Last updated: October 31, 2025
1. Introduction and Scope
natalabs L.L.C-FZ ("Company", "we", "our", "us", or "Wherabout") is committed to protecting personal data in accordance with applicable data protection laws. This Privacy Policy explains how we collect, process, store, and protect information when you use our time-off management platform at https://wherabout.com (the "Service").
Scope and Applicability: This policy applies to all users of the Service, including company administrators, managers, and employees. The Service is designed exclusively for business-to-business (B2B) use for employment data management. We process employee data on behalf of customer organizations who remain the data controllers for their employee data.
Age Restriction: The Service is not intended for individuals under 16 years of age or below the minimum legal working age in their jurisdiction, whichever is higher. We do not knowingly collect data from individuals under the legal working age. If you become aware such data has been provided, contact us immediately for removal.
2. Data Controller and Processor Roles
2.1 When We Are a Data Processor: For employee data entered into the Service by customer organizations (such as employee names, time-off records, leave balances), your organization is the data controller and we act as a data processor under their instructions. Your organization is responsible for obtaining employee consents and complying with employment data protection laws. Our processing is governed by our Data Processing Addendum.
2.2 When We Are a Data Controller: For account registration data, billing information, usage analytics, and service communications, we act as the data controller and process such data under the legal bases described below.
3. Information We Collect and Legal Basis (GDPR Article 6)
3.1 Account and Registration Data
- Data: Name, email address, company name, job title, password (hashed)
- Legal Basis: Contractual necessity (GDPR Art. 6(1)(b)) - required to create and maintain your account
- Source: Provided directly by you during registration

3.2 Employee Data (Processed on Behalf of Customer)
- Data: Employee names, email addresses, start dates, employment status, department, manager assignments, work schedules, time-off requests, approval history, leave balances, location data, holiday assignments
- Legal Basis: Processed under customer's instructions as data processor. Customer organization determines legal basis (typically employment contract or legitimate interests)
- Source: Provided by customer organization (employer)

3.3 Billing and Payment Data
- Data: Billing email, payment method details (credit card information is processed and stored by our payment processor, not by us), transaction history, invoice records
- Legal Basis: Contractual necessity (GDPR Art. 6(1)(b)) - required to process subscription payments
- Source: Provided directly by you or your organization

3.4 Technical and Usage Data
- Data: IP addresses, browser type and version, device information, operating system, log data, access times, pages viewed, feature usage patterns, error reports, performance metrics
- Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)) - to ensure service security, prevent fraud, diagnose technical issues, and improve service performance
- Source: Automatically collected when you use the Service

3.5 Communications Data
- Data: Email correspondence, support tickets, chat transcripts, feedback submissions
- Legal Basis: Contractual necessity (GDPR Art. 6(1)(b)) for service-related communications; Legitimate interests (GDPR Art. 6(1)(f)) for support and improvement purposes
- Source: Provided directly by you when contacting us

3.6 Marketing and Communications Data
- Data: Email address provided during signup, marketing preferences, communication history
- Legal Basis: Consent (GDPR Art. 6(1)(a)) - only with your explicit opt-in consent during signup or through communication preference updates
- Collection: During account signup, you may choose to opt in to receive product updates, feature announcements, and promotional communications. This is entirely optional and separate from accepting the Terms of Service and Privacy Policy.
- Purpose: To send you marketing emails about new features, product updates, industry insights, promotional offers, and company news
- Transactional vs Marketing: We distinguish between transactional emails (account notifications, security alerts, billing reminders), which do not require marketing consent, and marketing emails (product updates, promotional content), which require your explicit opt-in
- Opt-Out: You may withdraw marketing consent at any time by clicking the unsubscribe link in any marketing email or updating your communication preferences in your account settings. This will not affect transactional emails necessary for Service delivery

