TERMS OF USE & LEGAL POLICY

Last modified: 21st May 2026

These Terms of Use and Legal Policy (“Terms”) govern access to and use of the website, platforms, dashboards, APIs, and related services (“Website” and “Services”) operated by Cresce Technology Private Limited, a company incorporated under the laws of India and having its Corporate office at 10th Floor, Tower C, Unitech Cyber Park, Unit No. 1002 & 1003, Sector 39, Gurugram, Haryana 122003 (“Company”, “we”, “us”, or “our”).

By accessing or using the Website or Services, you agree to be bound by these Terms.

1. DEFINITIONS

For the purposes of these Terms:

  • “Client” / “Customer” means any organization or entity that has entered into a commercial arrangement with the Company for HR, payroll, remuneration, or related services.
  • “End-User” / “User” means any individual accessing the Services, including employees, consultants, contractors, or authorized representatives of a Client.
  • “Applicable Law” includes, without limitation:
    • India: Digital Personal Data Protection Act, 2023
    • EU: GDPR (EU) 2016/679
    • USA: Applicable federal and state privacy, payroll, and consumer protection laws
    • Singapore: Personal Data Protection Act, 2012

2. SCOPE OF SERVICES

The Company provides technology-enabled services including, but not limited to:

  • Payroll and remuneration processing
  • Employee compensation and benefits administration
  • HR data management and reporting
  • Statutory and compliance-related processing
  • Financial transaction facilitation connected to employment

The Company does not act as an employer of record unless expressly agreed in writing.

Subscription and Payment Dependency
Access to and use of the Services is subject to the Client’s compliance with applicable subscription, billing, and payment terms. The Company reserves the right to suspend, restrict, or terminate Services in the event of non-payment, failed transactions, or expiry of subscription in accordance with applicable agreements.

3. ELIGIBILITY & AUTHORITY

By accessing or using the Website or Services, you represent that:

  • You are legally competent to enter into binding obligations; and
  • If you are accessing the Services on behalf of a Client, you are duly authorised to do so.

4. DATA PROTECTION ROLES & CONSENT RESPONSIBILITY

4.1 Client as Controller / Data Fiduciary

The Client acknowledges and agrees that it acts as the Data Controller / Data Fiduciary in respect of Personal Data of its employees and End-Users.

4.2 Client Obligation to Obtain Consent

The Client is solely responsible for:

  • Providing legally compliant privacy notices to its employees / End-Users;
  • Obtaining and maintaining all required consents, authorisations, or lawful bases under Applicable Law before sharing Personal Data with the Company;
  • Ensuring that such data is lawfully collected, accurate, and limited to what is necessary.

The Company relies on the Client’s representations and does not independently obtain consent from End-Users, except where mandatory under Applicable Law.

5. COMPANY’S ROLE AS SERVICE PROVIDER / PROCESSOR

The Company:

  • Acts as a data processor / service provider / data intermediary;
  • Processes Personal Data solely on documented instructions of the Client;
  • Does not determine the purpose of employee data processing;
  • Shall not be liable for any failure by the Client to obtain valid consent or comply with Applicable Law.
  • The Company may use anonymised and aggregated data derived from the use of the Services for analytics, product improvement, service optimisation, and development or promotion of its offerings, provided such data does not identify any individual.

6. USER OBLIGATIONS

Users agree to:

  • Access the Services only for lawful and authorised purposes;
  • Not misuse, interfere with, or disrupt the Website or Services;
  • Maintain confidentiality of login credentials;
  • Immediately notify the Company of unauthorised access or security incidents.
  • The Client shall be responsible for managing user access rights, maintaining confidentiality of credentials, and implementing internal controls. Any activity performed using valid credentials shall be deemed authorised by the Client, and the Company shall not be liable for any data loss, deletion, or alteration arising from such authorised use.
  • The Services may collect device-level, usage, and location-based data where enabled by the Client. The Client shall be responsible for ensuring appropriate notice and consent for such data collection.
6A. USER CONTENT AND COMMUNICATIONS

The Company provides a technology platform for the transmission, storage, and management of content by Clients and End Users and does not monitor, review, or control such content. The Client shall be solely responsible for any announcements, notices, communications, or materials shared through the Services, including ensuring compliance with applicable laws and avoiding content that is unlawful, offensive, or infringing. The Company shall not be liable for any such content or its consequences.

7. DATA SUBJECT REQUESTS

End-Users acknowledge that:

  • Requests relating to access, correction, deletion, restriction, or withdrawal of consent must be routed through the Client;
  • The Company shall act on such requests only upon lawful instruction from the Client, unless directly required by Applicable Law and in a timeframe that is reasonably possible & in line with company’s internal SOPs.
  • Where deletion or erasure requests are received and approved by the Client, the Company shall take reasonable steps to delete such data from its systems and communicate such requests to relevant third-party processors, subject to technical feasibility and legal obligations.

