Privacy Policy

This Privacy Policy describes how RapidData Solutions Private Limited (“RapidData,” “we,” “our,” or “us”), as the owner and operator of RapidHR (“RapidHR” or the “Platform”), collects, processes, stores, protects, uses, and discloses personal data in connection with the use of its websites, software applications, mobile applications, APIs, and related services. By accessing or using RapidHR, users acknowledge that they have read, understood, and agreed to the practices described in this Privacy Policy. This Policy should be read together with the RapidHR Terms and Conditions and any executed Data Processing Agreement (“DPA”).

1. About Us

RapidHR is owned, operated, and maintained by RapidData Solutions Private Limited, having its registered office at A Block, 1st Floor, Tecci Park, 285, Rajiv Gandhi Salai, Kumaran Nagar, ELCOT SEZ, Karapakkam, Chennai, Tamil Nadu – 600119, India. RapidHR is made available through our official websites and digital platforms.

Privacy and legal communications: legal@rapiddata.com

Product support: support@rapidhr.com or +91 9498699667

Grievance Officer (India – DPDP Act, 2023 and IT Rules): The designated Grievance Officer can be reached at grievance@rapiddata.com. Grievances will be acknowledged within 24 hours and resolved within fifteen (15) days, in accordance with applicable Indian law.

Data Protection Officer (EU/UK GDPR): For matters relating to the processing of personal data of EU/EEA or UK data subjects, our Data Protection Officer can be contacted at dpo@rapiddata.com.

2. Scope of this Policy

This Privacy Policy applies to all individuals and organizations that access or use RapidHR, including human resource professionals, administrators, employees of subscribing organizations, job applicants using recruitment portals powered by RapidHR, mobile application users, API users, and visitors to our websites. This Policy applies to all services, products, applications, integrations, and digital interfaces operated by RapidData in connection with RapidHR. This Policy does not apply to third-party websites, products, or services that are not owned or controlled by RapidData.

3. Our Role in Data Processing

RapidData primarily acts as a data processor (or “service provider” within the meaning of the CCPA/CPRA, and “data processor” within the meaning of the GDPR and the India DPDP Act). Subscribing client organizations remain the controllers (or “businesses” / “data fiduciaries”) of employee, applicant, organizational, and business data processed through RapidHR. RapidData processes such information solely in accordance with the executed customer agreement, the Data Processing Agreement (where applicable), documented client instructions, and applicable legal requirements. With respect to a limited set of activities (such as account administration, billing, security, fraud prevention, and direct communications with our own business contacts), RapidData acts as an independent controller.

4. Information We Collect

RapidHR may collect, process, and store personal, organizational, and technical information as required by subscribing organizations for workforce management, payroll administration, recruitment, compliance, reporting, and related business operations. Such information may include employee names, email addresses, telephone numbers, residential addresses, dates of birth, employee identification numbers, government-issued identification details, statutory records, passport or visa information, banking details, compensation records, payroll information, attendance records, leave records, timesheet information, work location information where enabled by clients, employment documentation, profile photographs, performance records, training records, and compliance-related records.

In connection with applicant tracking and recruitment services, RapidHR may process resumes, curriculum vitae, educational qualifications, employment history, professional certifications, skills information, interview notes, recruiter evaluations, assessment results, references, and background verification information where authorized by the client organization.

RapidHR may also automatically collect technical and usage information including internet protocol addresses, browser information, device details, operating system information, application versions, session identifiers, authentication records, login activity, audit trails, API usage records, diagnostic information, and security-related logs for platform administration, security, and service improvement purposes.

Sensitive / Special Categories of Personal Data: To the extent client organizations upload or instruct RapidData to process information that constitutes ‘special categories’ of personal data under the GDPR (Article 9), ‘sensitive personal information’ under the CCPA/CPRA, or ‘sensitive personal data’ under the India DPDP Act (such as government identifiers, financial information, biometric or health-related data), the client organization warrants that it has obtained all required consents and has a lawful basis for such processing.

5. Biometric Data

RapidHR may integrate with biometric attendance devices or mobile device authentication systems for attendance or identity verification purposes. RapidData does not collect, store, retain, or process raw biometric fingerprints, facial templates, voiceprints, retina scans, or other biometric identifiers or biometric authentication data. Any biometric authentication performed through mobile devices or external attendance infrastructure is handled by device manufacturers, operating system providers, or client-managed biometric systems, including platforms provided by Apple and Google. Where applicable, client organizations are solely responsible for compliance with biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA), Texas CUBI, Washington H.B. 1493, and any equivalent statutes.

6. Methods of Collection

RapidData may collect information directly from subscribing client organizations, employees, administrators, job applicants, website users, mobile application users, API integrations, connected services, system-generated logs, and recruitment workflows. Information may also be generated automatically through the use of platform features, security systems, authentication mechanisms, and operational analytics.

