Privacy Policy
Last Updated: 23/06/2026
1. Introduction
ZenflowHR ("we", "us", or "our") is a cloud-based Human Resource Management System (HRMS) developed and operated by Zenflow Pvt Ltd, incorporated under the laws of India.
This Privacy Policy explains how we collect, use, store, share, and protect information when you access or use our platform at zenflowhr.com, our mobile application, and all associated services (collectively referred to as the "Platform").
We are committed to protecting your personal data in compliance with:
• The Digital Personal Data Protection Act, 2023 (DPDP Act) - India
• The Information Technology Act, 2000 and IT (Amendment) Act, 2008
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• The General Data Protection Regulation (GDPR) - for users in the European Economic Area
By accessing or using ZenflowHR, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.
2. Who This Policy Applies To
This Privacy Policy applies to:
• Business Customers ("Organisations") - companies that subscribe to ZenflowHR to manage their HR operations
• End Users ("Employees") - employees, managers, HR administrators, and other individuals whose data is processed through the Platform on behalf of the Organisation
• Visitors - individuals who visit our website at zenflowhr.com without creating an account
• Consultants and HR Professionals - third parties who use ZenflowHR to manage HR for multiple client organisations
ZenflowHR acts as a Data Processor for employee data on behalf of the Organisation (Data Controller). The Organisation is responsible for ensuring they have a lawful basis to input employee data into the Platform.
3. Information We Collect
3.1 Information Provided by Organisations
When an Organisation subscribes to ZenflowHR and configures the Platform, they may provide:
• Company name, registered address, and business identification details
• GST number, PAN, and other statutory identifiers
• Leave policies, shift configurations, attendance rules, and HR policy documents
• Organisational structure including departments, designations, and reporting hierarchies
• Billing and payment information (processed securely through our payment gateway partners)
3.2 Employee Data Inputted by Organisations
Organisations may upload or input the following employee data into the Platform:
• Full name, employee ID, date of birth, gender, and photograph
• Contact details - personal email address, mobile number, and residential address
• Employment details - designation, department, date of joining, employment type, and reporting manager
• Government-issued identifiers - Aadhaar number, PAN card, passport number, and driving licence (where required for statutory compliance)
• Bank account details for payroll processing
• Leave records, attendance logs, shift assignments, and roster data
• Signed policy documents and consent acknowledgements
• Emergency contact information
• Educational qualifications and work experience (where captured during onboarding)
3.3 Information Collected Automatically
When users access the Platform, we automatically collect:
• IP address, browser type, operating system, and device identifiers
• Log data including pages visited, features accessed, timestamps, and session duration
• GPS coordinates - only when an employee uses mobile GPS-based attendance check-in, and only at the moment of check-in
• Cookies and similar tracking technologies (see Section 10 for details)
3.4 Information From Third-Party Integrations
If your Organisation connects ZenflowHR with third-party services such as Google Workspace or Microsoft 365 for single sign-on or employee directory sync, we may receive basic profile information (name, email address, and profile photograph) from those services, subject to your authorisation.
4. How We Use Your Information
We use the information collected for the following purposes:
4.1 Platform Operation and Service Delivery
• Providing leave management, attendance tracking, shift scheduling, roster management, employee management, and consent management features
• Processing multi-tenant access so authorised users can manage multiple organisations from a single login
• Sending automated notifications for leave approvals, attendance alerts, shift changes, and policy acknowledgements
• Generating HR reports, analytics dashboards, and compliance documentation
4.2 Account and Security Management
• Authenticating users and managing role-based access control
• Maintaining tamper-proof audit trails of all actions taken within the Platform
• Detecting and preventing unauthorised access, fraud, and security incidents
• Enforcing our Terms of Service and Platform usage policies
4.3 Communication
• Sending transactional emails related to account setup, password reset, and system notifications
• Providing onboarding support, product updates, and service announcements
• Responding to customer support requests and feedback
4.4 Platform Improvement
• Analysing aggregated, anonymised usage patterns to improve Platform features and performance
• Conducting internal research and development to build new HR capabilities
4.5 Legal and Regulatory Compliance
• Complying with applicable Indian laws, including the DPDP Act 2023, the IT Act 2000, and labour law regulations
• Responding to lawful requests from government authorities, courts, or regulatory bodies
• Establishing, exercising, or defending legal claims
We do not use your personal data for advertising purposes. We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
5. Legal Basis for Processing Personal Data
Under the DPDP Act 2023 and applicable data protection laws, we process personal data on the following legal bases:
• Contractual necessity - processing required to deliver the services you have contracted with us
• Legitimate interests - processing necessary for the security, integrity, and improvement of the Platform, where such interests are not overridden by the rights of data principals
• Legal obligation - processing required to comply with applicable laws and regulations
• Consent - where required by law, we obtain explicit consent before processing certain categories of sensitive personal data
Organisations are responsible for establishing a valid legal basis for processing employee data inputted into the Platform.
