Privacy Policy
1. Introduction
This Privacy Policy ("Policy") is issued by Megamax Services Pvt. Ltd. ("Megamax", "we", "us", "our"), a company incorporated under the Companies Act, 2013 having Company Cin U74140DL2015PTC282288, Company GST 09AAJCM8185E2Z0, 101, Pratap Nagar Mayur Vihar, Phase-1 East Delhi, Delhi-110091, INDIA and the owner and operator of the Kasturi HR application (“App”) and the website KasturiHR.com (“Website”), collectively referred to as the “Platform”.
The Platform is a Human Resource Management System ("HRMS") designed to serve enterprises, HR administrators, managers, and employees across India and globally. This Policy describes how Megamax collects, uses, stores, shares, transfers, and deletes personal data, and sets out the rights of Data Principals and Data Subjects under applicable law.
This Policy forms part of and must be read alongside the Terms and Conditions of the Platform. By registering on, accessing, or using the Platform, you confirm that you have read, understood, and consent to this Policy. If you do not agree, you must discontinue use immediately and contact support@kasturihr.com.
The term “Designated Countries” refers to countries in the European Union (“EU”), the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”). Users located in these regions are subject to additional rights under Megamax’s GDPR aligned obligations. Where Indian law and GDPR overlap, Megamax shall apply the stricter standard. The terms “Data Principal” (DPDP Act, 2023) and “Data Subject” (GDPR) are used interchangeably throughout this Policy.
1.1 Legal Framework
Megamax's privacy practices are governed by and comply with the following statutes and regulations:
| Law/Regulation | Primary Obligations |
|---|---|
| Digital Personal Data Protection Act, 2023 ("DPDP Act") | Consent, Purpose Limitation, Data Minimisation, Data Principal Rights, Cross-border Transfers, Grievance Redressal |
| Information Technology Act, 2000 & IT (Amendment) Act, 2008 | Reasonable security practices; SPDI Rules, 2011 |
| IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") | Consent, access, correction, and grievance redressal for sensitive personal data |
| GDPR 2016/679 (for EEA/UK users) | Lawful basis, Data Subject Rights, DPO appointment, Cross-border Transfer Safeguards (Standard Contractual Clauses) |
| Data Fiduciary | As defined under the Digital Personal Data Protection Act, 2023 ("DPDP Act") — an entity that, alone or in conjunction with others, determines the purpose and means of processing digital personal data. |
| Companies Act, 2013 | Record-keeping and statutory filings as a corporate entity |
| Applicable Indian Labour Laws & Codes (e.g., Code on Social Security, 2020; Code on Wages, 2019) | Lawful collection, processing, and retention of employee personal and sensitive data (e.g., KYC, bank details, health records, biometrics) for statutory payroll, social security contributions (EPFO/ESIC), and maintaining mandatory employment registers. |
| Indian Contract Act, 1872 | Offer, acceptance, and valid consent underpinning the Terms and this Policy |
1.2 Identity of the Data Fiduciary / Controller
Under the DPDP Act, 2023, Megamax Services Pvt. Ltd. is the "Data Fiduciary". Under the GDPR, Megamax acts as the "Data Controller" for users located in the EEA or UK. The particulars of the Data Fiduciary are as follows:
| Particulars | Details |
|---|---|
| Legal Name | Megamax Services Pvt. Ltd. |
| Incorporation | Companies Act, 2013 (Indian Law) |
| Grievance Officer / Data Protection Contact | Mr. Yaduvansh Gaurav Compliance Officer | legal@megamaxservices.com |
| Grievance Response Time | Within 7 business days of receipt |
| Jurisdiction | Courts of Delhi, India |
1.3 Dual Roles - Data Fiduciary / Controller and Data Processor
Megamax operates in two distinct capacities depending on the context of processing:
| Role | Context and Scope |
|---|---|
| Data Fiduciary / Controller | In respect of website visitors, direct registrants, newsletter subscribers, demo attendees, and job applicants — Megamax independently determines the purpose and means of processing personal data. |
| Data Processor / Sub-Processor | In respect of employee data uploaded by enterprise customers ("Clients") through the Kasturi HR SaaS platform — Megamax processes data solely on behalf of and under the documented instructions of the Client, who bears the role of Data Fiduciary / Controller and full legal responsibility for the lawfulness, accuracy, and compliance of such data. |
1.4 Relationship with Other Megamax Documents(New)
This Policy forms part of, and is incorporated by reference into, the Terms and Conditions of Service governing the Platform (“T&C”), together with the Data Processing Agreement and the Acceptable Use Policy referenced therein. In the event of any conflict between this Policy and the T&C in relation to a matter expressly governed by the T&C (including dispute resolution, limitation of liability, and governing law), the T&C shall prevail. Disputes concerning this Policy shall be resolved in accordance with Clause 15.3 (Dispute Resolution) of the T&C.
