# Privacy Policy — Talpro Temp Lifecycle Platform
**Version:** 1.0 (DRAFT — pending counsel review)
**Last updated:** 19 April 2026
**Operator:** Talpro India Pvt. Ltd. · legal@talproindia.com
**Data Protection Officer (once designated by DPB as Significant DF):** dpo@talproindia.com
**Grievance Officer (IT Rules 2021 Rule 3(2) + CPA §14 + DPDP §14):** Bhaskar Anand · bhaskar@talproindia.com · 48h ack · 30d resolution
---
## 0. Statutory framework
This Policy is written to comply with, and should be interpreted in light of, the following Indian statutes and rules, as amended from time to time:
- **Digital Personal Data Protection Act, 2023** (DPDP) and rules/notifications thereunder.
- **Information Technology Act, 2000** (IT Act), particularly §43A (compensation for failure to protect data), §66E (violation of privacy), §72 (breach of confidentiality), §72A (disclosure in breach of contract).
- **IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011** ("SPDI Rules").
- **IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021**.
- **Telecommunications Act, 2023** and TRAI regulations for communications.
- **Consumer Protection Act, 2019** and E-Commerce Rules, 2020.
- **Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016** and Regulations, especially on use/non-storage of Aadhaar numbers.
- **Prevention of Money Laundering Act, 2002** (KYC retention).
- **Reserve Bank of India** payment-system directions (tokenisation, data-localisation).
- **Income Tax Act, 1961**, EPF Act, ESI Act, Code on Wages — statutory retention for payroll data.
- **Bharatiya Sakshya Adhiniyam, 2023 / Indian Evidence Act, 1872 §65B** — electronic-record evidentiary requirements.
- **General Data Protection Regulation (EU) 2016/679** — to the limited extent any EU resident is processed (we do not actively target EU).
## 1. Scope and roles
This Policy applies to all Personal Data we handle in operating the Talpro Temp Lifecycle Platform (the "Service"). Roles:
- For Worker, Client, and Agency-staff data uploaded or generated through the Agency's tenant, **the Agency is the Data Fiduciary** (DPDP §2(i)) and Talpro is the **Data Processor** (§2(k)).
- For Owner authentication, Talpro-billing, security telemetry, and Talpro-website-visitor data, **Talpro is the Data Fiduciary**.
Where we act as Processor, the Agency is responsible for publishing its own privacy notice to the data principals and for securing their consent under DPDP §6 before any upload.
## 2. Data we collect and process
### 2.1 Categories, examples, purpose, legal basis
| Category | Examples | Purpose | Legal basis (DPDP §§6–7; SPDI Rule 5) |
|---|---|---|---|
| Identity | Name, gender, DOB, phone (E.164), email, preferred language | Account setup, KYC, communications | Consent (§6) · Contract performance (§7(ii)) |
| Government IDs | Aadhaar (masked VID + last-4 only; we **do NOT** store raw Aadhaar numbers), PAN last-4, UAN, ESIC IP, passport/driving-licence last-4 for optional enhanced KYC | Statutory compliance (EPF/ESI/TDS), eligibility checks | Legal obligation (§7(ii)), compliance with a judgment/order (§7(iii)), performance of State function (§7(vi)) where applicable |
| Financial | Bank account number last-4, IFSC, UPI handle, Razorpay customer / subscription / payout token | Payroll payout, subscription billing | Contract (§7(ii)) |
| Employment | Role, designation, site, shift, rate card, wage, timesheet, attendance, leave, bonus, advance, exit data | Core Service functionality | Contract (§7(ii)) · Legitimate Use (§7) |
| Device / log | IP address, user-agent, device fingerprint, session JWT, clock-in geolocation rounded to ± 500 m, rate-limit counters | Security, fraud prevention, IT Act §65B evidence | Security / prevention of unlawful activity (§7(vii)) |
| Communications | WhatsApp message IDs, opt-in artefacts, call recordings (if/when enabled), SMS gateway IDs, email tracking pixels (disabled by default) | Delivery, consent ledger, grievance | Consent (§6) |
| Biometric / OCR artefacts | DigiLocker-issued XML reference, Aadhaar offline-eKYC photograph hash (not the image) | KYC identity binding | Consent (§6), Aadhaar Act where applicable |
| Sensitive Personal Data or Information ("SPDI" under Rule 3 SPDI Rules) | Passwords (hashed), financial info, biometric info, health info (if/when leave-reason sub-flow enabled) | Access control, fair-use verification | Consent (§6); Rule 5(1) SPDI |
| Billing | GSTIN, place of supply, TAN, invoice line-items | Invoicing, GST / TDS compliance | Legal obligation (§7(ii)) |
| Telemetry | Page views on marketing site (aggregated, no cross-site tracking) | Product improvement (aggregated) | Legitimate use (§7(i)) — publicly available / voluntarily made public |
### 2.2 Data we deliberately do **NOT** collect or store
- Full Aadhaar numbers; CVV; card PAN; full bank account numbers (we keep only the last 4 digits; the full number is stored, encrypted under pgcrypto AES-256, only if a regulator demands it).
- Biometric templates (fingerprint/iris/face vectors).
- Politically-protected categories (caste, religion) unless you volunteer them for lawful HR purposes and mark consent explicitly.
- Children's data under 18 (processing blocked; if accidentally received, erased within 24 hours per DPDP §9).
- Data of non-Indian residents beyond incidental marketing-site visits.
## 3. How we collect
- **Direct entry** via web app, PWA, WhatsApp bot.
- **Upload** by Agency via CSV, bulk API, or third-party integrations you authorise.
- **Auto-capture** on clock-in (geolocation ± 500 m, device, timestamp, hash-chained for §65B evidence).
- **DigiLocker** when you authorise Aadhaar / DL / other ID fetch (we receive offline-eKYC XML; we store only `id_type`, last-4, masked VID, and the XML-reference pointer).
- **Razorpay** when you make a payment (we receive tokens and status; we do not see card PAN or CVV — those are tokenised by Razorpay per RBI directions on Card-on-File tokenisation).
- **EPFO / ESIC / GSTN / NIC IRP** when you authorise a filing.
- **Cookies** (see §12).
## 4. Purposes of processing (Purpose Limitation — DPDP §8(2))
We use Personal Data only for the purposes enumerated below. Any new purpose triggers a fresh consent request:
- Provide, operate, secure, monitor and improve the Service.
- Authenticate Users and prevent unauthorised access.
- Compute EPF, ESI, PT, LWF, TDS and GST amounts; generate payslips; produce e-invoices.
- Process payroll and payouts through Razorpay.
- Send transactional messages (account, billing, alerts, reset, OTP) by WhatsApp/SMS/email.
- Send marketing communications with clear opt-out (only after consent).
- Respond to support queries and enforce these Terms.
- Detect, prevent and investigate fraud, abuse, or security incidents.
- Comply with laws, regulators, gazette notifications, and lawful orders of courts / tribunals.
- Exercise and defend legal claims (civil, criminal, arbitral, tribunal).
- Conduct aggregate analytics (de-identified) to improve features.
We will **not** use Personal Data for:
- Selling or renting data to third parties.
- Targeted behavioural advertising on authenticated pages.
- Automated profiling producing legally significant decisions about an individual without a human-in-the-loop override.
- Processing children's data.
- Any purpose inconsistent with the consent captured.
## 5. Sharing with third parties
We share Personal Data only with the categories of recipients below, each bound by a written Data Processing Agreement ("DPA") with DPDP-equivalent safeguards.
| Recipient | Location | Purpose | Safeguard |
|---|---|---|---|
| Razorpay Software Pvt. Ltd. | India (Bangalore) | Payment / payout processing | PCI-DSS Level 1, RBI-authorised PA/PG, DPA in place |
| Meta Platforms Inc. (WhatsApp Cloud API) | USA / Ireland | Business messaging you initiate | Meta BA DPA; only message ID + recipient phone |
| Hostinger International Ltd. | India (Mumbai region) + Lithuania HQ | Infrastructure hosting | ISO 27001; DPA; data-residency in Mumbai |
| Resend Inc. | USA | Transactional email | SCCs; DPA; minimised fields (to / subject / template payload) |
| NIC IRP | India (Government) | GST e-invoice IRN generation | Statutory portal |
| EPFO / ESIC / state PT portals | India (Government) | Statutory filings | Statutory portals; only where you initiate |
| UIDAI / DigiLocker | India (Government) | Offline Aadhaar / document eKYC | Statutory; we receive signed XML only |
| Google (Gmail API, where user-initiated integration) | USA / India | Inbox automation (opt-in) | Google-Workspace DPA |
| Chartered Accountants / external counsel | India | Our own compliance and legal advice | Professional-secrecy obligations |
| Law enforcement / regulators | India | Only on valid written order (IT §91, CrPC/BNSS §94, DPDP) | Judicial / administrative authority |
| Acquirer in M&A | India | Asset transfer | DPDP §17; advance notice; equivalent protections |
International transfers (Razorpay is domestic; Meta / Resend are outside India) are governed by DPDP §16 and the General Rules notified thereunder; where SCCs apply, they are executed.
## 6. Retention
| Data type | Active retention | Post-deletion hold | Statutory override |
|---|---|---|---|
| Account profile | Duration of contract + 30 days (export window) | 90-day hard-purge per DPDP §8(7) | — |
| Consent ledger | Life of account + 7 years | — | IT Act §79 / DPDP §6 auditability |
| Wage / payroll records | Life of account + 7 years | — | Income Tax Act §44AA, EPFO, ESIC |
| Invoice / GST data | Life of account + 8 years | — | CGST Act §36 |
| Audit log (IT Act §65B evidence) | 7 years from generation | — | IT Act §67C, Evidence Act |
| Attendance events (hash-chained) | 7 years | — | Labour-law evidence |
| KYC artefacts | 5 years post-relationship | — | PMLA Rule 10(c) |
| Security telemetry / access logs | 365 days rolling | — | Cyber-incident investigation |
| Session tokens | Until expiry (≤ 15 min access, ≤ 30 days refresh) | — | — |
| Marketing leads (non-signed) | 18 months or until opt-out | — | — |
**Erasure mechanics.** On receipt of a valid erasure request: immediate anonymisation in hot tables (day 0), archival with restricted access (day 0–30), encrypted archive (day 30–90), cryptographic key destruction + row-level purge at day 90, with VACUUM FULL run on the next maintenance window. Backup tapes are encrypted; keys are destroyed at the tape's own retention expiry.
## 7. Rights of data principals (DPDP §§11–15)
You have the right to:
### 7.1 Right to access (§11)
Export your Personal Data in machine-readable JSON via `/v1/me/export`. Response ≤ 30 days; free once every 30 days; subsequent requests may incur a reasonable fee as notified by rules.
### 7.2 Right to correction and erasure (§12)
- Correction: via `/v1/me/profile` or your Agency admin.
- Erasure: via `/v1/me/erase`. Owners cannot erase while holding an active agency (this would orphan employee data); transfer ownership via `/v1/team/transfer-ownership` first.
- Erasure SLA: 30 days (statutory). Hard-purge at day 90.
- Exceptions: retention required by §6 above; data that is the subject of an ongoing legal claim; fraud-prevention records.
### 7.3 Right to withdraw consent (§13)
Via in-app consent-ledger toggle. Withdrawal applies prospectively; prior lawful processing remains lawful. We will stop consent-based processing immediately and purge according to §6.
### 7.4 Right of grievance redressal (§14)
First recourse: Grievance Officer Bhaskar Anand · bhaskar@talproindia.com. Acknowledgement ≤ 48 hours, resolution ≤ 30 days.
### 7.5 Right to nominate (§15)
You may nominate another individual to exercise your rights in the event of death or incapacity, via `/v1/me/nominee`.
### 7.6 Right to data portability
Your `/v1/me/export` bundle uses an open JSON schema. We will make commercially reasonable efforts to provide machine-readable exports suitable for direct import by another compliant service.
### 7.7 Right to escalate
If unresolved, you may lodge a complaint with the **Data Protection Board of India** (https://dpbi.gov.in once operational) or the appropriate **Consumer Commission** under CPA §2(7)/§35.
## 8. Security measures (DPDP §8(4)/(5); SPDI Rule 8)
Talpro implements reasonable security practices commensurate with the risk:
### 8.1 Technical
- **Transport:** TLS 1.3; HSTS (max-age 15 552 000, includeSubDomains, preload); TLS certificate via Let's Encrypt auto-renewed.
- **At-rest encryption:** pgcrypto AES-256-GCM on PII-CRITICAL columns (Aadhaar, PAN, bank account). Session key per tenant via `set_config('app.pii_key', …)`.
- **Passwords:** Argon2id (memory 64 MB, iterations 3, parallelism 4).
- **Tokens:** JWT HS256 with 15-minute access TTL, 30-day refresh TTL.
- **Row-Level Security FORCE** on every tenant table — a cross-tenant leak is architecturally impossible without a superuser credential.
- **Audit log** partitioned monthly, 7-year retention, append-only RLS policy.
- **Hash-chained attendance events** (SHA-256 of prev_hash || canonical JSON) for IT Act §65B evidentiary value.
- **Rate limiting:** 120 req/min global; stricter per-route; 429 on excess.
- **Input validation:** Zod on every route; Helmet; CSP strict.
- **Dependency management:** `pnpm audit` on every build; Renovate/Dependabot PRs.
- **Secrets:** stored only in `/opt/talpro-temp/.secrets/*.env` (chmod 600 root-only) and process memory; never committed.
- **Backups:** nightly encrypted pg_dump, 35-day retention, restore drills quarterly.
- **Monitoring:** Uptime Kuma + Grafana + Langfuse + Rakshak 17-audit weekly + Prahari 6-hour heartbeat.
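
The hash-chaining control listed above, `SHA-256(prev_hash || canonical JSON)`, shown as an added example that is not Talpro's code. The all-zero genesis value, the row field names, the key-sorted canonical form, and the externally recorded `expectedHead` are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed prev_hash of the first event

// Canonical JSON (assumed form): keys sorted recursively, no whitespace.
function canonicalJson(v) {
  if (Array.isArray(v)) return "[" + v.map(canonicalJson).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const members = Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalJson(v[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(v);
}

// hash = SHA-256(prev_hash || canonical JSON), hex-encoded.
function linkHash(prevHash, event) {
  return createHash("sha256")
    .update(prevHash + canonicalJson(event), "utf8")
    .digest("hex");
}

function appendEvent(chain, event) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  return [...chain, { prev_hash: prevHash, event, hash: linkHash(prevHash, event) }];
}

// Walks the chain from genesis; reports the first row that does not link.
// expectedHead is the latest hash recorded outside the database (assumption):
// without it, deleting the newest rows leaves a chain that still verifies.
function verifyChain(chain, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const row = chain[i];
    if (row.prev_hash !== prev) return { ok: false, index: i, reason: "prev_hash mismatch" };
    if (row.hash !== linkHash(prev, row.event)) return { ok: false, index: i, reason: "hash mismatch" };
    prev = row.hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) {
    return { ok: false, index: chain.length, reason: "head mismatch" };
  }
  return { ok: true };
}

// Constructed sample events (not real data).
function buildSampleChain() {
  return [
    { worker: "W-001", type: "clock_in", ts: "2026-04-19T03:30:00Z" },
    { worker: "W-002", type: "clock_in", ts: "2026-04-19T03:31:10Z" },
    { worker: "W-001", type: "clock_out", ts: "2026-04-19T12:02:45Z" },
  ].reduce(appendEvent, []);
}
```

An edit to any stored event breaks verification at that row, while removal of trailing rows is caught only when the verifier compares against a head hash kept outside the table.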
### 8.2 Organisational
- Least-privilege access with role-based IAM.
- Mandatory security training for all staff.
- Vendor risk assessment before any new sub-processor.
- Incident-response runbook with named roles and 4-hour P1 ack SLA.
- Quarterly penetration test; annual third-party SOC-2-equivalent review (when applicable).
- Background-verified engineers; NDA + DPA before access.
- Clean-desk / clean-screen; encrypted laptop disks; remote-wipe enabled.
### 8.3 Physical
- Hosting in ISO 27001-certified Hostinger Mumbai data centre.
- No on-prem customer data; offices hold only de-identified analytics copies.
### 8.4 Breach notification
- Internal detection 24×7 via Prometheus + Sentry-equivalent.
- Confirmed Personal Data Breach triggers: (a) 24-hour notice to affected Agency (Fiduciary); (b) Agency notifies data principals and DPB per DPDP §8(6)'s 72-hour SLA; (c) Talpro assists with facts, mitigation, and affected-principal list.
- For Talpro-as-Fiduciary breaches (Owner/billing data): Talpro notifies DPB within 72 hours and principals promptly.
## 9. Cross-border transfers
Default: data stored and processed in India. Third-party processors outside India (Meta, Resend) receive only the minimum data necessary and are contractually bound by DPDP-equivalent protections through Standard Contractual Clauses. If the Central Government notifies a country-restriction list under DPDP §16, we will cease transfers to listed countries.
## 10. Automated decision-making and AI
**10.1** The Service uses machine-learning models (Anthropic Claude, Google Gemini, OpenAI Whisper, local Ollama) for:
- WhatsApp intent classification, payslip Q&A, weekly briefs, anomaly detection, compliance Q&A, OCR of uploaded documents, and similar assistive features.
**10.2** We **do not** make any legally-significant decision (hiring, firing, wage deduction, KYC rejection, account suspension) solely based on automated output. Every such decision has a human-in-the-loop override.
**10.3** We **do not** train third-party general-purpose models on your Personal Data without your explicit opt-in. Inference calls are scrubbed of raw PII before being sent to any model endpoint; a deterministic PII scanner runs pre-prompt.
**10.4** You may ask for an explanation of any assistive-AI output via support@talproindia.com.
## 11. Children
The Service is not directed to persons under 18. Uploading a minor's data without verifiable parental consent (DPDP §9) is prohibited by these Terms. If we detect such data, it is quarantined and erased within 24 hours; we notify the Agency.
## 12. Cookies, tracking, and analytics
### 12.1 Cookies we set
| Cookie | Type | Purpose | Retention |
|---|---|---|---|
| `talpro_session` | Essential | Authentication | 30 days / on logout |
| `talpro_csrf` | Essential | CSRF token | Session |
| `talpro_locale` | Preference | Language / region | 1 year |
| `talpro_consent` | Essential | Record of cookie consent | 1 year |
### 12.2 What we do NOT do
- No Google Analytics on authenticated pages.
- No Facebook Pixel, TikTok Pixel, LinkedIn Insight Tag on authenticated pages.
- No third-party advertising cookies anywhere.
- No fingerprinting beyond rate-limit anti-abuse hashes.
### 12.3 Do-Not-Track / GPC
We respect Global Privacy Control (GPC) headers and DNT where technically feasible.
## 13. Marketing and transactional communications
- **Transactional** (account, billing, OTP, security alerts, filing reminders) — sent without opt-in because they are necessary for Service provision under contract.
- **Marketing** (product updates, webinars, newsletters) — only after explicit opt-in; clear unsubscribe in every message; aligned with TRAI / Telecommunications Act unsolicited-commercial-communications rules.
- **WhatsApp** — only after Meta-defined opt-in and within the 24-hour service window or via approved templates.
## 14. Law-enforcement requests
We respond to valid Indian legal process (court order, CrPC/BNSS notice, IT Act §91 request, DPB direction). We push back on requests that are overbroad, unlawful, or fishing expeditions. We publish an annual transparency report summarising numbers of requests received and honoured (commencing 2027 cycle).
## 15. Changes to this Policy
Material changes are emailed to Agency Owners and shown to Users via an in-app banner ≥ 30 days before they take effect. The change history is kept in `docs/legal/PRIVACY-CHANGELOG.md`.
## 16. Jurisdiction
This Policy is governed by Indian law. Disputes in relation to this Policy are resolved under the Terms of Service §19 (Mumbai seat arbitration; Bombay High Court for interim relief; Consumer Commissions for consumer remedies).
## 17. Contact
| Purpose | Channel |
|---|---|
| General privacy queries | dpo@talproindia.com |
| Data-subject rights requests | `/v1/me/export` · `/v1/me/erase` · `/v1/me/profile` · or email dpo@talproindia.com |
| Grievance (48h ack, 30d resolve) | Bhaskar Anand · bhaskar@talproindia.com |
| Breach notification | security@talproindia.com · +91-[TBF] (24×7) |
| Escalation | Data Protection Board of India · https://dpbi.gov.in |
---
*Drafted by Talpro CTO legal-function in autonomous mode. Requires Bar-Council-of-India-registered counsel review and sign-off before public publication. Sign-off metadata will be logged in `docs/legal/CHANGELOG.md`.*