This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when Organisations and Users use the DoneHai Platform.
2.1 Organisation-controlled configuration. Organisations decide which modules to enable (attendance, geo-features, verification, tasks, claims, etc.) and set role-based access.
2.2 Organisation responsibility. The Organisation is responsible for issuing employee notices, obtaining consents/authorisations where required, and ensuring its use of the Platform complies with applicable law (including DPDP Act, 2023 where applicable) and internal HR policies.
2.3 DoneHai responsibility. DoneHai acts as a technology provider processing data to provide the Services, maintain security, and operate the Platform.
Depending on the enabled modules and configuration, we may collect:
name, mobile number, email, employee ID (if provided), designation, department, reporting manager (if configured); organisation name and identifiers associated with tenancy.
check-in/check-out timestamps, shift details, attendance status; task assignments, task updates, remarks, work reports; leave requests/approvals and policy-related fields; travel/expense claim details (as configured by the Organisation).
GPS/network-derived location, timestamps, location accuracy metadata; IP-derived signals and device/network indicators; location history and route/visit events for enabled field modules. Background location tracking may occur only when (i) enabled by the Organisation's selected use case/module and (ii) permitted by the User via device prompts/settings.
selfie images (for verification); results/metadata from native device-supported facial/biometric verification methods, as available on the device/OS. (Availability and processing may vary by device/OS and Organisation settings.)
device model, OS version, app version, time zone, language; device identifiers (as permitted by OS), IP address, network info; logs and diagnostics for security and performance; device integrity signals (including rooted/jailbroken/tampered indicators).
files and documents uploaded by Organisation/Users (policies, announcements, attachments, evidence documents); messages/comments/notes entered in the Platform.
emails/requests sent to support, issue details, and resolution notes.
We use data to:
Processing may be based on one or more of the following, as applicable:
We may share data:
6.1 With the Organisation. Data is shared with the Organisation's authorised admins/managers as per role permissions (attendance, location events, verification status, tasks, claims, etc.).
6.2 With service providers (sub-processors). We use vendors for cloud hosting, storage, monitoring, messaging, analytics, and support tooling. They process data only to provide services to DoneHai and subject to contractual confidentiality/security obligations.
6.3 For legal reasons. We may disclose data if required by law, court order, or to protect rights, security, and integrity of the Platform.
6.4 Business changes. In case of merger/acquisition/restructuring, data may be transferred subject to applicable law and appropriate safeguards.
If any processing/storage occurs outside India through cloud/service providers, we will apply reasonable safeguards consistent with applicable law and contractual controls.
Users can manage permissions via device settings (location, camera, notifications, etc.). If required permissions are disabled, certain Services may not function. If the Organisation enables background location tracking for a module, Users will be prompted by device/OS and can control it in device settings.
We implement reasonable administrative, technical, and organisational security measures suitable for SaaS services (access controls, encryption in transit, monitoring, logging, least-privilege controls, etc.). No system can be guaranteed 100% secure.
10.1 During subscription. We retain data while the Organisation subscription is active to provide Services.
10.2 After termination. We may retain Organisation data for up to 60 days after subscription termination to support closure, export (if applicable), dispute handling, and operational continuity.
10.3 Deletion/anonymisation. After the retention window, we delete or anonymise data in accordance with this Policy and applicable law.
10.4 Exceptions. We may retain certain logs/records longer if required for legal compliance, fraud prevention, security auditing, dispute resolution, or backup integrity.
Depending on applicable law (including DPDP Act, 2023 where applicable), Users may have rights such as access/correction, withdrawal of consent (for permission-based processing), and grievance redressal. Because Users are onboarded by Organisations, many requests (e.g., HR data corrections) may need to be routed through the Organisation admin as the Organisation controls account configuration and records used for HR processes.
The Platform is intended for workplace/enterprise use. Users should generally be 18+ (or as permitted under applicable employment/contracting law). We do not knowingly provide the Platform for children.
We may update this Policy from time to time. Updated versions will be posted on our website/app. Continued use of the Platform indicates acknowledgement of the updated Policy.
For privacy questions, concerns, or grievances, contact:
Email: grievance@donehai.com
We will acknowledge and address grievances within timelines prescribed under applicable law.