πŸ“ž +91 8373 9000 76 βœ‰οΈ info@shurttech.com πŸ“ C-101, Sector 2, Noida, UP
πŸ”’ Legal & Compliance

Privacy Policy

Your privacy and data security are important to us. Learn how SHURT HRMS collects, uses, stores, and protects information.

πŸ”’ Secure by Design
πŸ“… Effective: January 2025
🏒 Shurt Tech Pvt. Ltd.

Our Policy

SHURT HRMS (β€œwe”, β€œour”, or β€œus”) respects your privacy and is committed to protecting the personal and organisational data shared with us. This Privacy Policy explains how information is collected, used, stored, and protected when using our HRMS platform and related services.

By using SHURT HRMS, you agree to the practices described in this policy.

1. Scope & Data Controller / Processor

This Privacy Policy ("Policy") describes how Shurt TechSol ("we", "us", "our") collects, uses, stores, shares, and protects personal data when you access or use the Shurt HRMS platform.

This Policy is prepared to comply with:

  • Digital Personal Data Protection Act, 2023 (DPDPA) β€” India
  • Information Technology Act, 2000 and IT (Amendment) Act, 2008 β€” India
  • IT (SPDI) Rules, 2011 β€” Sensitive Personal Data protection
  • Google Play Store Data Safety Policy and Families Policy
  • Apple App Store App Privacy Details requirements and Review Guidelines
  • GDPR β€” to the extent applicable for EEA-based users

1.1 Data Controller vs. Data Processor

As Data Processor: With respect to Employee personal data, Shurt TechSol processes data on behalf of the Organisation (the data controller) per the Organisation's instructions and a Data Processing Agreement.

As Data Controller: With respect to Organisation Admin account data and data collected for the Company's own purposes (billing, security, product improvement), Shurt TechSol is the data controller.

2. Legal Bases for Processing

Legal Basis Application
Contractual Necessity Processing required to perform the Subscription agreement, including providing HR modules and payroll services.
Consent Processing of biometric (facial) data and background location data β€” requires explicit, granular, informed consent from each Employee.
Legitimate Interests Security monitoring, fraud prevention, aggregated/anonymised platform analytics, and product improvement β€” where not overridden by individual rights.
Legal Obligation Statutory payroll reporting (PF, ESI, TDS), tax compliance, and lawful regulatory/authority requests.

3. Categories of Personal Data Collected

Category Data Points Source
Identity & Account Full name, employee ID, designation, department, profile photo, date of birth, gender Organisation / Employee
Contact Work email, work mobile, emergency contact Organisation / Employee
Biometric (Special Category) Facial feature vectors (encrypted mathematical embeddings); liveness detection data Captured via app with Employee consent
Location GPS latitude/longitude, timestamp, accuracy radius, device identifier Captured via app during active sessions
Attendance & Time Clock-in/out timestamps, shift data, working hours, regularisation records, leave balances Platform / Employee
Financial & Payroll Salary structure, CTC, PAN, bank details, PF/ESI numbers, tax declarations, payslips, expense claims and receipts Organisation / Employee
Task & Work Data Task assignments, status, comments, timestamps, attachments Platform / Employee / Admin
Device & Technical Device model, OS version, app version, IP address, device UUID, push token, crash logs Automatically collected
Usage Analytics Feature usage patterns, session duration (anonymised) Automatically collected
ℹ️
We collect only data necessary for stated purposes. We do not collect health information, racial/ethnic origin, political opinions, religious beliefs, or criminal records, except as strictly required for statutory payroll compliance with appropriate legal basis.

4. Biometric Data β€” Special Category

⚠️ Sensitive Personal Data: Facial biometric data is classified as sensitive personal data under the DPDPA 2023 and is subject to the highest level of protection and additional compliance obligations.

4.1 What We Capture & Store

We do not store raw facial photographs in our primary operational database. The AI attendance system converts facial images into encrypted mathematical feature vectors (embeddings) β€” numerical representations that cannot be reverse-processed to reconstruct a recognisable photograph.

Original images may be temporarily retained as an audit record for attendance disputes, subject to the retention schedule in Section 8.

4.2 Consent & Withdrawal

Biometric enrolment is voluntary and requires explicit, informed, documented consent from each Employee prior to activation.