2. Information We Collect
Megamax collects only such personal data as is strictly necessary for the purposes and consent as described in this Policy, in accordance with the principle of data minimisation under the DPDP Act, 2023 and GDPR. The following categories of data are collected:
2.1 Data Provided Directly by the User
- Registration Data
- Profile Data
- Form and Uploaded Data
Upon account creation, Megamax collects the user's name, email address and/or mobile number, general location (city), company name, job title, and password. Subscription to premium services additionally requires payment and billing information with the consent of the client.
Users may optionally provide work experience, education, professional qualifications, skills, and a profile photograph. Users are solely responsible for the personal data they include in their profiles and should not upload data they would not wish to be accessible to their employer or other authorised users of the platform via consent.
Megamax collects personal data submitted through consent forms (including leave applications, expense claims, surveys, and recruitment submissions), as well as documents uploaded by users in the course of using the Platform.
2.2 Employee Data Uploaded by Employer-Clients
When an employer (Client) deploys the Kasturi HR platform for its organisation, it uploads employee data on behalf of its workforce. Such data may include the following categories:
- Full name, employee identification number, work email address, and mobile number;
- Date of birth, gender, nationality, residential address, and office address;
- Job title, department, reporting structure, contract type, and duration of employment;
- Working hours, leave entitlements, attendance records;
- Salary, payroll data, bank account details, Permanent Account Number (PAN), Provident Fund (PF), and Employees' State Insurance (ESI) numbers; entirely end to end encrypted.
- Performance ratings, key performance indicators, appraisal and evaluation history; entirely end to end encrypted.
- Training records, certifications, and professional qualifications;
- Workplace satisfaction and employee engagement survey responses;
- Disciplinary records (where applicable) and emergency contact information.
- Kasturi is an entirely end to end encrypted platform for the client and its end users.
Megamax does not independently collect this data. It is stored and processed solely as instructed by the employer-Client. The Client bears full legal responsibility for the legality, accuracy, and reliability of all data it uploads.
2.3 Technical and Usage Data
Megamax collects technical data only upon the Client’s approval or request, when the Platform is accessed or used, including through Web/mobile applications. This includes:
- Internet Protocol (IP) address, device type, operating system version, browser type and version, and App version; subject to client option and request.
- Unique device identifiers, log files, error reports, and session data;
- Pages visited, time spent on Platform, clickstream data, and search queries;
- Actions taken within the Platform (e.g., report generation, payslip access, content interactions).
2.4 Location Data
At the client’s request, and subject to the user’s explicit consent, Megamax collects live geo-location data solely to facilitate the geo-tracking attendance feature. Megamax obtains prior permission from the user before accessing GPS or similar location services, and tracking occurs exclusively during the active use of this feature. This data is strictly confidential, is not shared with third parties, and will be deleted upon the user’s or client’s request.
2.5 Cookie and Tracking Data
Megamax uses cookies, web beacons, tags, scripts, and similar tracking technologies as further described in Section 5 (Cookies and Tracking) of this Policy.
