Introduction:

Asanify provides an HRMS application that is used by our customers to manage HR and payroll activities. This Asanify privacy policy applies to all our customers as well as other general users/ website visitors. Our Privacy Policy describes how Asanify collects, uses and discloses information, and what choices you have with respect to the information.

Services:

We at Asanify are committed to your privacy regarding any information that we collect while you use our software applications and websites, collectively called the Services. This Privacy Policy applies when you use our Services. Asanify operates a web-based application and chatbots called Asanify that are part of the service that we offer. The application consists of various modules, and all such products, applications, chatbots and websites are collectively called “Services”.

Data Controller and Data Processor:

We process two main types of personal data.

1. Customer Data – Personal data that forms part of data that is provided by our customers and their end-users for processing. We are the Processor of this data.

2. Other Data – Personal data about our client owners, visitors and other individuals that is collected and processed directly for marketing purposes. We are the Controller of this data.

What information do we collect?

Customer Data: As customers, you provide us with data for processing as part of your usage of our Asanify application. Customer Data is processed by us when customers or their end-users provide us with information or upload it into the service. For example, customers who use our application may upload Customer Data about themselves or their employees. This data includes recruitment related data, payroll data, employee details, employee bank details, tax records etc.

Other Data: Customers data that is necessary to create user accounts. For creation of user accounts, customers provide their name, email address, password, job title, telephone number, correspondence address, etc.

We collect data when you use our applications/websites or provide it directly to us.

● Log Data – Our servers automatically collect information when you access or use our applications and services. This data is recorded in log files. Examples of such data include IP Address.

● Session Data: We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity.

Additionally, we use this information for site optimization and fraud/security purposes. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

● Subscription Data – We also collect the information that you provide to us when signing up for our newsletters or requesting a demo of our products.

● Contact Us Data – When you inquire about our products and services, we collect and store this data to communicate with you and respond to your enquiry.

● Seminars and Conferences – We collect and retain the information that you provide during any events and seminars.

● Usage Data – Information about how you use our site, such as pages visited, time spent on pages, and links clicked.

● Device Information – Details about the device you use to access our site, including IP address, browser type, and operating system.

● Facial Images – When an organization enables selfie-based attendance verification in the app, we may collect a facial image (selfie photograph) at the time of attendance check-in. This data is collected only to support attendance verification as part of the customer’s internal policies. Facial images do not include biometric identifiers, facial templates, or faceprints used for identity recognition.

Other data – We may also combine this information collected automatically with other data we receive from third-party sources, such as data providers and marketing partners, to create a more complete profile of you. We then use this profile to communicate with you, including providing personalized advertising and promotional content based on your interests and browsing behavior. You may opt out of this at any time.

Other data that we collect: Apart from data that you provide us directly, we also collect data from social media websites such as Facebook, LinkedIn, etc. for our marketing and sales purposes.

Your Rights Under Indonesia PDPL
Indonesian users have the right to access, correct, delete, or withdraw consent for their data processing. Requests can be sent to dpo@asanify.com.
Asanify will notify affected Indonesian users and the KOMINFO authority within 3×24 hours in case of a data breach, as required under PDPL Article 46.

Cookies

We collect data through cookies.

Asanify uses cookies to help us identify and track visitors, their usage of the Asanify website, and their website access preferences. Asanify visitors can control cookies through their browser settings. Refer to our Cookie Policy for more details.

How We Use Your Data?

How we use your personal data depends on which Services you use and how you use those Services.

Customer Data will be used by Asanify in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and as required by applicable law. Asanify is a processor of Customer Data and Customer is the controller.

Facial images collected for selfie attendance are used only to support attendance verification when enabled by a customer’s internal policy. These images are captured to provide visual confirmation of presence at the time of clock-in and are not used for biometric identification, facial recognition, emotion analysis, or any form of automated profiling.

Facial images collected for attendance are never shared with third parties for advertising, analytics, marketing, or biometric services. Access to these images is restricted to authorized administrators within the customer organization for attendance or compliance purposes and to our personnel as necessary to provide the Services.

Other Data is used to send our newsletters and to communicate with you effectively by responding to your requests, comments and questions.

Lawful basis for processing

We have lawful bases to process your personal data. We have a legitimate interest in processing and, in some cases, use your consent as the basis for lawfully processing your personal data. We process your personal data only when we have a lawful basis. Presently, our lawful basis is performance of contract for processing of Customer Data and Legitimate Interest or Consent for processing Other Data. In some cases, we may also have a legal obligation to collect personal information from you. Note: As you agree to a particular processing of your data with us, you also have a right to withdraw your consent at any time.

For users located in Indonesia, Asanify processes data under PDPL-recognized bases — your explicit consent, contractual necessity, or legal obligations as defined in UU No. 27/2022.

How we use Customer data?

We use your data to authenticate and authorize access to our services.

