Categories of Data:

Personal Data:

• Name, email, phone number, Aadhaar/PAN (for KYC).
• Business details (GSTIN, CIN, company address).

HR & Recruitment Data:

• Resumes, job applications, interview records.
• Employee payroll, attendance, performance reviews.

Technical & Usage Data:

• IP address, browser type, device ID, cookies.
• Clickstream data, session recordings, error logs.

Financial Data:

• Payment details (credit card, UPI, net banking).
• Invoice history, transaction records.

Biometric Data (Optional):

• Facial recognition for attendance (with explicit consent).

2. Purpose of Data Collection

We use your data to:

Improve User Experience:

• Personalize dashboards, recommend features, and optimize workflows.

Enhance Security:

• Detect/prevent fraud, hacking, and unauthorized access.

Develop AI Models:

• Train algorithms for recruitment, HRMS, and ERP+ (data anonymized).

Legal Compliance:

• GST filings, tax audits, and labour law adherence.

3. Data Security & Penalties

Security Protocols:

Military-Grade Encryption: AES-512 for data at rest/transit.

Zero-Trust Architecture: MFA, biometric verification, and quantum-safe encryption.

Annual Audits: Third-party security audits by CERT-In empaneled firms. India

Response Time: 48 hours for legal/security issues.

Penalties for Breaches:

Hackers/Unauthorized Access:

• ₹10 Crore penalty + criminal prosecution under Sections 43, 66, and 66B of the IT Act, 2000.
• Liability for damages under Section 43A of the IT Act (compensation for negligence).

IP Theft/Reverse-Engineering:

• ₹10 Crore penalty + damages under Copyright Act, 1957 and Section 378 of IPC (theft).
• Permanent injunction under Section 14 of the Specific Relief Act, 1963.

4. Data Sharing

We share data with:

1. Trusted Third Parties:

• Payment Processors : Razorpay (PCI-DSS compliant).
• Cloud Providers : AWS Mumbai (ISO 27001 certified).
• Analytics : Google Analytics (anonymized data only).

2. Legal Authorities:

• Income Tax Department, Ministry of Corporate Affairs, or courts under Indian law.

Contracts: Third parties must sign NDAs and comply with DPDPA, 2023.

5. Data Retention

• HR Data: 8 years (per Indian labour laws)
• Financial Data: 10 years (per Income Tax Act).
• Recruitment Data:3 years (unless deleted by user).
• Biometric Data: Deleted immediately after use (if consent is revoked).

6. Your Rights

Under the Digital Personal Data Protection Act (DPDPA), 2023, you can:

• Access/Portability: Request a copy of your data in CSV/JSON format.
• Correction: Update inaccurate data via your account dashboard.
• Deletion: Erase Data(excludes legal requirements).
• Deletion: Erase data (excludes legal requirements).
• Opt-Out: Withdraw consent for marketing emails or biometrics.
• Object: Challenge automated decision-making (e.g., AI recruitment scores).

Response Time: 7 days working for all requests.

Cookies & Tracking

• Strictly Necessary: Login sessions, payment gateways.
• Performance: Google Analytics, Hotjar (opt-out via browser settings).
• Advertising: None. We do not sell data to advertisers.

Cookies & Tracking

We do not knowingly collect data from users under 18. Violators will face account termination and legal action.

9. Updates & Notifications

• Policy changes will be notified via email and in-app alerts.
• Continued use after updates implies acceptance.

12. Grievance Redressal

Grievance Officer:

Name: Sheikh MD Kounain

Email: support@cruxhr.com

Address: Bangalore, Karnataka, India

Response Time:  48 hours for legal/security issues.