3.7 Signup Flow Data Collection
- Data: During the signup process to create your account, we collect the following additional data: IP address, country code (ISO 3166-1 alpha-2 format, e.g., US, GB, FR), timezone, browser user agent and language preference, HTTP referrer (the page you came from), and signup timestamp. This data is distinct from your account profile and is retained separately in our signup audit trail.
- Legal Basis:
  - IP Address: Legitimate interests (GDPR Art. 6(1)(f)) - for fraud prevention, security audit trail, and compliance with legal jurisdiction requirements
  - Country Code: Legitimate interests (GDPR Art. 6(1)(f)) - to determine which data protection regulations apply to your personal data (GDPR for EU/UK users, CCPA for California users, etc.). Used exclusively for legal compliance determination. NOT used for geolocation-based services, behavioral tracking, or targeted advertising.
  - Timezone and Language Preference: Contractual necessity (GDPR Art. 6(1)(b)) - required to provide the Service in your preferred language and timezone
  - Browser User Agent: Legitimate interests (GDPR Art. 6(1)(f)) - for security analysis and device compatibility assessment
  - HTTP Referrer: Legitimate interests (GDPR Art. 6(1)(f)) - for marketing attribution analysis and fraud prevention
- Purpose:
  - Provide an accurate signup audit trail for compliance and security investigation
  - Determine applicable data protection laws based on your jurisdiction
  - Prevent fraud and unauthorized access attempts
  - Analyze marketing channel effectiveness and user acquisition sources
  - Improve Service performance and user experience
- Security Note: All signup data is encrypted in transit (TLS 1.3) and at rest (AES-256). This data is not shared with third parties and is accessible only to authorized company personnel and service providers necessary for security and legal compliance.

3.8 Email Addresses and Contact Information
We collect and process different types of email addresses for distinct purposes under different legal bases:
Registration Email Address
- Collected: During signup when you create an account and accept our Terms of Service and Privacy Policy
- Legal Basis: Consent (GDPR Article 6(1)(a)) for accepting legal terms; Contractual necessity (GDPR Article 6(1)(b)) for account access
- Purpose:
  - Account access and authentication (magic link login)
  - Service-related communications and notifications
  - Marketing communications (only if you opted in during signup)
  - Tracking who accepted the Terms of Service and Privacy Policy on behalf of your organization
- Your Rights: You can withdraw consent for marketing communications at any time via the unsubscribe link in emails or account settings. Account access and service notifications remain necessary for service delivery while your subscription is active.

Billing Email Address
- Collected: During payment checkout when subscribing to our Service
- Legal Basis: Contractual necessity (GDPR Article 6(1)(b)) - required for payment processing and service delivery
- Purpose:
  - Payment processing and transaction confirmations
  - Invoices and receipts
  - Subscription management and renewal notifications
  - Service delivery and account access
  - Billing-related support
- Your Rights: This email is required for service delivery and cannot be removed while your subscription is active. You can update it in your account billing settings.

Using Different Email Addresses
You may provide different email addresses for registration and billing purposes. This is common in business contexts where:
- Registration email: Your work email for account access and notifications
- Billing email: Your finance department email or corporate card email

Both email addresses will be linked to your account in our records. We maintain this linkage to:
- Track consent (which email accepted the Terms of Service and Privacy Policy)
- Deliver services to the appropriate contact based on purpose
- Send communications to the correct recipient (service vs. billing vs. marketing)
- Maintain an audit trail for legal compliance

Marketing Communications Policy
IMPORTANT: Marketing emails are sent ONLY to the registration email address and ONLY if you explicitly opted in during signup. We do NOT send marketing communications to billing email addresses without separate consent.
You can unsubscribe from marketing emails at any time by:
- Clicking the unsubscribe link in any marketing email
- Updating communication preferences in your account settings
- Contacting support@wherabout.com

Service Communications
Service-related emails (login links, password resets, subscription notifications, security alerts) are sent to the email address associated with your account (typically the billing email for service delivery). These communications are necessary for service delivery and cannot be opted out while your subscription is active.
4. How We Use Your Information
We process personal data only for specified, explicit, and legitimate purposes:
- Service Delivery: To provide time-off management features, process requests, calculate leave balances, send notifications, generate reports (Contractual necessity)
- Account Management: To create and maintain user accounts, authenticate access, manage subscriptions (Contractual necessity)
- Payment Processing: To process subscription fees, issue invoices, handle billing disputes (Contractual necessity)
- Customer Support: To respond to inquiries, troubleshoot issues, provide technical assistance (Contractual necessity and Legitimate interests)
- Marketing Communications: To send product updates, feature announcements, and promotional emails to users who have explicitly opted in (Consent - GDPR Art. 6(1)(a))
- Security and Fraud Prevention: To detect and prevent unauthorized access, abuse, security incidents, and fraudulent activity (Legitimate interests)
- Service Improvement: To analyze usage patterns, identify bugs, develop new features, optimize performance (Legitimate interests)
- Legal Compliance: To comply with legal obligations, respond to lawful requests, enforce our Terms, protect our rights (Legal obligation and Legitimate interests)

