Scope & Data Controller / Processor
This Privacy Policy ("Policy") describes how Shurt TechSol ("we", "us", "our") collects, uses, stores, shares, and protects personal data when you access or use the Shurt HRMS platform.
This Policy is prepared to comply with:
- Digital Personal Data Protection Act, 2023 (DPDPA) — India
- Information Technology Act, 2000 and IT (Amendment) Act, 2008 — India
- IT (SPDI) Rules, 2011 — Sensitive Personal Data protection
- Google Play Store Data Safety Policy and Families Policy
- Apple App Store App Privacy Details requirements and Review Guidelines
- GDPR — to the extent applicable for EEA-based users
1.1 Data Controller vs. Data Processor
As Data Processor: With respect to Employee personal data, Shurt TechSol processes data on behalf of the Organisation (the data controller) per the Organisation's instructions and a Data Processing Agreement.
As Data Controller: With respect to Organisation Admin account data and data collected for the Company's own purposes (billing, security, product improvement), Shurt TechSol is the data controller.
Legal Bases for Processing
| Legal Basis | Application |
|---|---|
| Contractual Necessity | Processing required to perform the Subscription agreement, including providing HR modules and payroll services. |
| Consent | Processing of biometric (facial) data and background location data — requires explicit, granular, informed consent from each Employee. |
| Legitimate Interests | Security monitoring, fraud prevention, aggregated/anonymised platform analytics, and product improvement — where not overridden by individual rights. |
| Legal Obligation | Statutory payroll reporting (PF, ESI, TDS), tax compliance, and lawful regulatory/authority requests. |
Categories of Personal Data Collected
| Category | Data Points | Source |
|---|---|---|
| Identity & Account | Full name, employee ID, designation, department, profile photo, date of birth, gender | Organisation / Employee |
| Contact | Work email, work mobile, emergency contact | Organisation / Employee |
| Biometric (Special Category) | Facial feature vectors (encrypted mathematical embeddings); liveness detection data | Captured via app with Employee consent |
| Location | GPS latitude/longitude, timestamp, accuracy radius, device identifier | Captured via app during active sessions |
| Attendance & Time | Clock-in/out timestamps, shift data, working hours, regularisation records, leave balances | Platform / Employee |
| Financial & Payroll | Salary structure, CTC, PAN, bank details, PF/ESI numbers, tax declarations, payslips, expense claims and receipts | Organisation / Employee |
| Task & Work Data | Task assignments, status, comments, timestamps, attachments | Platform / Employee / Admin |
| Device & Technical | Device model, OS version, app version, IP address, device UUID, push token, crash logs | Automatically collected |
| Usage Analytics | Feature usage patterns, session duration (anonymised) | Automatically collected |
Biometric Data — Special Category
4.1 What We Capture & Store
We do not store raw facial photographs in our primary operational database. The AI attendance system converts facial images into encrypted mathematical feature vectors (embeddings) — numerical representations that cannot be reverse-processed to reconstruct a recognisable photograph. Original images may be temporarily retained as an audit record for attendance disputes, subject to the retention schedule in Section 8.
4.2 Consent & Withdrawal
Biometric enrolment is voluntary and requires explicit, informed, documented consent from each Employee prior to activation. Consent may be withdrawn at any time by written request to the Organisation Admin or our Grievance Officer. Biometric data will be permanently deleted within 7 business days of verified withdrawal.
4.3 Storage & Access Controls
- Feature vectors are stored with AES-256 encryption, under keys managed separately from those used for other data categories.
- Biometric data is physically and logically segregated at the database level.
- Access is restricted to the automated AI inference system. No Shurt TechSol employee accesses individual biometric vectors in unencrypted form.
- All access to biometric data stores is subject to comprehensive audit logging.
4.4 No Third-Party Disclosure
Biometric data is never sold, rented, licensed, or disclosed to any third party — including advertisers, data brokers, or government authorities — except pursuant to a valid, legally enforceable court order. Any such compelled disclosure will be notified to the Organisation to the extent permitted by law.
Location Data
5.1 Collection Basis & Frequency
Location data is collected only when an Employee has an active clock-in session and location tracking has been enabled by the Organisation. Collection occurs at intervals of 15 to 30 minutes and upon specific trigger events. No location data is collected outside active work sessions.
5.2 Permission Levels
- Foreground ("While Using App"): Captured while the app is actively open. Used for standard attendance geo-verification.
