How We Protect Your Data
Learn how ZFour technology private limited collects, uses, stores, and protects your personal data in full compliance with Indian data protection laws and global privacy standards.
Plain English Summary
ZFour is an HR software platform. We collect your business and employee data solely to provide our services. We do not sell your data. We store all Indian business data in India. You control your data and can request deletion at any time.
1. Who We Are
ZFour HRMS is a cloud-based Human Resource Management System operated by ZFour technology private limited , a company incorporated under the Companies Act 2013, with its registered office in New Delhi, India (CIN: U62099DL2024PTC432363).
For the purposes of this Privacy Policy, ZFour technology private limited is the Data Controller for information collected through our website at zfour.in and our HRMS platform, and a Data Processor for employee personal data that our business clients (the Data Controllers) input into the platform.
When you use ZFour as an employer or HR administrator, you are the Data Controller for your employees' personal data that you enter into the platform. We process that data on your behalf as a Data Processor under the terms of our Data Processing Agreement, which forms part of our Terms of Service.
This Privacy Policy governs all personal data collected, processed, and stored by ZFour technology private limited in connection with our website, sales and marketing activities, customer support, and platform operations. For questions about how your employer uses your data within the ZFour platform, please contact your employer's HR department.
2. Information We Collect
We collect information in three ways: information you provide directly to us, information collected automatically through your use of our services, and information received from third parties.
Information You Provide Directly
- Account registration data: Name, business email address, phone number, company name, company size, and role when you create a ZFour account or request a demo.
- Payment information: Billing name, billing address, GST number, and payment method details (processed securely through our payment gateway partners — we do not store card numbers).
- Communication data: The content of messages you send us through our contact form, email, or live chat support.
- Employee data (as Data Processor): When you use the ZFour platform, you may upload employee personal data including names, employee IDs, date of birth, contact information, bank account details for payroll, PAN and Aadhaar numbers for statutory compliance, salary information, attendance records, and leave records. This data is processed by us solely on your instructions as your HR service provider.
- Survey and feedback data: Responses to surveys, NPS scores, product feedback, and case study participation.
Information Collected Automatically
- Usage data: Pages visited, features used, time spent on pages, click patterns, and navigation paths within the ZFour platform and website.
- Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and language settings.
- Log data: Server logs recording your access to our services, including timestamps, request types, response codes, and bytes transferred.
- Location data: Approximate geographic location derived from your IP address. For mobile app users who grant location permission, precise GPS location is collected for attendance and GPS tracking features.
- Cookies and similar technologies: See our Cookie Policy for full details.
Information from Third Parties
- Business contact information from lead generation partners and professional networks used to identify potential customers.
- Payment verification data from our payment gateway partners.
- Authentication data when you use Google or Microsoft SSO to log in to the ZFour platform.
3. How We Use Your Information
We use the information we collect for the following purposes:
Providing and Improving Our Services
- Creating and managing your ZFour account and subscription.
- Processing payroll, attendance, leave, and compliance workflows as configured by your organisation.
- Providing customer support and responding to your queries and requests.
- Sending service-related communications including invoices, payment receipts, account alerts, and system maintenance notifications.
- Analysing usage patterns to improve platform features, fix bugs, and optimise performance.
- Conducting security monitoring and fraud prevention across all platform activity.
Marketing and Sales (with your consent or our legitimate interest)
- Sending you product updates, case studies, HR industry insights, and promotional offers by email — where you have opted in or where we have a legitimate interest as an existing customer.
- Retargeting advertising on third-party platforms (Google, LinkedIn, Meta) based on your interaction with our website.
- Conducting sales outreach to business contacts who may have an interest in our services.
Legal and Compliance Obligations
- Maintaining records required by Indian law including the Companies Act, Income Tax Act, and applicable GST regulations.
- Responding to lawful requests from government authorities, courts, or regulatory bodies.
- Enforcing our Terms of Service and protecting the legal rights of ZFour technology private limited .
We do not use your employee data (data you enter into the platform as an employer) for any purpose other than providing the ZFour service. We do not sell, rent, or share employee data with any third party for marketing or commercial purposes.
4. Legal Basis for Processing
Under applicable Indian data protection law (the Digital Personal Data Protection Act 2023) and principles aligned with international best practices, we process your personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and service delivery | Contract performance — necessary to provide the service you have agreed to use |
| Payment processing and billing | Contract performance and legal obligation |
| Customer support communications | Contract performance and legitimate interest |
| Security monitoring and fraud prevention | Legitimate interest — protecting our systems and customers |
| Product improvement analytics | Legitimate interest — improving our service quality |
| Marketing emails (existing customers) | Legitimate interest — subject to your right to opt out at any time |
| Marketing emails (prospective customers) | Consent — where you have opted in, or legitimate interest for B2B outreach |
| Legal and regulatory compliance | Legal obligation |
| Employee data processing (as Data Processor) | Your instructions as Data Controller under our Data Processing Agreement |
5. Data Sharing and Disclosure
We share your data only in the following circumstances, and only to the extent necessary for the stated purpose:
Service Providers and Sub-Processors
We engage carefully vetted third-party service providers to help us deliver our services. These include cloud infrastructure providers (data stored in India), payment gateway operators, email delivery services, customer support software providers, and analytics tools. All service providers are bound by data processing agreements that prohibit them from using your data for any purpose other than providing services to us.
Business Group and Affiliates
We may share data with our parent company, subsidiaries, or affiliates for operational and administrative purposes, subject to the same privacy standards described in this policy.
