Your privacy and data security are important to us. Learn how SHURT HRMS collects, uses, stores, and protects information.
SHURT HRMS (βweβ, βourβ, or βusβ) respects your privacy and is committed to protecting the personal and organisational data shared with us. This Privacy Policy explains how information is collected, used, stored, and protected when using our HRMS platform and related services.
By using SHURT HRMS, you agree to the practices described in this policy.
This Privacy Policy ("Policy") describes how Shurt TechSol ("we", "us", "our") collects, uses, stores, shares, and protects personal data when you access or use the Shurt HRMS platform.
This Policy is prepared to comply with:
As Data Processor: With respect to Employee personal data, Shurt TechSol processes data on behalf of the Organisation (the data controller) per the Organisation's instructions and a Data Processing Agreement.
As Data Controller: With respect to Organisation Admin account data and data collected for the Company's own purposes (billing, security, product improvement), Shurt TechSol is the data controller.
| Legal Basis | Application |
|---|---|
| Contractual Necessity | Processing required to perform the Subscription agreement, including providing HR modules and payroll services. |
| Consent | Processing of biometric (facial) data and background location data β requires explicit, granular, informed consent from each Employee. |
| Legitimate Interests | Security monitoring, fraud prevention, aggregated/anonymised platform analytics, and product improvement β where not overridden by individual rights. |
| Legal Obligation | Statutory payroll reporting (PF, ESI, TDS), tax compliance, and lawful regulatory/authority requests. |
| Category | Data Points | Source |
|---|---|---|
| Identity & Account | Full name, employee ID, designation, department, profile photo, date of birth, gender | Organisation / Employee |
| Contact | Work email, work mobile, emergency contact | Organisation / Employee |
| Biometric (Special Category) | Facial feature vectors (encrypted mathematical embeddings); liveness detection data | Captured via app with Employee consent |
| Location | GPS latitude/longitude, timestamp, accuracy radius, device identifier | Captured via app during active sessions |
| Attendance & Time | Clock-in/out timestamps, shift data, working hours, regularisation records, leave balances | Platform / Employee |
| Financial & Payroll | Salary structure, CTC, PAN, bank details, PF/ESI numbers, tax declarations, payslips, expense claims and receipts | Organisation / Employee |
| Task & Work Data | Task assignments, status, comments, timestamps, attachments | Platform / Employee / Admin |
| Device & Technical | Device model, OS version, app version, IP address, device UUID, push token, crash logs | Automatically collected |
| Usage Analytics | Feature usage patterns, session duration (anonymised) | Automatically collected |
We do not store raw facial photographs in our primary operational database. The AI attendance system converts facial images into encrypted mathematical feature vectors (embeddings) β numerical representations that cannot be reverse-processed to reconstruct a recognisable photograph.
Original images may be temporarily retained as an audit record for attendance disputes, subject to the retention schedule in Section 8.
Biometric enrolment is voluntary and requires explicit, informed, documented consent from each Employee prior to activation.
Consent may be withdrawn at any time by written request to the Organisation Admin or our Grievance Officer. Biometric data will be permanently deleted within 7 business days of verified withdrawal.
Biometric data is never sold, rented, licensed, or disclosed to any third party β including advertisers, data brokers, or government authorities β except pursuant to a valid, legally enforceable court order.
Any such compelled disclosure will be notified to the Organisation to the extent permitted by law.
Location data is collected only when an Employee has an active clock-in session and location tracking has been enabled by the Organisation.
Collection occurs at intervals of every 15 to 30 minutes and upon specific trigger events. No location data is collected outside active work sessions.
Location data is processed exclusively for attendance geo-verification, field workforce monitoring, route validation, and operational compliance reporting.
It is not used for advertising, cross-app tracking, personal profiling unrelated to employment, or disclosed to data brokers.
Employees can view their own historical location data through the mobile application. Admin access is governed by role-based permissions configured at the Organisation level.
We do not sell personal data. We disclose it only in the following circumstances and only to the minimum extent necessary:
| Recipient | Data Disclosed | Legal Basis | Safeguard |
|---|---|---|---|
| Your Organisation (Admin) | Employee attendance, tasks, location, expense, payroll data | Contract / Employment | RBAC; DPA in place |
| Cloud Infrastructure (AWS / Azure) | All encrypted Platform data | Contract | SOC 2 Type II; AES-256; DPA |
| Payment Gateway (Razorpay / Stripe) | Billing/payment data only | Contract | PCI-DSS; DPA |
| Email Service (SendGrid) | Email address, name | Legitimate interests | DPA; transactional use only |
| Crash Analytics (Firebase) | Anonymised crash logs, device type | Legitimate interests | Anonymised; no PII |
| Legal Authorities / Courts | As required by valid legal order | Legal obligation | Minimum disclosure; Organisation notified where permitted |
All third-party processors are bound by Data Processing Agreements restricting use to stated purposes and requiring equivalent data protection standards.
| Data Category | Retention Period | Post-Retention Action |
|---|---|---|
| Attendance Records | 3 years from date of record | Permanent irreversible deletion |
| Biometric (Facial) Data | Duration of employment + 90 days; or immediately on consent withdrawal | Cryptographic erasure and permanent deletion |
| Location Data | 12 months from date of capture | Automatic purge |
| Payroll & Financial Records | 7 years (statutory β Indian tax law) | Permanent deletion |
| Expense Records | 5 years | Permanent deletion |
| Task & Work Data | 3 years or Subscription duration (whichever shorter) | Permanent deletion |
| Account & Identity Data | Until deletion + 60-day grace period | Permanent deletion |
| Device / Technical Logs | 90 days | Automatic purge |
| Security & Audit Logs | 2 years | Permanent deletion |
Upon Subscription termination, data remains available for export for 60 days. After this period, all data is permanently and irreversibly deleted from all live and backup systems.
Requests are acknowledged within 48 hours and resolved within 30 days.
The Shurt HRMS Platform is exclusively for employed adults. It is not directed at or intended for use by children under the age of 18.
We do not knowingly collect personal data from minors. If we become aware of such collection, we will delete it immediately.
We do not use cookies for advertising or cross-site tracking.
The app uses device-local secure storage for authentication tokens and preferences only.
| Service / SDK | Provider | Purpose | Data Processed |
|---|---|---|---|
| Google Maps SDK | Google LLC | Location display & geo-fencing | GPS coordinates |
| Firebase Crashlytics | Google LLC | Crash reporting & stability | Anonymised crash logs |
| Firebase Cloud Messaging | Google LLC | Push notification delivery | Device push token |
| Razorpay / Stripe | Razorpay / Stripe Inc. | Subscription payment processing | Billing/payment data only |
| AWS / Microsoft Azure | Amazon / Microsoft | Cloud hosting & data storage | All encrypted Platform data |
| SendGrid | Twilio Inc. | Transactional email delivery | Email address, name |
Personal data is primarily stored and processed on servers located within India.
Where cloud providers process data outside India, we ensure adequate safeguards are in place, including SCCs and Data Processing Agreements.
We may update this Policy to reflect changes in data practices, legal obligations, or regulatory guidance.
For material changes, we will update the βLast Updatedβ date and notify Organisation Admins.
In accordance with applicable laws, Shurt TechSol has designated a Grievance Officer for privacy concerns and complaints.
Acknowledgement within 48 hrs Β· Resolution within 30 days
If your grievance is unresolved, you may escalate to the Data Protection Board of India (once constituted under DPDPA 2023) or a court of competent jurisdiction. EEA-based users may also lodge a complaint with their local data protection supervisory authority.