ROLLPAY / ROLLPE

Privacy Policy and Employee Data Processing Notice

Document No.: PP-RP-002
Version: 2.0
Effective Date: 1-April-2026
Last Updated On: 1-April-2026
Issued By: Crystal Smart Solutions
Registered Office: KH No. 82/1/4, Gali No. 1, Mundka Udyog Nagar, New Delhi – 110041
Platform Brand: RollPe / RollPAY
Related Document: RollPAY Master SaaS Agreement MSA-RP-002
Governing Law: Laws of India
Grievance Officer: Mr. Swarn Kumar Mehto; Phone: 011-444 14 444; Email: grievance@rollpay.in
Privacy Policy URL: https://rollpe.com/privacy-policy.html

1. Introduction

This Privacy Policy and Employee Data Processing Notice (“Privacy Notice”) explains how Crystal Smart Solutions, a partnership firm duly constituted under the laws of India, having its registered office at KH No. 82/1/4, Gali No. 1, Mundka Udyog Nagar, New Delhi – 110041, operating its software platform under the brand name RollPe / RollPAY (“RollPAY”, “we”, “us”, or “our”), collects, receives, stores, uses, processes, discloses, protects, and retains personal data through the RollPe / RollPAY HRMS, payroll, attendance, employee self-service, approval workflow, reporting, workforce management, and related software-as-a-service platform (“Platform”).

This Privacy Notice applies to employees, workers, consultants, contractors, field staff, managers, HR users, payroll users, admin users, approvers, authorised representatives, job applicants, and other individuals whose data is uploaded to, generated through, or processed on the Platform (“User”, “you”, or “your”).

The Platform is generally provided by RollPAY to a company, firm, dealership, institution, organisation, group company, sister concern, branch, unit, or other legal entity that subscribes to or uses the Platform (“Client”). In most cases, the Client determines what personal data is collected, why it is collected, how it is used, who can access it, and how long it is retained.

This Privacy Notice is issued in compliance with applicable Indian law, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and applicable rules, notifications, and guidelines thereunder.

This Privacy Notice should be read together with the RollPAY Master SaaS Agreement (MSA-RP-002) and any other policies referenced therein.

2. Roles under the DPDP Act, 2023 — Data Fiduciary and Data Processor

For most employee, payroll, attendance, HRMS, statutory, and workforce management data processed through the Platform:

  1. The Client — i.e., the employer, organisation, or entity that subscribes to the Platform — is the Data Fiduciary. The Client decides the purpose and means of processing personal data of employees and other individuals. The Client bears primary legal responsibility for ensuring that data is collected and processed lawfully, that notice is given, that consent is obtained where required, and that data principal rights are honoured.
  2. RollPAY — as the Platform provider processing data on the Client’s instructions — is the Data Processor. RollPAY processes personal data only for providing, securing, supporting, maintaining, and improving the Platform, and for its own lawful ancillary purposes described in this Privacy Notice.

RollPAY may independently act as a Data Fiduciary for limited data it independently collects and controls, including account registration data, billing data, support communication data, security logs, and legal acceptance logs.

Employment-related queries, salary disputes, attendance disputes, leave issues, reimbursement issues, tax declaration issues, or employee record correction requests should be raised with the Client (your employer/organisation).

3. Categories of Personal Data Processed

Depending on the modules enabled by the Client and the information uploaded or generated through the Platform, RollPAY may process the following categories of personal data:

  1. Identity and profile data, including name, employee code, user ID, photograph, gender, date of birth, designation, department, grade, branch, location, reporting manager, employment type, joining date, exit date, and employee status;
  2. Contact data, including mobile number, email address, residential address, emergency contact details, and communication details;
  3. Employment and HR data, including appointment details, role details, transfer details, reporting structure, work location, shift, roster, leave records, holiday records, HR letters, employee documents, and employment history;
  4. Attendance and workforce data, including attendance punches, swipe records, mobile attendance records, geo-tagged attendance, shift data, overtime, late marks, early going records, regularisation requests, approvals, and attendance reports;
  5. Payroll and compensation data, including salary structure, salary components, allowances, deductions, incentives, reimbursements, arrears, bonus, full and final settlement, payslips, bank details, UAN, ESIC details, professional tax details, TDS-related data, tax declarations, investment proofs, and statutory reports;
  6. Government identity and statutory data, including PAN, UAN, ESIC number, PF details, professional tax details, and other statutory or employment-related identifiers;
  7. Aadhaar-related data — only where the Client is legally authorised to process such data under the Aadhaar Act, 2016 and UIDAI Regulations, and only in masked or redacted form unless otherwise legally required. See Clause 6 for full details and restrictions;
  8. Device, technical, and log data, including IP address, device ID, browser details, operating system, app version, login logs, activity logs, API logs, error logs, security logs, session details, timestamps, and user actions;
  9. Location data, including GPS location, geo-tagged attendance location, field visit location, route or movement logs, task location, check-in/check-out location, and related timestamp data, where enabled by the Client;
  10. Face verification data, including photographs, attendance images, face verification reference images/templates/results, match or failure logs, and related attendance authentication data, where enabled by the Client. This is treated as sensitive personal data and is subject to heightened protections under the DPDP Act;
  11. Documents and uploaded content, including identity documents, address proofs, certificates, reimbursement bills, tax proofs, declarations, forms, letters, profile documents, and other files uploaded by the Client or Users;
  12. Communication and support data, including emails, support tickets, messages, issue logs, queries, feedback, training records, and communication history; and
  13. Any other personal data uploaded, entered, generated, approved, imported, transmitted, or processed through the Platform by the Client or Users.

