EmpTrack AI — Privacy Policy
Operator: EmpTrack AI, a workforce intelligence and Human Resource Management System (HRMS) platform founded and operated by Lakshay Devendra Porchattiwar (Founder & CEO) (the "Company", "EmpTrack AI", "we", "us", or "our").
Registered Office: 53B, Deepakamale Layout, Trilok Nagar, Duttawadi, Wadi, Nagpur - 440021, Maharashtra, India Contact / Grievance Email: user.support@emptrackai.online Governing Country: India
Effective Date: [Insert Date] Version: 1.0 Last Updated: [Insert Date] Platform Status: Under active development (beta / pre-release)
This Privacy Policy explains how EmpTrack AI collects, uses, discloses, secures, and retains personal data through the EmpTrack AI platform (the "Platform"). It should be read together with our Terms and Conditions, Acceptable Use Policy, and, for organizations, our Data Processing Agreement (DPA). This Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
1. Our Commitment and Constitutional Basis
1.1. EmpTrack AI is committed to protecting the privacy of individuals whose data is processed through the Platform. We recognize that the right to privacy is a fundamental right under Article 21 of the Constitution of India, as affirmed by the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017).
1.2. We follow the core data-protection principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
2. Scope and Roles (Who Is Responsible for Your Data)
2.1. This Policy applies to: (a) organizations that subscribe to the Platform ("Customers"); (b) the employees, applicants, and other individuals whose data a Customer processes through the Platform ("Data Principals"); and (c) visitors to our websites.
2.2. Roles under the DPDP Act, 2023:
- For employee, applicant, payroll, and other HR data uploaded by a Customer, the Customer is the Data Fiduciary (it decides the purpose and means of processing) and EmpTrack AI acts as a Data Processor, processing such data only on the Customer's documented instructions.
- For data we collect directly for our own purposes (e.g., account registration, billing, website analytics, and support), EmpTrack AI acts as the Data Fiduciary.
2.3. If you are an employee or applicant and have questions about how your employer uses your data, please contact your employer (the Customer / Data Fiduciary) in the first instance.
3. Personal Data We Collect
We collect the following categories of data:
3.1. Account and Customer data: name, business email, phone number, organization name, role, billing details, and authentication data.
3.2. HR and workforce data (processed on behalf of the Customer): employee and applicant records, attendance and leave data, payroll and compensation data, performance data, documents, and asset assignments.
3.3. Sensitive Personal Data or Information (SPDI): financial information such as bank account or payment details, and, where a Customer chooses to upload it, other sensitive categories. Such data is handled under the heightened safeguards of the SPDI Rules, 2011 (Rule 8) and Section 43A of the IT Act, 2000.
3.4. Technical and usage data: IP address, device and browser information, log data, audit-log activity, and usage analytics.
3.5. Communications: support requests, emails, and OTP/verification records.
3.6. We practise data minimization — we do not intentionally collect more data than is necessary for the stated purposes.
4. Lawful Basis and Consent
4.1. Where EmpTrack AI is the Data Fiduciary, we process personal data on the basis of consent or another legitimate use permitted under Sections 4–7 of the DPDP Act, 2023 (for example, to provide a service you requested, for billing, or to comply with law).
4.2. Where EmpTrack AI is the Data Processor, the Customer is responsible for establishing the lawful basis, obtaining consent from Data Principals, and providing the required notice under Section 5 of the DPDP Act, 2023.
4.3. You may withdraw consent at any time (see Clause 10); withdrawal does not affect processing carried out before withdrawal or processing required by law.
5. How We Use Personal Data
We use personal data to:
5.1. provide, operate, maintain, and secure the Platform and its HR modules;
5.2. authenticate users (including OTP and MFA) and enforce Role-Based Access Control;
5.3. process subscriptions, billing, and support;
5.4. generate reports, analytics, and AI-driven insights for the Customer's own HR purposes (see Clause 6);
5.5. maintain audit logs for security, accountability, and legal compliance;
5.6. comply with Applicable Law and respond to lawful requests from authorities; and
5.7. communicate service, security, and administrative notices.
We do not sell personal data.
6. AI Features and Personal Data
6.1. The Platform includes AI features (AI Analytics, AI Assistant, AI Insights, Productivity Analytics) that process data to generate suggestions and analytics to support, not replace, human decision-making. Meaningful human oversight applies to HR decisions, consistent with Article 14 of the Constitution of India (non-discrimination).
6.2. AI outputs may be imperfect or incomplete and must be validated by the Customer before reliance.
6.3. We do not use a Customer's identifiable personal or confidential data to train generative AI models for third parties without consent. We may use aggregated, de-identified, or anonymized data to improve and secure the service.
7. Cookies and Similar Technologies
7.1. Our websites and Platform may use cookies and similar technologies for authentication, security, preferences, and analytics. Details are provided in our Cookie Policy. You can manage non-essential cookies through your browser or our consent tools.