2.6 Communications Data
Megamax collects information relating to communications made through the Platform, including the identities of communicating parties and the timing of such communications. Kasturi HRMS may be used to detect and block content that violates the Terms of Use such as Brute Force, Unethical Hacking, Malware, Virus, Suspicious threats, Fireball and Network Protection
2.7 Sensitive Personal Data and Information(SPDI)
The following categories are classified as sensitive personal data under the IT (SPDI) Rules, 2011 and the DPDP Act, 2023, and are subject to enhanced protections and explicit consent requirements:
- Financial information including bank account details, salary, and PAN;
- Biometric data, where fingerprint or facial recognition-based attendance is enabled by the employer;
- Health or medical information, where provided in leave applications;
- Physical, physiological, or mental health conditions, where voluntarily disclosed.
Megamax collects SPDI only to the extent necessary for the contracted HRMS services and with explicit consent where required by law. Megamax does not sell, rent, or commercially exploit any SPDI.
2.8 Third-Party and Integration Data
Megamax may receive DATA based on the API shared by the third-party integrations, partner platforms, or services enabled by the employer-Client, including applicant tracking systems, payroll integrations, and HR data feeds. Such data is governed by the instructions of the Client and the terms of the applicable integration agreements.
3. How We Collect Information
Megamax collects personal data through the following means:
- Directly from the user upon registration, completion of profile or application forms, or communication through the Platform;
- Automatically through technical tracking mechanisms upon access to or interaction with the Platform, as described in Sections 2.4 and 5;
- From employer-Clients when they configure or manage the Platform for their organisation;
- From third-party integrations and partner platforms enabled by the employer-Client;
- When users attend webinars, product demonstrations, or online events hosted by Megamax.
3.1 Legal Basis for Processing
Megamax processes personal data only where a valid legal basis exists under the DPDP Act, 2023 and/or the GDPR, as set out below:
| Processing Activity | Legal Basis — DPDP Act, 2023 | Legal Basis — GDPR |
|---|---|---|
| Account creation and service delivery | Contractual necessity — Section 4 | Article 6(1)(b) |
| Customer support and inquiries | Legitimate use | Article 6(1)(f) |
| Payroll, statutory compliance, and filings | Legal obligation | Article 6(1)(c) |
| Geo-tracking attendance (opt-in) | Explicit Consent | Article 6(1)(a) |
| Marketing communications and newsletters | Explicit Consent | Article 6(1)(a) |
| Recruitment Processing | Consent and contractual necessity | Article 6(1)(a) and Article 6(1)(b) |
| Security monitoring and fraud prevention | Legitimate Use | Article 6(1)(f) |
| Webinars and online events | Consent | Article 6(1)(a) |
| Archiving and backups | Legal obligation and legitimate use | Article 6(1)(c) and Article 6(1)(f) |
| Aggregated research and analytics | Legitimate use | Article 6(1)(f) |
Consent may be withdrawn at any time via the user's account settings or by contacting Megamax at support@kasturihr.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal. Where processing is based on legitimate interest, the user has the right to object.
4. How We Use Your Information
Megamax uses personal data exclusively for the following specified and lawful purposes:
4.1 Platform Services (Core HRMS Functions)
- Creation and management of user accounts on the Kasturi HR Platform;
- Provision of HRMS functions including payroll processing, leave management, attendance tracking, performance management, and employee engagement;
- Processing of subscription and commercial transactions;
- Enabling geo-tracking attendance features where the user has expressly opted in;
- Facilitating communication between HR administrators, managers, and employees;
- Personalisation of the Platform experience based on user role and usage patterns.
4.2 Communication and Customer Support
- Responding to user inquiries through the App, Website, email, or telephone;
- Sending service notifications, updates, security alerts, and platform announcements;
- Providing technical support and issue resolution;
- Sending push notifications on Android and web platforms relating to service activity.
Users may not opt out of essential service communications (including security alerts and legal notices). Marketing and promotional communications may be opted out of at any time via the notification settings.
4.3 Recruitment
- Evaluation of job applications submitted through the Website or Platform;
- Conduct of interviews and employment assessments;
- Retention of applicant data for future vacancies with explicit consent, for a period not exceeding 36 months or until consent is withdrawn, whichever is earlier.
4.4 Marketing and Events
- Organisation of webinars, product demonstrations, and online events;
- Publication of online events — with consent, or on the basis of legitimate interest where the user is part of a larger group gathering.
