PRIVACY POLICY

sumHR Software Private Limited

(A wholly owned subsidiary of Amica Financial Technologies Private Limited)

Effective Date: 19 February 2026

1. Introduction

sumHR Software Private Limited (“sumHR”, “Company”, “we”, “us”, or “our”), a wholly owned subsidiary of Amica Financial Technologies Private Limited (“AFTPL”), operates the sumHR Human Resource Management System platform, accessible via the web application, Android application, and iOS application (collectively, the “Platform”). This Privacy Policy explains how we collect, use, disclose, share, and protect information obtained through the Platform.

In this Privacy Policy, “Customer” refers to the corporate entity or employer that subscribes to the Platform; “Authorised User” or “User” refers to the employees, contractors, and other individuals whose information is processed on the Platform on behalf of the Customer; and “Group Companies” refers to AFTPL and its subsidiaries, affiliates, and associated entities from time to time.

By accessing or using the Platform, or by providing information to us, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

We may collect the following categories of information through the Platform:

2.1 Information Provided by the Customer

  • Organisation details: company name, registered address, GST/PAN details, industry type, and other business identifiers.
  • Administrator credentials: name, designation, email address, and contact number of the authorised administrator(s).
  • Billing and payment information: billing address, bank account details, credit/debit card information, and invoicing details.
  • Employee data uploaded or entered by the Customer, including but not limited to employee names, employee codes, designations, departments, dates of birth, dates of joining, compensation details, bank account details, PAN, Aadhaar, phone number, email ID and other identity documents as required for payroll and compliance.

2.2 Information Provided by or Collected from Users

  • Personal details: name, email address, phone number, date of birth, gender, photograph, and emergency contact information.
  • Employment-related information: designation, department, reporting manager, date of joining, employment type, and compensation details.
  • Identity and financial information: PAN, Aadhaar number, passport details, bank account details, UPI ID, and tax-related information.
  • Attendance and leave data: clock-in/clock-out timestamps, GPS location data (where enabled by the Customer), leave records, and shift details.
  • Documents and files: uploaded identity documents, offer letters, HR letters, expense receipts, and any other files shared through the Platform.
  • Performance and feedback data: goal-setting records, performance review data, OKR progress, feedback forms, and 360-degree review responses.

2.3 Automatically Collected Information

  • Device information: device type, operating system, browser type, unique device identifiers, and mobile network information.
  • Usage data: pages visited, features used, time spent on the Platform, clickstream data, and interaction patterns.
  • Log data: IP address, access timestamps, error logs, and crash reports.
  • Location data: approximate location (IP-based) and precise GPS location (only where explicitly enabled by the Customer for attendance tracking).
  • Cookies and similar technologies: session cookies, analytics cookies, and local storage data. Details are set out in Section 10 below.

3. Purpose of Data Collection and Use

We use the information collected for the following purposes:

3.1 Platform Operations and Service Delivery

  • To provide, operate, maintain, and improve the Platform and its features, including employee database management, onboarding, attendance tracking, leave management, payroll processing, expense claims, performance reviews, and all other HRMS functionalities.
  • To process transactions, generate invoices, and manage billing and subscriptions.
  • To authenticate Users, manage access permissions, and ensure Platform security.
  • To provide customer support, respond to queries, and resolve disputes.

3.2 Communication

  • To send service-related communications, including onboarding emails, billing notifications, system updates, security alerts, and policy changes.
  • To contact Customers and Users for feedback, research, surveys, and product improvement purposes.

3.3 Analytics and Improvement

  • To analyse usage patterns, generate aggregated and anonymised insights, and improve the functionality and user experience of the Platform.
  • To conduct internal research and development for new features and services.

3.4 Legal and Regulatory Compliance

  • To comply with applicable laws, regulations, statutory obligations, and governmental requests.
  • To enforce our terms of service, protect our legal rights, and prevent fraud or illegal activities.

4. Sharing of Information with Group Companies

sumHR is a wholly owned subsidiary of AFTPL. As part of the AFTPL group, we may share information collected through the Platform with AFTPL and its other subsidiaries, affiliates, and associated entities (“Group Companies”) for the purposes set out below:

4.1 Product and Service Offerings

Group Companies may use the contact information and professional details of Users (such as name, email address, phone number, employer name, designation, and salary band) to inform them about, offer, market, and cross-sell products and services offered by Group Companies. These products and services may include, but are not limited to:

  • Banking and financial services (savings accounts, salary accounts, fixed deposits, and other deposit products);
  • Lending products (personal loans, consumer credit, and other credit facilities);
  • Prepaid payment instruments, including meal wallets, gift cards, and other benefit cards;
  • Insurance and investment products (offered either directly or through distribution partnerships);
  • Employee benefits and rewards programmes;
  • Any other financial, technology, or value-added products and services that may be offered by Group Companies from time to time.

4.2 Personalisation and Eligibility Assessment

Group Companies may use information shared by sumHR to assess the eligibility of Users for specific products and services, personalise offers, and provide tailored recommendations. This may involve the use of automated processing, analytics, and profiling techniques, subject to applicable law.

4.3 Operational and Administrative Purposes

Group Companies may use shared information for internal operational purposes, including but not limited to audit, risk management, compliance, fraud prevention, and customer support coordination across Group Company platforms.

4.4 Basis of Sharing

The sharing of information with Group Companies is undertaken on the basis that:

  • The Customer has been informed, through this Privacy Policy and the terms of the service agreement with sumHR, of such sharing and the purposes thereof;
  • Group Companies are bound by appropriate data protection and confidentiality obligations;
  • Users may opt out of receiving marketing communications from Group Companies at any time by following the unsubscribe mechanism provided in such communications or by writing to the contact details set out in Section 14.

