1. Introduction
Xpertech Innovations Private Limited ("Company", "we", "us", or "our") operates the Xalary HRMS platform. We are committed to protecting your personal information in accordance with applicable Indian data protection laws, including:
- Information Technology Act, 2000
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
- Digital Personal Data Protection Act, 2023 ("DPDP Act")
This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Services.
2. Information We Collect
2.1 Information You Provide
We collect information that you or your employer provides directly to us:
- Account Information: Name, email address, phone number, job title, and organization details
- Employee Data: Names, contact details, employment history, salary information, bank details, tax identifiers (PAN, Aadhaar), and other HR-related information
- Financial Information: Payroll data, tax declarations, investment proofs, and reimbursement claims
- SSO Registration: Information received from identity providers during single sign-on
2.2 Information Collected Automatically
When you use our Services, we automatically collect certain information:
- Log Data: IP address, browser type and version, device identifiers, operating system, and usage patterns
- Cookies and Tracking: We use cookies and similar technologies for authentication, improving user experience, and analyzing usage trends
2.3 Mobile Application Data
If you use our mobile application, we may collect additional data with your consent:
- Location Data: GPS location for attendance tracking (if enabled by your employer)
- Biometric Data: Facial recognition data for identity verification (if enabled by your employer)
- Device Information: Device model, operating system, and app version
Important Note on Sensitive Personal Data
Biometric data (facial recognition) is classified as sensitive personal data under the SPDI Rules. We collect this data only with your explicit consent and implement enhanced security measures for its protection.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Description |
|---|---|
| Service Delivery | To provide, maintain, and improve our HR and payroll management services |
| Authentication | To verify your identity and manage your account access |
| Technical Support | To respond to your inquiries and provide customer support |
| Communications | To send service notifications, updates, and administrative messages |
| Marketing | To send promotional communications (only with your consent) |
| Analytics | To analyze usage patterns and improve our Services (using anonymized data) |
| Legal Compliance | To comply with applicable laws and regulatory requirements |
4. Information Sharing
We may share your information in the following circumstances:
4.1 With Your Employer
If you are an employee using Xalary through your employer, your employer (as the data controller) has access to your employment-related data within the platform.
4.2 With Service Providers
We engage trusted third-party vendors to assist in providing our Services:
- Cloud hosting and infrastructure providers
- Database management services
- Analytics and monitoring services
- Customer support tools
These providers are contractually bound to protect your data and use it only for the purposes we specify.
4.3 Legal Requirements
We may disclose your information when required by law, court order, or government authority, or when necessary to:
- Comply with legal obligations
- Protect our rights and property
- Prevent fraud or security threats
- Protect the safety of users or the public
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.
5. Data Security
We use the following security measures to protect your information:
- Encryption in Transit: All data transmitted between your device and our servers is protected using TLS encryption
- Encryption at Rest: Sensitive data is encrypted in our databases using industry-standard encryption algorithms
- Secure Infrastructure: Our services are hosted on secure, certified cloud infrastructure
- Access Controls: Role-based access controls ensure only authorized personnel can access your data
- Security Practices: We follow OWASP-aligned secure coding practices and conduct periodic vulnerability assessments
- Monitoring: Continuous monitoring for security threats and anomalies
Data Breach Notification
In the event of a data breach that affects your personal information, we will notify the appropriate authorities and affected individuals as required by the DPDP Act and other applicable laws.
6. Your Rights
Under applicable data protection laws, you have the following rights regarding your personal information:
6.1 Right to Access
You can request a copy of the personal information we hold about you.
6.2 Right to Correction
You can request that we correct any inaccurate or incomplete personal information.
6.3 Right to Erasure
You can request that we delete your personal information, subject to legal retention requirements.
6.4 Right to Restrict Processing
You can request that we limit how we use your personal information.
6.5 Right to Withdraw Consent
Where processing is based on your consent, you can withdraw that consent at any time.
6.6 How to Exercise Your Rights
For Employees: If you are an employee accessing Xalary through your employer, please contact your employer's HR department to exercise your rights, as they are the primary data controller for your employment data.
For All Users: You may also contact us directly at support@xalary.in for privacy-related inquiries.
7. Data Retention
We retain your personal information as follows:
- Active Subscription: Customer data is retained throughout the subscription period
- Post-Termination: Data is retained for one (1) month after subscription termination to allow for account reactivation or data export
- Backup Purging: Backup copies are purged within 30 days of the retention period expiry
- Legal Requirements: Some data may be retained longer if required by law (e.g., tax records, statutory compliance)
8. Cookies and Tracking
8.1 What Are Cookies
Cookies are small text files stored on your device that help us provide and improve our Services.
8.2 Types of Cookies We Use
- Essential Cookies: Required for authentication and basic functionality
- Preference Cookies: Remember your settings and preferences
- Analytics Cookies: Help us understand how users interact with our Services
8.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.
9. Cross-Border Data Transfers
Our Services may involve the transfer of data to servers located outside India. When we transfer data internationally, we ensure appropriate safeguards are in place to protect your information in accordance with applicable data protection laws.
10. Children's Privacy
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- Sending an email notification for significant changes (where appropriate)
Your continued use of our Services after such changes constitutes your acceptance of the updated policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Xpertech Innovations Private Limited
Email: support@xalary.in
We will acknowledge your request within 24 hours and aim to resolve your concerns within 15 days.