Privacy Policy

Last updated: April 1, 2026 · Effective date: April 1, 2026

1. Overview

Peymatrix Technologies Private Limited (“Peymatrix”, “we”, “us”, or “our”) operates the HR automation platform available at peymatrix.com and app.peymatrix.com (the “Service”). This Privacy Policy explains how we collect, use, store, share, and protect information about you and your employees when you use the Service.

This policy applies to: (a) HR administrators and company admins who purchase and configure the Service (“Customers”); (b) employees and workers whose data is processed through the Service (“End Users”); and (c) visitors to our marketing website.

Summary: We collect only what is necessary to provide the Service. We never sell personal data. We process employee data only on behalf of the employing organisation (the Customer) acting as Data Controller. We implement enterprise-grade encryption and access controls. You have the right to access, correct, and delete your data at any time.

Peymatrix is GDPR compliant, ISO 27001 aligned, and undergoing SOC 2 Type II certification. Our data processing agreement (DPA) is available at peymatrix.com/data-processing.

2. Information we collect

2.1 Information you provide directly

When you create an account or use the Service, we collect:

  • Account registration information: name, work email address, company name, job title
  • Payment information: billing name, address, and payment method (card details are processed and stored by our payment processor, Razorpay — we do not store full card numbers)
  • Company configuration: legal entity details, company address, registered number, GST/VAT number
  • Communications: messages you send to our support team or via in-app chat

2.2 Employee data entered by Customers

Our Customers enter data about their employees into the platform as part of running their HR operations. This data is controlled by the Customer (the employing organisation), and Peymatrix processes it only on their instructions. This data may include:

  • Identity: full name, date of birth, gender, national ID / Aadhaar, passport number
  • Contact: personal email, personal mobile number, home address
  • Employment: job title, department, manager, employment type, start date, salary
  • Payroll: bank account details (for salary disbursement), PAN, PF number, UAN
  • Attendance: check-in/out times, location (for geo-fenced check-in), shift data
  • Leave: leave applications, leave balances, reasons (if provided by employee)
  • Documents: uploaded employment contracts, educational certificates, identity proofs
  • Performance: review scores, feedback notes, OKR progress (if Customer uses these modules)

2.3 Information collected automatically

When you use the Service, we automatically collect certain technical information:

  • Log data: IP address, browser type, pages visited, timestamps, referring URL
  • Device information: device type, operating system, screen resolution
  • Usage events: features used, actions taken, error events (for debugging)
  • Session information: session duration, navigation paths

This data is used solely for security monitoring, product improvement, and debugging. It is not used for advertising.

3. How we use your information

We use the information we collect for the following purposes:

Providing the Service (legal basis: contractual necessity)

Processing payroll, managing leave and attendance records, generating payslips, running compliance calculations, and all other core HR functions your organisation has configured.

Account management (legal basis: contractual necessity)

Creating and maintaining your account, billing, communicating with you about your subscription, and responding to support requests.

Service improvement (legal basis: legitimate interest)

Analysing aggregated, anonymised usage patterns to identify performance issues, prioritise features, and improve reliability. We never use employee data for this purpose.

Security and fraud prevention (legal basis: legitimate interest / legal obligation)

Monitoring for suspicious access patterns, preventing unauthorised access, and maintaining audit logs for compliance purposes.

Legal compliance (legal basis: legal obligation)

Meeting statutory obligations under Indian labour law, GDPR, UAE data protection law, and UK GDPR as applicable to each Customer entity.

Communications (legal basis: consent, for marketing only)

Product updates, security notices, and (with your consent) marketing communications about Peymatrix features and offers.

4. Data storage and security

4.1 Infrastructure

All Customer and employee data is stored on Amazon Web Services (AWS) infrastructure. Primary data regions: AWS ap-south-1 (Mumbai, India) for Indian entities. EU entities default to AWS eu-west-2 (London). UAE entities use AWS me-south-1 (Bahrain). Enterprise Customers may request alternative data residency as part of their contract.

