How DecentroHR (a product of BitDecentro) collects, uses, shares, secures and retains personal data — and the rights you have over it under India's DPDP Act 2023 and the EU/UK GDPR.
This document is written in good faith and in plain language. It is not legal advice; for a binding agreement tailored to your jurisdiction, request our signed master services agreement and Data Processing Addendum (DPA) at [email protected].
DecentroHR (“DecentroHR”, “we”, “us”, “our”) is an AI-native HR and payroll platform operated by BitDecentro. This Privacy Policy explains how we handle personal data across our websites, applications, APIs and related services (together, the “Service”).
This policy is written to align with the Digital Personal Data Protection Act, 2023 (India), and, where applicable, the EU and UK General Data Protection Regulation (GDPR). By using the Service you acknowledge the practices described here.
This policy covers personal data we process as part of running our business and delivering the Service. It does not replace any agreement between DecentroHR and a customer organisation, which governs the employee data that organisation stores in the Service.
Data-protection law distinguishes the party that decides why and how data is processed (the controller / data fiduciary) from the party that processes it on their behalf (the processor / data processor).
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, work email, role, hashed password, 2FA secrets, API tokens (hashed) | You / your employer |
| Employee & HR records | Profiles, documents, org placement, attendance, leave — entered by our customers | Our customer (controller) |
| Payroll & financial | Salary structures, statutory IDs (PF/ESI/PAN), bank details (encrypted), payslips | Our customer (controller) |
| Usage & device | IP address, browser/device type, log timestamps, feature usage, audit events | Automatically |
| Billing | Company name, billing contact, plan, payment status (card data held by our processor) | You |
| Support & comms | Messages, demo requests, and lead-capture form submissions | You |
We do not intentionally collect special-category data beyond what is strictly required for statutory payroll (for example, certain government identifiers). We never require more than is necessary for the stated purpose.
We process personal data for these purposes and on these legal bases:
We do not sell personal data, and we do not use customer or employee data to train third-party AI models.
The DecentroHR AI assistant operates on your workspace data to answer questions and perform permitted actions, always bound by the requesting user’s role-based permissions.
Prompts and the data needed to answer them may be sent to our AI sub-processor (Anthropic) purely to generate a response. That data is not used to train their or any models, is not retained by the model provider for training, and remains subject to this policy and our DPA.
We use a small number of strictly necessary cookies (for sessions, security and CSRF protection) and privacy-respecting product analytics. We do not use third-party advertising cookies.
You can control cookies through your browser settings; blocking essential cookies will prevent you from signing in.
Indian customer data can be kept in-region (AWS ap-south-1). Where data is transferred outside its country of origin — for example to an email or AI sub-processor — we rely on appropriate safeguards such as Standard Contractual Clauses and equivalent contractual protections, and we minimise what is transferred.
We retain personal data only as long as needed for the purposes above, or as required by law.
We protect personal data with controls enforced in code, not merely in policy: per-tenant isolation via Postgres row-level security, AES-256 encryption at rest, TLS 1.2+ in transit, field-level encryption for secrets, TOTP two-factor authentication, scoped and hashed tokens, and an append-only, hash-chained payroll ledger. See our security page for detail.
Subject to applicable law, you have the right to:
Employees of a customer should direct requests to their employer (the controller); we will assist the customer in responding. To exercise rights for data we control, contact [email protected]. We respond within statutory timeframes and do not charge for reasonable requests.
The Service is intended for use by businesses and their workforce, not by children. We do not knowingly collect personal data from anyone under the age required to be an employee. If you believe a child’s data has been provided to us, contact us and we will delete it.
We maintain an incident-response process. In the event of a personal-data breach likely to result in risk, we will notify affected customers and the relevant authorities (including the Data Protection Board of India and, where applicable, GDPR supervisory authorities) without undue delay and within statutory timeframes, and provide the information needed to meet your own obligations.
We may update this policy to reflect changes in the Service or the law. We will post the new version here with an updated “Last updated” date and, for material changes, provide additional notice (for example by email or in-product). Continued use after the effective date constitutes acceptance.
For any privacy question, request or complaint, contact our Grievance Officer / Data Protection point of contact:
We will acknowledge grievances promptly and resolve them within the timelines required by the DPDP Act, 2023.