5. Disclosure of Information to Third Parties

Apart from sharing with Group Companies as described in Section 4, we may disclose information to the following categories of third parties:

5.1 Service Providers

We engage third-party service providers to assist in operating the Platform, including cloud hosting providers, payment gateways, analytics services, communication tools, and customer support platforms. These service providers are granted access to information only to the extent necessary to perform their functions and are contractually bound to maintain confidentiality and data security.

5.2 Professional Advisors

We may share information with our legal, financial, and professional advisors where necessary for obtaining advice, managing disputes, or ensuring compliance with legal obligations.

5.3 Law Enforcement and Regulatory Authorities

We may disclose information where required by applicable law, regulation, legal process, or governmental request, or where we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights, property, or safety of sumHR, our Customers, Users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) respond to a court order, subpoena, or other legal process.

5.4 Business Transfers

In the event of a merger, acquisition, reorganisation, sale of assets, or similar corporate transaction, information collected through the Platform may be transferred to the successor entity. We will notify Customers of any such transfer and any changes to this Privacy Policy arising therefrom.

5.5 With Customer Consent

We may share information with additional third parties where the Customer or User has provided express consent for such sharing.

We do not sell, rent, or trade personal information to third parties for their independent marketing purposes, except as expressly set out in this Privacy Policy with respect to Group Companies.

6. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. Specifically:

  • Customer account data and billing information are retained for the duration of the service agreement and for a period of eight (8) years thereafter, in accordance with applicable tax and commercial laws.
  • Employee data uploaded by Customers is retained for the duration of the service agreement. Upon termination of the agreement, the Customer may request deletion or export of such data within ninety (90) days, after which sumHR may delete the data from its active systems.
  • Usage logs and analytics data may be retained in anonymised or aggregated form indefinitely for analytical and product improvement purposes.
  • Data shared with Group Companies will be retained by each Group Company in accordance with its own retention policies and applicable regulatory requirements.

7. Data Security

We implement commercially reasonable technical and organisational measures to protect the information processed through the Platform against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit (TLS/SSL) and at rest;
  • Role-based access controls and multi-factor authentication;
  • Regular security audits and vulnerability assessments;
  • Secure cloud infrastructure with reputable hosting providers;
  • Incident response protocols and breach notification procedures.

Notwithstanding the above, no method of electronic transmission or storage is entirely secure, and we cannot guarantee absolute security of information. Users are encouraged to use strong passwords and to report any suspected security incidents to us promptly.

8. User Rights and Choices

Subject to applicable law and the terms of the Customer’s agreement with sumHR, Users and Customers may exercise the following rights:

  • Access: Request access to the personal data held about them on the Platform.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of personal data, subject to legal and contractual retention requirements.
  • Data Portability: Request a copy of their data in a structured, commonly used, and machine-readable format.
  • Opt-Out of Marketing: Opt out of receiving promotional or marketing communications from sumHR or Group Companies by using the unsubscribe link in such communications or by writing to us at the contact details provided below.
  • Withdraw Consent: Where processing is based on consent, withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Since employee data on the Platform is typically managed by the Customer (employer), Users may need to direct certain data-related requests to their employer in the first instance. We will cooperate with the Customer to fulfil such requests in accordance with applicable law.

9. Customer Responsibilities

Customers are responsible for ensuring that they have obtained all necessary consents, permissions, and authorisations from their employees and other individuals before uploading or processing their personal data on the Platform. Customers warrant that the processing of employee data through the Platform, and the sharing of such data with Group Companies as described in this Privacy Policy, is in compliance with applicable employment laws, data protection laws, and internal policies. Customers shall ensure that their employees are made aware of this Privacy Policy and the potential use of their data as described herein.

10. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies for the following purposes:

  • Essential cookies: Required for the functioning of the Platform, including session management and authentication.
  • Analytics cookies: Used to understand how Users interact with the Platform, measure performance, and identify areas for improvement. We may use third-party analytics services such as Google Analytics and Amplitude for this purpose.
  • Functional cookies: Used to remember User preferences and settings.

You may manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform.

11. Third-Party Links and Services

The Platform may contain links to third-party websites or services that are not operated by sumHR. We are not responsible for the privacy practices or content of such third-party sites. We encourage Users to review the privacy policies of any third-party websites they visit. The inclusion of a link does not imply endorsement by sumHR.

12. Children’s Privacy

The Platform is not intended for use by individuals under the age of eighteen (18) years. We do not knowingly collect personal information from children. If we become aware that a child under the age of 18 has provided us with personal information, we will take steps to delete such information. If you are a parent or guardian and believe that your child has provided information to us, please contact us at the details set out below.

13. Changes to this Privacy Policy

We reserve the right to modify or update this Privacy Policy at any time. Any changes will be effective upon posting the revised Privacy Policy on the Platform with an updated effective date. Where changes are material, we will endeavour to notify Customers through the Platform or via email. Continued use of the Platform after the posting of changes constitutes acceptance of the revised Privacy Policy.

14. Grievance Officer and Contact Information

In accordance with the Information Technology Act, 2000 and the rules made thereunder, the name and contact details of the Grievance Officer are as follows:

Grievance Officer: Pritesh Gaikwad

Email: grievance@sumhr.com

Address: Office No 31, 3rd Floor, 124, Viraj Premises CHS Ltd, S V Road, Khar West Mumbai MH 400052 IN

For any queries, concerns, or complaints regarding this Privacy Policy or the processing of your data, you may also write to us at:

General Queries: help@sumhr.com

Data Protection Queries: privacy@sumhr.com

We shall endeavour to address your concerns within thirty (30) days of receipt.

15. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra.

 