Privacy Policy

Last modified: 21st May 2026

This Privacy Policy (“Policy”) describes how Cresce Technology Private Limited, a company incorporated under the laws of India and having its corporate office at 10th Floor, Tower C, Unitech Cyber Park, Unit No. 1002 & 1003, Sector 39, Gurugram, Haryana 122003 (“Company”, “we”, “us”, or “our”), collects, uses, stores, discloses, transfers, and protects Personal Data in connection with its human resources technology platforms, payroll processing, employee remuneration management, benefits administration, and related services (“Services”).

This Policy is framed in compliance with applicable data protection and privacy laws in India, the European Union, the United States of America, and Singapore, and applies to all users of our Services, including Clients, Customers, End-Users, and other Data Subjects.

 

1. DEFINITIONS

For the purposes of this Policy:

  • “Applicable Law” includes, without limitation:
    • India: Digital Personal Data Protection Act, 2023 (“DPDP Act”)
    • European Union: General Data Protection Regulation (EU) 2016/679 (“GDPR”)
    • United States: Applicable federal and state privacy laws including CCPA/CPRA, GLBA (where applicable), and state payroll or financial data protection laws
    • Singapore: Personal Data Protection Act, 2012 (“PDPA”)
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Sensitive Personal Data / Special Category Data” includes financial data, bank details, government identifiers, health or benefits-related data, biometric identifiers (if any), and any data classified as sensitive under Applicable Law.
  • “Client” means an organization that has entered into a commercial agreement with the Company.
  • “End-User” / “User” means an individual employee, consultant, contractor, or authorized representative whose data is processed through the Services.
  • “Processing” includes collection, recording, storage, structuring, use, disclosure, transfer, deletion, or destruction.

2. SCOPE AND APPLICABILITY

This Policy applies to:

  • Clients using the Company’s HR Tech platforms;
  • End-Users whose Personal Data is processed as part of payroll, compensation, benefits, compliance, or financial transactions;
  • Visitors to our websites, portals, dashboards, mobile applications, or APIs;
  • Third parties interacting with us in a business or service delivery context.

Processing of Personal Data may be subject to the Client’s subscription status, payment compliance, and service continuity terms as defined in applicable agreements. Suspension or termination of services may impact data access and processing.

Where there is a conflict between this Policy and a specific Data Processing Agreement (DPA) or Master Services Agreement (MSA) executed with a Client, the contractual terms shall prevail to the extent permitted by Applicable Law.

3. ROLES UNDER DATA PROTECTION LAWS

Depending on the nature of engagement:

  • The Company may act as (in line with the Geographical Law as defined in this section):
    • Data Processor (or “Data Fiduciary acting on behalf of another”) where it processes Personal Data on documented instructions of the Client; or
    • Independent Data Controller where it determines the purposes and means of Processing (e.g., platform security, compliance, billing, analytics).
  • Clients typically act as Data Controllers in relation to employee Personal Data. Consent obligations primarily vest with the Client.
  • The Company acts solely as a technology service provider and does not assume the role of employer, employer of record, or agent. All employment-related obligations remain solely with the Client.
  • Under Global Laws the definitions shall be:
    • India (DPDP Act, 2023)
      • Client = Data Fiduciary; Company = Data Processor acting on instructions
    • EU (GDPR)
      • Client = Controller (Articles 4 & 24); Company = Processor (Article 28)
    • USA (CCPA/CPRA, payroll context)
      • Company = Service Provider / Processor; Client = Business
    • Singapore (PDPA)
      • Client retains consent and notification obligations; Company acts as Data Intermediary

4. CATEGORIES OF PERSONAL DATA COLLECTED

We may collect and process the following categories of data:

4.1 Identification & Contact Data
  • Name, date of birth, gender
  • Email address, phone number
  • Residential address
  • Employee ID or unique identifiers
4.2 Employment & HR Data
  • Employment status, designation, department
  • Salary structure, compensation components
  • Attendance, leave, payroll records
  • Performance-linked remuneration data (where applicable)
4.3 Financial & Transaction Data
  • Bank account details
  • Salary disbursement records
  • Tax deduction and statutory contribution details
  • Invoices, payment confirmations, reimbursement records
4.4 Government & Statutory Data
  • PAN, Aadhaar (where lawfully required and permitted)
  • Social security, provident fund, insurance identifiers
  • Tax identification numbers
4.5 Technical & Usage Data
  • IP address, device identifiers
  • Login logs, audit trails
  • Platform usage metrics
4.6 Sensitive / Special Category Data
  • Benefits-related health information (only where required)
  • Biometric data (only if explicitly enabled and consented)
  • Any data classified as sensitive under Applicable Law
4.7 Location and Device-Level Data

The Platform may collect, process, and store real-time or periodic location data (including GPS-based location, IP-based location, or geo-coordinates) and device-level information (including device identifiers, operating system, application usage, and diagnostic data) where such features are enabled by the Client or permitted by the End-User.

