Privacy Policy

How GRSMONIT collects, uses, protects, and respects the personal data of your workforce and organisation.

Effective Date: 1 January 2025
Last Updated: 24 February 2025
Compliant with IT Act 2000 & PDPB

01 — Overview

Who We Are & What This Policy Covers

GR Systems ("we", "us", "our") is the developer and operator of GRSMONIT, an enterprise Human Resource Management System (HRMS) designed for Indian organisations. Our registered office is located in India, and we operate the GRSMONIT platform accessible at grsystems.co.in.

This Privacy Policy explains how we collect, process, store, share, and protect personal data when you use GRSMONIT — whether you are an employer (our client), an HR administrator, a manager, or an employee accessing the platform through your organisation's subscription.

📋 Scope of This Policy

This policy applies to all users of the GRSMONIT web application, mobile application (Android & iOS), APIs, and any related services provided by GR Systems. It does not apply to third-party services linked from our platform — each has its own privacy policy.

By using GRSMONIT, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to these terms, please discontinue use of our services and contact your HR administrator or GR Systems support.

02 — Data We Collect

Information We Collect

GRSMONIT collects personal data in the course of providing HR management services. The type of data we collect depends on your role within the platform and your organisation's configured modules.

| Category | Data Types | Source |
|---|---|---|
| Identity Data | Full name, employee ID, date of birth, gender, nationality, photograph | Employer / Employee input |
| Contact Data | Official email, personal email, mobile number, residential address | Employer / Employee input |
| Employment Data | Designation, department, reporting manager, employment type, joining date, salary grade | Employer / HR admin |
| Financial Data | Bank account details, PAN, salary structure, TDS declarations, expense claims | Employee / Payroll team |
| Statutory Identifiers | PAN, Aadhaar (masked), PF UAN, ESI number, passport/visa details | Employee self-service |
| Attendance & Location | Login/logout timestamps, biometric punch data, GPS coordinates (geo-fence check-in) | Biometric device / Mobile app |
| Performance Data | KPIs, appraisal scores, goal progress, 360° feedback | HR admin / Manager / Employee |
| Technical Data | IP address, device type, browser/OS, session tokens, usage logs | Automatically via system |

⚠️ Sensitive Personal Data

Some data we process (e.g., biometric data, financial identifiers, health information for leave purposes) qualifies as Sensitive Personal Data or Information (SPDI) under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. We handle such data with additional safeguards as described in Section 05.

03 — How We Use Data

Purposes of Processing

We process personal data only for specified, explicit, and legitimate purposes. Below are the primary purposes for which GRSMONIT uses personal data:

  • HR Administration: Managing employee records, onboarding, transfers, promotions, and exit formalities on behalf of the employing organisation.
  • Payroll Processing: Computing salaries, processing statutory deductions (PF, ESI, TDS, PT), disbursing payments, and generating payslips and compliance returns.
  • Attendance Management: Recording and reporting employee attendance, leave balances, overtime, and shift schedules.
  • Performance Management: Facilitating appraisal cycles, goal tracking, and feedback collection between employees and managers.
  • Statutory Compliance: Filing returns, generating Form 16, 24Q, PF/ESI challans, and maintaining records mandated by Indian labour laws.
  • Employee Self-Service: Enabling employees to access their own payslips, apply for leave, raise requests, and manage their personal details.
  • Security & Fraud Prevention: Monitoring system access, detecting unauthorised activity, and maintaining audit logs.
  • Product Improvement: Analysing aggregated, anonymised usage data to improve platform performance and features. No individual is identified in this process.
  • Customer Support: Responding to queries, resolving issues, and providing onboarding assistance to HR administrators.

🔒 Lawful Basis

Processing is performed under a contractual obligation between GR Systems and the employing organisation (our client). Employees' data is processed on behalf of their employer as a data processor. We do not use employee data for any purpose beyond the contracted HR services.

04 — Data Sharing

Who We Share Data With

GR Systems does not sell, rent, or trade personal data. We share data only in the limited circumstances described below.

  • With Your Employer: As a data processor, we share all HR data with the employing organisation (our client) who acts as the data controller. Your employer's privacy policies govern how they handle your data.
  • Government & Regulatory Authorities: We share statutory data (PF, ESI, TDS returns) with relevant Indian government bodies (EPFO, ESIC, Income Tax Department) as required by law.
  • Payroll & Banking Partners: Salary disbursement details are shared with designated banks or payment processors under strict data processing agreements.
  • Technology Sub-processors: We engage cloud infrastructure providers and third-party technology vendors who process data solely on our behalf and under our instructions. All sub-processors are bound by data processing agreements.
  • Legal Obligations: We may disclose personal data to law enforcement or courts when required by applicable Indian law, court order, or governmental authority.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.

We never share personal data with advertisers, data brokers, or any third party for marketing purposes.

05 — Storage & Security

How We Store & Protect Your Data

GR Systems implements industry-standard technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.

🛡️ Data Residency

All GRSMONIT data is stored on servers located within the Republic of India, in compliance with applicable data localisation requirements. We do not transfer employee data outside India without explicit contractual provisions and appropriate safeguards.