4.2 Encryption

  • At rest: AES-256 encryption for all data stored on disk. Database-level encryption using AWS RDS encryption with Customer-managed KMS keys (available on Enterprise plan).
  • In transit: TLS 1.3 enforced for all data in transit. TLS 1.0 and 1.1 are disabled. HTTP is permanently redirected to HTTPS.
  • Secrets vault: Sensitive credentials (bank account numbers, PAN, Aadhaar) are stored in a dedicated secrets vault using HashiCorp Vault-compatible architecture with envelope encryption. Application code cannot access raw values without explicit vault authorisation.
  • Payslip documents: Signed and unsigned payslip PDFs are encrypted with employee-specific keys. Employees access their own payslips via authenticated sessions only.

4.3 Access controls

  • Role-based access control (RBAC) with least-privilege principles. Employees see only their own data by default.
  • HR administrators see only the data their role requires. Payroll data is separated from general HR data with distinct permission levels.
  • Peymatrix engineers access production data only through a PAM (Privileged Access Management) system with 4-eyes approval, MFA, and full audit logging.
  • No Peymatrix employee can access Customer data without explicit Customer consent, except for automated systems required to provide the Service.

4.4 Certifications and audits

Framework | Status | Scope
--- | --- | ---
SOC 2 Type II | In progress (2026) | Security, availability, and confidentiality trust service criteria
ISO 27001 | Aligned (formal audit Q3 2026) | Information security management system standard
GDPR Art. 28 | Compliant | Data processing agreements with all sub-processors

4.5 Incident response

In the event of a data breach that is likely to result in risk to individuals, we will notify affected Customers within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33 and applicable national data protection laws. Notification will include the nature of the breach, categories of data affected, and remedial measures taken.

5. Sharing and disclosure

We never sell personal data. Not to advertisers, data brokers, or any third party. This is unconditional.

We share data only in the following limited circumstances:

5.1 Sub-processors

We use a limited number of third-party service providers (“sub-processors”) to provide the Service. All sub-processors are contractually bound to process data only on our instructions, maintain appropriate security standards, and not use data for their own purposes. A full list is available at peymatrix.com/data-processing.

Current primary sub-processors include:

  • Amazon Web Services (AWS) — cloud infrastructure and storage
  • Razorpay — payment processing for subscription fees
  • Postmark — transactional email delivery (payslips, notifications)
  • Twilio — WhatsApp and SMS delivery
  • Sentry — error monitoring (no employee PII in error payloads)

5.2 Legal requirements

We may disclose data if required by applicable law, court order, or lawful request from a competent authority. We will, to the extent legally permitted, notify you before disclosing your data in response to such a request and will challenge requests we believe are overbroad or unlawful.

5.3 Business transfers

In the event of a merger, acquisition, or sale of substantially all assets, Customer data may be transferred to the acquiring entity. We will notify affected Customers prior to any such transfer and give them the option to export their data.

6. Employee personal data

Peymatrix processes employee data as a Data Processor on behalf of the employing organisation (the Customer), which acts as the Data Controller. This means:

  • The Customer determines the purposes for which employee data is processed.
  • Employees should direct requests about their data to their employer (the Customer) in the first instance.
  • Customers are responsible for obtaining any required consents from employees and providing appropriate privacy notices to their workforce.
  • Peymatrix provides technical mechanisms (data export, deletion, correction) to help Customers fulfil their obligations to employees.

6.1 Employee rights under GDPR

For employees whose data is subject to GDPR (EU residents and UK residents under UK GDPR), the following rights apply:

  • Right of access (Art. 15): Employees may request a copy of all personal data held about them via their employer.
  • Right to rectification (Art. 16): Employees may request correction of inaccurate data through the self-service portal or via their employer.
  • Right to erasure (Art. 17): Employees may request deletion of their data. Deletion is subject to the Customer's retention obligations under labour law (e.g., payroll records must be retained for 7 years in India). Peymatrix will delete data within 30 days of a valid erasure request, except where a legal retention obligation applies.
  • Right to data portability (Art. 20): Employees can export their own data (personal profile, payslips, leave history) in machine-readable format from the self-service portal.
  • Right to object (Art. 21): Employees may object to processing based on legitimate interests. Contact your employer or dpo@peymatrix.com.

