Legal
Privacy policy.
Last reviewed · 15 May 2026
Working draft · counsel review pending
This Privacy Policy is a working draft prepared from public Indian statutes (Digital Personal Data Protection Act 2023, IT Rules 2011 SPDI, Indian Contract Act 1872) and standard SaaS contractual practice. It is pending review by Indian SaaS legal counsel. For any current contractual relationship, the executed Master Agreement and DPA signed between the parties govern. Questions: email sales@employeesight.com with subject “Legal — Privacy Policy”.
1. Who we are
EmployeeSight (“EmployeeSight”, “we”, “us”) is a software service operated by EmployeeSight Technologies Private Limited, with its registered office at Iconic Tower, The Corenthum, Sector 62, Noida 201309, Uttar Pradesh, India.
Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), EmployeeSight acts as the Data Fiduciary for personal data of administrators and billing contacts at our customer organisations, and as the Data Processor for personal data of our customers’ employees, processed strictly on their documented instructions.
2. Personal data we collect
We collect the following categories of personal data:
- Account identifiers — name, work email, role, and employer organisation of the people you set up as users.
- Billing data — billing address, GST number, and the last four digits of a payment method (full card numbers are processed by our payment processor and never stored by us).
- Usage telemetry — pages visited, features used, error reports, and IP address. This telemetry is aggregated and de-identified for product-improvement purposes.
- Customer-employee data — the employee records you create or upload (salary, attendance, project hours, biometric attendance signals, payroll-related identifiers). Processed only on the documented instructions of our customer (your employer).
3. Lawful basis for processing
For administrator and billing data, we process on the basis of your consent obtained at account creation. For customer-employee data, we rely on the legitimate use ground under DPDP s.7 — we process this data solely to perform our service contract with the customer.
4. How we use your data
- Providing the EmployeeSight service to your organisation.
- Billing and account administration.
- Customer support, including responding to your requests.
- Security, fraud prevention, and audit logging.
- Compliance with applicable Indian law (e.g., GST invoicing, payroll record retention under the Income Tax Act, 1961).
- Product improvement — using aggregated, de-identified telemetry.
5. Your rights as a Data Principal
Under the DPDP Act, you have the right to:
- Access a summary of the personal data we process about you.
- Correct or complete inaccurate or incomplete personal data.
- Update your data after it changes.
- Erase personal data that is no longer necessary for the purpose collected, subject to statutory retention (see §10).
- Nominate a person to exercise your rights in the event of death or incapacity.
- Seek grievance redressal through our Grievance Officer (see §6).
Account admins can do most of this from the in-product Settings > Data page. For anything that isn’t self-serve, write to sales@employeesight.com with the subject “DPDP Rights Request”. We respond within thirty (30) days.
6. Grievance Officer
In accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 and DPDP s.8(10):
- Name: Grievance Officer, EmployeeSight
- Email: sales@employeesight.com
- Address: Iconic Tower, The Corenthum, Sector 62, Noida 201309, Uttar Pradesh, India
- Response SLA: thirty (30) days from receipt of a verifiable grievance.
7. Children’s data
EmployeeSight is a workplace platform; we do not knowingly process personal data of individuals under the age of eighteen (18). Where personal data of a minor is processed (e.g., dependents listed in an employee’s benefit-nominee record), processing requires the verifiable consent of the parent or legal guardian, and we do not undertake any behavioural monitoring or targeted advertising of minors per DPDP s.9.
8. Data residency & cross-border transfer
All customer data is stored and processed in India by default, on Amazon Web Services in the Mumbai region (ap-south-1). We do not transfer personal data outside India unless the customer explicitly enables a cross-border feature and the destination jurisdiction has not been restricted by the Central Government under DPDP s.16.
9. Breach notification
In the event of a personal-data breach, we will:
- Notify CERT-In within six (6) hours of becoming aware of a reportable cyber incident, per the CERT-In Directions 2022.
- Notify the Data Protection Board of India and affected Data Principals as prescribed under DPDP s.8(6).
- Provide affected customers with the information they need to meet their own notification obligations.
10. Retention
Active customer data is retained while the account is active and for ninety (90) days after cancellation, during which you can re-activate without loss. After ninety (90) days, data is deleted from primary systems and purged from backups within an additional thirty-five (35) days.
Payroll records and tax-relevant data are retained for a minimum of eight (8) years from the relevant assessment year, in line with the Income Tax Act, 1961.
11. Sub-processors
We use a small set of sub-processors (cloud hosting in AWS Mumbai, transactional email, payment processing, error tracking). The current list is maintained in the Data Processing Addendum at /legal/dpa. We notify customers in writing at least thirty (30) days before adding a new sub-processor.
12. Workforce product specifics
For customers of EmployeeSight Work: screenshots are off by default, and the screenshot agent never runs on personal devices on which we do not have an agent installed. Keystrokes are never captured. Activity during admin-configured private hours is not recorded on the server. The full posture is documented on the Work product page and is contractually backed in the DPA.
13. Cookies & site analytics
Our marketing website may use first-party cookies and aggregate analytics (Google Analytics 4 and similar) to understand how visitors use the site. We do not run behavioural advertising or cross-site tracking. To opt out, use your browser’s privacy controls or write to the address in §6.
14. Changes to this policy
We may update this policy from time to time. Material changes are announced on this page with a revised “last reviewed” date and, where the change is significant, by email to administrators.
15. Contact
Questions about this policy or our data practices? Write to sales@employeesight.com or to the postal address in §6. One inbox routes everything for now.