Indian HRM: Privacy Policy
Plain-language summary of how we handle personal and employee data. The full legal text is on the rendered page. If anything in the legal version contradicts this summary, the legal version controls. We're aiming for honesty and clarity over legal padding.
What Data We Collect
From the customer (employer). Company name, GST number, billing contact, admin email, payment method. Standard SaaS account info.
From employees inside the tenant. Name, employee code, contact details, PAN, Aadhaar (if you choose to store it), bank account number, salary structure, attendance logs, leave balances, tax declarations and proofs, performance review history, documents the employer or employee uploads. Whatever HR functions need to operate.
Automatically. Usage logs (what features are used and when), error reports, IP addresses for security. We don't track users across other websites or sell behavioural data.
How We Use It
To run the service: process payroll, render payslips, generate Form 16, route leave approvals, calculate TDS. To provide support: when you raise a ticket, our team can access your tenant with your written permission. To improve the product: aggregate usage signals (what features are popular, where users get stuck) inform our roadmap. We do not use your data to train AI models, and we never sell it.
Where Data Is Stored
India region (AWS Mumbai, ap-south-1). Backups are encrypted at rest with AES-256. Data in transit is protected with TLS 1.3. Personal data does not leave Indian soil unless you explicitly enable an integration that sends it abroad (for example, syncing payroll to an overseas parent company's GL).
Who We Share Data With
Sub-processors we use to run the service: AWS (hosting), AWS SES (transactional email), Razorpay (subscription billing for the customer, not for employee payroll), Twilio or Meta (WhatsApp Business API). The list is published on a sub-processors page and we update it when it changes. We do not share data with advertisers, data brokers, or AI training companies.
Your Rights Under DPDP Act
India's Digital Personal Data Protection Act gives data principals (employees in your tenant) the right to access, correct, and delete their personal data. The system has a self-service data-export feature in the employee portal. Deletion requests come to HR, who can fulfil them through the admin tools. We support the customer in their data-fiduciary obligations under the Act.
How Long We Keep Data
While the subscription is active, your data is retained as you configure it (typically the legal minimum for payroll records is 8 years in India; we retain longer if you ask). After cancellation, data is accessible for 90 days, then deleted on request, then permanently deleted within 30 days. Backups age out within 90 days of deletion.
Cookies & Tracking
We use a session cookie to keep you signed in. We use Google Analytics on the marketing pages (not on the dashboard) with IP anonymisation. We don't use third-party trackers, retargeting pixels, or session recorders inside the product. The marketing site has a cookie banner where you can opt out of analytics.
Security
Role-based access control with 132+ granular permissions. Audit logs on every read of sensitive data. Two-factor authentication available on every plan. Penetration testing annually. Employee laptops encrypted, production access on hardware-keyed SSO. We disclose security incidents that affect customer data within 72 hours.
Children's Data
We don't knowingly collect data from anyone under 18 except where the customer is explicitly storing dependents' details for HR purposes (for example, ESI dependent records).
Changes to This Policy
If we update this policy materially, we email all admin users at least 30 days before the change takes effect.
Contact
Email privacy@indianhrm.com for data-protection questions. We respond within 7 business days. Our Data Protection Officer is reachable at the same address for DPDP Act requests.