Such data is collected for legitimate purposes including attendance tracking, workforce management, fraud prevention, security monitoring, and service optimisation. The Client is responsible for ensuring that appropriate notice and consent have been obtained from End-Users for such data collection, in accordance with applicable law.

5. PURPOSES OF PROCESSING

The Company acts solely as a technology platform enabling the transmission, storage, and management of content by Clients and End Users. The Company does not monitor, review, or control such content and shall not be responsible for any announcements, communications, or materials shared through the Platform. The Client remains solely responsible for ensuring that such content complies with applicable laws.

Payroll outputs generated through the Platform are based solely on Client-provided inputs and configurations. The Company does not independently verify such data and shall not be responsible for inaccuracies arising from incorrect inputs or configurations.

Personal Data is processed for the following lawful purposes:

  • Provision and administration of payroll and remuneration services
  • Execution of employment-related financial transactions
  • Statutory compliance (taxation, labour laws, social security)
  • Client account management and service delivery
  • Identity verification and fraud prevention
  • Platform security, audit logging, and risk management
  • Customer support and grievance redressal
  • Legal, regulatory, and contractual compliance
  • Business analytics and service improvement (in anonymized or aggregated form)
  • Use of anonymised and aggregated data for analytics, product improvement, service optimisation, and development or promotion of Company offerings

6. LEGAL BASIS FOR PROCESSING

Processing is undertaken based on one or more of the following legal grounds:

  • Performance of a contract
  • Compliance with legal obligations
  • Explicit consent (where required)
  • Legitimate business interests
  • Protection of vital interests
  • Employment and social security obligations under Applicable Law

7. CONSENT MANAGEMENT

7.1 ROLE OF CLIENT IN OBTAINING CONSENT

The Client / Customer acknowledges and agrees that:

  • It is the Data Controller / Data Fiduciary in respect of Personal Data of its employees, consultants, contractors, and other end-users (“End-Users”);
  • It is solely responsible for providing legally compliant privacy notices and obtaining all necessary consents, authorisations, and lawful bases from End-Users prior to sharing such Personal Data with the Company;
  • Any Personal Data shared with the Company has been lawfully collected and disclosed in accordance with Applicable Law.

The Company relies on the Client’s representations and warranties in this regard and does not independently obtain consent from End-Users unless expressly required by Applicable Law.

7.2 CONSENT MANAGEMENT

Consent Responsibility

Where consent or lawful authorisation is required under Applicable Law, such consent shall be obtained and managed by the Client, and not by the Company.

Without limitation, the Client shall ensure that:

  • Consent is free, specific, informed, unconditional, and unambiguous, where required;
  • End-Users are informed of:
    • The categories of Personal Data being processed;
    • The purposes of processing;
    • The role of the Company as a service provider / processor;
    • Any cross-border data transfers;
  • Records of consent or other lawful bases are maintained and auditable.

Company’s Position

The Company:

  • Processes Personal Data solely on the documented instructions of the Client;
  • Does not verify, validate, or independently collect End-User consent unless required by mandatory law;
  • Shall not be liable for any deficiency, invalidity, withdrawal, or inadequacy of consent obtained by the Client.
7.3 WITHDRAWAL OF CONSENT

Where an End-User withdraws consent or exercises a data subject right:

  • Such withdrawal or request shall be communicated to the Client, who remains responsible for assessing its impact;
  • The Client shall promptly instruct the Company regarding:
    • Suspension, restriction, deletion, or continued lawful processing (where another legal basis exists);
  • The Company shall act on such instructions subject to Applicable Law and contractual obligations.

The Client acknowledges that withdrawal of consent may affect the availability or continuity of certain Services, including payroll or statutory processing.

7.4 CLIENT REPRESENTATIONS & INDEMNITY

The Client represents, warrants, and undertakes that:

  • It has complied with all Applicable Laws in collecting and sharing Personal Data with the Company;
  • All required notices and consents have been obtained prior to data transfer;
  • Data shared is accurate, relevant, and limited to what is necessary.