4. Purposes of Processing

Personal data may be processed for the following purposes, depending on the modules enabled by the Client:

  1. Creating and maintaining employee master records;
  2. Managing HRMS, employee lifecycle, onboarding, exits, transfers, and role changes;
  3. Managing attendance, shifts, rosters, holidays, weekly offs, leave, overtime, and regularisation;
  4. Processing payroll, salary registers, payslips, reimbursements, incentives, deductions, and full and final settlement;
  5. Generating statutory, compliance, tax, PF, ESIC, professional tax, bonus, gratuity, and payroll-related reports;
  6. Providing employee self-service and manager self-service features;
  7. Managing approvals, workflows, declarations, requests, claims, and tasks;
  8. Authenticating attendance through device, location, photograph, or face verification, where enabled by the Client;
  9. Preventing proxy attendance, fraudulent attendance, duplicate records, misuse, or unauthorised access;
  10. Managing field workforce, route tracking, site visits, location-based reporting, and operational monitoring, where enabled by the Client;
  11. Providing dashboards, analytics, reports, exports, alerts, notifications, and communications;
  12. Enabling integrations, imports, exports, APIs, and third-party connectivity, where agreed;
  13. Providing customer support, troubleshooting, implementation, training, maintenance, and service improvement;
  14. Securing the Platform, detecting misuse, investigating incidents, and maintaining audit trails;
  15. Complying with applicable law, court orders, regulatory directions, contractual obligations, audits, and dispute resolution;
  16. Improving, testing, securing, and developing the Platform, using only aggregated, anonymised, or de-identified data where possible; and
  17. Informing Users of automated or semi-automated processing that may affect their attendance record, payroll, or performance, including outputs generated by face verification or location verification systems.

5. Legal Basis and Client Responsibility

The Client is the Data Fiduciary under the DPDP Act. The Client is responsible for ensuring that it has a lawful basis to collect, upload, use, disclose, and process personal data through the Platform.

Under the DPDP Act, 2023, the primary lawful bases for processing personal data are:

  1. Consent — the data principal (employee or User) has given free, specific, informed, unconditional, and unambiguous consent for processing of their personal data for specified purposes. Consent must be capable of being withdrawn at any time.
  2. Legitimate use — processing is necessary for a purpose specified under the DPDP Act as a legitimate use, including compliance with law or order of a court, employment obligations, medical emergency, State functions, or other notified legitimate uses.

Where notice, consent, policy communication, or other authorisation is required, the Client is responsible for providing such notice, obtaining such consent, maintaining records of consent, and providing a mechanism for consent withdrawal.

RollPAY relies on the Client’s confirmation that personal data uploaded to or processed through the Platform has been collected and shared lawfully. RollPAY processes personal data for lawful purposes connected with providing, securing, supporting, maintaining, and improving the Platform, and complying with applicable legal and contractual obligations.

6. Aadhaar and Sensitive Identity Information

RollPAY does not require the Client or Users to upload full or unmasked Aadhaar numbers except where required by applicable law for statutory compliance. Aadhaar numbers are legitimately processed on the Platform for purposes such as Aadhaar-UAN seeding under EPFO requirements, ESIC insured person registration, and other statutory obligations expressly requiring Aadhaar. Where Aadhaar data is uploaded for such statutory purposes, the Client shall ensure it is used solely for the statutory purpose for which it was collected, and access is restricted to authorised personnel only. For all non-statutory purposes, Users are encouraged to upload only masked Aadhaar documents or alternate identity documents. Where Aadhaar card images or documents are uploaded through the Platform's document management feature, the Client shall ensure that only masked Aadhaar copies — with the first 8 digits obscured — are uploaded. Upload of full, unmasked Aadhaar card copies, scans, photographs, or PDFs is not permitted except where the Client is a UIDAI-authorised requesting entity and has obtained all necessary compliance.

