Privacy Policy
Last Updated: 14 April 2025
1. Introduction
Welcome to HRSaathi (the "Platform"), operated by Skysoft IT Services Pvt. Ltd. ("we," "us," or "our"), a CMMI Level 3 and ISO 27001:2013 certified company. This Privacy Policy explains how we collect, use, disclose, process, and safeguard your information when you use our Platform, including both the HRSaathi web platform and mobile application.
This Privacy Policy is designed to help you understand:
- What personal information we collect
- How we use your information
- How we share your information
- How we protect your information
- Your rights regarding your information
- How to contact us with questions
By accessing or using HRSaathi, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with our practices, please do not use the Platform.
2. Information We Collect
We collect the following types of information:
2.1 Personal Information
- Identity Information: Full name, email address, phone number, job title, company details, profile photos
- Authentication Information: Login credentials (username and password)
- Government-issued Identification: For verification purposes, where required by law or for specific functionality
- Financial Information: Bank account details, tax identification numbers (for payroll processing)
2.2 Employee and HR Data
- Employment Records: Name, contact details, department, position, employment history, education, skills
- Attendance Data: Clock-in/out times, work hours, shift schedules, overtime records
- Leave Management Data: Applied leaves, approvals, leave balances, leave history
- Payroll Information: Salary details, tax information, allowances, deductions
- Performance Data: Evaluations, feedback, goals, achievements
2.3 Location Data
- Precise Location: GPS-based location when using geo-attendance features (with your permission)
- Approximate Location: General location based on IP address or network information
2.4 Media and Files
- Photos and Videos: Profile pictures, uploaded documents, scanned records
- Audio Files: Voice recordings, audio notes, music files, and other audio content
- Documents and Files: PDF files, spreadsheets, presentations, and other uploaded documents
2.5 Usage and Technical Data
- Device Information: IP address, browser type, operating system, device model, unique device identifiers
- Activity Data: Login timestamps, session duration, feature usage, actions performed
- Cookies and Tracking Technologies: Cookies, web beacons, pixels, and similar technologies
- Log Data: Error reports, performance data, system activity, hardware settings
2.6 Communication Data
- Messages: Emails, in-app messages, support requests
- Notifications: Information about notifications sent via WhatsApp, email, or SMS
- Feedback: Surveys, suggestions, reported issues
3. HRSaathi Mirror — Biometric Data Processing
Certain customers deploy HRSaathi Mirror, a kiosk application that uses face-recognition technology to mark employee attendance. When this application is used, the following additional processing applies.
What we collect:
- Face images: captured by the kiosk camera during enrollment and during each attendance event.
- Face embeddings: numerical representations (vector data) derived from face images, used for identity verification. Embeddings cannot be reversed into a recognizable photo.
Why we collect it:
To authenticate the employee marking attendance on a shared kiosk device.
Legal basis:
Explicit, informed consent obtained from the employee during the enrollment step. Consent may be withdrawn at any time; see "Your Rights and Choices" below.
How it is stored:
- On the kiosk device: encrypted at rest using AES-256-GCM (Android Jetpack Security / iOS Keychain).
- On HRSaathi servers: encrypted at rest and accessible only to authorised systems for the employee's organisation.
How long we keep it:
For as long as the employee is active with the Customer organisation. On separation or written deletion request, biometric data is deleted from servers within 30 days and from the kiosk on next sync.
Sharing:
Face data is never shared with third parties. Face detection is performed using on-device Google ML Kit (no images sent to Google's servers); face recognition runs locally using a TensorFlow Lite model embedded in the application.
DPDP Act 2023:
HRSaathi acts as a Data Processor for biometric data on behalf of the Customer organisation, which is the Data Fiduciary. You may exercise your rights of access, correction, erasure, and consent withdrawal under the Digital Personal Data Protection Act, 2023 by contacting the support email listed below or your organisation's HR administrator.
4. How We Collect Information
4.1 Direct Collection
- Information you provide when registering an account
- Data entered while using the Platform's features
- Information submitted through forms, uploads, or communications
4.2 Automated Collection
- Cookies and similar tracking technologies
- Server logs and analytics tools
- Mobile device permissions (when granted)
4.3 Third-Party Sources
- Information from your employer (if HRSaathi is provided by your organization)
- Integration with other HR systems or applications (with proper authorization)
- Public sources, where permitted by law
5. Data Security
We implement industry-standard security measures to protect your information:
5.1 Technical Safeguards
- Encryption: Data is encrypted during transmission (TLS/SSL) and at rest
- Access Controls: Strict access controls and authentication mechanisms
- Network Security: Firewalls, intrusion detection, and prevention systems
- Regular Security Testing: Vulnerability assessments and penetration testing
5.2 Organizational Measures
- Employee Training: Regular security awareness training for all staff
- Access Limitations: Access to personal data is limited to authorized personnel
- Security Policies: Comprehensive information security policies and procedures
- Regular Audits: Periodic security audits to ensure compliance with ISO 27001:2013 standards
6. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access and Portability: Request access to the personal information we hold about you and receive a copy in a structured, commonly used, and machine-readable format
- Correction and Update: Correct inaccurate or incomplete personal information and update your personal details when they change
- Deletion and Restriction: Request deletion of your personal data (subject to legal obligations) or restriction of processing in certain circumstances
- Objection and Withdrawal of Consent: Object to processing based on legitimate interests or withdraw consent previously given for specific processing activities
To exercise these rights, please contact us using the information provided in our contact section. We will respond to your request within the timeframe required by applicable law.
7. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:
Email: help@hrsaathi.com
Phone: +91 78958 15412
Address: 1st Floor, 5/588 Vikash Khand, Gomti Nagar, Lucknow, Uttar Pradesh, 226010