We only process Customer Data on behalf of our customers and in accordance with their instructions provided in the applicable Services agreement or Terms of Service with us. We use your data to provide you a better experience and thus support you with our service. In each case, Asanify collects such information only when it is extremely necessary or appropriate to fulfil the purpose of the interaction with our services.

● To provide Services. We process Customer Data as a Data Processor to provide services to our clients through the Asanify application.

● To send emails and other communications. We may send you service, technical and other administrative emails, messages and other types of communications. We may also contact you to inform you about changes in our Services and our Services offerings. These communications are considered part of the Services and you may not opt out of them unless you choose not to use our Services.

● Customer Support. If you send us a request (for example via a support email or via one of our feedback mechanisms), we respond to your request and assist you in resolving the issue faster.

● Other purposes: For any other purpose as provided for in the Services Agreement between Asanify and the customer, or as otherwise authorized by the customer. In accordance with or as may be required by law.

How we use Other data?

We may send you service related messages or marketing / promotional materials. You may choose to restrict the collection or use of your personal information. We use Other Data to arrange demos of our products that you request, send you promotional material and updates about the company or invite you to conferences and events that are relevant to you. Direct marketing is carried out only if you give us consent to receive such communications from us.

Cross-border Data Transfers (Indonesia PDPL)
Personal data of users in Indonesia may be processed in India, EU or other regions via secure, encrypted AWS infrastructure. Such transfers comply with PDPL Article 55 and equivalent international standards (SOC 2 Type II, ISO 27001).

Users under 16 years of age

The Sites and Services do not knowingly collect personal information from users under the age of 16. If you are under the age of 16, you are not permitted to use the Services or to disclose Personal Information. If we learn we have collected or received Personal Information from a child under 16, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us.

Data Retention Policy

Facial images used for attendance verification are retained in accordance with customer-defined retention policies and as required by applicable laws or regulatory compliance obligations. After the retention period expires or upon customer instruction, facial images are deleted or anonymized in accordance with the Data Processing Addendum and applicable data retention practices.

Refer to our Data Processing Addendum for more details.

Security Measures to Protect your Data:

We implement reasonable security controls to prevent breaches and unauthorised access to your data. We maintain reasonable and appropriate security measures to protect Customer Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Examples of security measures include physical access controls, HTTPS, restricted access to data, monitoring for threats and vulnerabilities etc. Asanify is certified under the ISO 27001:2022.

Our Commitment to Data Protection

Asanify is committed to respecting the privacy of individuals and complying with all applicable data protection laws, including but not limited to the Digital Personal Data Protection Act, 2023 (India), the UK General Data Protection Regulation (UK GDPR), the General Data Protection Regulation (EU GDPR), and Indonesia’s Personal Data Protection Law (UU No. 27 Tahun 2022).

We process personal data fairly, lawfully, and transparently for legitimate purposes such as HR operations, payroll processing, compliance with legal obligations, and improving user experience.

We implement appropriate technical and organizational safeguards to protect your data and only share it with authorized third parties under strict confidentiality.

If you are an individual whose data we process, you may contact us to:

  • Access your data

  • Request corrections or deletion

  • Withdraw consent or restrict processing

For all data privacy-related queries or grievances, you can reach out to our Data Protection Officer (DPO) at:

Name: Priyom Sarkar
Email: dpo@asanify.com

You may also contact us at our mailing address below:

ASANIFY TECHNOLOGIES PRIVATE LIMITED

3rd floor, P-23 Raja Basanta Roy Road,

Kolkata – 700029

India.

Representative

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:
  • European Union (EU)
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/14620431650

Your Rights Under the GDPR

You have certain rights if you are within the EU. This includes:

  • Right to access. This right allows you to obtain a copy of your personal data, as well as other supplementary information.

  • Right to restrict processing. You have the right to restrict the processing of your personal data in certain circumstances.

  • Right to rectification. You have the right to have any incomplete or inaccurate information we hold about you corrected.

  • Right to object to processing. The right to object allows you to stop or prevent us from processing your personal data. This right exists where we are relying on a legitimate interest as the legal basis for processing your personal data. You also have the right to object where we are processing your personal data for direct marketing purposes.

  • Right to erasure. You have the right to ask us to delete or remove personal data when the personal data is no longer necessary for the purpose for which it was originally collected or processed.

  • Right to data portability. You have the right to receive the personal data which you have provided to us, in a way that is accessible and machine-readable.

Privacy policy change

Asanify may change this Privacy Policy from time to time, at our sole discretion. Asanify encourages its visitors and customers to frequently check this page for any changes to its Privacy Policy. We will notify you of material changes in advance by email, when you log in to the Sites and Services, or both. You confirm that your continued use of our services after any change in this Privacy Policy will constitute your acceptance of such changes, and you agree to be subject to the revised privacy policy.

Data and Record Retention and Deletion Policy

PURPOSE

To ensure storage and retention of information, data, and records per contractual and legal requirements and protection from loss, falsification, destruction, unauthorized access, and unauthorized release.

SCOPE

This policy applies to Asanify (herein referred to as Organization), its employees, including contractors, and its operations.