8. Disclosure and Sharing of Data
We share personal data only as necessary and lawful:
8.1. Sub-processors / service providers: vetted third parties (e.g., cloud hosting, email, payment processing) engaged under contractual data-protection obligations equivalent to this Policy and our DPA.
8.2. Legal and regulatory: where required by Applicable Law, court order, or a competent authority (including CERT-In under the IT Act, 2000).
8.3. Business transfers: in connection with a merger, acquisition, or reorganization, subject to continued protection of the data.
8.4. We do not otherwise disclose personal data to third parties for their independent purposes.
9. Cross-Border Data Transfers
9.1. Personal data is primarily processed in India. Where data is transferred or hosted outside India, we do so in accordance with the DPDP Act, 2023 and any restrictions notified by the Central Government, and we ensure appropriate safeguards. Customers are informed of the location(s) where their data is hosted.
10. Your Rights as a Data Principal
Subject to Applicable Law and verification of identity, you have the right to:
10.1. access a summary of your personal data and its processing;
10.2. correction, completion, and updating of inaccurate or incomplete data;
10.3. erasure of your personal data where no longer required or where consent is withdrawn;
10.4. grievance redressal through our Grievance Officer (Clause 14);
10.5. nominate another individual to exercise your rights in the event of death or incapacity; and
10.6. withdraw consent where processing is based on consent.
To exercise these rights where EmpTrack AI is the Data Fiduciary, contact us at user.support@emptrackai.online. Where your data was uploaded by your employer, we will refer or assist the request to the relevant Customer (Data Fiduciary).
11. Children's Data
11.1. The Platform is not directed at children (persons below 18 years of age). Consistent with the DPDP Act, 2023, we do not knowingly process a child's personal data without verifiable parental/guardian consent, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
12. Data Security — Keeping Your Data Safe
We implement reasonable security practices and procedures as required under Section 43A of the IT Act, 2000 and the SPDI Rules, 2011, and informed by recognized standards (ISO/IEC 27001, ISO/IEC 27701, OWASP, NIST). These include:
12.1. encryption in transit (TLS) and at rest;
12.2. access controls — RBAC, MFA, OTP verification, and least-privilege access;
12.3. audit logging of critical activity;
12.4. secure development, API security, rate limiting, and secrets management;
12.5. backups, disaster recovery, and business continuity aligned with the goals of ISO 22301; and
12.6. incident response consistent with the CERT-In Directions dated 28 April 2022 (Section 70B(6), IT Act, 2000).
While we apply strong safeguards, no system can guarantee absolute security. As the Platform is under active development, we continually enhance our controls. Security is a shared responsibility between EmpTrack AI and the Customer.
13. Data Breach Notification
13.1. In the event of a personal data breach, we will act promptly to contain and assess it, notify the affected Customer without undue delay, and report reportable cyber incidents to CERT-In as required.
13.2. Where EmpTrack AI is the Data Fiduciary, we will notify affected Data Principals and the Data Protection Board of India where required under the DPDP Act, 2023. Where EmpTrack AI is the Data Processor, the Customer (Data Fiduciary) is responsible for such notifications, with our assistance.
14. Data Retention
14.1. We retain personal data only as long as necessary for the purposes described in this Policy or as required by Applicable Law (including tax, labour, and company-law record-keeping).
14.2. On termination of a Customer's subscription, HR data is made available for export for a limited period and then deleted or anonymized, subject to legal retention requirements, in line with our Terms and DPA.
15. Grievance Officer / Data Protection Contact
In compliance with the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the grievance-redressal requirements of the DPDP Act, 2023, our designated contact is:
- Name: Lakshay Devendra Porchattiwar
- Designation: Founder & CEO / Grievance Officer & Data Protection Contact
- Email: user.support@emptrackai.online
- Address: 53B, Deepakamale Layout, Trilok Nagar, Duttawadi, Wadi, Nagpur - 440021, Maharashtra, India
Grievances will be acknowledged within [48 hours] and resolved within the timelines prescribed under Applicable Law.
16. Changes to This Policy
16.1. We may update this Policy to reflect changes in law, technology, or our practices. Material changes will be notified through the Platform or by email. Continued use after the effective date constitutes acknowledgement of the updated Policy.
17. Contact Us
EmpTrack AI Founder & CEO: Lakshay Devendra Porchattiwar Email: user.support@emptrackai.online Registered Office: 53B, Deepakamale Layout, Trilok Nagar, Duttawadi, Wadi, Nagpur - 440021, Maharashtra, India
Legal Disclaimer: This Privacy Policy is a professionally structured template aligned with Indian law as of its drafting date and does not constitute legal advice. Before publishing, complete all bracketed placeholders and have it reviewed by a qualified advocate/attorney licensed in India. Confirm the currently commenced provisions of the Digital Personal Data Protection Rules with counsel, as they are being brought into force in phases.