- Product updates, and promotional content ; subject to prior consent.
4.5 Research, Analytics, and Service Development
- Research and development activities for improvement of Platform features, performance, and user experience;
- Analytics to produce aggregated, non-identifiable insights, including platform usage trends and workforce analytics for Clients;
- Internal reporting on feature engagement and usage statistics;
- Assessment and enhancement of the safety and regulatory compliance of Platform services.
Megamax may publish or share aggregated insights that do not identify any individual. Personal data is not sold for external research or advertising purposes.
4.6 Security, Fraud Prevention, and Legal Compliance
- Prevention of fraud, abuse, and unauthorised access; monitoring of Platform security;
- Investigation and resolution of security incidents and data breaches;
- Compliance with applicable laws, regulations, court orders, and governmental directions;
- Pursuit or defence of legal claims before courts and administrative bodies;
- Data archiving and backup in accordance with Megamax's internal archiving policy.
5. Cookies and Tracking
The Kasturi HR App and KasturiHR.com use cookies and similar technologies including session cookies to ensure Platform functionality, improve performance, personalise user experience, and support analytics. The categories of cookies used are as follows:
| Cookie Type | Purpose |
|---|---|
| Essential Cookies | Necessary for the Platform to function. Cannot be disabled. |
| Functional Cookies | Retain user settings and preferences, including language and session data. |
| Analytical Cookies | Track user interaction patterns to support Platform improvement (e.g., Google Analytics, Firebase). |
5.1 Managing Cookies
Cookies may be managed or disabled through the user's browser settings or via the cookie consent banner presented on first visit. Users may also opt out of targeted advertising through the NAI Opt-Out Tool (networkadvertising.org/choices), the Digital Advertising Alliance (aboutads.info), or Google Analytics Opt-Out (support.google.com/analytics/answer/181881). Disabling non-essential cookies may limit certain Platform features. Essential cookies cannot be disabled as they are required for Platform operation.
5.2 Do Not Track
Megamax respects "Do Not Track" (DNT) signals transmitted by a user's browser. Where a DNT signal is received, Megamax will not associate new data collected during that session with the user's stored profile for targeted advertising purposes. Certain data may continue to be collected for non-marketing purposes, including security monitoring and analytics.
6. Limited Sharing of Information
Megamax does not sell, rent, or trade personal data. Personal data is disclosed only in limited, controlled circumstances, such as hosting and processing data on Microsoft Azure cloud infrastructure. All such data transfers and storage are strictly governed by enterprise-grade security protocols, including end-to-end encryption in transit and at rest within Azure's secure environments.
6.1 Within the Platform (Employer-Client Access)
The employer-Client and its authorised users (including HR administrators and managers) have access to employee data on role based (RBAC) within the Platform to the extent necessary for HR administration.
6.2 Legal and Regulatory Authorities
Megamax may disclose personal data when required to do so by applicable law, court order, subpoena, or direction from a governmental or regulatory authority. Where legally permissible, Megamax will endeavour to notify affected users prior to disclosure. Megamax reserves the right to contest demands considered overbroad or lacking proper legal authority.
6.3 Business Transfers
In the event of a merger, acquisition, corporate restructuring, or sale of all or part of Megamax's business, personal data may be transferred to the successor entity. Such entity shall be required to honour the obligations and commitments set out in this Policy, unless the user separately consents to different terms.
6.4 Communications Archival
Where Clients or their employees are subject to legal or professional compliance obligations requiring the archival of communications or HR records, Megamax supports such archival outside the Platform in accordance with applicable law.
6.5 With User Consent
In all other circumstances, personal data may be shared with third parties only where the user has provided explicit and under informed consent in written basis or on records as per applicable laws. All third-party processors are required to maintain appropriate technical and organisational security measures and to process data solely for the purposes specified by Megamax.