7. Purposes of Processing

RapidData processes information for the purpose of delivering human resource management services, applicant tracking services, payroll administration, statutory compliance, attendance management, workforce planning, employee lifecycle management, recruitment operations, reporting, analytics, platform optimization, customer support, fraud prevention, abuse detection, platform security, contractual performance, legal compliance, and service improvement. Where permitted by applicable law, RapidData may also use business contact information to send product announcements, service notifications, release updates, newsletters, and marketing communications.

8. Legal Basis for Processing

Depending on the applicable jurisdiction and the nature of processing, RapidData relies on the following lawful bases under GDPR Article 6 and equivalent provisions of other applicable laws:

  • <strong>(a)</strong> Performance of a contract – to provide RapidHR services to client organizations and to administer accounts;
  • <strong>(b)</strong> Compliance with legal obligations – including statutory recordkeeping, tax, payroll, and labour-law obligations;
  • <strong>(c)</strong> Legitimate interests – platform security, fraud prevention, service improvement, and operating our business, balanced against data subjects’ rights;
  • <strong>(d)</strong> Consent – where consent is the only available legal basis (e.g., certain marketing communications, optional cookies, processing of sensitive personal data); consent may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal;
  • <strong>(e)</strong> Documented controller instructions – where RapidData acts as a processor on behalf of the client organization.

RapidHR is designed to support compliance with the India Digital Personal Data Protection Act, 2023 (DPDP Act), the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws. Operational security practices are aligned with ISO/IEC 27001 principles and SOC 2 security standards.

9. Cookies and Analytics

RapidHR does not use advertising cookies, behavioral advertising cookies, or marketing cookies on its websites or applications. RapidData uses strictly necessary cookies and similar technologies required for authentication, session continuity, platform security, and core functionality. RapidData may also use analytics technologies, including Google Analytics, to understand website performance, platform usage, and service optimization. Where required by applicable law (including the EU ePrivacy Directive and the UK PECR), non-essential analytics cookies are loaded only after the user provides prior, informed, opt-in consent through our cookie banner. Users may withdraw consent or adjust preferences at any time through the cookie preference center.

10. Third-Party Services and Subprocessors

In order to deliver services efficiently and securely, RapidData may engage authorized infrastructure providers, payment processors, tax compliance providers, enterprise software providers, and other service partners to process data on its behalf. Such providers may include Amazon Web Services, Microsoft, Stripe, PayPal, Razorpay, ClearTax, and ICICI Bank. A current list of subprocessors is maintained at https://www.rapidhr.com/subprocessors and is available upon written request to legal@rapiddata.com. RapidData enters into written agreements with each subprocessor imposing data protection obligations no less protective than those in this Policy and the customer DPA. RapidData will provide reasonable advance notice of any new or replacement subprocessor and will give client organizations a reasonable opportunity to object on legitimate data protection grounds.

11. International Data Transfers

Because RapidHR operates using multi-region infrastructure, personal and organizational data may be transferred to, stored in, or processed in jurisdictions outside India, including regions where RapidData’s infrastructure providers or authorized subprocessors operate. Where such international transfers occur, RapidData implements appropriate safeguards as required by applicable law, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) for transfers from the EEA;
  • UK International Data Transfer Addendum (IDTA) for transfers from the United Kingdom;
  • Adequacy decisions where available;
  • Transfer impact assessments and supplementary technical, contractual, and organizational measures (such as encryption in transit and at rest, pseudonymisation, and strict access controls) where required.

Data subjects may obtain a copy of the relevant transfer mechanism by contacting legal@rapiddata.com.

12. Data Security

RapidData maintains administrative, technical, and organizational safeguards designed to protect data against unauthorized access, disclosure, alteration, destruction, loss, misuse, or unlawful processing. Such safeguards include encryption in transit (TLS 1.2 or higher) and encryption at rest (AES-256), access controls, role-based permissions, multi-factor authentication for administrative access, audit logging, network monitoring, backup systems, disaster recovery procedures, vulnerability management, secure software development lifecycle practices, and 24×7 security monitoring. While RapidData employs commercially reasonable security measures aligned with ISO/IEC 27001 and SOC 2 frameworks, no internet-based platform or electronic storage system can guarantee absolute security.

13. Data Retention

RapidData retains information only for as long as necessary to fulfill contractual obligations, provide services, comply with applicable legal requirements, resolve disputes, enforce agreements, or support legitimate business operations. Indicative retention periods (which may be modified by written agreement, applicable law, or documented client instructions) are as follows:

  • Active customer data: for the duration of the subscription term;
  • Customer data after termination: up to ninety (90) days to permit export, after which it is permanently deleted or irreversibly anonymised, unless longer retention is required by law;
  • System backups: up to three (3) months on a rolling basis;
  • Security and audit logs: up to twelve (12) months, or longer where required for regulatory or security investigation purposes;
  • Tax, payroll, and statutory records: for the period required under applicable Indian and foreign tax, labour, and corporate laws (typically seven (7) to eight (8) years);
  • Marketing contact records: until the data subject opts out or withdraws consent.