The Client shall indemnify and hold harmless the Company against any claims, penalties, regulatory actions, or losses arising from:

  • Failure to obtain valid consent;
  • Unlawful disclosure of Personal Data;
  • Inaccurate or excessive data shared with the Company.

8.1 DISCLOSURE AND DATA SHARING

Personal Data may be disclosed to:

  • Authorized Client representatives
  • Banks, payment gateways, and financial institutions
  • Government authorities where legally mandated
  • Auditors, legal advisors, and compliance professionals
  • Cloud hosting, IT, and security service providers
  • Affiliates or group entities (where applicable)

All disclosures are governed by confidentiality obligations and data protection safeguards. Data is shared by Clients pursuant to valid consent or lawful authority.

Marketing and Partner Sharing
The Client provides express consent for the Company to share limited Client-related information, including contact details, with affiliates or business partners for marketing or promotional purposes. The Company shall not be responsible for any representations or services provided by such third parties.

8.2 USE OF THIRD-PARTY TOOLS AND INTERNATIONAL SERVICE PROVIDERS

The Company may utilise third-party tools, platforms, and service providers located in India and other jurisdictions for the purposes of hosting, analytics, security, communication, payment processing, and service delivery. In the course of such use, limited Personal Data may be shared with such third parties strictly on a need-to-know basis and in accordance with applicable data protection laws.

All such third-party service providers are contractually bound to implement appropriate technical and organisational safeguards and process Personal Data in compliance with applicable laws.

In the event of a valid data deletion request from a Client or End-User, the Company shall take reasonable steps to delete such Personal Data from its systems and shall also communicate such deletion requests to relevant third-party processors, subject to technical feasibility and legal obligations. The Company shall not be liable for any delay or failure attributable to such third parties.

9. CROSS-BORDER DATA TRANSFERS

Personal Data may be transferred outside India, the EU, the USA, or Singapore where necessary for service delivery, subject to:

  • Adequate safeguards (Standard Contractual Clauses, intra-group agreements)
  • Compliance with transfer restrictions under Applicable Law
  • Data localization requirements (where applicable)

The Client acknowledges and consents to such cross-border transfers where necessary for service delivery, including transfers to third-party service providers engaged by the Company.

10. DATA RETENTION

The Company retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including for the provision of Services, compliance with contractual obligations, resolution of disputes, enforcement of legal rights, and adherence to applicable statutory and regulatory requirements.

Retention periods may vary depending on the nature of data and applicable legal obligations, including tax, employment, and financial regulations. Upon expiry of the applicable retention period, or upon receipt of valid deletion instructions from the Client, Personal Data shall be securely deleted, anonymised, or irreversibly de-identified, unless retention is required or permitted under applicable law.

The Client acknowledges that backup systems and archival storage may retain data for a limited period beyond deletion in accordance with standard data recovery practices.

11. DATA SECURITY MEASURES

11.1 The Company implements appropriate technical and organizational measures, including:
  • Encryption of data at rest and in transit
  • Role-based access controls
  • Multi-factor authentication
  • Secure audit logs
  • Regular vulnerability assessments and penetration testing
  • Incident response and breach notification procedures
11.2 User Access and Data Control

The Client is responsible for managing user access permissions, safeguarding login credentials, and implementing internal controls. Any activity performed using valid credentials shall be deemed authorised by the Client. The Company shall not be liable for any data loss, deletion, or alteration resulting from actions taken by authorised users.

11.3 Service Availability

The Platform is provided on an “as available” basis. The Company does not guarantee uninterrupted or error-free service. Any downtime or service disruption may occur due to maintenance, technical issues, or third-party dependencies. To the extent applicable, service credits (if offered) shall be the sole remedy.

11.4. INTELLECTUAL PROPERTY

All intellectual property rights in and to the Platform, including but not limited to software, algorithms, databases, designs, trademarks, content, and underlying technology, shall remain the exclusive property of the Company, its parent entity, and its subsidiaries or affiliates. Nothing contained in this Policy shall be construed as transferring any ownership rights to the Client or End-User, except for limited rights to use the Platform in accordance with applicable agreements.

