Privacy Policy

Last updated · 22 May 2026 Version · 1.0 Entity · Infomaze Sphere LLP

This Privacy Policy describes how Infomaze Sphere LLP ("Infomaze," "we," "us," or "our") collects, uses, discloses, and protects personal data in connection with the hrPLANR platform (the "Service"), our website at hrplanr.com, and related communications.

This Policy is published under the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and applies to personal data of website visitors, prospective customers, current customers, and individuals whose data is processed by the Service.

Lawyer review required This Policy has been prepared as a working draft based on common industry practice. It must be reviewed and finalised by qualified legal counsel before publication. Items marked [BRACKETED] require confirmation specific to your business.

Who we are

Infomaze Sphere LLP is a limited liability partnership registered in India. We operate the hrPLANR platform — an AI-driven workforce operations platform for Indian companies. Our role under the DPDP Act varies depending on the data and the context:

For website visitor data and prospect/sales data: we act as the Data Fiduciary — we decide why and how we process this personal data.
For employee data processed inside customer tenants: we act as the Data Processor on behalf of our customer, who is the Data Fiduciary. Our DPA, available at hrplanr.com/legal/dpa, governs that processing.

This Policy primarily addresses our role as Data Fiduciary. For our role as Data Processor handling employee data on behalf of our customers, refer to our DPA and the Privacy Policy of the customer you work for.

Registered office	[ADDRESS — to be added by lawyer/founder], Bengaluru, Karnataka, India
LLP Identification Number	[LLPIN — to be added]
GST Identification Number	[GSTIN — to be added]
Contact	privacy@hrplanr.com

Personal data we collect

We collect personal data in three contexts. Each is described below with the specific data fields involved.

Website visitor data

When you visit hrplanr.com:

Technical data: IP address, browser type, device type, operating system, referrer URL, pages visited, time spent — collected via privacy-friendly analytics (Plausible Analytics)
Cookies: a minimal set of strictly necessary cookies (session, CSRF protection). See our Cookie Policy for details.
Communications: if you contact us via chat or email, we collect the content of those communications

Prospect & sales data

When you request a demo, sign up for a free trial, or correspond with our sales team:

Name, work email address, company name, job title, phone number, country/city
Company size (employee count range), industry, current HR/payroll system (if disclosed)
Records of demos attended, conversations held, proposals exchanged

Customer account data

When your organisation purchases a hrPLANR subscription, we collect (from the contracting party):

Billing contact name, email, phone, billing address, GSTIN
Payment information (processed by our payment gateway; we do not store card details)
Designated administrators and their roles within the platform

Platform & employee data

For employee data that flows through the hrPLANR platform — payslips, attendance, leave, KYC documents, Aadhaar references, PAN, bank details — our customer (the employer) is the Data Fiduciary. We process this data only on the customer's instructions per the DPA. This data is not used for our own purposes and is not subject to this Privacy Policy in the way our own data collection is. See our DPA for details.

How we use personal data

We process personal data for the following purposes:

Purpose	Legal basis (DPDP Act)
Operating our website — serving pages, security, debugging	Legitimate use
Responding to enquiries — demo requests, sales calls, support questions	Consent + legitimate use
Sending product communications — onboarding, product updates, security notices	Consent
Sending marketing emails — newsletters, product news	Consent (opt-in; opt-out anytime)
Billing and accounting — invoicing, GST compliance, financial records	Legal obligation
Improving the platform — aggregate usage analytics, error monitoring	Legitimate use
Statutory compliance — Income Tax, GST, Companies Act, DPDP Act	Legal obligation
Security and fraud prevention — abuse detection, account protection	Legitimate use

What we do not do: we do not sell personal data. We do not share personal data with advertisers. We do not use personal data of employees in customer tenants to train AI models — see our AI page and DPA for our explicit commitments on this.

AI and machine learning

Our platform uses AI for specific features described on our AI capabilities page: resume parsing, payroll anomaly detection, smart records extraction, filing verification, and (with the Premium AI Pack or Enterprise plan) AI HR Assistant, predictive attrition, workforce analytics, and engagement insights.

Where AI inference happens

For Enterprise customers, AI inference runs on AWS Mumbai (ap-south-1) in-region.
For other plans, AI inference uses standard regional cloud LLM endpoints; the specific provider is listed in our DPA sub-processor schedule.

What AI does not do with your data

Your data does not train models. We use zero-retention contracts with inference providers. There is an explicit no-training clause in our DPA.
AI features are opt-in at the feature level. Tenant administrators can turn off any AI feature at any time.
AI suggests, humans decide. AI outputs (anomaly flags, fit scores, attrition risk scores) are advisory. They do not produce automated decisions that have legal effects on individuals.

Sharing personal data

We share personal data only as necessary and only in the following circumstances:

With service providers (sub-processors)

We engage carefully vetted third-party service providers — hosting (AWS), email (Resend), payment processing, analytics (Plausible), customer support tooling, and AI inference. Each is bound by a data processing agreement that incorporates DPDP-equivalent obligations. The full sub-processor list is published in our DPA, including which AI inference provider serves which customer plan.

