Privacy Policy

Effective Date: March 27, 2026  |  Last Updated: March 27, 2026

1. Introduction

This Privacy Policy applies to your use of GrooveHR ("we", "our", "us"), a cloud-based HR management software platform available at groovehr.com.

GrooveHR provides HR solutions including employee management, payroll processing, attendance tracking, leave management, HR document generation, and related services.

By accessing or using our Platform, you agree to the collection and use of information in accordance with this Privacy Policy and the Digital Personal Data Protection Act, 2023 ("DPDP Act").

This Privacy Policy should be read together with our Terms and Conditions.

2. Information We Collect

We may collect the following types of information:

2.1 Account & Registration Information
  • Name of the authorized representative
  • Email address
  • Phone number
  • Company/organization name and details
  • Login credentials (passwords are stored in encrypted form)
  • Subdomain preference
2.2 Employee & HR Data

As an HR software platform, GrooveHR processes employee-related data on behalf of organizations. This may include:

  • Employee names, contact details, and addresses
  • Date of birth, date of joining, and employment details
  • Department, designation, and reporting structure
  • Attendance and check-in/check-out records
  • Salary, allowances, deductions, and payroll information
  • Leave balances, applications, and history
  • HR documents (offer letters, experience certificates, etc.)
2.3 Sensitive Personal Data

The Platform may process the following sensitive personal data as defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the DPDP Act, 2023:

  • PAN (Permanent Account Number)
  • Aadhaar number
  • Bank account numbers and IFSC codes
  • UAN (Universal Account Number) for Provident Fund
  • ESI number
  • Salary and financial information

This data is collected and processed solely for the purpose of HR operations, payroll processing, and statutory compliance. It is entered by the employer (data controller) who is responsible for obtaining appropriate consent from employees.

2.4 Biometric Data

GrooveHR supports importing attendance data from biometric devices. The Platform processes biometric attendance logs (timestamps and employee identifiers) uploaded by the employer. We do not collect, store, or process raw biometric data such as fingerprints or facial scans.

2.5 Usage & Technical Data
  • IP address
  • Browser type and version
  • Device information and operating system
  • Pages accessed and features used
  • Date, time, and duration of usage
  • Referring URL

3. How We Use Information

We use the collected information for the following purposes:

  • To provide, operate, and maintain our HR software services
  • To create and manage user accounts and tenant (company) profiles
  • To process payroll, attendance, leave, and HR document operations
  • To ensure statutory compliance (PF, ESI, Professional Tax, TDS calculations)
  • To improve platform performance, features, and user experience
  • To provide customer support and respond to inquiries
  • To send important service-related communications (billing, maintenance, security alerts)
  • To ensure security, prevent fraud, and detect unauthorized access
  • To comply with legal obligations and regulatory requirements

4. Data Processing & Responsibility

GrooveHR operates under a data processor model:

  • The employer/organization (client) is the Data Fiduciary (data controller) as defined under the DPDP Act, 2023
  • GrooveHR is the Data Processor, processing data on behalf of and as instructed by the client
  • The client is responsible for obtaining consent from employees, ensuring data accuracy, and complying with applicable data protection laws
  • GrooveHR processes employee data solely for the purposes specified by the client and does not use it for any independent purpose

5. Sharing of Information

We do not sell, rent, or trade your personal data to any third party.

We may share data only in the following limited cases:

  • Service providers: With trusted third-party service providers who assist in operating the Platform (cloud hosting, email delivery, payment processing via Razorpay), bound by confidentiality agreements
  • Legal requirements: When required by law, court order, or government authority
  • Protection of rights: To protect our legal rights, enforce our Terms, and prevent fraud or security threats
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity with prior notice

6. Data Storage & Location

Your data is stored on secure cloud servers located in India. We use industry-standard cloud infrastructure with data centres that comply with ISO 27001 and SOC 2 standards.

We do not transfer your data outside of India unless explicitly required and consented to by you.

7. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Hashed password storage (bcrypt)
  • Role-based access controls within the Platform
  • Complete tenant data isolation (each company's data is logically separated)
  • Regular security updates and vulnerability monitoring
  • Secure server infrastructure with access controls

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to data principals:

  • We will notify the affected client (Data Fiduciary) within 72 hours of becoming aware of the breach
  • We will notify the Data Protection Board of India as required under the DPDP Act, 2023
  • We will provide details of the breach, data affected, and steps taken to mitigate the impact
  • The client is responsible for notifying their employees (data principals) as required by law

9. Cookies & Tracking

GrooveHR uses cookies to enhance your experience. The types of cookies we use:

  • Essential cookies: Required for authentication, session management, and CSRF protection. These cannot be disabled.
  • Functional cookies: Remember your preferences such as language and timezone settings
  • Analytics cookies: Help us understand usage patterns and improve the Platform (e.g., page views, feature usage)

We do not use third-party advertising or tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Platform from functioning correctly.

10. Your Rights

Under the DPDP Act, 2023 and applicable Indian laws, you have the following rights:

  • Right to Access: Request a summary of your personal data being processed and the processing activities
  • Right to Correction: Request correction or updating of inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your personal data, subject to legal retention requirements
  • Right to Withdraw Consent: Withdraw your consent for data processing at any time. Note that withdrawal of consent does not affect the lawfulness of processing done prior to withdrawal, and may result in discontinuation of services.
  • Right to Grievance Redressal: File a complaint with our Grievance Officer or the Data Protection Board of India
  • Right to Nominate: Nominate an individual to exercise your rights in case of death or incapacity, as per the DPDP Act

To exercise any of these rights, please contact our Grievance Officer (details below) or email support@groovehr.com. We will respond to your request within 30 days.

11. Children's Data

GrooveHR is designed for use by businesses and their employees. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete it promptly.

12. Data Retention

We retain data based on the following guidelines:

  • Active accounts: Data is retained for as long as your subscription is active
  • After termination: Data is retained for 15 days post-termination to allow data export, after which it is permanently deleted
  • Legal retention: Certain records (invoices, payment records, statutory compliance data) may be retained for up to 8 years as required by Indian tax and labour laws
  • Usage/analytics data: Aggregated and anonymized data may be retained indefinitely for service improvement purposes

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do:

  • We will update the "Last Updated" date at the top of this page
  • For material changes, we will notify you via email at least 15 days before the changes take effect
  • Continued use of the Platform after the updated policy takes effect constitutes acceptance

14. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the details of our Grievance Officer are as follows:

Name: Grievance Officer, GrooveHR
Email: grievance@groovehr.com
Response Time: We will acknowledge your grievance within 48 hours and resolve it within 30 days.

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as constituted under the DPDP Act, 2023.

15. Contact Us

If you have any questions about this Privacy Policy, you can contact us:

GrooveHR
Website: groovehr.com
Email: support@groovehr.com
Grievance: grievance@groovehr.com