Privacy Policy

Last Updated: May 27, 2026

At effiHR (“effiHR”, “we”, “our”, or “us”), we are committed to protecting the privacy,
confidentiality, and security of personal data processed through our People OS platform,
websites, mobile applications, integrations, and related services (collectively, the “Services”).

This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you use:

  • effiHR People OS platform
  • effiHR mobile applications
  • effihr.ai and related websites
  • Customer support, onboarding, implementation, and communication channels
  • Third-party integrations connected to our Services

This Privacy Policy is designed to align with:

  • India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”)
  • General Data Protection Regulation (“GDPR”), where applicable
  • Industry-standard security and privacy expectations for enterprise SaaS platforms
  • Google Workspace Marketplace and enterprise security review expectations

1. Scope of this Policy

This Privacy Policy applies to:

  • Visitors to our websites
  • Prospective customers
  • Customers using the effiHR platform
  • Employees, contractors, and users managed by our customers within the platform
  • Individuals interacting with effiHR support, sales, or marketing channels

Customer-Controlled Data

When organizations use effiHR as their HR and workforce management platform,
effiHR generally acts as a Data Processor on behalf of the customer organization.
The customer organization remains responsible for:

  • Determining the purpose of processing
  • Managing employee notices and lawful processing grounds
  • Responding to employee privacy requests where legally required

effiHR processes such personal data only in accordance with:

  • Customer instructions
  • Applicable agreements
  • Applicable laws

2. Information We Collect

Depending on how you interact with effiHR, we may collect the following categories of personal data.

A. Information You Provide Directly

This may include:

  • Name
  • Work email address
  • Phone number
  • Company name
  • Job title
  • Business address
  • Support requests and communications
  • Demo or onboarding information
  • Information submitted through forms, surveys, or chat

B. Workforce and HR Data Processed on Behalf of Customers

Customers may upload or manage workforce-related data through the platform, including:

  • Employee identification information
  • Employment records
  • Attendance and leave information
  • Payroll and compensation information
  • Performance and goal management data
  • Organizational structure and reporting data
  • Documents uploaded by customers or employees

Such information is processed solely to provide the Services.

C. Automatically Collected Information

We may automatically collect limited technical and usage information, including:

  • IP address
  • Device and browser information
  • Operating system
  • Login timestamps
  • Usage analytics
  • Error logs and diagnostics
  • Session and authentication information

D. Cookies and Similar Technologies

We use cookies and similar technologies for:

  • Authentication and session management
  • Security and fraud prevention
  • Performance monitoring
  • Product analytics
  • Remembering user preferences

Where legally required, users may manage cookie preferences through browser settings or consent tools.

E. Limited Use Disclosure

effiHR’s use and transfer of information received from Google APIs to any other app will adhere to
the Google API Services User Data Policy, including the Limited Use requirements.

We do not use intrusive tracking technologies or sell personal data to advertising networks.

3. Purpose of Processing

We process personal data only for legitimate and necessary business purposes, including:

  • Providing and operating the Services
  • User authentication and access management
  • Payroll, attendance, HR, and workforce management workflows
  • Customer onboarding and implementation
  • Customer support and issue resolution
  • Security monitoring and fraud prevention
  • Product improvement and analytics
  • Legal, regulatory, and compliance obligations
  • Business communications related to the Services

We may also process limited business contact information for:

  • Product updates
  • Service announcements
  • Event invitations

4. Legal Basis for Processing

Depending on applicable law and jurisdiction, we process personal data based on:

  • Performance of contractual obligations
  • Compliance with legal obligations
  • Legitimate business interests
  • Customer instructions
  • User consent, where required

Under the DPDP Act, we process personal data for lawful purposes after providing appropriate notice
and obtaining consent where required.

5. Data Sharing and Disclosure

We do not sell personal data.

We may share personal data only with:

A. Authorized Service Providers

Third-party vendors and subprocessors that support:

  • Cloud hosting
  • Security monitoring
  • Customer support
  • Analytics
  • Communication services
  • Payment processing
  • Infrastructure operations

All such providers are contractually bound by confidentiality and security obligations.

B. Customer Organizations

Where individuals use the Services through their employer or organization, personal data may be
accessible to authorized administrators of that organization.