Data Minimization: We collect and process only data that is necessary for the specified purposes. We do not use personal data for purposes incompatible with those disclosed in this policy.
5. Data Storage, Security, and Infrastructure
We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, or damage:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
- Access Controls: Role-based access controls (RBAC), multi-factor authentication (MFA), and strict password requirements
- Infrastructure Security: Cloud hosting with enterprise-grade physical and network security, regular security patches and updates
- Monitoring: Continuous security monitoring, intrusion detection systems, automated threat detection
- Incident Response: Documented security incident response procedures and breach notification protocols
- Employee Training: Regular security awareness training for all personnel with data access

Storage Location: Data is primarily stored in secure cloud infrastructure located in the United States and European Union. We use industry-leading infrastructure providers with ISO 27001, SOC 2 Type II, and other relevant security certifications.
Limitations: While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security and are not liable for unauthorized access resulting from circumstances beyond our reasonable control. You are responsible for maintaining the confidentiality of your account credentials.
6. Data Retention and Deletion
We retain personal data only as long as necessary for the purposes outlined in this policy and as required by law:
- Active Account Data: Retained for the duration of your active subscription plus 30 days after termination
- Employee Records: Retained according to your organization's retention policies as data controller, typically for employment record-keeping requirements (varies by jurisdiction, commonly 7 years)
- Financial Records: Retained for 7 years from the transaction date for tax and accounting compliance
- Support Communications: Retained for 3 years for customer service quality and dispute resolution
- Technical Logs: Retained for 90 days for security monitoring and troubleshooting purposes
- Backup Data: Deleted from backup systems within 90 days after primary deletion

Account Deletion: Upon account termination or cancellation, you have 30 days to export your data. After 30 days, all Customer Data is permanently and irreversibly deleted from active systems. Backup systems are purged within 90 days. We are not obligated to retain or provide data after this period.
Legal Holds: We may retain data beyond specified periods if required by legal proceedings, regulatory investigations, or enforceable governmental requests. Data subject to legal holds is segregated and retained only for the duration of the legal requirement.
7. Data Sharing and Third-Party Sub-Processors
No Data Sales: We do not sell, rent, or trade personal data to third parties for marketing purposes.
7.1 Within Your Organization: Employee data is accessible to authorized users within your organization based on role permissions (company administrators, managers, HR personnel). Access is controlled by your organization's account settings.
7.2 Service Providers and Sub-Processors (GDPR Art. 28): We engage carefully vetted third-party service providers who process data on our behalf under strict contractual obligations:
- Supabase Inc. (United States): Cloud database hosting and authentication services
- Render Services Inc. (United States): Application hosting and infrastructure
- LemonSqueezy LLC (United States): Payment processing and subscription billing
- Resend Inc. (United States): Transactional email delivery

All sub-processors are bound by data protection agreements (DPAs) compliant with GDPR Article 28 requirements. We conduct due diligence on security practices and compliance certifications before engagement. We will notify customers of sub-processor changes with 30 days advance notice via email and Service announcements.
7.3 Legal Disclosures: We may disclose personal data when required by law or in good faith belief that such disclosure is necessary to:
- Comply with legal obligations, court orders, or lawful government requests
- Enforce our Terms of Service or investigate potential violations
- Protect the rights, property, or safety of the Company, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues

We will challenge overbroad or unlawful requests and notify affected users unless legally prohibited.
7.4 Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity. We will notify users via email and prominent Service notice before data is transferred and becomes subject to a different privacy policy.
8. International Data Transfers
The Service operates globally and data may be transferred to, stored in, and processed in countries outside your country of residence, including the United States, European Union, and United Arab Emirates.
8.1 Transfers from EEA/UK: For data transfers from the European Economic Area (EEA) or United Kingdom to third countries not recognized as providing adequate protection under GDPR Article 45:
- We implement European Commission Standard Contractual Clauses (SCCs) as approved under GDPR Article 46(2)(c)
- We conduct Transfer Impact Assessments (TIAs) to ensure appropriate safeguards
- Sub-processors handling EEA data are contractually bound to equivalent protections

8.2 Transfers from UAE: We comply with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data requirements for cross-border data transfers, implementing appropriate contractual safeguards and ensuring recipient countries provide adequate protection.
8.3 Your Rights Regarding Transfers: You may request information about the safeguards we have implemented for international transfers by contacting us at hi@natalabs.com.
9. Your Data Protection Rights
9.1 GDPR Rights (EEA and UK Users)
Under the General Data Protection Regulation (GDPR), EEA and UK residents have the following rights:
- Right of Access (Art. 15): Request copies of your personal data and information about processing
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data under certain circumstances
- Right to Restrict Processing (Art. 18): Request limitation of processing under certain conditions
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format and transmit it to another controller
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
- Rights Related to Automated Decision-Making (Art. 22): Not be subject to solely automated decisions with legal or significant effects (not currently applicable as we do not use automated decision-making)
- Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting prior lawful processing
- Right to Lodge a Complaint: File a complaint with your national data protection supervisory authority

9.2 UAE Data Protection Rights
Under UAE Federal Decree-Law No. 45 of 2021, UAE residents have rights including:
- Right to access personal data
- Right to rectify inaccurate data
- Right to delete data in certain circumstances
- Right to object to processing for direct marketing
- Right to file complaints with the UAE Data Office

9.3 Exercising Your Rights
To exercise any of these rights, contact us at hi@natalabs.com with the subject line "Data Subject Request". Include:
- Your full name and the email address associated with your account
- The specific right you wish to exercise
- A detailed description of your request
- Verification information (we may request additional information to confirm identity)

Response Timeline: We will respond to verified requests within 30 days (GDPR) or as required by applicable law. Complex requests may require up to 60 days with notification of the extension. We will not charge fees for requests unless they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.
Employee Data Requests: If you are an employee and wish to exercise rights regarding data processed by your employer (data controller), you must direct your request to your employer's HR department. We will cooperate with your employer to facilitate such requests in our capacity as data processor.
Limitations: Certain rights may be limited by legal obligations, such as retention requirements for financial records or data needed for legal proceedings. We will explain any limitations when responding to your request.
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify relevant supervisory authorities within 72 hours of becoming aware (GDPR requirement)
- Notify affected individuals without undue delay if the breach poses a high risk
- Provide information about the nature of the breach, likely consequences, and mitigation measures
- Document all breaches for regulatory compliance

Notifications will be sent via email to the registered account email address and via prominent notice within the Service.
11. Cookies and Tracking Technologies
11.1 Essential Cookies (No Consent Required)
We use the following strictly necessary cookies required for the Service to function. These cookies are exempt from consent requirements under GDPR Article 6(1)(b) (necessary for contract performance) and ePrivacy Directive:
- Authentication Cookies: Session tokens (sb-access-token, sb-refresh-token) to maintain your logged-in state securely. Expires: Session or 7 days
- Security Cookies: CSRF tokens and security validation to protect against unauthorized access and attacks

11.2 Browser Local Storage (Not Cookies)
We store the following preferences locally in your browser using HTML5 localStorage (not cookies, no server transmission):
- Language Preference (language): Your chosen interface language (en, fr, it)
- Theme Preference (theme): Your display theme (light, dark, system)
- Privacy Notice Acknowledgment: Records that you have reviewed this policy

This data remains on your device and is never transmitted to our servers. You can clear it through browser settings (Clear browsing data → Local storage).
11.3 No Analytics or Marketing Cookies Currently Used
We do not currently use analytics, advertising, or marketing cookies. We do not track users across websites or engage in behavioral profiling.
Future Implementation: If we introduce analytics services (e.g., Google Analytics, Mixpanel) or marketing tools in the future, we will:
- Update this Privacy Policy with details of the technologies used
- Implement a cookie consent banner compliant with GDPR and the ePrivacy Directive
- Obtain your explicit opt-in consent before placing any non-essential cookies
- Provide granular cookie preference management (accept/reject by category)
- Honor Do Not Track (DNT) browser signals
- Notify active users via email of the policy update