  • Encryption in Transit: All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Sensitive data fields (including Aadhaar, PAN, bank details) are encrypted using AES-256 at rest.
  • Role-Based Access Control (RBAC): Access to personal data is restricted to authorised personnel only, based on their functional role within the platform.
  • Biometric Data Handling: Biometric data (fingerprint templates) is stored only on-device or within the employer's biometric device and is not transmitted to GR Systems servers in raw form.
  • Audit Logs: All access and modification events are logged with timestamps and user identifiers for accountability.
  • Security Assessments: We conduct periodic vulnerability assessments and penetration testing to identify and address security risks.
  • Incident Response: In the event of a data breach affecting your personal data, we will notify the concerned organisation and regulatory authorities as required by law, within the mandated timelines.

06 — Data Retention

How Long We Keep Your Data

We retain personal data for as long as necessary to fulfil the purposes described in this policy or as required by applicable Indian law, including statutory retention obligations under the Employees' Provident Funds Act, Income Tax Act, and other labour legislation.

| Data Type | Retention Period | Basis |
|---|---|---|
| Employee Records | Duration of employment + 7 years | Legal / Statutory |
| Payroll & Salary Data | 8 years from date of processing | Income Tax Act |
| PF / ESI Records | 5 years minimum post-separation | EPF & ESI Act |
| Attendance Logs | 3 years from date of record | Contract / Compliance |
| Audit & System Logs | 1 year from creation | Security Policy |
| Recruitment Records | 2 years from application date | Contract |

Upon expiry of the retention period, data is securely deleted or anonymised in accordance with our data destruction policy. Backup copies are purged within 90 days of scheduled deletion.

07 — Your Rights

Your Data Rights

Subject to applicable law and the role of GR Systems as a data processor (on behalf of your employer), individuals have the following rights with respect to their personal data:

  • Right to Access: Request a copy of the personal data we hold about you, including the categories and purposes of processing.
  • Right to Correction: Request correction of inaccurate or incomplete personal data. Employees can update many details directly via the self-service portal.
  • Right to Erasure: Request deletion of personal data where there is no legal basis for continued processing, subject to statutory retention obligations.
  • Right to Portability: Request your personal data in a structured, machine-readable format (CSV/PDF) for transfer to another service or employer.
  • Right to Restrict Processing: Request that we restrict processing of your personal data in certain circumstances, such as when accuracy is contested.
  • Right to Object: Object to processing of your personal data for purposes beyond what is strictly necessary for your employment relationship.

📌 How to Exercise Your Rights

Since GRSMONIT processes data on behalf of your employer, most data rights requests should first be directed to your HR department. For requests that must be addressed directly by GR Systems, email us at privacy@grsystems.co.in. We will respond within 30 days of receiving a verifiable request.

08 — Cookies

Cookies & Tracking Technologies

GRSMONIT uses cookies and similar tracking technologies to operate the web application and ensure a secure, functional experience. We do not use advertising or behavioural tracking cookies.

| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session Cookies | Essential | Maintain user authentication and session state during login | Session (deleted on logout) |
| Security Cookies | Essential | CSRF protection and request integrity verification | Session |
| Preference Cookies | Functional | Remember user interface preferences (language, theme, date format) | 12 months |
| Analytics Cookies | Functional | Anonymised usage statistics to improve platform performance. No personal identifiers are tracked. | 90 days |

Essential cookies cannot be disabled as they are necessary for the application to function. Functional cookies can be managed through your browser settings. Blocking cookies may affect certain features of the platform.

09 — Third-Party Services

Third-Party Integrations

GRSMONIT may integrate with third-party services as part of your organisation's configured setup. Where such integrations involve transfer of personal data, we ensure appropriate contractual safeguards are in place.

  • Biometric Device Vendors: Integration with third-party attendance hardware (e.g., ZKTeco, Essl) for punch data sync. Data is transmitted over encrypted channels.
  • Banking & Payment Gateways: Salary disbursement integrations with NEFT/RTGS systems. Only the minimum data required for the transaction is shared.
  • Government Portals: Automated filing with EPFO Unified Portal, ESIC portal, and TRACES for TDS returns.
  • Cloud Infrastructure: We use reputable cloud providers with data centre locations in India for hosting and backup services.

GR Systems is not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party service with which your organisation integrates.

10 — Children's Privacy

Children's Privacy

GRSMONIT is an enterprise software platform intended solely for use by organisations and their adult employees. Our services are not directed at individuals under the age of 18.

We do not knowingly collect personal data from minors. If you believe that a minor's personal data has been submitted to our platform in error, please contact us immediately at privacy@grsystems.co.in and we will take prompt action to delete such data.

11 — Policy Changes

Changes to This Policy

GR Systems reserves the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Notify subscribed organisation administrators via email with a summary of the changes.
  • Display an in-application notification for all users upon their next login.
  • Provide at least 14 days' notice before major changes take effect, except where required by law to act sooner.

Your continued use of GRSMONIT after the effective date of any changes constitutes acceptance of the revised Privacy Policy. We encourage you to review this page periodically to stay informed of updates.

12 — Contact

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please reach out to us through the following channels:

Data Protection Officer

GR Systems
India

privacy@grsystems.co.in

General Support

For product queries and technical support related to GRSMONIT.

support@grsystems.co.in
grsystems.co.in

⏱️ Response Timeline

We are committed to responding to all privacy-related queries within 30 calendar days of receipt. For urgent data breach notifications or legal requests, please mark your email as URGENT for prioritised handling.