6. Data Sharing and Disclosure
We do not share your personal data with third parties except in the following circumstances:
6.1 Service Providers and Sub-processors
We engage trusted third-party service providers who assist us in operating the Platform. These include:
• Cloud infrastructure providers for hosting and data storage
• Payment gateway partners for processing subscription payments
• Email and SMS delivery services for transactional communications
• Analytics tools for aggregated, anonymised platform performance monitoring
All sub-processors are contractually bound to process data only on our instructions, maintain appropriate security measures, and comply with applicable data protection laws.
6.2 Within Multi-Tenant Accounts
In a multi-tenant configuration, an authorised administrator managing multiple organisations can access data across those organisations. Access is strictly limited to organisations they are explicitly authorised to manage. Data across different organisations is never shared or visible between unrelated accounts.
6.3 Legal Requirements
We may disclose personal data if required to do so by applicable law, court order, or government authority, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of ZenflowHR, our users, or the public.
6.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, personal data held by ZenflowHR may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy. Affected users will be notified prior to any such transfer.
7. Data Security
We implement reasonable security practices and procedures consistent with the SPDI Rules and DPDP Act, including:
- Encryption of data in transit (HTTPS/TLS);
- Passwords stored only as salted hashes (never in plain text);
- JWT-based authentication, optional multi-factor authentication, and trusted-device controls;
- Role- and permission-based access control with the principle of least privilege;
- Logical tenant isolation enforced at the data layer;
- Audit logging of changes;
- Secret management for third-party credentials (no secrets stored in source code).
No method of transmission or storage is completely secure; we cannot guarantee absolute security, but we work to protect your data and to respond promptly to incidents.
8. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required by law.
• Active account data is retained for the duration of the subscription
• Upon termination of a subscription, we retain account data for 90 days to allow data export by the Organisation
• After 90 days post-termination, data is permanently and irreversibly deleted from our systems
• Audit logs are retained for 3 years from the date of creation
• Financial and billing records are retained for 7 years in accordance with Indian accounting and tax laws
• Where an Organisation is subject to a legal hold or ongoing dispute, data may be retained beyond the standard periods until the matter is resolved
Organisations may request earlier deletion of employee data at any time, subject to overriding legal retention obligations.
9. Your Rights as a Data Principal
Under the DPDP Act 2023 and applicable data protection regulations, individuals have the following rights regarding their personal data:
9.1 Right to Access
You have the right to obtain confirmation of whether we are processing your personal data and to access a summary of the data we hold about you.
9.2 Right to Correction
You have the right to request correction of inaccurate or incomplete personal data held about you.
9.3 Right to Erasure
You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, subject to overriding legal retention obligations.
9.4 Right to Withdraw Consent
Where we process your personal data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
9.5 Right to Grievance Redressal
You have the right to have your grievance regarding processing of your personal data addressed in a timely and effective manner. See Section 12 for our grievance redressal mechanism.
9.6 Right to Data Portability
Organisations may export their data from the Platform in standard formats (Excel, CSV, PDF) at any time during an active subscription.
Employee requests regarding personal data should first be directed to the Organisation's HR administrator, as the Organisation is the Data Controller for employee data. If the Organisation is unable to address your request, you may contact us directly at info@zenflowhr.com.
10. Cookies and Tracking Technologies
ZenflowHR uses cookies and similar technologies to enhance your experience on our Platform. We use the following types of cookies:
• Essential Cookies - required for the Platform to function. These enable login sessions, security features, and core functionality. These cannot be disabled.
• Performance Cookies - collect anonymised data on how users interact with the Platform to help us improve performance and usability.
• Preference Cookies - remember your settings and preferences such as language, timezone, and dashboard configuration.
We do not use advertising cookies or sell cookie data to third parties.
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Platform.
11. Third-Party Links and Integrations
The Platform may contain links to third-party websites or support integrations with third-party services such as Google Workspace and Microsoft 365. These third parties have their own privacy policies, and we are not responsible for their data practices.
We recommend reviewing the privacy policies of any third-party services you connect to ZenflowHR before enabling integrations.
12. Children's Privacy
The Platform is intended for use by businesses and their adult workforce. We do not knowingly collect personal data of children (individuals under 18) except where provided by a Tenant for legitimate employment-related records, in which case the Tenant is responsible for the applicable consents under the DPDP Act.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable laws. When we make material changes, we will:
• Update the 'Last Updated' date at the top of this Policy
• Notify Organisation administrators via email at least 14 days before the changes take effect
• Display a prominent notice on the Platform
Your continued use of ZenflowHR after the effective date of any updated Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you may terminate your subscription before the effective date.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Company: ZenflowHR
Support: info@zenflowhr.com
Website: www.zenflowhr.com