14. Data Sharing and Disclosure

RapidData does not sell personal information to third parties and does not “share” personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. Information may be disclosed only to the relevant client organization, authorized subprocessors, service providers, professional advisors, or other parties where such disclosure is necessary for service delivery, contractual performance, legal compliance, security protection, fraud prevention, or the protection of rights, property, and safety. Where legally permissible, requests from government or law-enforcement authorities relating to client-owned data will be redirected to the relevant client organization as the lawful data owner, except where RapidData is legally compelled to respond directly.

15. Data Subject and Consumer Rights

Subject to applicable law, individuals whose information is processed through RapidHR may exercise the following rights:

  • Right of access – to obtain confirmation and a copy of personal data processed;
  • Right to rectification – to correct inaccurate or incomplete data;
  • Right to erasure (“right to be forgotten”) – subject to legal exceptions;
  • Right to restriction of processing;
  • Right to data portability – to receive data in a structured, commonly used, machine-readable format;
  • Right to object to processing based on legitimate interests or for direct marketing;
  • Right to withdraw consent at any time where processing is based on consent;
  • Rights relating to automated decision-making and profiling under GDPR Article 22 – RapidData does not engage in solely automated decision-making producing legal or similarly significant effects on individuals;
  • Right to opt out of ‘sale’ or ‘sharing’ of personal information, and the right to limit use of sensitive personal information (CCPA/CPRA);
  • Right to non-discrimination for exercising privacy rights;
  • Right to nominate a representative under the India DPDP Act;
  • Right to lodge a complaint with the relevant supervisory authority – the Data Protection Board of India, the relevant EU/EEA Data Protection Authority, the UK Information Commissioner’s Office (ICO), the California Privacy Protection Agency, or other competent regulator.

Where RapidData acts solely as a processor, such requests will be referred to the relevant client organization for action, and RapidData will provide reasonable assistance. Privacy-related requests may be submitted to legal@rapiddata.com. RapidData will acknowledge receipt within ten (10) business days and respond substantively within thirty (30) days under the GDPR / India DPDP Act and within forty-five (45) days under the CCPA/CPRA. These periods may be extended by an additional sixty (60) days (GDPR) or forty-five (45) days (CCPA/CPRA) where reasonably necessary, with notice to the requester. RapidData may take reasonable steps to verify the identity of the requester before fulfilling a request, but will not require excessive documentation.

16. Marketing Communications

RapidData may send product announcements, security updates, release notifications, service notices, newsletters, educational communications, and marketing communications to business contacts and authorized recipients where permitted by applicable law. Marketing communications to individual subscribers in jurisdictions requiring opt-in consent (such as the EU/EEA and the UK) will only be sent on the basis of valid consent. Recipients may opt out of non-essential marketing communications at any time by following the unsubscribe instructions in the communication or by writing to legal@rapiddata.com.

17. Security Incident Notification

If RapidData becomes aware of a confirmed personal data breach affecting customer or personal data processed through RapidHR, RapidData will:

  • Notify the affected client organization without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach where commercially and legally feasible, to enable the controller to comply with its own notification obligations under GDPR Article 33;
  • Provide sufficient information to enable the controller to assess and notify the breach to supervisory authorities and, where required, to affected data subjects;
  • Cooperate in good faith with the controller’s investigation, mitigation, and remediation efforts;
  • Where RapidData is itself the controller, notify the relevant supervisory authority within seventy-two (72) hours and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

18. Children’s Privacy

RapidHR is intended solely for business, employment, recruitment, and professional use. RapidHR is not directed to, marketed to, or intended for individuals under eighteen (18) years of age, and RapidData does not knowingly collect personal information directly from minors. RapidData does not knowingly process personal data of children in a manner inconsistent with the U.S. Children’s Online Privacy Protection Act (COPPA), GDPR Article 8, or Section 9 of the India DPDP Act. If RapidData becomes aware that personal data of a minor has been provided without appropriate consent, such data will be deleted promptly.

19. Changes to this Privacy Policy

RapidData reserves the right to modify, update, or revise this Privacy Policy at any time to reflect changes in business practices, legal requirements, technology, or platform functionality. Material changes will be notified to client organizations and, where required by applicable law, to data subjects through RapidHR websites, in-product notifications, applications, or other official communication channels at least thirty (30) days in advance of the effective date. Continued use of RapidHR after such updates constitutes acceptance of the revised Privacy Policy.

20. Contact Information

Any questions, requests, complaints, or notices relating to this Privacy Policy or the processing of personal data may be addressed to:

Legal & Privacy Office

RapidData Solutions Private Limited

A Block, 1st Floor, Tecci Park, 285, Rajiv Gandhi Salai, Kumaran Nagar, ELCOT SEZ, Karapakkam, Chennai, Tamil Nadu – 600119, India

Email: legal@rapiddata.com

Grievance Officer: grievance@rapiddata.com

Data Protection Officer (EU/UK): dpo@rapiddata.com