7. Face Verification, Biometric Data and Photograph-Based Attendance

Face verification data and photograph-based attendance data are sensitive personal data under applicable Indian law and are subject to heightened protections.

Where enabled by the Client, the Platform may process photographs, attendance images, face verification reference images/templates, verification results, failure logs, timestamps, device details, and related attendance authentication data.

Such data may be used by the Client for attendance authentication, prevention of proxy attendance, payroll accuracy, workforce monitoring, security, and audit. RollPAY processes such data solely on the Client’s instructions as Data Processor.

The Client is responsible for:

  1. Deciding whether to enable face verification or photograph-based attendance features;
  2. Providing clear, prior, written notice to employees in plain language about what data is collected, the purpose, whether participation is mandatory, how long data will be retained, and what happens on failure or refusal;
  3. Obtaining valid consent or establishing another lawful basis under the DPDP Act before enabling such features;
  4. Providing an alternative attendance mechanism for individuals who are unable to use face verification due to medical, technical, or other reasons;
  5. Maintaining a written internal biometric/face data policy approved by appropriate management; and
  6. Handling employee grievances regarding face verification failure, misidentification, or attendance discrepancy.

RollPAY shall not be liable for employee claims, privacy complaints, labour disputes, or regulatory action arising from the Client’s failure to provide notice, obtain consent, or implement a proper internal policy.

Face verification may be affected by lighting, image quality, device quality, angle, network condition, camera condition, and other technical factors. Attendance grievances should be raised with the Client or authorised admin.

8. Location Data and Field Tracking

Where enabled by the Client, the Platform may collect and process location-related data, including GPS coordinates, geo-tagged attendance, check-in/check-out location, field visit location, route or movement logs, task location, and timestamps.

Such data may be used by the Client for attendance verification, field workforce management, route planning, operational monitoring, task verification, site visit validation, payroll accuracy, safety, and audit.

The Client is responsible for:

  1. Informing Users clearly about what location data is captured, when, why, and for how long;
  2. Specifying whether location capture is active only during attendance / task events or during broader permitted work activity;
  3. Obtaining valid consent or establishing another lawful basis under the DPDP Act before enabling location tracking; and
  4. Ensuring that location monitoring is used only for legitimate business purposes and not for surveillance beyond what is necessary.

Users must not spoof, manipulate, falsify, or bypass location capture mechanisms.

9. Automated Processing and Impact on Users

The Platform may use face verification results, location data, geo-tagged attendance, device-based attendance, and related data to automatically generate attendance records, mark attendance as present or absent, flag discrepancies, or affect payroll calculations.

Users have the right to be informed when automated or semi-automated processing may materially affect their attendance record, payroll, or working status. The Client is responsible for informing employees about such automated processing in its internal notice or HR policy.

Where a User believes their attendance or payroll has been incorrectly affected by automated processing, they should raise a grievance with the Client’s HR or admin team. The Client is responsible for providing a manual review and correction mechanism.

10. Data Sharing and Disclosure

RollPAY may share or disclose personal data only as reasonably necessary for the following purposes:

  1. With the Client, its authorised admins, HR users, payroll users, managers, approvers, and authorised representatives, for providing Platform services;
  2. With Client Group Entities where they are configured or operated under the same RollPAY account or arrangement, as instructed by the Client;
  3. With RollPAY employees, contractors, support teams, implementation teams, developers, auditors, advisors, or service providers who need access for authorised purposes, subject to appropriate confidentiality and data protection obligations;
  4. With sub-processors including hosting providers, cloud providers, SMS gateways, email providers, WhatsApp/API providers, payment gateways, map providers, biometric device providers, and analytics providers used to operate the Platform. A sub-processor list is maintained and made available to Clients on request;
  5. With government authorities, courts, regulators, law enforcement agencies, statutory authorities, or other persons where required by law, court order, or legal process;
  6. In connection with audit, dispute resolution, legal claims, security investigation, business transfer, merger, restructuring, or enforcement of rights; and
  7. With consent or instruction of the Client or concerned User, where applicable.

RollPAY does not sell personal data.

RollPAY does not share personal data for third-party advertising, marketing profiling, or commercial profiling purposes.

11. Data Storage, Hosting and Cross-Border Transfers

Personal data may be stored on RollPAY servers, cloud infrastructure, hosting environments, databases, backups, support systems, email systems, and other technology systems used for providing the Platform.