DEFINITION

Following is an explanation of various terms used within this document

ISMS: Information Security Management System

Information Security: Confidentiality, Integrity, Availability of information.

CEO: Chief Executive Officer

LT: Leadership Team

ISG: Information Security Group

Information: Meaningful Data

PII: Personally Identifiable Information

Electronic Data: Emails, Databases, Files, Scanned Images, and Data in storage devices such as Hard Disks, USB Drives, Tapes, etc.

Non-Electronic Data: Hard Copy Documents, Printed Documents.

Record: Can be paper files, electronic documents, correspondence (including letters, faxes, and emails), and data used in business applications and databases.

Retention: Records retention is the term applied to the safeguarding of important records that document decisions, policies, financial activities, and internal controls. A retention period is an aspect of records that identifies the duration of time for which the information should be maintained or “retained,” irrespective of format (paper, electronic, or other).

Archival: Archiving means separating no longer actively utilized records from active records. This usually means moving hard-copy records to an offsite storage facility. Archiving may also involve updating the status of digital records and moving them to separate data storage.

RESPONSIBILITIES

The primary responsibility for implementing this policy is to have all departments and teams handle data and records.

The ISG shall implement this Policy under the guidance of the Leadership Team and in coordination with Department Heads.

POLICY

IDENTIFICATION AND CLASSIFICATION OF DATA AND RECORDS

All departments shall identify the data and records that they create or handle.

All data and records belonging to Customers, External Persons, Entities, or Organizations shall also be identified under External Origin Data or Records.

As shown below, organizational classification shall be applied to all data types and records. For more details, refer to the Information Classification Policy.

Confidential

Internal Use

Public

External Origin

All types of data and records existing within the organization shall be identified and documented within the prescribed format, along with Custodian information and classification applied to the same. (Ref: Annexure A – Retention Schedule)

RETENTION PERIOD OF DATA AND RECORDS

The department that creates or handles each type of data and record shall define and apply the retention period for that type of data and record.

While deciding the retention period, the following sequence shall be followed –

Check Statutory or Regulatory or Legislative requirement of retention for each type of Data or Record,

Check if any Contractual requirement exists for the retention of each type of data or record,

Check Organizational policy about retention of data or records,

Select the highest applicable retention period and apply it to the concerned data or record.

In the case of externally provided data or records provided by an external person or entity, the retention period as specified by the external person or entity shall be referred to in addition to the above-listed sequence.

The retention period defined and applied for each type of data and record shall also be applied to the backups / archival of concerned data or records.

Records shall be appropriately archived during the retention period.

Once applied to any data or record, the retention period may not be changed without prior approval from the Leadership Team.

The retention period for all types of data and records within the organization shall be defined and documented in the prescribed format. (Ref: Annexure A – Retention Schedule)

PROTECTION OF DATA AND RECORDS

Access to each type of data or record shall be provided based on the classification applied to it.

Corresponding policies shall govern the access provision and revocation to all types of data and records.

Risks for records shall be assessed, and mitigation controls shall be implemented to protect the data and records.

Electronic data and records shall be protected from unauthorized access, theft, disclosure, corruption, changes, destruction, etc. Adequate provisions shall be made regarding the backup and redundancy of data and records in case of disaster.

Use of AI/LLM Subprocessors

Asanify may use external Large Language Models (LLMs), including OpenAI (ChatGPT) and Anthropic (Claude), to process data for enrichment, classification, or automation purposes. These subprocessors may receive personal data through prompts or programmatic queries.

Personal data shared may include names, email addresses, job descriptions, resumes, or free-text questions submitted by users.

The processing is governed by the same data protection and retention principles applicable to other subprocessors, and wherever feasible, anonymization or tokenization techniques are applied.

All such subprocessors are listed in the Data Processing Inventory. Prompt logs are retained only as per subprocessor retention policies (e.g., 30 days for OpenAI by default).

DISPOSAL / DELETION / DESTRUCTION OF DATA AND RECORDS

Data and records shall be destroyed/deleted or disposed of securely when no longer required or at the end of the retention period to avoid unauthorized access.

All electronic data and records shall be disposed of/destroyed using secure controls such as – Delete + Purge of Electronic Data and Records.

The destruction, deletion, or disposal of data or records shall also be applied to backup or archived copies at the end of the retention period.

Records of destruction, deletion, or disposal of Personal Data / PII / Confidential Information shall be retained by the concerned Department for future audits and reference.

ANNEXURE A – RETENTION SCHEDULE

| Type of Data | Retention Period |
| --- | --- |
| Application and related database | |
| Client Personal data (Client Master setup in Products) | · Retain as long as the client contract continues · Delete after 1 year from client termination date |
| Client’s end-user data or employee data within the Application hosted on AWS | · One year from the termination date of the client contract, whichever is earlier. |
| Client’s data – Files and media within the cloud | · One year from the termination date of the client contract, whichever is earlier. |
| Backup of Database | · One month |

Last updated on 19 Jan 2026.