Effective Date: May 2026
Welcome to the Digital Book of India staffypie Platform ("Platform", "we", "us", or "our"). We are committed to protecting the privacy, security, and confidentiality of your personal and corporate data. This Privacy Policy outlines our practices regarding the collection, use, processing, and disclosure of information when you use our comprehensive Software-as-a-Service (SaaS) employee management system, which includes our main website, Company Admin Dashboard, Super Admin Dashboard, and Employee Mobile Application (available on Google Play Store and Apple App Store).
By accessing or using our Platform, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you are using our services on behalf of an organization (e.g., your employer), your use of the Platform is additionally governed by your organization's internal privacy policies and administrative configurations.
We collect varying types of information depending on your interaction with our Platform—whether you are a Company Administrator managing employees or an Employee using our Mobile App.
IMPORTANT DISCLOSURE FOR MOBILE APP USERS (Google Play & App Store Compliance)
Our Employee Mobile App provides critical attendance and field tracking functionalities that require access to your device's location services.
Note: We do not track your location outside of your designated working hours, nor do we track you when you have not actively started a session. You can revoke location permissions at any time via your device settings, though this may prevent you from utilizing the attendance and field visit features.
BIOMETRIC DATA CONSENT
To prevent attendance fraud (such as "buddy punching"), our Platform utilizes advanced Face AI for identity verification.
We process the collected data solely to deliver, maintain, and improve our staffypie services:
Our Platform utilizes Firebase Cloud Messaging (FCM) to deliver critical push notifications. This includes:
We respect your privacy and limit data sharing to strict operational necessities:
We retain personal data for as long as your company maintains an active subscription with us, or as required by statutory labor and payroll laws.
Employee Monitoring Disclosure: By using the Platform, you acknowledge that your employer monitors your digital and physical footprint (via GPS and attendance logs) during designated work hours to ensure operational efficiency.
We implement enterprise-grade security protocols:
We operate in compliance with the Information Technology Act (India) and respect core privacy principles akin to GDPR. Depending on your jurisdiction, you have the right to:
Children's Privacy:
Our platform is designed strictly for corporate workforce management and is not intended for individuals under the age of 18. We do not knowingly collect data from minors.
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. Our primary infrastructure, including database nodes and cloud computing servers provided by third-party services (such as AWS, Google Cloud Platform, and Cloudflare), are globally distributed but primarily hosted within the Republic of India to comply with local data localization mandates.
If you are located outside India and choose to provide information to us, please note that we transfer the data, including Personal Data, to India and process it there. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.
Although our primary operations are based in India, we recognize the global nature of modern enterprises. For users accessing our Platform from the European Economic Area (EEA), we abide by the principles of the General Data Protection Regulation (GDPR). Similarly, for residents of California, we observe the California Consumer Privacy Act (CCPA).
To provide our comprehensive SaaS offering, we engage various third-party sub-processors. We maintain strict Data Processing Agreements (DPAs) with these vendors to ensure they uphold privacy standards identical or superior to our own.
Our Web Administrator and Super Admin dashboards employ cookies, web beacons, and similar tracking technologies to enhance user experience, track session states, and monitor platform performance.
In the unlikely event of a data breach that compromises the confidentiality, integrity, or availability of Personal Data, we have a robust Incident Response Plan (IRP) in place. We will notify the affected Company Administrators without undue delay, and in any event within 72 hours of becoming aware of the breach, providing comprehensive details of the nature of the breach, the specific data compromised, and the immediate mitigation steps deployed.
We reserve the right to update, amend, or modify this Privacy Policy at any time to reflect changes in our technological infrastructure, legal compliance requirements, or business operations. Any substantial changes will be communicated to Company Administrators via email and through in-app platform notifications prior to the changes taking effect. Continued use of the Platform after the effective date constitutes your binding acceptance of the revised Policy.
We retain Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. The specific retention periods vary depending on the nature of the data and the corresponding legal obligations.
The Platform employs advanced Artificial Intelligence (AI) and Machine Learning (ML) algorithms, primarily for facial recognition during attendance logging. We want to be fully transparent about how these systems operate:
Our Face AI system creates a mathematical representation (a "vector") of your face. We do not store raw images of your face for daily attendance checks; rather, we compare the live vector against the enrolled vector. The AI does not make employment decisions, such as hiring or firing. It solely determines whether the face presented matches the enrolled profile with a high degree of confidence. We regularly audit our AI models to mitigate biases based on race, gender, or age, ensuring fair and equitable performance across diverse demographics.
We may disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency). Our policy for handling such requests includes:
Our Platform is intended strictly for corporate and enterprise use, specifically for managing adult workforce populations. We do not knowingly collect, maintain, or process Personal Data from anyone under the age of 18. If a parent or guardian becomes aware that their child has provided us with Personal Data without parental consent, they should contact our support team immediately. If we become aware that we have collected Personal Data from anyone under the age of 18, we will take immediate steps to remove that information from our active databases and servers.