RollPAY may use service providers located in India or outside India for hosting, cloud infrastructure, email delivery, support tools, or other operational purposes. Where data is transferred outside India, RollPAY shall ensure that such transfer is subject to contractual safeguards and complies with applicable Indian law, including any restrictions or conditions notified under the DPDP Act.

The DPDP Act empowers the Central Government to notify countries to which personal data transfers are restricted. RollPAY commits to complying with any such restriction as and when notified. The Client is responsible for ensuring that any additional cross-border data transfer requirement applicable to its employee data is addressed through its internal policy, employment terms, consent, contract, or other lawful basis.

12. Data Retention

Personal data may be retained for as long as necessary for the purposes described in this Privacy Notice, and not longer. Under the DPDP Act, data must be erased when it is no longer necessary for the specified purpose, unless retention is required by law.

The Client determines the retention period for most employee, payroll, attendance, HRMS, and statutory data. RollPAY may retain system logs, security logs, acceptance logs, support records, billing records, backups, and audit records for legal, security, operational, compliance, or dispute resolution purposes.

Upon termination of the Client’s subscription, RollPAY may retain Client Data as per the MSA (MSA-RP-002), applicable law, backup cycles, and commercial arrangement. After the applicable retention period, data shall be deleted or anonymised.

13. Security Safeguards

RollPAY uses reasonable technical and organisational measures to protect personal data against unauthorised access, misuse, loss, alteration, destruction, or disclosure. Such measures may include access controls, authentication, role-based permissions, encryption where appropriate, secure backups, logging, security monitoring, restricted database access, and security review processes.

No internet-based platform, cloud service, software system, or network can be guaranteed to be completely secure.

Users must protect their passwords, OTPs, devices, login credentials, and account access. Clients must ensure appropriate admin controls, user access review, timely deactivation of resigned users, and secure handling of downloaded reports.

14. Data Breach and Security Incident

If RollPAY becomes aware of a personal data breach or security incident affecting personal data processed through the Platform, RollPAY shall take reasonable steps to assess, contain, investigate, and remediate the incident.

RollPAY shall notify the Client and/or relevant authorities where required under applicable law or contractual obligation.

The Client shall cooperate with RollPAY in investigation, communication, mitigation, regulatory response, and affected-User handling where the incident relates to Client Data.

Users should promptly report suspected unauthorised access, credential compromise, device loss, suspicious activity, or data misuse to their employer / Client admin or to RollPAY support.

15. Data Principal Rights under the DPDP Act, 2023

The DPDP Act, 2023 grants individuals (data principals) specific rights in relation to their personal data. The following table explains these rights and how to exercise them:

| Right under DPDP Act, 2023 | What it means | How to exercise it |
|---|---|---|
| Right to information about processing (Section 11) | Know what personal data RollPAY or the Client holds about you and how it is processed. | Contact your employer / Client admin first. For Platform-level queries, contact the RollPAY Grievance Officer. |
| Right to correction and erasure (Section 12) | Request correction of inaccurate or incomplete data, or erasure of data no longer required for the stated purpose. | Raise with your employer / Client admin. Statutory, payroll, tax, or audit data may be subject to mandatory retention periods. |
| Right to grievance redressal (Section 13) | Have grievances about processing of your personal data addressed promptly and effectively. | Contact the Grievance Officer of the Client (your employer) first, then RollPAY’s Grievance Officer if required. |
| Right to nominate (Section 14) | Nominate another individual to exercise your data rights on your behalf in the event of death or incapacity. | Contact your employer / Client admin or RollPAY’s Grievance Officer with a nomination request. |
| Right to withdraw consent | Where processing is based on consent, withdraw that consent at any time. Withdrawal will not affect prior lawful processing. | Contact your employer / Client admin. Note that withdrawal may affect ability to use certain Platform features. |

Since most employee data is controlled by the Client (as Data Fiduciary), Users should first raise data correction, deletion, access, attendance, payroll, salary, leave, statutory, or employment-related requests with their employer / organisation or authorised Client admin.

Where RollPAY receives such a request directly and RollPAY is independently required to act (e.g., for data RollPAY controls as Data Fiduciary), RollPAY shall process it. For data controlled by the Client, RollPAY may redirect the request to the Client or process it in consultation with the Client.

Withdrawal of consent, deletion, or restriction of certain data may affect the User’s ability to use certain Platform features and may be subject to employment, statutory, payroll, audit, tax, legal, or contractual retention requirements.