Consent may be withdrawn at any time by written request to the Organisation Admin or our Grievance Officer. Biometric data will be permanently deleted within 7 business days of verified withdrawal.

4.3 Storage & Access Controls

  • Feature vectors are stored with AES-256 encryption under separately managed keys from other data categories.
  • Biometric data is physically and logically segregated at the database level.
  • Access is restricted to the automated AI inference system. No Shurt TechSol employee accesses individual biometric vectors in unencrypted form.
  • All access to biometric data stores is subject to comprehensive audit logging.

4.4 No Third-Party Disclosure

Biometric data is never sold, rented, licensed, or disclosed to any third party β€” including advertisers, data brokers, or government authorities β€” except pursuant to a valid, legally enforceable court order.

Any such compelled disclosure will be notified to the Organisation to the extent permitted by law.

5. Location Data

5.1 Collection Basis & Frequency

Location data is collected only when an Employee has an active clock-in session and location tracking has been enabled by the Organisation.

Collection occurs at intervals of every 15 to 30 minutes and upon specific trigger events. No location data is collected outside active work sessions.

5.2 Permission Levels

  • Foreground ("While Using App"): Captured while the app is actively open. Used for standard attendance geo-verification.
  • Background ("Always Allow"): Captured while the app runs in background. Required only for field employee configurations. Employees receive a clear system-level permission dialog and must explicitly grant permission.

5.3 Purpose Limitation

Location data is processed exclusively for attendance geo-verification, field workforce monitoring, route validation, and operational compliance reporting.

It is not used for advertising, cross-app tracking, personal profiling unrelated to employment, or disclosed to data brokers.

5.4 Employee Transparency

Employees can view their own historical location data through the mobile application. Admin access is governed by role-based permissions configured at the Organisation level.

6. Purposes of Processing

  • Platform Service Delivery: Providing attendance, payroll, task, expense, shift, leave, and regularisation functionality.
  • Identity Verification: Running AI facial recognition for attendance marking.
  • Payroll Processing: Computing salaries, statutory deductions (PF, ESI, TDS, PT), and generating payslips and compliance reports.
  • Workforce Management: Enabling Organisations to manage shifts, tasks, expenses, and field operations.
  • Security & Fraud Prevention: Detecting and preventing unauthorised access, attendance spoofing, expense fraud, and data breaches.
  • Legal & Regulatory Compliance: Complying with labour, tax, and data protection law; responding to lawful authority requests.
  • Support & Communication: Responding to support requests; sending service-critical notifications.
  • Product Improvement: Using anonymised, aggregated data to improve features and AI model accuracy.
  • Billing & Account Management: Processing Subscriptions, invoicing, and managing contracts with Organisations.
ℹ️
We do not use personal data for targeted advertising, behavioural profiling for commercial purposes, or sale to third parties. No personal data is shared with advertisers.

7. Data Sharing & Third-Party Disclosure

We do not sell personal data. We disclose it only in the following circumstances and only to the minimum extent necessary:

Recipient Data Disclosed Legal Basis Safeguard
Your Organisation (Admin) Employee attendance, tasks, location, expense, payroll data Contract / Employment RBAC; DPA in place
Cloud Infrastructure (AWS / Azure) All encrypted Platform data Contract SOC 2 Type II; AES-256; DPA
Payment Gateway (Razorpay / Stripe) Billing/payment data only Contract PCI-DSS; DPA
Email Service (SendGrid) Email address, name Legitimate interests DPA; transactional use only
Crash Analytics (Firebase) Anonymised crash logs, device type Legitimate interests Anonymised; no PII
Legal Authorities / Courts As required by valid legal order Legal obligation Minimum disclosure; Organisation notified where permitted

All third-party processors are bound by Data Processing Agreements restricting use to stated purposes and requiring equivalent data protection standards.