- Background ("Always Allow"): Captured while the app runs in the background. Required only for field employee configurations. Employees receive a clear system-level permission dialog and must explicitly grant permission. This collection is disclosed in the data safety declarations on Google Play and the App Store.
5.3 Purpose Limitation
Location data is processed exclusively for attendance geo-verification, field workforce monitoring, route validation, and operational compliance reporting. It is not used for advertising, cross-app tracking, personal profiling unrelated to employment, or disclosed to data brokers.
5.4 Employee Transparency
Employees can view their own historical location data through the mobile application. Admin access is governed by role-based permissions configured at the Organisation level.
Purposes of Processing
- Platform Service Delivery: Providing attendance, payroll, task, expense, shift, leave, and regularisation functionality.
- Identity Verification: Running AI facial recognition for attendance marking.
- Payroll Processing: Computing salaries, statutory deductions (PF, ESI, TDS, PT), and generating payslips and compliance reports.
- Workforce Management: Enabling Organisations to manage shifts, tasks, expenses, and field operations.
- Security & Fraud Prevention: Detecting and preventing unauthorised access, attendance spoofing, expense fraud, and data breaches.
- Legal & Regulatory Compliance: Complying with labour, tax, and data protection law; responding to lawful authority requests.
- Support & Communication: Responding to support requests; sending service-critical notifications.
- Product Improvement: Using anonymised, aggregated data to improve features and AI model accuracy. No individual is identifiable from data used for this purpose.
- Billing & Account Management: Processing Subscriptions, invoicing, and managing contracts with Organisations.
Data Sharing & Third-Party Disclosure
We do not sell personal data. We disclose it only in the following circumstances and only to the minimum extent necessary:
| Recipient | Data Disclosed | Legal Basis | Safeguard |
|---|---|---|---|
| Your Organisation (Admin) | Employee attendance, tasks, location, expense, payroll data | Contract / Employment | RBAC; DPA in place |
| Cloud Infrastructure (AWS / Azure) | All encrypted Platform data | Contract | SOC 2 Type II; AES-256; DPA |
| Payment Gateway (Razorpay / Stripe) | Billing/payment data only | Contract | PCI-DSS; DPA |
| Email Service (SendGrid) | Email address, name | Legitimate interests | DPA; transactional use only |
| Crash Analytics (Firebase) | Anonymised crash logs, device type | Legitimate interests | Anonymised; no PII |
| Legal Authorities / Courts | As required by valid legal order | Legal obligation | Minimum disclosure; Organisation notified where permitted |
All third-party processors are bound by Data Processing Agreements restricting use to stated purposes and requiring equivalent data protection standards.
Data Retention Schedule
| Data Category | Retention Period | Post-Retention Action |
|---|---|---|
| Attendance Records | 3 years from date of record | Permanent irreversible deletion |
| Biometric (Facial) Data | Duration of employment + 90 days; or immediately on consent withdrawal | Cryptographic erasure and permanent deletion |
| Location Data | 12 months from date of capture | Automatic purge |
| Payroll & Financial Records | 7 years (statutory — Indian tax law) | Permanent deletion |
| Expense Records | 5 years | Permanent deletion |
| Task & Work Data | 3 years or Subscription duration (whichever shorter) | Permanent deletion |
| Account & Identity Data | Until deletion + 60-day grace period | Permanent deletion |
| Device / Technical Logs | 90 days | Automatic purge |
| Security & Audit Logs | 2 years | Permanent deletion |
Upon Subscription termination, data remains available for export for 60 days. After this period, all data is permanently and irreversibly deleted from all live and backup systems.
Data Security
- Encryption in Transit: All data transmitted between clients and servers is encrypted using TLS 1.3.
- Encryption at Rest: All stored data is encrypted using AES-256. Biometric data has an additional encryption layer with separately managed keys.
- Access Controls: Role-based access control (RBAC) with least-privilege principles. MFA is enforced for all internal Shurt TechSol administrative access.
- Infrastructure Security: Hosted on SOC 2 Type II certified cloud infrastructure. Regular independent penetration testing is conducted.
- Audit Logging: All access to and modifications of personal data are logged in tamper-resistant logs retained for 2 years.
- Vulnerability Management: A formal programme addresses identified vulnerabilities within defined SLAs.
- Data Isolation: Biometric data is physically and logically segregated from all other data categories.
