This Privacy Policy explains how HRSetu ("we", "us", "our") collects, uses, stores, and protects information when you use our payroll management platform ("Service"). We are committed to protecting the privacy and security of the data entrusted to us by our users and their employees.
Effective Date: April 2026 | Last Updated: April 2026
1. Information We Collect
Given the nature of payroll processing, we collect and process several categories of information:
Company Information
- Company name, registration number, and legal entity details
- Company address and contact information
- GST number, PF establishment code, and ESIC registration number
- Bank account details for payroll disbursement
- Administrator name, email address, and login credentials
Employee Personally Identifiable Information (PII)
- Full name, date of birth, and gender
- Contact details (email, phone number, address)
- Employee photograph
- Department, designation, and date of joining
- Emergency contact information
Sensitive Employee Data
- PAN (Permanent Account Number)
- Aadhaar number
- UAN (Universal Account Number) for PF
- ESIC IP number
- Bank account number and IFSC code
Salary & Payroll Data
- CTC (Cost to Company) and salary structure breakdowns
- Monthly payroll records including gross pay, deductions, and net pay
- Attendance records and leave data
- Increment and revision history
- Full & Final settlement details
- Statutory contribution amounts (PF, ESIC, PT, Bonus, Gratuity)
2. How We Use Information
We use the information collected solely for the purpose of providing and improving the Service:
| Purpose | Data Used |
|---|---|
| CTC calculation & salary structuring | CTC amount, statutory profile, company configuration |
| Monthly payroll processing | Salary structure, attendance, LOP, statutory rates |
| Statutory compliance (PF, ESIC, PT) | Employee PII, salary data, statutory IDs (UAN, ESIC IP) |
| Full & Final settlement | Service history, salary data, leave balance, gratuity eligibility |
| Report generation & exports | Aggregated payroll and employee data |
| Account management & authentication | Admin credentials, company association, role assignments |
3. Data Storage
Your data is stored securely with the following measures:
- Database: All data is stored in PostgreSQL databases with encryption at rest.
- Server Location: Our servers are located in India, ensuring your data remains within Indian jurisdiction.
- Backups: Regular automated backups are performed to prevent data loss.
- File Storage: Employee documents and photographs are stored in encrypted file storage with access controls.
- Environment Isolation: Each company's data is logically isolated in our multi-tenant architecture, ensuring no cross-company data access.
4. Data Sharing
We take data sharing very seriously. Your data is handled as follows:
- Never Sold: We will never sell your data or employee data to any third party, under any circumstances.
- Statutory Filing: Data may be shared with government statutory bodies (EPFO, ESIC, Income Tax Department) only for the purpose of statutory filing, and only with the explicit consent and action of the Company Administrator.
- Service Providers: We may use third-party service providers (e.g., hosting, email) who process data on our behalf under strict data processing agreements.
- Legal Requirement: We may disclose data if required by Indian law, court order, or government regulation.
- No Marketing Use: Employee data is never used for marketing, advertising, or any purpose unrelated to the Service.
5. Employee Data Protection
We recognise that employee data processed through HRSetu is highly sensitive. Special protections apply:
- PAN & Aadhaar: These national identity numbers are stored in encrypted form and displayed only in masked format (e.g., XXXXX1234A) in the user interface.
- Bank Details: Bank account numbers and IFSC codes are encrypted at rest and only accessible to authorised company administrators.
- Salary Information: Salary data is strictly confidential and accessible only through role-based permissions set by the Company Administrator.
- Access Logging: All access to sensitive employee data is logged in our audit trail for accountability.
- Employee Consent: The Company Administrator is responsible for obtaining appropriate consent from employees for data processing through the platform.
6. Data Retention
We retain your data according to the following policy:
- Active Account: All data is retained for as long as your account remains active and in good standing.
- After Termination: Upon account termination or cancellation, your data is retained for 30 days to allow for data export. After this period, data is permanently deleted from our active systems.
- Backup Retention: Data may persist in encrypted backups for up to 90 days after deletion from active systems, after which backups are purged.
- Legal Obligations: Certain records may be retained longer if required by Indian labour law, tax law, or other applicable regulations.
- Deletion Request: You may request deletion of your data at any time by contacting us. We will process deletion requests within 30 business days, subject to legal retention requirements.
7. Security Measures
We implement comprehensive security measures to protect your data:
- Role-Based Access Control (RBAC): Users can only access data and features they are explicitly authorised for. Super Admin, Company Admin, and User roles have distinct permission sets.
- Audit Logs: All significant actions — data access, modifications, payroll processing, exports — are logged with timestamps and user identification.
- Encrypted Passwords: All passwords are hashed using bcrypt and are never stored or transmitted in plain text.
- Session Management: Sessions time out automatically after periods of inactivity. Concurrent session controls prevent unauthorised access.
- TLS/SSL Encryption: All data in transit between your browser and our servers is encrypted using TLS 1.2 or higher.
- Input Validation: All user inputs are validated and sanitised to prevent injection attacks and data corruption.
- Regular Updates: Our platform and infrastructure are regularly updated with the latest security patches.
8. Your Rights
As a user of HRSetu, you have the following rights regarding your data:
- Right to Access: You may request a copy of all data we hold about your company and employees at any time.
- Right to Correction: You may update or correct any inaccurate data through the platform interface, or request corrections by contacting us.
- Right to Deletion: You may request deletion of your data, subject to legal retention requirements and the 30-day export window after account termination.
- Right to Export: You may export your data in standard formats (Excel, CSV, PDF) using the platform's built-in export features at any time.
- Right to Restrict Processing: You may request that we limit processing of certain data while a dispute or correction request is being resolved.
- Right to Object: You may object to any processing of data that goes beyond what is necessary for providing the Service.
9. Cookies
HRSetu uses cookies and similar technologies for the following purposes:
- Essential Cookies: Required for authentication, session management, and security. These cannot be disabled as they are necessary for the Service to function.
- Preference Cookies: Store your settings and preferences (e.g., language, dashboard layout) for a better user experience.
- Analytics Cookies: Help us understand how the platform is used so we can improve features and performance. These are anonymised and do not track individual users.
We do not use advertising or tracking cookies. No employee data is ever stored in cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes:
- The "Last Updated" date at the top of this page will be revised.
- For material changes affecting how we handle employee data, we will notify all registered Company Administrators via email at least 15 days before the changes take effect.
- Continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.
- If you do not agree with the updated policy, you may terminate your account and request data deletion.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
- Platform: HRSetu – Bridging HR & Compliance
- Email: privacy@hrsetu.com
- Support Email: support@hrsetu.com
- Website: hrsetu.com
We will respond to all privacy-related inquiries within 15 business days.