Legal Requirements
We will disclose your data to government authorities, law enforcement, or courts when required to do so by applicable Indian law, a valid court order, or a lawful government request. Where legally permitted, we will notify you of such requests before complying.
Business Transfers
If ZFour technology private limited is involved in a merger, acquisition, or sale of all or substantially all of its assets, your data may be transferred to the acquiring entity. We will notify you of such a transfer and the acquiring entity will be bound by this Privacy Policy or a substantially similar policy.
With Your Consent
We will share your data with third parties in any other circumstances only with your explicit consent.
We never sell your data. ZFour does not sell, rent, or trade your personal data or your employees' data to any third party for commercial purposes. This is an unconditional commitment.
6. Data Storage and Security
All data processed by ZFour for Indian business customers is stored on servers located in India. We use AWS and/or Azure data centres with Indian regional endpoints to ensure that your business and employee data does not leave India except in the limited circumstances described in Section 11 (International Data Transfers).
We implement industry-standard security measures to protect your data, including:
- Encryption in transit: All data transmitted between your browser or mobile app and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: All data stored in our databases and storage systems is encrypted using AES-256 encryption.
- Access controls: Access to customer data within our organisation is restricted to personnel who need it to perform their job functions, governed by role-based access controls and logged in our audit system.
- Regular security testing: We conduct periodic penetration testing and vulnerability assessments of our platform and infrastructure.
- Backup and recovery: Your data is backed up daily with point-in-time recovery capability. Backups are encrypted and stored in geographically redundant Indian data centres.
- Multi-factor authentication: MFA is available and strongly recommended for all ZFour administrator accounts.
Despite our security measures, no system is entirely secure. In the event of a data breach that is likely to result in risk to your rights, we will notify you and the relevant Indian data protection authority within 72 hours of becoming aware of the breach, as required by applicable law.
7. Data Retention
We retain your data for as long as necessary to provide our services and meet our legal obligations. Our standard retention periods are:
| Data Category | Retention Period |
|---|---|
| Active account data (employer and employee records) | Duration of active subscription plus 30 days post-termination |
| Payroll and compliance records | 8 years from the relevant financial year (as required by the Income Tax Act 1961) |
| PF, ESI, and statutory compliance records | 8 years (as required by EPFO and ESIC regulations) |
| Customer support communications | 3 years from the date of last interaction |
| Marketing contact data | Until you opt out or 3 years from last engagement, whichever is earlier |
| Website analytics data | 26 months (anonymised after 13 months) |
| Payment records | 7 years (GST and accounting requirements) |
| Security and audit logs | 1 year for general logs, 5 years for security incident logs |
Upon expiry of the applicable retention period, we securely delete or anonymise your data. For account terminations, you may request an export of your data within 30 days of termination before it is deleted from our systems.
8. Your Rights
Under the Digital Personal Data Protection Act 2023 and applicable Indian law, you have the following rights with respect to your personal data:
- Right to Access: You have the right to request a copy of the personal data we hold about you and information about how we process it.
- Right to Correction: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Erasure: You have the right to request that we delete your personal data, subject to our legal retention obligations.
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transfer it to another service provider.
- Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
- Right to Object: You have the right to object to processing of your personal data for direct marketing purposes. You can opt out of marketing communications at any time.
- Right to Grievance Redressal: You have the right to have your grievance related to data processing addressed expeditiously by our Data Protection Officer.
To exercise any of these rights, please email our Data Protection Officer at hello@zfour.in with your request. We will respond within 30 days. For complex requests, we may extend this period by an additional 30 days with notice to you.
Please note: If you are an employee whose data has been entered into ZFour by your employer, the rights described above with respect to your employment data should be directed to your employer as the Data Controller. Your employer controls how your employment data is used within the platform.
10.Children's Privacy
ZFour is a business software platform intended for use by adults in an employment context. We do not knowingly collect personal data from individuals under the age of 18. If you become aware that a person under 18 has provided us with personal data without appropriate consent, please contact us at hello@zfour.in and we will take steps to delete such information promptly.
11. International Data Transfers
As described in Section 6, all Indian business and employee data is stored in Indian data centres. Limited categories of data may be processed outside India in the following circumstances:
- Technical support provided by our engineering team, who may access log data and anonymised debugging information from any location.
- Email delivery services may route communications through servers outside India.
- Analytics data may be processed by our analytics service providers in their global infrastructure, subject to appropriate data transfer safeguards.
In all cases where data is transferred outside India, we ensure appropriate safeguards are in place including contractual data transfer agreements, standard contractual clauses, or adequacy decisions as applicable under Indian law.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by email (using the email address associated with your account), by a prominent notice on our website, or through an in-platform notification at least 30 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. Your continued use of ZFour after the effective date of any update constitutes your acceptance of the revised policy. If you do not agree with the updated policy, you may terminate your account by contacting us at hello@zfour.in.
The date this policy was last updated is shown at the top of this document. A complete history of changes to this policy is available upon request.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact:
Data Protection Officer
ZFour technology private limited
Email: hello@zfour.in
Phone: +91 93547 61565
Address: New Delhi, India
CIN: U62099DL2024PTC432363
For complaints regarding our data processing practices, you also have the right to lodge a complaint with the Data Protection Board of India once established under the Digital Personal Data Protection Act 2023.
Questions about your data?
Our Data Protection Officer responds to all privacy queries within 30 days.