Your Rights as a Data Principal
- Right of Access: Request confirmation of and access to personal data we hold about you, including processing purposes.
- Right to Correction: Request correction of inaccurate, incomplete, or outdated data.
- Right to Erasure: Request deletion of personal data where no longer necessary, subject to legal retention obligations.
- Right to Withdraw Consent: Withdraw consent for biometric or background location processing at any time without affecting prior lawful processing.
- Right to Data Portability: Request a copy of your data in a structured, machine-readable format.
- Right to Nominate (DPDPA 2023): Nominate another individual to exercise rights on your behalf in the event of death or incapacity.
- Right to Grievance Redressal: Lodge a complaint with our Grievance Officer (Section 16).
- Right to Object (GDPR, where applicable): Object to processing based on legitimate interests for EEA data subjects.
Employee rights requests should be directed to the Organisation's HR Admin in the first instance. Direct requests may also be submitted to our Grievance Officer. Requests are acknowledged within 48 hours and resolved within 30 days (extendable by 30 days for complex matters, with notice).
Children's Privacy
The Shurt HRMS Platform is exclusively for employed adults. It is not directed at, designed for, or intended for use by children under the age of 18 (or the minimum legal working age in the jurisdiction, if higher). We do not knowingly collect personal data from minors. If we become aware of such collection without verifiable consent, we will delete the data immediately.
This disclosure complies with the Google Play Families Policy, Apple App Store Review Guidelines (Guideline 1.3), and DPDPA 2023 provisions on children's data.
Cookies & Tracking Technologies
12.1 Web Application
- Strictly Necessary Cookies: Authentication session tokens, CSRF protection — essential for core functionality; cannot be disabled.
- Security Cookies: Fraud detection, anomalous login detection, session integrity.
- Functional Cookies: UI preferences, language settings, dashboard layout.
- Analytics Cookies: Anonymised usage analytics for product improvement — opt-out available via Cookie Preferences in the web application.
We do not use cookies for advertising or cross-site tracking. No third-party advertising cookies are placed.
12.2 Mobile Application
The app uses device-local secure storage for authentication tokens and preferences only. It does not track users across third-party apps or websites and does not use advertising identifiers (GAID/IDFA) for advertising purposes.
Third-Party SDKs & Integrations
| Service / SDK | Provider | Purpose | Data Processed |
|---|---|---|---|
| Google Maps SDK | Google LLC | Location display & geo-fencing | GPS coordinates |
| Firebase Crashlytics | Google LLC | Crash reporting & stability | Anonymised crash logs, device type |
| Firebase Cloud Messaging | Google LLC | Push notification delivery | Device push token |
| Razorpay / Stripe | Razorpay / Stripe Inc. | Subscription payment processing | Billing/payment data only |
| AWS / Microsoft Azure | Amazon / Microsoft | Cloud hosting & data storage | All encrypted Platform data |
| SendGrid | Twilio Inc. | Transactional email delivery | Email address, name |
All third-party integrations are bound by their own privacy policies and a Data Processing Agreement with the Company. This list may be updated; material changes will be reflected in Policy updates.
International Data Transfers
Personal data is primarily stored and processed on servers located within India. Where cloud providers process data outside India for redundancy or operational purposes, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms and Data Processing Agreements requiring equivalent data protection standards.
For EEA-based users, transfers outside the EEA are conducted in compliance with GDPR Chapter V requirements.
Policy Updates
We may update this Policy to reflect changes in data practices, legal obligations, or regulatory guidance. For material changes, we will: (a) update the "Last Updated" date; (b) deliver in-app and email notice to Organisation Admins at least 15 days before the change takes effect; and (c) seek fresh consent for changes affecting the legal basis of biometric data processing.
Continued use after the effective date constitutes acceptance. If you do not accept the updated Policy, you must discontinue use and may request data deletion.
Grievance Officer & Contact
In accordance with the Information Technology Act, 2000, IT (SPDI) Rules, 2011, and DPDPA 2023, Shurt TechSol has designated a Grievance Officer for privacy concerns, data rights requests, and complaints:
Grievance Officer — Shurt TechSol
Acknowledgement within 48 hrs · Resolution within 30 days
If your grievance is unresolved, you may escalate to the Data Protection Board of India (once constituted under DPDPA 2023) or a court of competent jurisdiction. EEA-based users may also lodge a complaint with their local data protection supervisory authority.