12. DATA SUBJECT RIGHTS

Subject to Applicable Law, Data Subjects may exercise the following rights:

  • Right to access
  • Right to correction or rectification
  • Right to erasure (right to be forgotten)
  • Right to data portability
  • Right to restrict or object to processing
  • Right to withdraw consent
  • Right to grievance redressal and complaint

Requests may be made as per Section 15 of this Policy. Requests are routed via the Client, except where law mandates direct handling

13. AUTOMATED DECISION-MAKING

The Company does not engage in fully automated decision-making with legal or significant effects on individuals, unless expressly agreed and permitted by law.

14. CHILDREN’S DATA

The Services are not intended for individuals below the age of 18. We do not knowingly process children’s Personal Data.

15. GRIEVANCE REDRESSAL & CONTACT DETAILS

Grievance Officer / Data Protection Officer

Name: Vishal Arora
Email: grievanceofficer@salarybox.in 
Address:  10th Floor, Unitech Cyber Park, Unit No, 1002 & 1003, Sector 39, Gurugram, Haryana 122003

Complaints shall be addressed within timelines prescribed under Applicable Law.

16. CHANGES TO THIS POLICY

We may update this Policy from time to time. Material changes will be notified through appropriate channels.

17. Cookies and Similar Technologies

17.1. Use of Cookies and Tracking Technologies

The Company uses cookies and similar tracking technologies, including pixels, web beacons, software development kits (SDKs), and local storage objects (collectively, “Cookies”), on its website and mobile applications (collectively, the “Platform”) to ensure the proper functioning of the Platform, enhance user experience, maintain security, analyze usage trends, and support service delivery.

Cookies are small data files stored on a user’s device that enable the Platform to recognize the device, retain certain information, and facilitate efficient navigation and use of the Platform.

17.2. Categories of Cookies Used

The Company may use the following categories of Cookies:

  1. Strictly Necessary Cookies
    These Cookies are essential for the operation of the Platform and enable core functionalities such as user authentication, secure login, session management, access control, and fraud prevention. The Platform cannot function properly without these Cookies.
  2. Functional Cookies
    These Cookies allow the Platform to remember user preferences such as language selection, regional settings, and user-specific configurations to provide enhanced and personalized functionality.
  3. Performance and Analytics Cookies
    These Cookies collect aggregated and anonymized information regarding how users interact with the Platform, including pages visited, features accessed, error logs, and response times. Such data is used solely for improving system performance, service efficiency, and user experience.
  4. Security and Compliance Cookies
    Certain Cookies are deployed to monitor suspicious activities, prevent unauthorized access, detect security incidents, and comply with applicable legal and regulatory obligations.
17.3. Third-Party Cookies

The Platform may integrate third-party service providers for analytics, security monitoring, hosting, and application performance management. These third parties may place Cookies on the user’s device in accordance with their respective privacy policies. The Company does not control such third-party Cookies and disclaims liability arising from their use, except to the extent required under applicable law.

17.4. Cookies in Relation to HR, Payroll, and Salary Management Services

Given the nature of the Company’s HR-tech services, certain Cookies are necessary to ensure secure access to salary information, payroll processing modules, employee dashboards, audit logs, and compliance features. These Cookies do not store financial credentials or sensitive personal data in readable form and are used strictly for system integrity, access control, and transactional continuity.

17.5. Consent and Control

Where required under applicable law, the Company obtains user consent before deploying non-essential Cookies. Users may manage or withdraw their Cookie preferences at any time through browser or device settings. However, disabling certain Cookies may impact the availability or functionality of the Platform.

For users accessing the Platform through employer-provided accounts, consent for the use of Cookies may be obtained by the employer as part of its contractual and employment documentation, and the Company shall rely on such consent to the extent permitted under applicable law.

17.6. Legal Basis for Processing

The use of Cookies is based on one or more of the following lawful grounds, as applicable:

  • performance of a contract;
  • compliance with legal obligations;
  • legitimate interests in operating and securing the Platform; and
  • user consent, where mandated.
17.7. Updates to Cookies Practices

The Company reserves the right to modify its Cookies usage from time to time in line with technological changes, business requirements, or legal obligations. Any material changes shall be reflected in this Privacy Policy, and continued use of the Platform shall constitute acknowledgment of such updates.

17.8. Contact Information

For any queries or concerns relating to the use of Cookies or tracking technologies, users may contact the Company at the contact details provided in this Privacy Policy.

18. GOVERNING LAW

This Policy shall be governed by and construed in accordance with the laws of India, without prejudice to mandatory rights available under other Applicable Laws.