocols to protect data in transit, including but not limited to HTTPS, TLS, and VPN connections;
  • Vulnerability Management: We conduct regular vulnerability assessments, penetration testing, and security audits to identify and address security vulnerabilities;
  • Patch Management: We maintain up-to-date software and security patches to protect against known vulnerabilities;
  • Anti-Malware: We implement anti-malware software and monitoring to protect against malicious software and cyberattacks;
  • Logging and Monitoring: We maintain comprehensive logs and monitoring systems to detect unauthorized access or suspicious activity.

5.2. Organizational Measures

  • Employee Training: We provide regular training to employees and agents on data protection, security best practices, and privacy policies;
  • Access Management: We implement access management policies and procedures, including but not limited to access reviews, access revocation, and segregation of duties;
  • Data Classification: We classify personal data by sensitivity and apply appropriate security measures based on classification;
  • Data Minimization: We collect and retain only the personal data necessary for the purposes set forth in this Policy;
  • Data Retention: We implement data retention policies and procedures to ensure that personal data is retained only for as long as necessary;
  • Data Disposal: We implement secure data disposal procedures to ensure that personal data is securely deleted or anonymized when no longer needed;
  • Incident Response: We maintain incident response procedures to detect, respond to, and recover from security incidents, including but not limited to data breaches;
  • Business Continuity: We maintain business continuity and disaster recovery plans to ensure the availability of personal data and the Service;
  • Third-Party Management: We implement policies and procedures for managing third-party service providers and ensuring that they protect personal data in accordance with applicable data protection laws;
  • Compliance Monitoring: We conduct regular compliance monitoring and audits to ensure compliance with data protection laws and this Policy.

5.3. Ongoing Review and Improvement

We regularly review and update our technical and organizational security measures to ensure that they remain effective and appropriate in light of evolving threats, technologies, and legal requirements. We conduct regular security assessments, audits, and penetration testing to identify and address security vulnerabilities.

Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect personal data, we cannot guarantee its absolute security. You acknowledge and agree that you use the Service at your own risk and that Vertali Group shall not be liable for any unauthorized access, use, disclosure, alteration, or destruction of personal data, except to the extent such unauthorized access, use, disclosure, alteration, or destruction results directly from Vertali Group's gross negligence or willful misconduct.

6. Data Subject Rights

Under applicable data protection laws, Data Subjects have certain rights regarding their personal data. These rights may include, but are not limited to:

6.1. Right of Access (Article 15 GDPR)

Data Subjects have the right to obtain from Vertali Group confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information:

  • The purposes of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to request from Vertali Group rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;
  • The right to lodge a complaint with a supervisory authority;
  • Where the personal data are not collected from the Data Subject, any available information as to their source;
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Where personal data are transferred to a third country or to an international organization, the Data Subject has the right to be informed of the appropriate safeguards relating to the transfer.

6.2. Right to Rectification (Article 16 GDPR)

Data Subjects have the right to obtain from Vertali Group without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

6.3. Right to Erasure ("Right to be Forgotten") (Article 17 GDPR)

Data Subjects have the right to obtain from Vertali Group the erasure of personal data concerning them without undue delay, and Vertali Group has the obligation to erase personal data without undue delay where one of the following grounds applies:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • The Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  • The Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • The personal data have been unlawfully processed;
  • The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which Vertali Group is subject.

However, the right to erasure does not apply where processing is necessary for compliance with a legal obligation, for the performance of a task carried out in the public interest, for the establishment, exercise, or defense of legal claims, or for other legitimate reasons.

6.4. Right to Restriction of Processing (Article 18 GDPR)

Data Subjects have the right to obtain from Vertali Group restriction of processing where one of the following applies:

  • The accuracy of the personal data is contested by the Data Subject, for a period enabling Vertali Group to verify the accuracy of the personal data;
  • The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • Vertali Group no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims;
  • The Data Subject has objected to processing pending the verification whether the legitimate grounds of Vertali Group override those of the Data Subject.

6.5. Right to Data Portability (Article 20 GDPR)

Data Subjects have the right to receive the personal data concerning them, which they have provided to Vertali Group, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from Vertali Group, where:

  • The processing is based on consent or on a contract; and
  • The processing is carried out by automated means.

In exercising his or her right to data portability, the Data Subject has the right to have the personal data transmitted directly from Vertali Group to another controller, where technically feasible.

6.6. Right to Object (Article 21 GDPR)

Data Subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on legitimate interests or public interest, including profiling. Vertali Group shall no longer process the personal data unless Vertali Group demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

6.7. Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR)

Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except where:

  • Such decision is necessary for entering into, or performance of, a contract between the Data Subject and Vertali Group;
  • Such decision is authorized by Union or Member State law to which Vertali Group is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests; or
  • Such decision is based on the Data Subject's explicit consent.

6.8. Right to Withdraw Consent

Where processing is based on consent, Data Subjects have the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6.9. Right to Lodge a Complaint

Data Subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes applicable data protection laws. In the United States, Data Subjects may contact the Federal Trade Commission (FTC) or their state's attorney general. In the European Union, Data Subjects may contact the supervisory authority in their member state.

6.10. How to Exercise Your Rights

To exercise any of your data protection rights, please contact us using the contact information provided in Section 11 below. We will respond to your request within one (1) month of receipt, though this period may be extended by two (2) further months where necessary, considering the complexity and number of requests. We may require you to provide proof of identity before processing your request to ensure the security of your personal data.

We may charge a reasonable fee for repetitive, unfounded, or excessive requests, or we may refuse to act on such requests, in accordance with applicable law. We will inform you of any such fee or refusal and provide you with an explanation of our decision.

7. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes set forth in this Policy and the Privacy Policy, unless a longer retention period is required or permitted by law. Our retention periods are based on the following factors:

  • Purpose of Processing: We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including but not limited to processing leave applications, managing accounts, and providing access to the Service;
  • Legal and Regulatory Requirements: We retain personal data for as long as required by applicable law, including but not limited to employment law requirements, tax obligations, regulatory requirements, and statute of limitations for potential legal claims;
  • Operational and Business Needs: We retain personal data for as long as necessary for operational and business purposes, including but not limited to record-keeping, accounting, and administrative functions;
  • Contractual Obligations: We retain personal data for as long as necessary to fulfill contractual obligations with Data Subjects or third parties;
  • Dispute Resolution: We retain personal data for as long as necessary to resolve disputes, enforce agreements, or defend against legal claims;
  • Consent: We retain personal data for as long as the Data Subject maintains consent, where processing is based on consent.

When personal data is no longer necessary for the purposes set forth in this Policy, we will securely delete or anonymize such data in accordance with our data retention policies and applicable law. We use secure deletion methods to ensure that personal data cannot be recovered or reconstructed.

However, we may retain certain personal data in anonymized or aggregated form for statistical, research, or other legitimate business purposes, where such retention does not identify Data Subjects personally and is not incompatible with the purposes for which the data was collected.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of Data Subjects, we will notify the affected Data Subjects without undue delay and in accordance with applicable data protection laws. We will also notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, where required by law.

The notification to Data Subjects will include, at a minimum:

  • A description of the nature of the breach;
  • The name and contact details of the data protection officer or other contact point where more information can be obtained;
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to be taken by Vertali Group to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

We maintain incident response procedures to detect, respond to, and recover from data breaches, including but not limited to containment, investigation, remediation, and notification procedures. We conduct regular training and drills to ensure that our incident response procedures are effective and up to date.

9. International Data Transfers

Your personal data is primarily processed and stored within the United States of America. However, in certain circumstances, we may transfer your personal data to countries outside the United States, including but not limited to countries within the European Economic Area (EEA) or other jurisdictions.

When we transfer personal data to countries outside the United States, we ensure that appropriate safeguards are in place to protect your personal data in accordance with applicable data protection laws, including but not limited to:

  • Standard Contractual Clauses: We may use standard contractual clauses approved by the European Commission or other supervisory authorities to ensure adequate protection of personal data;
  • Adequacy Decisions: We may transfer personal data to countries that have been determined to provide adequate protection by the European Commission or other supervisory authorities;
  • Binding Corporate Rules: We may implement binding corporate rules to ensure consistent protection of personal data across our organization;
  • Consent: We may transfer personal data with your explicit consent, where required by applicable law;
  • Other Safeguards: We may implement other appropriate safeguards as required by applicable data protection laws.

By using the Service, you consent to the transfer of your personal data to countries outside the United States in accordance with this Policy and applicable data protection laws. If you have questions or concerns about international data transfers, please contact us using the contact information provided in Section 11 below.

10. Third-Party Data Processors

We may engage third-party service providers, contractors, or agents ("Data Processors") to assist with data processing in connection with the Service. These Data Processors are contractually obligated to protect your personal data and may only process it in accordance with our instructions and applicable data protection laws.

We enter into data processing agreements with all Data Processors that include, at a minimum:

  • Clear instructions regarding the purposes and means of processing;
  • Obligations to protect personal data in accordance with applicable data protection laws;
  • Obligations to implement appropriate technical and organizational security measures;
  • Obligations to notify us of any data breaches or security incidents;
  • Obligations to assist us in responding to Data Subject requests;
  • Obligations to return or delete personal data upon termination of the processing relationship;
  • Prohibitions on using personal data for purposes other than those specified in the agreement;
  • Prohibitions on sharing personal data with third parties without our prior written consent.

We regularly review and audit our Data Processors to ensure that they comply with their contractual obligations and applicable data protection laws. We require all Data Processors to maintain appropriate security measures and to comply with applicable data protection laws.

11. Contact Information and Data Protection Officer

If you have any questions, concerns, or requests regarding this Data Protection Policy or our data protection practices, or if you wish to exercise any of your data protection rights, please contact us at:

Vertali Group

111 N Orange Ave, Orlando, FL 32801, United States

Email: [email protected]

Data Protection Inquiries: For data protection-related inquiries, requests, or complaints, please contact us at the above email address with the subject line "Data Protection Inquiry" or "Data Protection Request."

Data Protection Officer: For inquiries related to GDPR compliance, data protection rights, or other privacy matters, please contact us at the above email address with the subject line "Data Protection Officer."

We will use reasonable efforts to respond to your inquiries, requests, or complaints within one (1) month of receipt, though this period may be extended by two (2) further months where necessary, considering the complexity and number of requests. We may require you to provide proof of identity before processing your request to ensure the security of your personal data.

12. Changes to This Data Protection Policy

We may update this Data Protection Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes to this Policy by posting the updated Policy on the Service and updating the "Last Updated" date at the top of this Policy. We may also notify you of material changes via email or other means, where required by law or where we deem it appropriate.

Your continued use of the Service following any changes to this Policy constitutes your acceptance of such changes. If you do not agree to any changes to this Policy, you must immediately discontinue your use of the Service and contact us to request deletion of your personal data, subject to our right to retain certain information where required by law.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data. The "Last Updated" date at the top of this Policy indicates when this Policy was last revised.

13. Acknowledgment

BY ACCESSING OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS DATA PROTECTION POLICY. IF YOU DO NOT AGREE WITH THIS POLICY, YOU MUST IMMEDIATELY DISCONTINUE YOUR USE OF THE SERVICE.

You further acknowledge that you understand how we protect your personal data and that you consent to our data protection practices as described in this Policy. If you have any questions or concerns about this Policy, please contact us using the contact information provided in Section 11 above.