C. Legal and Regulatory Authorities

We may disclose information where required to:

  • Comply with law or legal process
  • Respond to lawful government requests
  • Protect rights, security, and integrity
  • Prevent fraud or abuse

D. Business Transfers

In connection with a merger, acquisition, financing, reorganization, or sale of assets,
personal data may be transferred subject to appropriate safeguards.

6. International Data Transfers

Personal data may be processed in jurisdictions outside the country where users reside.

Where cross-border transfers occur, effiHR implements appropriate safeguards, including:

  • Contractual protections, including adherence to the Standard Contractual Clauses (SCCs) where required for EU/EEA and UK data transfers
  • Access controls
  • Encryption
  • Security reviews of subprocessors
  • Data processing agreements where applicable

A list of effiHR’s current subprocessors is maintained on a separate, dedicated webpage.

7. Data Retention

We retain personal data only for as long as necessary to:

  • Provide the Services
  • Fulfill contractual obligations
  • Meet legal, tax, audit, or compliance requirements
  • Resolve disputes
  • Enforce agreements

Upon termination of Services, customer data is deleted or anonymized in accordance with contractual
obligations and our internal Data Retention and Deletion Policy, typically within 90 days following
service termination, unless longer retention is legally required.

8. Security Measures

effiHR maintains administrative, technical, and organizational safeguards designed to protect personal
data against unauthorized access, disclosure, alteration, or destruction.

Security measures include:

  • Encryption in transit using TLS
  • Encryption at rest where applicable
  • Role-based access controls
  • Single Sign-On authentication
  • Secure cloud infrastructure
  • Audit logging and monitoring
  • Vulnerability management processes
  • Restricted employee access based on business need
  • Security awareness practices

While we maintain industry-standard safeguards, no system can guarantee absolute security.

9. Your Privacy Rights

Depending on applicable laws, individuals may have rights regarding their personal data, including:

  • Right to access personal data
  • Right to correction or updating
  • Right to withdraw consent where processing is consent-based
  • Right to request deletion, subject to legal obligations
  • Right to grievance redressal
  • Right to nominate another person under applicable Indian law
  • Right to object to certain processing activities where applicable
  • Right to data portability where legally applicable

To exercise privacy rights, contact:

We may require identity verification before processing requests.

Where effiHR acts solely as a processor on behalf of a customer organization, users may be redirected
to their employer or organization administrator.

10. DPDP Act Compliance

In accordance with India’s Digital Personal Data Protection Act, 2023:

  • effiHR processes personal data only for lawful purposes
  • We implement reasonable security safeguards
  • We support correction and erasure requests where applicable
  • We notify relevant authorities and affected parties of data breaches, where legally required, in accordance with applicable law and within specific contractual timelines (e.g., within 72 hours)
  • We maintain grievance redressal mechanisms
  • We limit processing to necessary business purposes
  • We support consent withdrawal mechanisms where applicable

For grievances or privacy concerns, users may contact:

11. Children’s Privacy

The Services are intended for business and workforce management purposes and are not directed toward children.

We do not knowingly collect personal data from individuals below the age required under applicable law
without appropriate authorization.

12. Third-Party Services and Integrations

The Services may integrate with third-party platforms and services.

This Privacy Policy does not govern third-party products or services that operate independently of effiHR.
Users should review the privacy policies of those third parties separately.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

Material changes will be communicated through appropriate channels, including website notices or platform notifications.

The “Last Updated” date at the top of this policy indicates the latest revision date.

14. Enterprise Commitments and Compliance

To meet the rigorous standards of our enterprise customers and external security reviews,
effiHR commits to the following:

  • Data Processing Agreement (DPA): For all enterprise customers, we execute a dedicated
    Data Processing Agreement (DPA) that explicitly includes GDPR Standard Contractual Clauses (SCCs).
    The DPA governs the specific terms of data processing and takes precedence over this Privacy Policy.
  • Subprocessor Transparency: A complete and up-to-date list of all third-party subprocessors
    involved in processing personal data is maintained and publicly available on our website.
  • Security Certifications: We maintain or are actively pursuing industry-standard certifications,
    including ISO 27001 and SOC 2 Type II reports. These certifications demonstrate our commitment to security
    and operational control effectiveness.
  • Internal Security Policies: For due diligence purposes, we maintain the following foundational internal policies:
      • Information Security Policy
      • Incident Response Policy
      • Data Retention & Deletion Policy
      • AI Usage & Responsible AI Policy (if applicable to platform features)

15. Contact Information

For privacy-related questions, requests, or concerns, contact: