Last Updated: 1 January 2025

Privacy Policy

We take your privacy seriously. This policy explains what data HRPay collects, why we collect it, how it is protected, and the rights you hold over your information.

Effective: 1 Jan 2025
~10 min read
Compliant with PDPB & IT Act
01

Data We Collect

HRPay collects data that is necessary to deliver our payroll, compliance, and HR management services. The categories of data we collect include:

Account & Identity Data
Name, email, phone, designation, employee ID, and company details provided during registration or profile setup.
Payroll & Financial Data
Salary components, CTC structure, bank account details, PAN, PF UAN, tax declarations, and reimbursement claims.
Attendance & Leave Data
Login/logout times, geo-location (if geo-fencing is enabled), leave applications, approvals, and loss-of-pay records.
Usage & Technical Data
IP address, browser type, device identifiers, pages visited, features used, and session duration for platform analytics.

We only collect data that is necessary for a specific, legitimate purpose. HRPay does not collect sensitive personal data (biometrics, health data) unless explicitly required for a compliance feature and with your organisation's consent.

02

How We Use Your Data

We process your data for the following purposes, each tied to a lawful basis under applicable data protection law:

  • Payroll Processing: Computing net pay, tax deductions (TDS), PF/ESI contributions, and generating payslips and Form 16.
  • Statutory Compliance: Filing PF ECR, ESIC challans, TDS returns, and other regulatory submissions on behalf of your employer.
  • Platform Delivery: Providing access to the HRPay dashboard, attendance tools, leave management, and reports.
  • Customer Support: Responding to queries, resolving disputes, and troubleshooting account issues.
  • Product Improvement: Analysing aggregated usage patterns to improve features, performance, and user experience.
  • Security & Fraud Prevention: Detecting suspicious activity, preventing unauthorised access, and maintaining audit logs.
  • Communications: Sending service notifications, compliance reminders, product updates, and (with consent) marketing emails.
03

Data Sharing & Disclosure

HRPay does not sell or rent your personal data. We share data only in the following controlled circumstances:

  • Government & Regulatory Bodies: PF, ESIC, income tax authorities, and other statutory bodies as required by law.
  • Your Employer Organisation: HR administrators and finance teams within your organisation have access to your payroll and attendance data as part of our B2B service model.
  • Trusted Sub-Processors: Cloud hosting (AWS), email delivery (SendGrid), analytics (Google Analytics), and customer support (Intercom) — all bound by data processing agreements.
  • Legal Compliance: When required by court order, governmental directive, or applicable law.
  • Business Transfers: In the event of a merger or acquisition, with prior notice and equivalent privacy protections maintained.

All sub-processors used by HRPay are contractually bound to process data solely on our instructions and are prohibited from using your data for their own purposes.

04

Data Security

  • Encryption: AES-256 encryption at rest; TLS 1.3 for all data in transit.
  • Access Controls: Role-based access control (RBAC) with principle of least privilege; MFA for all admin accounts.
  • Infrastructure: Hosted on ISO 27001-certified AWS data centres in Mumbai (ap-south-1) with geo-redundancy.
  • Auditing: Immutable audit logs for all data access; regular third-party penetration testing.
  • Incident Response: Dedicated security team with a documented breach notification procedure.
05

Data Retention

Data CategoryRetention PeriodBasis
Payroll Records 8 years post-employment Income Tax Act, 1961
PF / ESIC Records 5 years post-filing EPF & MP Act, 1952
Attendance & Leave Logs3 years Contract / Legitimate Interest
Account & Profile Data Duration of contract + 2 yearsContractual Obligation
Platform Usage / Analytics 24 months (aggregated) Legitimate Interest
Support Tickets 3 years Legitimate Interest

Upon expiry of the applicable retention period, data is securely deleted or anonymised per our data disposal procedure.

06

Your Rights

  • Right to Access: Request a copy of the personal data HRPay holds about you.
  • Right to Correction: Request correction of inaccurate or incomplete data.
  • Right to Deletion: Request deletion of your data, subject to statutory retention obligations.
  • Right to Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interest, including direct marketing.
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.

To exercise any right, email privacy@hrpay.in. We respond within 30 business days.

07

Cookies

HRPay uses cookies and similar tracking technologies. For full details on types used, third-party providers, and how to manage your preferences, please refer to our Cookie Policy.

08

Children's Privacy

HRPay is a B2B enterprise platform not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through our platform, contact us at privacy@hrpay.in and we will promptly delete it.

09

Policy Changes

Material changes will be communicated via in-app notification and email at least 14 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.

10

Contact & Grievances

Data Protection Officer: dpo@hrpay.in
Privacy Grievances: privacy@hrpay.in
Response SLA: 30 business days
Address: HRPay Technologies Pvt. Ltd., 4th Floor, Magnum House, BKC, Mumbai – 400051, Maharashtra, India

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority under the Digital Personal Data Protection Act, 2023.