Privacy Policy
Version 2.0 · Last updated: 12 May 2026 · Provider: StafFixHR Strategies & Software Services, Vadodara, Gujarat, India ("StafFixHR").
1. Roles under data-protection law
When a Client's HR admin or employee uses the Service, StafFixHR acts as a data processor on behalf of the Client, who is the data controller of its employees' personal data. Our obligations as processor are set out in the Data Processing Agreement (DPA).
For the small set of data we collect directly from the Client's admin signing up (name, email, billing details, IP/device data, consent records), we act as data controller. This Privacy Policy applies to that data.
2. What we collect
Account data — name, work email, phone, password (stored only as a bcrypt hash, never plaintext), company name, company address.
Billing data — invoice address, GSTIN/VAT number, payment method metadata (last 4 digits, brand, expiry). Full card numbers and CVV never touch our servers — they are handled by our payment processors (Razorpay, Stripe).
Usage & device data — IP address, user-agent, country (from Cloudflare CF-IPCountry header), language, login timestamps, page views, feature usage, API requests, error logs.
Consent data — every consent grant or refusal you make (Terms, Privacy, Data Processing, Marketing), pinned to the document version + IP + user-agent + timestamp + country.
Support communications — tickets, emails, screen captures, chat transcripts.
We do not collect special-category data (health, race, religion, sexual orientation, etc.) about Client admins. If Client Data contains such data about employees, responsibility for lawful basis lies with the Client controller (see DPA).
3. Why we use it (legal basis under GDPR Art. 6)
| Purpose | Lawful basis |
|---|---|
| Provide the Service, authenticate users, fulfil the contract | Performance of contract (6(1)(b)) |
| Bill the Client and collect payments | Performance of contract (6(1)(b)) |
| Detect fraud, secure the platform, prevent abuse | Legitimate interest (6(1)(f)) |
| Comply with statutory record-keeping (invoices, tax returns) | Legal obligation (6(1)(c)) |
| Send optional marketing emails | Consent (6(1)(a)) — opt-in only, revocable any time |
| Send transactional emails (receipts, security alerts) | Performance of contract (6(1)(b)) |
4. Who we share with
- Sub-processors we engage to run the Service. The current list is maintained at /sub-processors; at the time of this version it is:
  - Railway (us-east) — hosting + Postgres database
  - Cloudflare — DNS, CDN, IP-geolocation cookie
  - Cloudflare R2 — object storage for uploaded files
  - Razorpay (India) — payment processing (when configured)
  - Stripe (international, when enabled) — payment processing
  - Google Analytics — aggregated traffic analytics on the marketing site only
- Legal authorities — when compelled by valid law (subpoena, court order). We will challenge over-broad requests and notify the Client unless legally prohibited.
- Successors — in the event of merger, acquisition, or sale of substantially all assets. Successors are bound by this Policy or one no less protective.
We do not sell, rent, or trade personal data. We do not use Client Data for advertising or for training AI/ML models that benefit other clients.
5. Where data is stored (international transfers)
The primary database is hosted in the United States (Railway us-east region). Object storage uses Cloudflare R2 (global edge, primary writes in the EU/US depending on bucket region). Backups are stored in the same regions for 365 days.
Transfers from the EEA / UK / Switzerland to a third country rely on the European Commission's 2021 Standard Contractual Clauses (SCCs, using the module matching the controller/processor relationship) together with the UK International Data Transfer Addendum (IDTA Addendum). We will provide a copy on request.
Data-residency in the customer's region is on our roadmap for Enterprise plans. Contact legal@staffixhr.com if you require it.
6. How long we keep it
- Account & profile data: retained for the life of the account plus 30 days after termination; after that it is deleted from active systems within 90 days and from backups within 365 days (the backup retention period in Section 5).
- Client Data: per the DPA and the Client's instructions.
- Billing records: at least 8 years to meet Indian Companies Act / GST and equivalent overseas statutory retention.
- Consent records: for the life of the account, then 3 years after termination as audit evidence.
- Logs / audit trails: 12 months rolling.
- Support tickets: 3 years.
7. Your rights
Under GDPR / UK GDPR / CCPA / DPDP Act 2023 (India) and similar laws, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Erase your data (subject to legal-retention exceptions).
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time (without affecting prior processing).
- Lodge a complaint with your local data-protection authority.
Exercise these rights by emailing privacy@staffixhr.com from the email on your account. We will respond within 30 days (or sooner where mandatory). For Client employees, route your request through your HR — the Client (data controller) is the primary contact.
8. Cookies
We use only essential cookies (auth, session, CSRF, locale, Cloudflare IP-country). We do not use third-party advertising or tracking cookies. Google Analytics on the public marketing site uses anonymised IPs and is the only optional analytics cookie; you can opt out via browser DNT or the Google opt-out add-on.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child's data is on the Service, contact us and we will delete it.
10. Security
See Section 11 of the Terms of Service. Notwithstanding our measures, no system is 100% secure. Report suspected vulnerabilities to security@staffixhr.com.
11. Changes to this Policy
Material changes are notified by email and posted in-product 30 days before they take effect. Each version is version-pinned in our consent log.
12. Governing law & jurisdiction
Any dispute arising under or in connection with this Privacy Policy is governed by the laws of India and subject to the exclusive jurisdiction of the courts at Vadodara, Gujarat, India, without prejudice to any non-waivable data-subject right to lodge a complaint with their local supervisory authority.
13. Contact
- Privacy / data-subject requests: privacy@staffixhr.com
- Data Protection Officer (DPO): dpo@staffixhr.com — currently a designated lead within StafFixHR; we will appoint an external DPO when EU customer headcount requires it.
- Postal: StafFixHR Strategies & Software Services, Vardhman Enclave, Vadodara 390012, Gujarat, India.
- EU representative under GDPR Art. 27: to be appointed once we onboard EU-established customers. Until then, the controller for EU-resident personal data is the Client.
Disclaimer: This Policy is a best-practice draft. It does not constitute legal advice and may need adaptation for specific jurisdictions (e.g. Brazil LGPD, California CCPA/CPRA, Singapore PDPA). Please have it reviewed by qualified counsel before relying on it commercially.