11.4 Third-Party Cookies
Our sub-processors (Supabase, LemonSqueezy) may set their own cookies for security and functionality purposes when you interact with their embedded services (e.g., payment checkout). These are governed by their respective privacy policies. We do not control third-party cookies and recommend reviewing their policies.
12. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in our practices, legal requirements, or Service features. Material changes will be communicated via:
- Updated "Last updated" date at the top of this policy
- Email notification to registered account holders
- Prominent notice within the Service for 30 days

For material changes affecting data processing, we may require re-acceptance or provide opt-out mechanisms. Continued use after the effective date constitutes acceptance of the revised policy. We encourage periodic review of this policy to stay informed about how we protect your data.
Archive: Previous versions of this policy are available upon request for transparency and accountability.
13. Children and Age Restrictions
The Service is intended exclusively for business use in employment data management. We do not knowingly collect or process personal data of individuals under 16 years of age or below the minimum legal working age in their jurisdiction, whichever is higher.
If you are a customer organization, you represent and warrant that all employee data entered into the Service pertains only to individuals who meet the minimum age requirements for employment in their jurisdiction. Common minimum working ages: 16 (most EU countries, UK), 14-16 (United States with restrictions), 15 (UAE for certain work).
If we become aware that we have inadvertently collected data of an individual below the legal working age, we will take immediate steps to delete such data. If you believe such data has been provided, contact us immediately at hi@natalabs.com.
14. Contact Information and Data Protection Officer
For privacy-related questions, data subject requests, or concerns, contact us at:
natalabs L.L.C-FZ
Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
Email: hi@natalabs.com
Website: https://wherabout.com
Data Subject Requests: Email hi@natalabs.com with subject line "Data Subject Request"
Data Protection Officer: For GDPR-related inquiries, contact our Data Protection Officer at hi@natalabs.com
Legal Notices and Formal Complaints: All legal notices, breach notifications, and formal complaints MUST be sent to BOTH:
- Physical address: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
- Email: hi@natalabs.com

Supervisory Authority Complaints:
- EEA/UK Users: You have the right to lodge a complaint with your national data protection authority. Find your authority at https://edpb.europa.eu/about-edpb/board/members_en
- UAE Users: Contact the UAE Data Office at https://tdra.gov.ae/en/data-office

15. Supplementary Information
15.1 Data Processing Addendum (DPA)
For enterprise customers requiring a formal Data Processing Addendum under GDPR Article 28, please contact hi@natalabs.com. Our standard DPA includes:
- Detailed processing instructions and scope
- Security measures and audit rights
- Sub-processor authorization and notification procedures
- Data subject rights assistance
- Breach notification obligations
- Data deletion and return procedures
- Standard Contractual Clauses for international transfers

15.2 California Privacy Rights (CCPA/CPRA)
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). However, the B2B exemption applies to most data we process (employee data processed on behalf of businesses). For data where we act as a business (account holder data), California residents may:
- Request disclosure of personal information collected and how it is used
- Request deletion of personal information (subject to exceptions)
- Opt out of sale or sharing of personal information (we do not sell or share personal information)
- Not be discriminated against for exercising privacy rights

To exercise California rights, email hi@natalabs.com with subject "California Privacy Request".
15.3 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE SHALL NOT BE LIABLE FOR ANY DAMAGES ARISING FROM: (A) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR DATA DUE TO CIRCUMSTANCES BEYOND OUR REASONABLE CONTROL; (B) YOUR FAILURE TO MAINTAIN ACCOUNT SECURITY; (C) ACTIONS OF THIRD-PARTY SUB-PROCESSORS; OR (D) YOUR ORGANIZATION'S DATA PRACTICES AS DATA CONTROLLER. OUR LIABILITY FOR DATA PROTECTION VIOLATIONS IS LIMITED AS SET FORTH IN OUR TERMS OF SERVICE.