8. DISCLOSURE OF INFORMATION

Personal Data may be disclosed to third parties (including banks, payment processors, government authorities, and service providers) only pursuant to the Client’s lawful authority, consent, or statutory obligation, and subject to contractual and security safeguards.

The Company may engage third-party service providers, including cloud hosting, analytics, security, and communication platforms, located in India and other jurisdictions. Personal Data may be shared with such service providers strictly for service delivery purposes and subject to contractual safeguards. The Company shall not be liable for acts or omissions of such third parties beyond its reasonable control.

9. INTELLECTUAL PROPERTY

All intellectual property rights in the Website, Services, software, algorithms, databases, trademarks, and related materials are owned by or licensed to the Company, its parent entity, and its subsidiaries or affiliates. No ownership rights are transferred to the Client or End User, except for a limited, non-exclusive, revocable right to use the Services in accordance with these Terms.

10. CONFIDENTIALITY

Each party shall maintain the confidentiality of proprietary, technical, commercial, or personal data received during the course of using the Services, except where disclosure is required by law.

11. DISCLAIMERS

  • The Website and Services are provided on an “as is” and “as available” basis.
  • The Company does not warrant uninterrupted or error-free operation.
  • The Company does not provide legal, tax, or employment advice unless expressly agreed in writing.
  • The Services operate based on inputs and configurations provided by the Client. The Company does not independently verify payroll calculations, tax computations, or statutory outputs and shall not be responsible for inaccuracies arising from incorrect data or configurations.
  • The Company acts solely as a technology service provider and does not act as an employer, co-employer, or employer of record. All employment-related obligations remain solely with the Client.
  • The Company does not guarantee uninterrupted or error-free availability of the Services. Downtime may occur due to maintenance, technical issues, or third-party dependencies. To the extent applicable, service credits shall constitute the sole and exclusive remedy.

12. LIMITATION OF LIABILITY

To the maximum extent permitted by Applicable Law:

  • The Company shall not be liable for indirect, incidental, consequential, or punitive damages;
  • The Company shall not be liable for claims arising from:
    • Client’s failure to obtain valid consent;
    • Unlawful data provided by the Client;
    • Instructions received from the Client;
  • Aggregate liability shall be limited to fees paid by the Client in the preceding twelve (12) months.
  • Any claim or dispute arising under these Terms must be raised within ninety (90) days from the date of occurrence, failing which such claim shall be deemed waived.

13. INDEMNITY BY CLIENT

The Client agrees to indemnify and hold harmless the Company against any claims, losses, penalties, or regulatory actions arising from:

  • Failure to obtain or maintain lawful consent;
  • Breach of Applicable Law by the Client;
  • Inaccurate or unlawful Personal Data shared with the Company.

14. THIRD-PARTY LINKS

The Website may contain links to third-party websites. The Company is not responsible for their content or practices.

15. TERMINATION

The Company may suspend or terminate access to the Website, or Services:

  • For breach of these Terms;
  • To comply with legal obligations;
  • For security or operational reasons.
15A. ASSIGNMENT

The Company may assign, transfer, or novate its rights and obligations under these Terms to any affiliate, successor, or third party, including in connection with any merger, acquisition, restructuring, or business transfer, without prior consent of the Client or User.

16. GOVERNING LAW & JURISDICTION

These Terms shall be governed by and construed in accordance with the laws of India.

In the event of any dispute, controversy, claim, or difference arising out of or in connection with these Terms, including any question regarding their existence, validity, interpretation, performance, breach, or termination (“Dispute”), the parties shall first attempt to resolve such Dispute amicably through good faith discussions within a period of fifteen (15) days from the date on which one party notifies the other of the Dispute.

If the Dispute is not resolved within the aforesaid period, the same shall be referred to and finally resolved by arbitration in accordance with the provisions of the Arbitration and Conciliation Act, 1996, as amended from time to time.

The arbitration shall be conducted by a sole arbitrator, who shall be appointed exclusively by the Company. The User and/or Client hereby expressly agrees to such appointment mechanism and waives any objection to the same.

The seat and venue of arbitration shall be Delhi NCR, India, and the arbitration proceedings shall be conducted in the English language.

The arbitral proceedings may be conducted physically or through virtual or online means, at the discretion of the arbitrator.

The arbitral award shall be final and binding on the parties and shall be enforceable in accordance with applicable law. The parties agree that no appeal shall lie against the arbitral award except as permitted under applicable law.

The costs and expenses of arbitration, including the arbitrator’s fees, shall be borne equally by the parties unless otherwise determined by the arbitrator.

Subject to the above, courts at Gurugram, Haryana, India shall have exclusive jurisdiction for the purposes of interim relief, enforcement of arbitral awards, or any matter not subject to arbitration.

17. CHANGES TO TERMS

The Company may update these Terms from time to time. Continued use of the Website/Application/Service constitutes acceptance of revised Terms.

18. CONTACT INFORMATION

Legal & Compliance Team

Email: compliance@salarybox.in 

Address: 10th Floor, Unitech Cyber park, Unit No 1002 & 1003, Sector 39, Gurugram, Haryana 122003

ANNEXURE A – INDIA (DPDP ACT, 2023)

A.1 Applicability

This Annexure applies where Personal Data is processed in connection with individuals located in India and is governed by the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and rules issued thereunder.

A.2 Roles
  • Client / Customer: Data Fiduciary
  • Company: Data Processor acting on behalf of the Data Fiduciary
A.3 Consent & Notice Responsibility

The Client confirms that it:

  • Has issued a valid DPDP-compliant notice to its employees / end-users;
  • Has obtained free, informed, specific, unconditional, and unambiguous consent, where required;
  • Has lawful authority to share Personal Data with the Company.

The Company processes Personal Data only on instructions of the Client and does not independently obtain consent.

A.4 Processing Without Consent

Where processing is undertaken under “legitimate uses” (employment, payroll, statutory compliance), the Client confirms that such processing is permitted under Section 7 of the DPDP Act.

A.5 Data Principal Rights

Requests for access, correction, erasure, or grievance redressal shall be routed through the Client. The Company shall assist the Client as required under law.

A.6 Grievance Redressal

Primary grievance responsibility lies with the Client. The Company shall designate a grievance contact for processor-level issues.

ANNEXURE B – EUROPEAN UNION (GDPR)

B.1 Applicability

This Annexure applies where Personal Data of individuals located in the European Economic Area (EEA) is processed and is governed by GDPR (EU) 2016/679.

B.2 Roles
  • Client: Data Controller (Articles 4(7), 24)
  • Company: Data Processor (Articles 4(8), 28)
B.3 Lawful Basis & Consent

The Client represents that:

  • A valid lawful basis under Article 6 (and Article 9 where applicable) exists;
  • Employee notices under Articles 13/14 have been issued;
  • Consent, where relied upon, is GDPR-compliant.

The Company does not determine the lawful basis and relies on the Client’s instructions.

B.4 Processor Obligations

The Company:

  • Processes data only on documented instructions;
  • Implements appropriate technical and organisational measures;
  • Assists the Client with DPIAs, breach response, and rights requests.
B.5 Data Subject Rights

Data subject requests shall be directed to the Client.
The Company shall not respond directly unless legally required.

B.6 Cross-Border Transfers

Transfers outside the EEA are carried out pursuant to:

  • Standard Contractual Clauses (SCCs), or
  • Other valid GDPR transfer mechanisms.

ANNEXURE C – UNITED STATES (CCPA / CPRA & PAYROLL DATA)

C.1 Applicability

This Annexure applies where Personal Data of individuals located in the United States is processed, including under:

  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • Applicable state payroll and employment privacy laws
C.2 Roles
  • Client: “Business”
  • Company: “Service Provider / Processor”
C.3 Collection & Notice

The Client confirms that:

  • It has provided required employee and contractor privacy notices;
  • Data shared with the Company is collected lawfully and for disclosed purposes.
C.4 Restrictions on Use

The Company:

  • Processes data solely to provide contracted services;
  • Does not sell or share Personal Data;
  • Does not use data for independent commercial purposes.
C.5 Consumer Rights

Requests relating to access, deletion, or correction must be submitted to the Client.
The Company will assist the Client as required under law.

ANNEXURE D – SINGAPORE (PDPA, 2012)

D.1 Applicability

This Annexure applies where Personal Data of individuals located in Singapore is processed under the Personal Data Protection Act, 2012 (PDPA).

D.2 Roles
  • Client: Organisation with primary consent and notification obligations
  • Company: Data Intermediary
D.3 Consent & Notification

The Client confirms that it:

  • Has notified individuals of purposes of processing;
  • Has obtained valid consent or relies on applicable PDPA exceptions;
  • Has authority to disclose Personal Data to the Company.
D.4 Intermediary Obligations

The Company:

  • Processes Personal Data only on behalf of the Client;
  • Implements reasonable security arrangements;
  • Does not use data for independent purposes.
D.5 Access & Correction

Requests shall be routed through the Client.
The Company shall provide reasonable assistance.