If Digital Book of India is involved in a merger, acquisition, asset sale, bankruptcy, or corporate restructuring, your Personal Data may be transferred as a business asset. In such an event, we will provide notice to all Company Administrators before your Personal Data is transferred and becomes subject to a different Privacy Policy. The acquiring entity will be bound by the same obligations of confidentiality and security as outlined in this document.
In the event that Digital Book of India receives a subpoena, warrant, or other legal order requiring the disclosure of your Personal Data, our standard procedure dictates that we will first attempt to notify the affected Company Administrator to allow them an opportunity to file a motion to quash or seek a protective order, unless such notification is legally prohibited. We mandate that any requesting law enforcement agency produce a valid court order before any data is surrendered. Furthermore, we practice strict data minimization, meaning we will only provide the precise data points explicitly detailed in the legal order.
To continually fortify our defenses, Digital Book of India operates a coordinated vulnerability disclosure program. Security researchers who discover potential vulnerabilities in our Platform are encouraged to report them to our security team. We maintain strict confidentiality during the triage and remediation process. Under no circumstances will we penalize well-intentioned researchers who comply with our safe harbor guidelines. Reports that lead to significant security enhancements may be eligible for financial rewards at the sole discretion of our Security Council.
Our advanced GPS tracking infrastructure is designed to identify and flag anomalies, such as impossible travel speeds, GPS spoofing, or the use of virtual private networks (VPNs) designed to obscure true locations. When such anomalies are detected, the Platform logs the event for auditing purposes. While we do not automatically take punitive action against employees, these logs are made available to Company Administrators who retain the right to investigate and act upon suspected fraudulent attendance or field visit check-ins according to their internal corporate policies.
We recognize that many organizations operate under a Bring Your Own Device (BYOD) policy. Our Employee Mobile App is explicitly designed to sandbox corporate data from personal data. We do not inspect personal SMS messages, personal browsing history, or non-work-related application usage. Location tracking is strictly activated only when explicitly triggered by attendance check-ins or during scheduled field visits. Employees retain full control over operating-system-level permissions and can revoke GPS or camera access at any time, acknowledging that doing so may restrict their ability to utilize core Platform features.
To improve Platform performance and develop new features, we occasionally analyze usage patterns. Before this data enters our analytics pipelines, it undergoes a rigorous anonymization or pseudonymization process. Direct identifiers (such as names, exact employee codes, and email addresses) are stripped or hashed using strong cryptographic algorithms. This ensures that the resulting datasets used by our product engineering teams cannot be reverse-engineered to identify any specific individual, thereby preserving employee privacy while allowing for continuous technological innovation.
Organizations utilizing Enterprise tiers of the Platform may configure Single Sign-On (SSO) integrations using protocols such as SAML 2.0 or OAuth2 (e.g., Google Workspace, Microsoft Entra ID). When SSO is utilized, we receive identity tokens from the Identity Provider (IdP). We only extract and store the minimal information required to provision the user account (typically email address and basic profile info). We do not receive, store, or have any access to the user's master password associated with their corporate directory.
While our Face AI model evaluates facial vectors to authenticate attendance, it is designed strictly as a verification tool rather than a decision-making entity. Employees have the right to request manual intervention if they believe the AI has incorrectly rejected their attendance check-in due to lighting, facial hair changes, or physical injuries. Company Administrators retain full override capabilities to manually approve attendance logs that fail automated verification.
Organizations operating within strictly regulated industries (such as healthcare under HIPAA or finance under PCI-DSS) are subject to specialized data processing addendums. While Digital Book of India is not inherently a processor of protected health information (PHI) or primary cardholder data, any incidental exposure is governed by strict compartmentalization rules. Clients in these sectors must engage with our legal team to sign appropriate specialized NDAs and DPAs before onboarding.
All data transmitted between the client applications and our API servers is secured using Transport Layer Security (TLS 1.2 or higher) with strong cipher suites. Data at rest, particularly sensitive fields such as payroll figures and biometric vectors, is encrypted using AES-256 block-level encryption. Access to cryptographic keys is strictly managed through secure hardware security modules (HSMs) and audited cloud key management services (KMS).
Upon the termination of a Master Service Agreement (MSA) or subscription cancellation, Digital Book of India initiates a structured offboarding process. The Company Administrator is provided a 30-day grace period to export their organizational data (including attendance logs, payslips, and employee rosters) via secure, structured formats (CSV/JSON). At the conclusion of this grace period, all tenant-specific data is irreversibly destroyed from our primary databases and cascading deletion is triggered across our backup infrastructure, ensuring complete data obliteration within 90 days of contract termination.
We strictly adhere to the doctrine of "Privacy by Design." Before any major feature (such as advanced analytics or new biometric integrations) is deployed to production, our internal legal and security teams conduct comprehensive Data Protection Impact Assessments (DPIAs). These assessments evaluate potential risks to employee privacy, ensuring that mitigating controls are baked into the software architecture before a single line of code is shipped.
If you have any questions about this Privacy Policy, your biometric data, or our location tracking practices, please contact our support team at:
Digital Book of India staffypie Support
Email: support@biddingindia.com