LeavePort Privacy Policy
Effective Date: 6/15/2026 · Last Updated: 6/15/2026
This Privacy Policy explains how LeavePort, LLC ("LeavePort," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the LeavePort platform (the "Service").
Who this policy is for and who is responsible for what. LeavePort provides the Service to employers ("Customer," "your employer") who use it to administer employee leave. If you are an employee submitting a leave request through LeavePort, your employer is the data controller responsible for decisions about your leave data - what's collected, how long it's kept, and how requests about your data are handled. LeavePort acts as your employer's data processor (sometimes called a "service provider" under certain state laws): we process data on your employer's instructions and are contractually bound by the terms of our agreement with them. If you have questions about your rights regarding your data, start with your employer's HR department. If you have questions about how LeavePort secures or technically handles data, contact us using the information in Section 11.
1. Categories of Information We Collect
We organize this by sensitivity, because we treat these tiers differently on the back end - not all leave data lives behind the same access controls.
1.1 Account and Identity Information
Name, work email address, employee identification number, job title, department, and - where used for eligibility calculations - date of birth, payroll information, benefit enrollment information, and hire date.
1.2 Leave Administration Information
Leave type (e.g., FMLA, state-specific paid or unpaid leave, Customer-configured Custom Leave), requested and approved dates, hours or days requested, accrual and balance information, approval status, and related workflow history (who approved, denied, or requested additional information, and when).
1.3 Sensitive Health-Related Information
Physician certification documents, medical provider statements, and any diagnosis-adjacent or treatment-related narrative fields submitted in connection with a leave request. This is the most sensitive category of data in the Service, and it is subject to restricted, role-based access controls separate from general leave administration data - only personnel your employer has specifically authorized to review medical certifications can access this tier, regardless of what other leave-administration access they hold. This segregation reflects best practices under the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act for keeping medical information in files separate from general personnel records, implemented here as an access-control boundary rather than a physical one.
1.4 Technical and Usage Information
Login timestamps, IP address, device and browser information, two-factor authentication logs, and general platform usage/audit logs.
2. Sources of Information
- Directly from you, when you submit a leave request, upload supporting documentation, or update your account.
- From your employer, including through HRIS integrations (e.g., payroll/HR system data feeds) where your employer has configured them.
- Generated automatically by the Service, such as login and access logs used for security and audit purposes.
We do not collect physician certification documents directly from healthcare providers; these are submitted to the Service by you or by your employer's authorized personnel on your behalf.
3. How We Use Information
We process the categories of information above to:
- Administer and process leave requests, including eligibility determinations under FMLA, applicable state/local leave law, and Customer-configured leave policies;
- Support approval workflows and communication between employees and authorized HR/leave administration personnel;
- Maintain leave and accrual balance records;
- Generate reporting for your employer's leave administration and recordkeeping obligations;
- Maintain the security, integrity, and audit trail of the Service, including through access logging and two-factor authentication;
- Comply with applicable legal and recordkeeping requirements.
We do not use your information for advertising, and we do not sell your information.
4. How Information Is Shared
4.1 Within Your Employer's Organization
Access is limited to personnel your employer has authorized, and is scoped by role - general leave administration data is visible to authorized HR/leave administrators; physician certification and medical narrative data is restricted to the subset of personnel your employer has specifically authorized to review medical documentation, per Section 1.3.
4.2 Subprocessors
We share information with a limited number of service providers who help us operate the Service, under contractual confidentiality and data protection obligations. As of the date of this policy, our subprocessors include:
| Subprocessor | Purpose |
|---|---|
| Supabase | Database hosting, authentication, row-level security enforcement |
| Vercel | Application hosting |
| Resend | Transactional notifications |
4.3 Legal Requirements
We may disclose information if required to do so by law, subpoena, or other legal process, or where necessary to protect the rights, property, or safety of LeavePort, our Customers, or others.
4.4 Business Transfers
If LeavePort is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to the confidentiality commitments in this policy continuing to apply.