16. Right to Nominate

Under Section 14 of the DPDP Act, 2023, a data principal has the right to nominate another individual to exercise their data principal rights in the event of their death or incapacity.

A User who wishes to make such a nomination may do so by contacting RollPAY’s Grievance Officer or their employer’s HR department with a written nomination request specifying the nominee’s details.

RollPAY will honour such nominations in accordance with the DPDP Act and applicable rules.

17. Duties of Users

Users shall:

  1. Provide accurate and updated information;
  2. Not submit false, forged, misleading, or unauthorised documents;
  3. Not share passwords, OTPs, or login credentials;
  4. Not misuse another person’s personal data;
  5. Not upload unnecessary, excessive, or irrelevant sensitive information;
  6. Not manipulate attendance, location, photograph, face verification, payroll, or approval records;
  7. Not perform or facilitate unauthorised access to any account or data; and
  8. Promptly report suspected misuse, incorrect data, or unauthorised access to the Client admin or RollPAY support.

18. Children’s Data

The Platform is intended for use by employers, organisations, employees, workers, contractors, managers, and authorised business users. The Platform is not directed at or intended for use by children.

Under the DPDP Act, 2023, a “child” means any person below the age of 18 years. Processing of personal data of children requires verifiable parental consent, and the DPDP Act prohibits tracking or behavioural monitoring of children.

If any personal data of minors is processed for employment, dependent, nominee, statutory, insurance, welfare, or HR-related purposes through the Platform, the Client shall be solely responsible for:

  1. Ensuring that such processing is lawful and supported by appropriate notice, verifiable parental consent, or other lawful basis under the DPDP Act;
  2. Ensuring that the Platform is not used to track or behaviourally monitor children; and
  3. Maintaining appropriate records of consent obtained for processing children’s data.

19. Aggregated, Anonymised and De-Identified Data

RollPAY may use aggregated, anonymised, or de-identified data for analytics, benchmarking, product improvement, research, security, service development, reporting, and business intelligence.

Such data will not reasonably identify the Client, User, or individual employee and is not subject to the data protection obligations applicable to personal data under the DPDP Act.

20. Third-Party Links and Services

The Platform may contain links, integrations, APIs, or connections to third-party websites, services, portals, devices, or applications.

RollPAY is not responsible for the privacy practices, content, security, availability, or policies of third-party services. Users and Clients should review the applicable third-party terms and privacy notices where relevant.

21. Changes to this Privacy Notice

RollPAY may update this Privacy Notice from time to time to reflect changes in law, technology, Platform features, business practices, or compliance requirements.

For material changes — particularly changes that affect the purpose of processing, the categories of data processed, the basis for processing, or the rights of data principals — RollPAY shall provide prior notice through email, login prompt, in-app notification, or dashboard message. Where the change affects data previously collected on the basis of consent, RollPAY shall require a fresh acknowledgement or, where necessary, fresh consent before continuing to process such data.

For non-material or administrative changes, continued use of the Platform after the updated Privacy Notice becomes effective shall be treated as acknowledgement of the updated notice.

22. Grievance Officer — Contact and Grievance Redressal

In compliance with Rule 3(1)(c) of the IT (Intermediary Guidelines) Rules, 2021 and the grievance redressal requirements of the DPDP Act, 2023, RollPAY has appointed a Grievance Officer.

Name: Mr. Swarn Kumar Mehto

Designation: Grievance Officer

Email: grievance@rollpay.in

Phone: 011-444 14 444

Working Hours: Monday to Saturday, 10:00 AM – 6:00 PM IST

Address: Crystal Smart Solutions, KH No. 82/1/4, Gali No. 1, Mundka Udyog Nagar, New Delhi – 110041

Acknowledgement: within 24 hours of receipt

Resolution: within 15 days of receipt

For employment, salary, attendance, leave, payroll, reimbursement, tax, statutory, document correction, or HR-related data issues, Users should first contact their employer / organisation, HR department, payroll department, reporting manager, or authorised Client admin.

For privacy or Platform-related queries, complaints about processing of personal data, requests to exercise DPDP Act rights, or escalations not resolved by the Client, you may contact the RollPAY Grievance Officer at the details above.

RollPAY may verify your identity before responding to any privacy-related request.

Privacy / Grievance Email: grievance@rollpay.in
Support Email: support@rollpay.in
Registered Office: Crystal Smart Solutions, KH No. 82/1/4, Gali No. 1, Mundka Udyog Nagar, New Delhi – 110041
Related Agreement: RollPAY Master SaaS Agreement — MSA-RP-002

--------- End of Privacy Notice — Version PP-RP-002 — Crystal Smart Solutions--------------