AYM Infotech LLP ("we", "our", or "us") operates PhiSelect HRMS, a cloud-based Human Resource Management System. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you or your organisation uses our platform. Please read this policy carefully. By using PhiSelect HRMS you agree to the practices described herein.
1. Overview
PhiSelect HRMS is a multi-tenant B2B SaaS platform. Your organisation (the "Tenant" or "Data Controller") owns all employee data stored in the platform. AYM Infotech LLP acts as a Data Processor on your behalf and processes personal data only as instructed by the Tenant.
We comply with applicable data protection laws including India's Digital Personal Data Protection Act, 2023 (DPDP Act) and, where applicable, the General Data Protection Regulation (GDPR).
2. Data We Collect
We collect the following categories of personal data on behalf of your organisation:
| Category | Details |
|---|---|
| Employee Identification | Full name, employee ID, profile photo, date of birth, gender, nationality |
| Contact Information | Work email, personal email, phone number, residential address |
| Employment Details | Department, designation, reporting manager, joining date, employment type, salary grade |
| Payroll & Compensation | Salary structure, CTC, bank account details, PAN, PF/ESI numbers, tax regime preference |
| Attendance & Leave | Login/logout timestamps, shift schedule, leave applications and balances |
| Documents | Offer letters, identity proof, educational certificates, Form 16, experience letters |
| Performance Data | Appraisal records, KPIs, training completions, certifications |
| Account Credentials | Hashed passwords (bcrypt), refresh tokens, login history, failed attempt count |
| Usage Data | IP address, browser type, pages visited, session duration (for platform security) |
3. How We Use Data
We use personal data solely to provide and improve the PhiSelect HRMS service. Specific purposes include:
- Processing payroll, generating payslips, and computing statutory deductions (PF, ESI, PT, TDS)
- Managing employee records, attendance, leave, and performance
- Sending system notifications and password reset emails
- Enabling role-based access control and tenant data isolation
- Providing AI-powered HR assistant features (queries are anonymised before LLM processing)
- Generating compliance reports required by law
- Fraud detection, security monitoring, and abuse prevention
- Customer support, product improvements, and bug resolution
4. Data Sharing & Third Parties
We do not sell personal data. We share data only in these circumstances:
- Service Providers: Cloud infrastructure (AWS), email delivery (Microsoft Graph API), and object storage (Amazon S3). All providers are bound by Data Processing Agreements.
- Legal Obligation: When required by Indian law, court order, or government authority.
- Business Transfer: In the event of a merger or acquisition, data is transferred only with equivalent privacy protections in place.
- With Your Consent: Any other sharing requires explicit written consent from the Tenant.
5. Data Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption at Rest: AES-256 encryption for stored data and documents
- Encryption in Transit: TLS 1.3 for all data in motion
- Access Controls: Role-based access; tenant data is fully isolated
- Password Security: bcrypt hashing with salt; never stored in plaintext
- Token Management: Short-lived JWT tokens (15 min access, 7 day refresh)
- Audit Logging: All data access and modifications are logged
- Infrastructure: Hosted on AWS with VPC isolation and security groups
- Penetration Testing: Regular security assessments and vulnerability scans
6. Data Retention
We retain personal data for as long as your organisation's subscription is active and as required by applicable law:
| Data Category | Retention Period |
|---|---|
| Active Employment Records | Duration of subscription + 7 years (statutory requirement) |
| Payroll & Tax Records | 8 years from financial year end (Income Tax Act requirement) |
| PF/ESI Records | 5 years after last contribution (EPF/ESI Act) |
| Audit Logs | 3 years |
| Deleted Employee Data | Purged within 90 days of deletion request, except statutory records |
| Account Credentials | Immediately purged on account termination |
7. Your Rights
Under the DPDP Act 2023 and applicable law, you have the following rights regarding your personal data:
- Right to Access: Request a copy of your personal data held by the platform
- Right to Correction: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your data (subject to statutory retention requirements)
- Right to Portability: Receive your data in a structured, machine-readable format
- Right to Grievance Redressal: Raise a complaint with our Data Protection Officer
- Right to Nominate: Nominate a person to exercise rights on your behalf in case of death or incapacity
To exercise your rights, contact your HR administrator or email our Data Protection Officer at privacy@phiselect.com. We will respond within 30 days.
9. Children's Privacy
PhiSelect HRMS is a professional workplace platform intended for use by organisations and their employees (aged 18 and above). We do not knowingly collect personal data from anyone under 18 years of age. If you believe we have inadvertently collected such data, contact us immediately at info@phiselect.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Tenant administrators of material changes via email at least 30 days before they take effect. Continued use of PhiSelect HRMS after the effective date constitutes acceptance of the updated policy.
Previous versions are available upon request at privacy@phiselect.com.
11. Governing Law & Dispute Resolution
This Privacy Policy is governed by the laws of India. Any dispute arising out of this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in India.
Before initiating legal proceedings, parties agree to attempt good-faith resolution through direct negotiation for at least 30 days. Unresolved disputes may be referred to arbitration under the Arbitration and Conciliation Act, 1996.
12. Contact Us
Postal Address:
AYM Infotech LLP, Bangalore, Karnataka, India
© 2026 AYM Infotech LLP. All rights reserved.