4.5 What We Don't Do
We do not sell information to third parties. We do not share information across unrelated Customers - each Customer's data is logically isolated and access-controlled so that no Customer or its employees can see another Customer's data.
5. Data Security
We maintain administrative, technical, and physical safeguards designed to protect information, including:
- Row-level security (RLS) enforced at the database layer, restricting data access based on authenticated user identity and role;
- Two-factor authentication required for all user logins;
- Encryption of data in transit and at rest;
- Access logging and audit trails for sensitive data categories, including physician certification access;
- Role-based access controls, with the additional restriction tier described in Section 1.3 for medical certification data.
No system is completely secure, and we cannot guarantee absolute security. If you believe your account has been compromised, contact your employer's HR department and LeavePort at leithead101@gmail.com immediately.
6. Data Retention
We retain information for as long as necessary to provide the Service to your employer and to satisfy applicable legal, recordkeeping, and contractual obligations, including:
- General leave administration records: consistent with FMLA recordkeeping requirements (generally three years under federal DOL regulations) and any longer period required by applicable state law or your employer's configured retention settings.
- Physician certification and medical documentation: retained only as long as necessary for the leave determination and applicable recordkeeping period, and subject to tighter deletion timelines than general leave records where your employer has configured that option.
- Upon termination of our agreement with your employer, data is retained, returned, or deleted in accordance with that agreement and our standard offboarding process, typically within 90 days of contract termination.
7. Your Rights
Because your employer is the data controller for your information, requests to access, correct, or delete your data should generally be directed to your employer's HR department first. LeavePort provides the technical mechanisms to support those requests once your employer directs us to act on them.
Depending on your state of residence, you may have additional rights under applicable law, including:
- Minnesota - rights under the Minnesota Consumer Data Privacy Act (effective 2025), where applicable thresholds are met;
- California - rights under the CCPA/CPRA, if applicable to your employer's processing;
- Illinois - note that the Biometric Information Privacy Act (BIPA) does not apply to the Service, as LeavePort does not collect or process biometric identifiers for authentication or any other purpose;
- Other states in which we operate, as applicable law develops.
8. Cookies and Tracking Technologies
LeavePort uses cookies and similar technologies only where strictly necessary for the Service to function. We do not use cookies for advertising, cross-site tracking, or behavioral profiling, and we do not use any analytics or marketing cookies.
The strictly necessary cookies and similar technologies used by the Service include:
| Name/Type | Purpose | Duration |
|---|---|---|
| Authentication/session token | Keeps you logged in and identifies your authenticated session | Session |
| Two-factor authentication state | Remembers that you've completed 2FA for the current session, so you aren't re-prompted on every page load | Session |
| CSRF protection token | Protects against cross-site request forgery attacks | Session |
Because these technologies are strictly necessary for the Service to operate securely - you cannot log in, stay authenticated, or complete two-factor authentication without them - we do not display a cookie consent banner, consistent with the strictly-necessary exemption recognized under applicable cookie/ePrivacy frameworks. Disabling these technologies in your browser will prevent you from using the Service.
If LeavePort later adds any non-essential cookies or tracking technologies (e.g., product analytics), this section will be updated in advance of that change, and a consent mechanism will be added if required by applicable law.
9. Children's Privacy
The Service is intended for use by working adults in connection with employment-related leave administration and is not directed to, and does not knowingly collect information from, individuals under 18.
10. International Users
The Service is currently designed for use solely within the United States.
11. Breach Notification
In the event of a confirmed security incident affecting your information, LeavePort will notify the affected Customer in accordance with the notification timeline specified in our Data Processing Addendum with that Customer, and will support your employer in meeting its own legal notification obligations to you and to applicable regulators.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be reflected by an updated "Last Updated" date, and where required by law, we will provide additional notice.
13. Contact Us
For questions about this Privacy Policy or LeavePort's data handling practices:
LeavePort, LLC; 455 Central Ave SE #812, Minneapolis MN, 55414; keaton@leithead.consulting
If your question relates to your own leave data specifically - access, correction, or deletion - please contact your employer's HR department first, as they control that data.

