Privacy Policy

Effective Date: 01 August 2025

At Xpertech Innovations Private Limited., including our subsidiaries and affiliated companies ("Company," "we," "our," "us," "Xpertech," "Xalary," "Xalary Mobile Application," "Service," "Site," or "Product"), we respect your privacy and are committed to protecting the personal information that we process ("Customer Data").

This Privacy Policy explains how we collect, use, store, disclose, and safeguard personal data. By using our Site or Services, you agree to this Privacy Policy and to our Terms of Service. If you do not agree, please discontinue use of the Site and Services.

1. Compliance with Indian Law

This Privacy Policy is published in compliance with:

• Section 43A of the Information Technology Act, 2000,
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and
• The Digital Personal Data Protection Act, 2023.

2. Scope of this Policy

This Privacy Policy applies to:

• Customers – individuals or entities who subscribe to our Services under a valid agreement.
• End-Users – individuals (such as employees or contractors) who gain access to our Services through a Customer.

3. Sensitive Personal Data or Information (SPDI)

Under Indian law, Sensitive Personal Data or Information (SPDI) includes but is not limited to:

• Passwords,
• Financial information (bank account, card details, etc.),
• Health conditions or medical records,
• Biometric information (facial scans, fingerprints, etc.),
• Sexual orientation, and
• Any detail relating to the above categories.

We will collect, process, store, and disclose such SPDI only:

1. With your consent, and
2. For the purposes specified at the time of collection or as required by law.

You may withdraw your consent at any time by contacting us (see Section 13).

4. Information We Collect

(a) Customer Data (Provided by Customers)

Customers may upload, store, or manage information through our Services. This may include:

• Personally Identifiable Information (PII) such as names, emails, phone numbers, addresses, employee details.
• Non-PII such as aggregated operational or usage data.

We do not control or determine the type of Customer Data stored, and Customers remain responsible for informing End-Users and obtaining any required consent.

(b) Information You Provide

• Referrals: If you use our referral service, we may collect your colleague's/friend's name, email, phone, and organization details.
• Single Sign-On (SSO): If you register using Google, Zoho, Microsoft, LinkedIn, Facebook, etc, we may receive your name, email, and other information permitted by those services.

(c) Information We Collect Automatically

• Cookies & Tracking: We use cookies and similar technologies for authentication, improving user experience, analyzing trends, and remembering preferences.
• Log Data: Includes IP address, browser type, settings, device identifiers (UDID), operating system, timestamps, product usage logs, clicks, scrolls, conversions, and drop-offs.
• Location Data (Mobile App): If enabled by your employer, we may capture GPS data for attendance/timekeeping. We may also require device access (camera for facial/selfie recognition, storage for file uploads).
• Analytics: We may work with third-party providers to collect anonymized usage insights for analysis and improvements.

5. How We Use Your Information

We use personal information to:

• Deliver, operate, and improve our Services.
• Authenticate users and provide secure access.
• Provide support, resolve issues, and enforce our Terms of Service.
• Send service-related communications, updates, and notifications.
• Send marketing or promotional materials (where permitted and with consent).
• Generate anonymized/aggregated insights to improve features and develop new products.

We do not access or review Customer Data except:

• To resolve technical or support issues.
• At the request of the Customer.
• To comply with legal obligations.

6. Legal Basis for Processing

• Contractual Necessity: Processing is required to deliver our Services to Customers.
• Legitimate Interests of Customers: For example, maintaining employee records, compliance, and operational efficiency.
• Consent (where required): Especially for collection/use of SPDI.
• Legal Obligations: Where processing is required by law.

7. Data Security

We implement robust security measures to protect data, including:

• TLS encryption for data in transit.
• Encryption of data at rest.
• Secure hosting environments with firewalls and intrusion prevention.
• Role-based access control, strong authentication, and restricted personnel access.
• OWASP-aligned secure coding practices.
• Periodic third-party vulnerability assessments.

In case of a security breach, we will notify affected parties as required by Indian law and other applicable regulations.

8. Information Sharing

We may share information only in the following cases:

1. Affiliates: With subsidiaries/affiliated entities consistent with this Policy.
2. Sub-Processors: With trusted vendors providing hosting, database, analytics, or support services (bound by confidentiality and data protection obligations).
3. Legal Requirements: Where disclosure is required to comply with applicable laws or enforce rights.
4. Business Transactions: In case of mergers, acquisitions, or sale of assets, Customer Data may be transferred.
5. Public/Voluntary Information: Any data voluntarily shared in public areas of the Service will be treated as non-confidential.

9. Links to Third-Party Sites

Our Site may link to third-party websites. We are not responsible for their privacy practices, and we encourage you to review their policies before sharing information.

10. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has submitted personal information, please contact us, and we will take steps to delete it.

11. Your Rights (Data Subjects / Data Principals)

Depending on applicable law, you may have the right to:

• Access your personal data.
• Request correction, update, or deletion.
• Withdraw consent (for SPDI or where consent is the basis of processing).
• Restrict or object to processing.
• File a grievance if you believe your data has been mishandled.

12. Data Retention

• Customer Data is retained for the duration of the subscription agreement.
• After termination, data is retained for 1 month unless otherwise agreed, after which it is permanently deleted.
• Backup copies are purged within 30 days of deletion.
• In case of disputes or legal obligations, data may be retained longer as necessary.

13. Grievance Officer

In accordance with Indian law, the Company has designated a Grievance Officer:

The Grievance Officer shall acknowledge and resolve grievances within the timelines prescribed under applicable Indian law.

14. Governing Law & Jurisdiction

This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of India. The courts at Bangalore, (Karnataka, India) shall have exclusive jurisdiction.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised Effective Date. We may also notify you via email or Service notices where required. Continued use of the Services constitutes acceptance of the updated Policy.

16. Contact Us

If you have questions or concerns regarding this Privacy Policy or our data practices, please contact: