Privacy Policy
Effective date: May 23, 2026 | Last updated: June 22, 2026
Verdeshell Technologies Pvt. Ltd. ("Verdeshell", "we", "our", or "us") operates the Verdeshell HRMS web application at https://hrms.verdeshell.comand the Verdeshell HRMS mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect personal information when you use the Service.
Role clarification. Verdeshell is a software-as-a-service provider and acts as a Data Processor on behalf of the organisation (your employer or tenant) that subscribes to the Service. Your employer is the Data Controller: it determines the purposes and means for which your data is processed, establishes the lawful basis for processing, and is responsible for obtaining any consents and providing any notices required by law (including for location, photograph, and biometric data). Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") these roles correspond to Data Fiduciary (your employer) and Data Processor (Verdeshell), and you are the Data Principal. Verdeshell processes personal data only on your employer's documented instructions and is not responsible for the lawfulness of those instructions or for the employment or other decisions your employer makes. For questions about your employer's data practices, please contact your HR or IT department.
1. Information We Collect
1.1 Account and Identity Data
- Full name, email address, phone number
- Employee ID / staff number assigned by your organisation
- Date of birth, gender, nationality (where provided by your employer)
- Profile photograph
- Hashed password (we never store your password in plain text)
1.2 Employment and Payroll Data
- Designation, department, reporting hierarchy, join and exit dates
- Salary structure, pay components, bank account details (for payroll disbursement)
- PF, ESI, Professional Tax, TDS-related identifiers as required by Indian law
- Leave entitlements, leave requests, and leave balances
1.3 Attendance and Location Data
- Check-in and check-out timestamps, GPS coordinates (latitude and longitude), and reverse-geocoded address at the time of attendance marking
- Location accuracy notice.GPS coordinates are provided by the device's location hardware and may be imprecise indoors, in areas of poor signal, or on older devices. Human-readable addresses are derived using OpenStreetMap's Nominatim geocoding service, which is community-maintained and may not reflect the exact address in all locations. Location data is indicative and should not be treated as legally definitive evidence of physical presence.
- Selfie photograph captured at check-in or check-out for biometric verification
- Regularisation requests and approval decisions
1.4 Timesheet and Project Data
- Hours logged against projects and tasks, weekly timesheet submissions
- Manager approval decisions on submitted timesheets
1.5 Documents
- Employee documents uploaded to the Service (e.g., identity proofs, educational certificates, offer letters) — stored on AWS S3 with server-side encryption
1.6 Device and Usage Data
- Firebase Cloud Messaging (FCM) push notification tokens for in-app alerts
- IP address, browser type, and session timestamps (server logs)
- App version and operating system (mobile)
1.7 Biometric Face Data
- If you choose to enrol in kiosk face check-in, the mobile app captures a selfie which is transmitted to our servers. A facial geometry embedding (a mathematical representation of your facial features, not the raw image) is computed and stored server-side. This embedding is used solely to recognise you at kiosk terminals for attendance marking.
- The raw enrollment photograph is discarded after the embedding is computed and is not retained.
- Face embeddings are permanently deleted when your employment record is removed from the Service or when you unenrol via the mobile app.
- Face check-in enrolment is entirely optional. You may withdraw at any time through the app's Face Enrollment screen; standard GPS-based check-in remains available.
2. How We Use Your Information
We use personal data only to deliver and improve the Service as instructed by your employer:
- Authenticating your identity and maintaining your account
- Recording and managing attendance, leave, and timesheets on behalf of your employer
- Processing payroll, generating payslips, and filing statutory returns
- Delivering push notifications for approvals, alerts, and announcements
- Reverse-geocoding check-in/check-out coordinates into human-readable addresses
- Generating HR analytics and reports for your employer's administrators
- Sending transactional emails (payslips, leave decisions, regularisation updates)
- Ensuring security, detecting fraud, and maintaining audit logs
3. Legal Basis for Processing
We process personal data under the following lawful bases (applicable per jurisdiction):
- Contract performance — processing necessary to deliver the Service to your employer and fulfil the employment relationship
- Legal obligation — payroll, statutory deductions (PF/ESI/TDS), and statutory reporting required by Indian law
- Legitimate interests — security logging, fraud prevention, and service improvement where these interests are not overridden by your rights
- Consent— location and camera access on mobile devices (required by device OS permissions); biometric face enrolment for kiosk check-in (optional, explicitly opted in). You may withdraw any of these consents via device settings or the app's Face Enrollment screen (this may limit certain features).
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
- Your employer (Data Controller) — HR administrators and authorised managers within your organisation see your employment and attendance data as part of the HR workflow
- Sub-processors — third-party service providers engaged under data processing agreements, including:
- Amazon Web Services (AWS) — cloud hosting and file storage
- Google Firebase — push notification delivery (FCM)
- OpenStreetMap / Nominatim — reverse geocoding (coordinates only, no personal identifiers sent)
- Microsoft (MS Graph API) — transactional email delivery
- Razorpay — subscription billing for your employer (payment data)
- Legal requirements — where required by law, court order, or regulatory authority
- Business transfer — in the event of a merger or acquisition, subject to the same privacy protections
5. Data Retention
We retain personal data for as long as your employer's subscription is active. Upon subscription termination, data is retained for 90 days to allow export, then permanently deleted unless a longer retention period is required by applicable law (e.g., Indian payroll records must be retained for 8 years under various statutes). Biometric face embeddings are deleted immediately upon unenrolment or when the associated employee record is removed, whichever comes first.
6. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. Requests should be directed to your employer first; we will assist your employer in fulfilling them within the timelines described in our Data Processing Agreement. You may also contact us directly at support@verdeshell.com and we will route your request appropriately.
6.1 Under GDPR (EU/UK users)
- Right to access — obtain a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to lodge a complaint with a supervisory authority (e.g., your national Data Protection Authority)
6.2 Under DPDP Act 2023 (India)
- Right to access information about personal data processed
- Right to correction and erasure
- Right to grievance redressal
- Right to nominate a representative for post-mortem data decisions
6.3 Under CCPA (California, USA)
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt out of sale (we do not sell personal data)
- Right to non-discrimination for exercising your rights
7. International Data Transfers
Data is primarily stored on AWS servers in the Asia Pacific (Mumbai) region. When data is transferred to sub-processors in other regions (e.g., EU-based GDPR-regulated services), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by GDPR.
8. Security
We implement industry-standard security measures, including:
- TLS encryption in transit for all API communications
- AES-256 server-side encryption at rest for files on AWS S3
- Bcrypt password hashing — passwords are never stored in plain text
- Row-Level Security (RLS) in PostgreSQL — strict tenant data isolation
- Role-Based Access Control (RBAC) — employees see only data they are authorised to access
- Audit logs for all sensitive actions (login, approvals, data exports)
- Automatic session expiry and secure HTTP-only cookies
No method of transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
9. Technology Accuracy and Limitations
The Service automates complex HR calculations and workflows. While we work to maintain high accuracy, no software system is free of defects or edge-case errors. You should be aware of the following limitations:
- Payroll and statutory calculations— payroll figures, statutory deductions (PF, ESI, TDS, Professional Tax), and related outputs are computed based on configuration set by your employer and the rules programmed into the system. They may not account for every possible edge case, policy change, or jurisdiction-specific rule. Your employer's HR and finance teams are responsible for verifying these figures before use.
- Location and geocoding — GPS coordinates depend on device hardware and signal quality. Reverse-geocoded address descriptions are sourced from OpenStreetMap (Nominatim), a community-maintained service, and may be approximate or unavailable in some locations.
- Biometric recognition — face recognition operates at a configured similarity threshold and may occasionally misidentify or fail to identify an enrolled individual in challenging lighting or appearance conditions.
- Reports and analytics — HR analytics and canned reports are generated from data entered into the system. Incomplete or incorrect input data will produce inaccurate outputs.
Verdeshell provides software tools only and is not liable for decisions made by employers or employees based on outputs from the Service without independent verification, nor for any unlawful or improper use of the Service by any user. See our Terms of Service (Sections 8, 11, and 13) for the full disclaimer and allocation of responsibility.
10. Children's Privacy
The Service is designed for use by adults in a professional employment context. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided data through the Service, please contact us immediately.
11. Cookies and Tracking
The web application uses HTTP-only session cookies for authentication. We do not use third-party advertising cookies or behavioural tracking cookies. The mobile application does not use cookies; it uses secure device storage for session tokens.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes — including changes to data categories collected, purposes of processing, sharing arrangements, or your rights — we will notify the Customer organisation by email and post an in-app notice at least 30 days before the changes take effect. For non-material updates (corrections, clarifications, or formatting changes), we will update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date of any update constitutes acceptance of the revised policy.
13. Contact Us
For privacy-related questions, data subject requests, or to report a concern, please contact:
Verdeshell Technologies Pvt. Ltd.
Sector 58, Gurgaon, Haryana, India – 122011
Email: support@verdeshell.com