With your organisation

If you use hrPLANR through your employer, your employer (as Data Fiduciary) controls how your personal data is used within the platform. Refer to your employer's HR or privacy policy.

For legal reasons

We may disclose personal data if required to do so by law — for example, in response to a valid order from an Indian court, the Income Tax Department, or other lawful authority. We notify affected customers where lawful and practical to do so.

In a business transfer

If Infomaze is involved in a merger, acquisition, or asset sale, personal data may transfer to the successor entity. We will notify customers in advance and the successor will be bound by this Policy (or equivalent terms).

Data residency and storage

All customer data is stored in India.

Primary region: AWS Mumbai (ap-south-1) — production databases, application servers, logs.
Disaster recovery region: AWS Hyderabad (ap-south-2) — cross-region replica, backups.
No cross-border data transfer. Customer data is not transferred outside India for storage or processing. The only exception is when AI inference for non-Enterprise plans uses standard regional cloud LLM endpoints — see the DPA sub-processor schedule for the specific region.

Detailed technical commitments — encryption, backups, recovery objectives, access controls — are published on our Security page.

How long we keep personal data

We retain personal data only as long as necessary for the purposes described in this Policy:

Data category	Retention period
Website analytics	26 months (Plausible default)
Sales prospect data (no purchase)	24 months from last interaction, then deleted
Customer account data (active subscription)	For the duration of the subscription + 90 days after termination
Customer financial records (invoices, GST)	8 years (per Income Tax Act and Companies Act)
Platform employee data on subscription termination	30-day grace period for export, then deleted within 90 days unless statutory retention applies
Marketing email lists (subscribed)	Until unsubscribe
Support tickets	5 years
Backup retention	35 days rolling

Where statutory retention obligations apply (Income Tax, GST, employment records), we honour the longer of our retention period or the statutory period. Detailed termination data handling for customer tenants is in the DPA.

Your rights under the DPDP Act

As a Data Principal under the DPDP Act, you have the following rights with respect to personal data we hold about you:

Right to access — confirmation of whether we process your personal data, and a summary of the data and processing purposes.
Right to correction and erasure — request correction of inaccurate or incomplete data, or erasure of data no longer necessary for the purpose.
Right to grievance redressal — raise a complaint with our Grievance Officer (contact below). If unresolved, you may approach the Data Protection Board of India.
Right to nominate — nominate another person to exercise your rights in case of death or incapacity.
Right to withdraw consent — where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, email privacy@hrplanr.com. We respond within 15 business days. We may need to verify your identity before acting on a request.

For employees of our customers: if you want to exercise rights regarding personal data your employer has processed through hrPLANR, please contact your employer directly. They are the Data Fiduciary for that data; we will assist them in fulfilling your request.

Security

We maintain technical and organisational measures to protect personal data, including:

Encryption at rest (AES-256-GCM) using AWS KMS, per-tenant keys
Encryption in transit (TLS 1.3), HSTS enforced
Multi-factor authentication (MFA) on all plans; Single Sign-On (SSO) on Enterprise
Role-based access control with audit logging
Daily automated backups with 35-day retention, cross-region replicated
Annual third-party penetration testing by a CERT-In empanelled firm
ISO 27001:2022 certification in progress (target Q4 2026)
24-hour on-call response for security incidents; 72-hour breach notification per DPDP Act

For complete details, see our Security page.

Cookies and tracking

We use a minimal set of cookies to operate the website. We do not use advertising cookies, cross-site tracking, or third-party trackers for marketing purposes.

Detailed information about each cookie we set is in our Cookie Policy. You can change your preferences at any time through the cookie banner.

Children

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data of a child, contact us at privacy@hrplanr.com and we will delete it.

Changes to this Policy

We may update this Policy from time to time. When we do, we will:

Update the "Last updated" date at the top of this page
Notify customers via email of material changes at least 30 days before they take effect
Maintain prior versions in a public archive at hrplanr.com/legal/privacy/archive

Continued use of the Service after the effective date of an updated Policy constitutes acceptance of the updated terms.

Contact us

Grievance Officer

For grievances regarding personal data processing under the DPDP Act:

Name	[GRIEVANCE OFFICER NAME — to be designated]
Email	grievance@hrplanr.com
Postal address	[ADDRESS], Bengaluru, Karnataka, India
Response time	15 business days

Note on DPO requirement The DPDP Act 2023 requires a designated Data Protection Officer for organisations classified as "Significant Data Fiduciaries" (criteria to be notified by the Government). If hrPLANR is classified as such in future, a DPO will be designated and contact details will be published here.

General privacy queries

For other privacy questions: privacy@hrplanr.com

Security disclosures

To report a security vulnerability: security@hrplanr.com — see our Security page for the responsible disclosure policy and PGP key.