6.2 Special category data

Some HR processes may involve special category data under GDPR (e.g., medical information for sick leave, disability status for reasonable adjustments). Peymatrix does not require Customers to enter special category data. Where Customers choose to record such data, they are responsible for ensuring they have a valid legal basis under GDPR Article 9. Special category data fields are restricted to HR administrators with explicit “sensitive data” permissions.

7. Data retention

We retain data for the following periods:

Data type | Retention period | Reason
--- | --- | ---
Active employee records | Duration of employment + 7 years | Indian Labour Law, EPF Act
Payroll records | 7 years after payment | Income Tax Act, EPF Act
Attendance records | 3 years | Factories Act, Shops & Establishment Acts
Leave records | 3 years | Statutory audit trail
Account data (admin) | 30 days after account closure | Contractual
Billing records | 7 years | Companies Act, GST records
Security logs | 12 months | Security monitoring
Marketing consent records | Duration of consent + 3 years | Accountability principle

After the applicable retention period, data is deleted or irreversibly anonymised. Deletion is a permanent, automated process; data cannot be recovered or reinstated after a confirmed deletion event.

8. Cookies and tracking

Our marketing website (peymatrix.com) uses cookies. The application (app.peymatrix.com) uses only essential cookies necessary for authentication and session management. We do not use tracking or advertising cookies inside the application.

Cookies used on the marketing website:

Cookie | Type | Purpose | Duration
--- | --- | --- | ---
_pmx_session | Essential | Maintains login session on app subdomain | Session
_pmx_csrf | Essential | CSRF protection token | Session
_pmx_analytics | Analytics | Anonymous page view analytics (no PII) | 1 year
_pmx_consent | Functional | Stores your cookie consent choice | 1 year

We do not use Google Analytics, Meta Pixel, or any advertising cookies. You can manage your cookie preferences via the consent banner on first visit.

9. Your rights

Depending on your location, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that inaccurate or incomplete data be corrected.
  • Erasure: Request deletion of your data, subject to legal retention obligations.
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request that we restrict processing while a dispute is resolved.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw any consent you have given at any time.

To exercise any of these rights, email dpo@peymatrix.com. We will respond within 30 days. We may need to verify your identity before processing requests.

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the relevant supervisory authority — the Information Commissioner's Office (ICO) in the UK, the Data Protection Commission (DPC) in Ireland for EU matters, or the relevant state data protection authority in India under the Digital Personal Data Protection Act 2023.

10. International transfers

Customer data is stored in the AWS region closest to the Customer's primary operating country (see Section 4.1). Where data is transferred outside the European Economic Area (EEA) or UK, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): We execute the European Commission's 2021 SCCs with all sub-processors receiving EU/UK personal data.
  • UK International Data Transfer Agreements (IDTAs): For transfers from the UK.
  • Adequacy decisions: Where applicable (e.g., transfers to countries with an EU adequacy decision).

Our Data Processing Agreement (available at peymatrix.com/data-processing) includes SCCs as an annex. Enterprise Customers may request a countersigned DPA.

11. Children's privacy

The Service is intended for use by organisations and their employees. We do not knowingly collect personal data from individuals under the age of 16. The Service is not directed at children. If you become aware that a child's data has been submitted to the Service, please contact us at dpo@peymatrix.com and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes (those that affect your rights or how we use your data) will be communicated via email to all active Customers at least 30 days before the change takes effect. Non-material changes (e.g., clarifications, formatting) will be posted on this page with an updated “Last updated” date.

Continued use of the Service after a material change takes effect constitutes your acceptance of the revised policy. If you do not agree to the changes, you may export your data and close your account before the effective date.

13. Contact and DPO

For all privacy-related enquiries, data subject requests, or complaints, contact our Data Protection Officer:

Data Protection Officer

Peymatrix Technologies Private Limited

12th Floor, Prestige Tech Park

Sarjapur Ring Road, Bengaluru – 560 087

Karnataka, India