Data Protection & Processing Policy

How we safeguard your workforce data
Effective date: 8 June 2026 · ← Back to smartprs.com

SmartPRS holds some of the most sensitive data an organisation has — salaries, bank details, identity documents, GPS attendance and photographs. This policy explains exactly how that data is handled, in plain language, aligned with the Digital Personal Data Protection Act, 2023.

1. Roles — who controls what

PartyRoleMeaning
Your organisation (the Customer)Data Fiduciary / ownerDecides what employee data goes into SmartPRS and why; answers to its employees for it
AmetecsData ProcessorStores and processes that data only on the Customer's instructions, only to deliver the service

If you are an employee with a question about your records in SmartPRS, your first stop is your employer's HR team — they control the data. We assist them in fulfilling your request.

2. Categories of workspace data

  • Employee profiles — name, code, contact details, designation, department, photographs.
  • Identity and KYC documents the employer uploads — e.g. PAN, Aadhaar, address proof, DRA/PCC certificates.
  • Compensation — salary structures, payslips, bank account details, incentives, loans, advances.
  • Attendance — punches from web, mobile (including GPS coordinates and selfies where the employer enables them) and biometric devices.
  • Employment records — letters, transfers, performance, training, exits.

3. Purpose limitation

Workspace data is used only to provide SmartPRS to the Customer. It is never sold, never used for advertising, never used to train third-party AI models, and never shown to any other tenant. Aggregated, fully anonymised statistics (e.g. total platform usage counts) may be used to improve the product.

4. Security measures

  • Tenant isolation: every record is scoped to your workspace; cross-tenant access is structurally blocked in the application layer.
  • Encryption: HTTPS in transit; passwords stored hashed (never readable); payment gateway secrets, licence keys and similar credentials stored encrypted at rest.
  • Access control: role-based permissions inside your workspace (you decide who sees salaries); within Ametecs, production access is restricted to authorised personnel for support and operations only.
  • Audit trails: sensitive actions (approvals, edits to commission entries, licence events) are logged with who/when.
  • Backups: routine encrypted backups for disaster recovery, retained on a rolling cycle.

5. Where data is stored

Production data is hosted in a datacenter located in India. We do not move workspace data outside India in the ordinary course of service.

6. Sub-processors

ProviderWhat they process
Hosting provider (India)All application data (encrypted infrastructure)
RazorpaySubscription payments — name, email, mobile, amount; never your employee records
Interakt (WhatsApp API)Mobile numbers + message content for transactional WhatsApp the Customer triggers
SMTP email providerEmail addresses + message content for transactional email

We will update this list when providers change; subscribing organisations are notified of material changes by email.

7. Employee rights (Data Principals)

Employees may exercise DPDP rights (access, correction, erasure, grievance) through their employer, who controls the data. Where an employee contacts us directly, we verify and forward the request to the employer and assist with fulfilment. Employers can correct or delete employee records directly in the application.

8. Retention and deletion

  • Active subscription: data is retained as long as the Customer keeps it.
  • After subscription end: retained 90 days (export window), then permanently deleted from production, and from routine backups within the following backup cycle (up to 30 further days).
  • Customers can export their data at any time from within the application.

9. Breach notification

If we become aware of a personal data breach affecting your workspace, we will notify the workspace owner without undue delay — targeting within 72 hours of confirmation — with what happened, what data was involved, and what we are doing about it, and will cooperate with your obligations to authorities under the DPDP Act.

10. The live demo workspace

All data in the public demo (smartprs.com/demo) is fictional, exists for demonstration only, and the entire demo workspace is wiped and reseeded automatically every few hours. Do not enter real personal data into the demo.

11. Contact

Data protection questions and requests: support@ametecsindia.com (subject "Data protection"). Escalation: Grievance Redressal.