Legal

DPDP Disclosure

Last updated: 15 April 2026 · Effective: 15 April 2026 · Aligned with the Digital Personal Data Protection Act, 2023

Plain-English summary. Under the DPDP Act, 2023, you (the employer) are the Data Fiduciary for your workers' personal data. We (PeoplePulse) are the Data Processor — we only handle worker data on your documented instructions, using reasonable security safeguards, and only to deliver the Services you've subscribed to.

1. Roles under the DPDP Act, 2023

RoleWhoWhat it means
Data PrincipalThe worker whose data is processedThey have rights under the Act (access, correction, erasure, grievance redressal).
Data FiduciaryYou — the CustomerYou decide the purposes and means of processing. You are primarily accountable under the Act.
Data ProcessorPeoplePulseWe process worker data strictly on your written instructions and under this disclosure and our Terms.

2. What personal data we process

  • Identity data: name, date of birth, gender, ID numbers collected during onboarding (Aadhaar reference, PAN, PF / UAN, ESI, bank account) — only what you choose to capture.
  • Contact data: phone, email, address.
  • Employment data: designation, department, wage structure, joining date, shift, leave balances.
  • Attendance data: timestamped check-in / check-out, GPS location of punch, selfie image (for face-match verification).
  • Payroll data: wage computation, overtime, statutory deductions, net pay, payslips.
  • Account & usage data: login events, device info, access logs — for security & audit.

3. Purposes & legal basis

We process worker data only to deliver the Services you have subscribed to — attendance tracking, payroll computation, statutory register generation, payslip issuance, dashboard reporting, and compliance support. The legal basis is the contract between you and us (these Terms) and your documented instructions as Data Fiduciary. Where the DPDP Act requires worker consent (e.g. biometric face-match), the consent is captured and stored on your behalf at the point of worker onboarding.

4. Consent & notices you must provide

As Data Fiduciary, you warrant to us that before uploading or capturing any worker's personal data through PeoplePulse, you have:

  • Given the worker the notice required under §5 of the DPDP Act (purposes, rights, grievance officer).
  • Obtained free, specific, informed, unconditional and unambiguous consent (for biometric / sensitive data) — in English and, where reasonably required, in the worker's native language.
  • Made the notice and consent record available in the worker's preferred language per the Act's communications schedule.

Our platform provides template notices and consent screens to make this easier — but the legal obligation rests with you.

5. Security safeguards

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Data is stored on servers physically located in India.
  • Role-based access controls; every administrative access is logged and audited.
  • Passwords stored as salted hashes; multi-factor authentication available on all admin accounts.
  • Regular vulnerability scans and periodic third-party penetration tests.
  • Least-privilege access for our engineering team; production access is logged and time-boxed.

6. Data retention

Data typeRetention period
Worker active data (while employed)For the entire period the worker is on your rolls
Separated-worker data3 years after separation (matches Labour-Code statutory retention), then deleted unless you instruct otherwise
Payroll records, Forms I / IV / V / IX / XRetained for 3 years as required by the Labour Codes; exportable anytime
Account data after subscription ends30 days for export, then permanently deleted within 90 days
Security & audit logs12 months

7. Data-subject rights (Data Principal rights)

Workers have the following rights under the DPDP Act. As Data Fiduciary, you are the first point of contact for these requests; we support you operationally:

  • Right to information about processing (§11)
  • Right to correction and erasure (§12)
  • Right to grievance redressal (§13)
  • Right to nominate (§14)

You can use the platform's built-in tools to correct, download or delete a worker's record. For anything that needs us, email support@peoplepulse.co.in.

8. Breach notification

In the event of a personal-data breach affecting your worker data, we will notify you without undue delay and in any case within 72 hours of confirming the breach. We will provide the information you need to fulfil your own §8(6) notification obligations to the Data Protection Board of India and to affected Data Principals.

9. Sub-processors

We use a small set of trusted sub-processors to operate the platform (cloud hosting in India, transactional email, SMS / WhatsApp, payment gateway). Sub-processors are bound by written data-processing agreements that mirror this disclosure. A current list is available on request from admin@peoplepulse.co.in.

10. International transfers

Worker data is stored and processed in India. We do not transfer personal data outside India. Any future change to this stance will be notified and you will have the right to opt out.

11. Grievance officer

Our designated Grievance Officer under the Information Technology Act & DPDP Act can be reached at:

Grievance Officer — PeoplePulse
Email: grievance@peoplepulse.co.in
WhatsApp: +91 91577 39743
Response window: within 30 days of receipt.

12. Updates to this disclosure

We may update this disclosure to reflect changes in law, sub-processors, or platform features. Material changes are notified on the dashboard and by email at least 15 days in advance.

13. Contact

Questions on how we handle data? Email admin@peoplepulse.co.in.

© 2026 PeoplePulse. All rights reserved.