7. International Data Transfers
Personal data is stored primarily on Microsoft Azure servers located in India. Data may, however, be transferred to and processed in countries outside India and the EEA in connection with AI features or international service providers. Megamax enforces strict data localization. All Indian user data is stored exclusively within the territorial boundaries of India to comply with the DPDP Act, 2023. Reciprocally, foreign user data is isolated and retained within servers located in its respective geographic region of origin (e.g., EEA data remains within the EEA under GDPR compliance).
Megamax ensures that all such transfers are subject to the following safeguards:
- Reliance on Standard Contractual Clauses (SCCs) or equivalent mechanisms for transfers to EEA/UK recipients under the GDPR;
- Confirmation that the receiving country or entity provides a standard of data protection equivalent to Indian law;
- Execution of data processing agreements with all international vendors;
- Compliance with all legal bases and any government-notified restrictions on cross-border data flows under the DPDP Act, 2023.
The laws of countries to which data may be transferred may not provide the same level of protection as Indian law or the user's domestic law. Megamax takes all reasonable steps to ensure that appropriate safeguards are in place prior to any such transfer.
8. Data Security
Megamax implements industry-standard technical and organisational security measures to protect personal data against unauthorised access, use, alteration, disclosure, or destruction. These measures include:
- Transport Layer Security (TLS/SSL) encryption for all data transmitted over the internet;
- Encryption of sensitive data at rest and transit on cloud and on premises enterprise-grade infrastructure;
- Encoded session identification, firewall protection, and advanced access controls;
- Role-based access controls to restrict data access to personnel with a documented legitimate need;
- Regular security assessments, vulnerability monitoring, and independent audits;
- Documented incident response procedures and breach notification processes in accordance with applicable law.
No method of electronic transmission or storage is entirely secure. While Megamax takes all reasonable precautions, it does not warrant absolute security. In the event of a personal data breach that poses a risk to the rights of Data Principals, Megamax shall notify affected individuals and relevant authorities in accordance with the DPDP Act, 2023 and any other applicable legal obligations.
9. Data Retention
Megamax retains personal data only for the period necessary to fulfil the purpose for which it was collected, or as required by applicable law. The following retention schedule applies:
| Data Category / Purpose | Retention Period |
|---|---|
| Contact and support inquiries | Duration of active correspondence; deleted upon resolution |
| Online events and webinars | Up to 12 months following the event |
| Legal claims and disputes | Until expiry of the applicable statutory limitation period |
| Legal compliance obligations | As long as necessary to demonstrate compliance with applicable law |
| Website analytics and security logs | Until a valid objection is raised, or as required by law |
| Recruitment data — active role | Until conclusion of the recruitment process or contract execution |
| Recruitment data — future roles (with consent) | Up to 36 months from the date of consent, or until withdrawn |
| Supplier and customer contract data | Duration of the contract plus the applicable statutory retention period |
| Employee data (SaaS platform) | As documented and instructed by the employer-Client |
| Archiving and backups | In accordance with Megamax's backup and archiving policy |
Upon account closure, personal data will generally cease to be visible to other Platform users within 24 hours and will be deleted within 30 days, except where retention is mandated by law, regulatory obligation, fraud prevention, security requirements, or ongoing dispute resolution. De-identified or aggregated data may be retained indefinitely.
10. Your Rights
Data Principals and Data Subjects have the following rights in relation to their personal data under the DPDP Act, 2023 and/or the GDPR, as applicable. All rights requests should be submitted to support@kasturihr.com. Megamax shall respond within 7-15 business days. Users located in Designated Countries may have additional rights under applicable local legislation.