8. Data Retention Schedule

Data Category Retention Period Post-Retention Action
Attendance Records 3 years from date of record Permanent irreversible deletion
Biometric (Facial) Data Duration of employment + 90 days; or immediately on consent withdrawal Cryptographic erasure and permanent deletion
Location Data 12 months from date of capture Automatic purge
Payroll & Financial Records 7 years (statutory β€” Indian tax law) Permanent deletion
Expense Records 5 years Permanent deletion
Task & Work Data 3 years or Subscription duration (whichever shorter) Permanent deletion
Account & Identity Data Until deletion + 60-day grace period Permanent deletion
Device / Technical Logs 90 days Automatic purge
Security & Audit Logs 2 years Permanent deletion

Upon Subscription termination, data remains available for export for 60 days. After this period, all data is permanently and irreversibly deleted from all live and backup systems.

9. Data Security

  • Encryption in Transit: All data transmitted between clients and servers is encrypted using TLS 1.3.
  • Encryption at Rest: All stored data is encrypted using AES-256. Biometric data has an additional encryption layer with separately managed keys.
  • Access Controls: Role-based access control (RBAC) with least-privilege principles. MFA is enforced for all internal Shurt TechSol administrative access.
  • Infrastructure Security: Hosted on SOC 2 Type II certified cloud infrastructure. Regular independent penetration testing is conducted.
  • Audit Logging: All access to and modifications of personal data are logged in tamper-resistant logs retained for 2 years.
  • Vulnerability Management: A formal programme addresses identified vulnerabilities within defined SLAs.
  • Data Isolation: Biometric data is physically and logically segregated from all other data categories.
πŸ›‘οΈ
Breach Response: In the event of a personal data breach, we will notify affected Organisations and, where required by law, the relevant regulatory authority, within 72 hours of becoming aware.

10. Your Rights as a Data Principal

  • Right of Access: Request confirmation of and access to personal data.
  • Right to Correction: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of personal data where legally permitted.
  • Right to Withdraw Consent: Withdraw consent for biometric or location processing.
  • Right to Data Portability: Request a machine-readable copy of your data.
  • Right to Nominate: Nominate another individual to exercise rights in the event of incapacity.
  • Right to Grievance Redressal: Lodge a complaint with our Grievance Officer.
  • Right to Object (GDPR): Object to processing based on legitimate interests.

Requests are acknowledged within 48 hours and resolved within 30 days.

11. Children's Privacy

The Shurt HRMS Platform is exclusively for employed adults. It is not directed at or intended for use by children under the age of 18.

We do not knowingly collect personal data from minors. If we become aware of such collection, we will delete it immediately.

12. Cookies & Tracking Technologies

12.1 Web Application

  • Strictly Necessary Cookies: Authentication session tokens and CSRF protection.
  • Security Cookies: Fraud detection and anomalous login detection.
  • Functional Cookies: UI preferences and language settings.
  • Analytics Cookies: Anonymised usage analytics for product improvement.

We do not use cookies for advertising or cross-site tracking.

12.2 Mobile Application

The app uses device-local secure storage for authentication tokens and preferences only.

13. Third-Party SDKs & Integrations

Service / SDK Provider Purpose Data Processed
Google Maps SDK Google LLC Location display & geo-fencing GPS coordinates
Firebase Crashlytics Google LLC Crash reporting & stability Anonymised crash logs
Firebase Cloud Messaging Google LLC Push notification delivery Device push token
Razorpay / Stripe Razorpay / Stripe Inc. Subscription payment processing Billing/payment data only
AWS / Microsoft Azure Amazon / Microsoft Cloud hosting & data storage All encrypted Platform data
SendGrid Twilio Inc. Transactional email delivery Email address, name

14. International Data Transfers

Personal data is primarily stored and processed on servers located within India.

Where cloud providers process data outside India, we ensure adequate safeguards are in place, including SCCs and Data Processing Agreements.

15. Policy Updates

We may update this Policy to reflect changes in data practices, legal obligations, or regulatory guidance.

For material changes, we will update the β€œLast Updated” date and notify Organisation Admins.

16. Grievance Officer & Contact

In accordance with applicable laws, Shurt TechSol has designated a Grievance Officer for privacy concerns and complaints.

Grievance Officer β€” Shurt TechSol

Acknowledgement within 48 hrs Β· Resolution within 30 days

If your grievance is unresolved, you may escalate to the Data Protection Board of India (once constituted under DPDPA 2023) or a court of competent jurisdiction. EEA-based users may also lodge a complaint with their local data protection supervisory authority.