| Right | Description |
|---|---|
| Right to Access and Obtain a Copy | The right to request confirmation as to whether personal data is being processed and to obtain a copy. The first copy is provided free of charge; subsequent copies may be subject to a reasonable fee. |
| Right to Rectification | The right to request correction of inaccurate or incomplete personal data. Users may also update their own data directly within the Platform. |
| Right to Erasure | The right to request deletion of personal data in circumstances permitted by law. This right is not absolute — Megamax may be legally required to retain certain data. |
| Right to Restriction of Processing | The right to request that processing be limited in certain circumstances (e.g., while the accuracy of data is under dispute). |
| Right to Data Portability | The right to receive personal data in a structured, commonly used, and machine-readable format for transfer to another service provider, where technically feasible. |
| Right to Withdraw Consent | Where processing is based on consent, the right to withdraw consent at any time via account settings or by contacting Megamax. Withdrawal does not affect the lawfulness of prior processing. |
| Right to Object | The right to object to processing based on Megamax's legitimate interest. Processing shall cease unless Megamax demonstrates compelling legitimate grounds. |
| Right to Grievance Redressal | The right to lodge a complaint with the Grievance Officer (Mr. Yaduvansh Gaurav, Compliance Officer, Megamax Services Pvt. Ltd.) at support@kasturihr.com, legal@megamaxservices.com to escalate to the Data Protection Board of India (under the DPDP Act) or to the relevant supervisory authority (under the GDPR). |
| Right to Nominate a Representative | Under the DPDP Act, 2023, the right to nominate another individual to exercise data rights on the Data Principal's behalf in the event of death or incapacity. |
11. Children's Privacy
The Kasturi HR Platform is designed exclusively for professional business use and is not directed at individuals below the age of 18 years (or the applicable age of majority in the relevant jurisdiction). Megamax does not knowingly collect personal data from children. If it is determined or credibly reported that personal data of a minor has been inadvertently collected, Megamax shall delete such data promptly upon notification at support@kasturihr.com.
In accordance with the DPDP Act, 2023, Megamax does not knowingly process the personal data of children and does not engage in targeted advertising directed at children.
12. Third-Party Services
12.1 Third-Party Links
The Platform may contain hyperlinks to third-party websites or services. This Policy does not apply to such third-party platforms. Users are advised to review the privacy policies of any external websites they visit.
12.2 Third-Party Integrations
The Platform may integrate with third-party HR tools, payroll systems, applicant tracking platforms, and communication services as enabled by the employer-Client. Use of such integrations is subject to the privacy policies of the respective third parties. Megamax does not assume responsibility for the data practices of third-party integration providers.
12.3 Social Media Plug-ins
The Website may include social media plugins (including from LinkedIn, Facebook/Instagram, X/Twitter, and YouTube). When a user interacts with such plugins, the relevant provider may receive data from the user's browser, including where the user is not simultaneously logged in to that platform. Megamax does not control or bear responsibility for data collected by third-party social media providers through their plugins.
13. Contact Us
All queries, complaints, or rights requests relating to this Policy or the processing of personal data should be directed to:
| Particulars | Details |
|---|---|
| Company | Megamax Services Pvt. Ltd. |
| Platform | Kasturi HR App & KasturiHR.com |
| Compliance and Regulatory Reporting | legal@megamaxservices.com |
| support@kasturihr.com | |
| Response Time | Within 7 business days |
| Jurisdiction | Courts of Delhi, India |
Users also have the right to lodge a formal complaint with the Data Protection Board of India constituted under the DPDP Act, 2023, or with the relevant data protection supervisory authority in their country of residence (for users located in Designated Countries).
14. Abuse and Spam Reporting
Megamax is committed to preventing the misuse of the Platform for unsolicited communications. If you wish to report spam, abuse, or unauthorised use of the Platform, please contact our compliance team at legal@megamaxservices.com with the subject line “ABUSE REPORT”. Megamax reserves the right to audit consent documentation and recipient lists associated with any communications sent through the Platform.
15. Changes to This Privacy Policy
Megamax reserves the right to amend or update this Policy at any time to reflect changes in its products, services, applicable law, or industry standards. Any revised version of the Policy will be published on the Platform with an updated "Last Reviewed" date.
Where amendments are material in nature, Megamax shall notify users via email or a prominent notice on the Platform prior to the changes taking effect. Continued use of the Platform following the effective date of any revision constitutes acceptance of the revised Policy
Users are advised to bookmark this page and review it periodically. If a user wishes to close their account as a result of changes to this Policy, they may do so by contacting support@kasturihr.com.
Email: legal@megamaxservices.com
Registered Address: Megamax Services Pvt. Ltd., : 101, Pratap Nagar Mayur Vihar, Phase-1 East Delhi, Delhi-110091, INDIA.