1. Introduction
We are Atto Mind Lab, headquartered in Pune, Maharashtra, India. We build software to help Indian businesses manage their HR and operations.
This Privacy Policy explains how we collect, use, and protect your personal data across our website, product platforms (Atto-HR and Atto-Works), and mobile access points. This policy is written to comply fully with the Digital Personal Data Protection (DPDP) Act 2023, the Information Technology Act 2000 (as amended), and all applicable Indian laws.
By using our services, you agree to the practices described in this document.
2. Data We Collect
We only collect data necessary to provide our services. This includes:
- Personal Data: Your name, email address, phone number, company name, GST number, PAN, and billing information.
- Usage Data: Your IP address, browser type, device information, pages visited, and time spent on our platform.
- Product Data: When you use Atto-HR or Atto-Works, you may upload employee records, payroll data, and project data. This data is strictly separated, encrypted, and isolated in our product databases.
We collect this data through direct input forms, automated cookies, server logs, and integrated third-party analytics.
3. Purpose of Data Collection
Under the DPDP Act 2023, we only use your data for explicit, stated purposes:
- Providing and delivering our HRMS and ERP software services to your business.
- Managing your subscription, processing payments, and generating invoices.
- Providing customer support via email and WhatsApp.
- Ensuring legal compliance regarding GST, tax, and labor law reporting.
- Improving our service infrastructure, fixing bugs, and securing our platform against abuse.
We do not and will not process your data for any purposes beyond what is explicitly stated here (as per DPDP Section 6).
4. Legal Basis for Processing
We process your data based on:
- Consent: Explicitly obtained via checkboxes at the time of signup (DPDP Section 6).
- Legitimate Use: To fulfill our contract with you, deliver the promised service, maintain security, and meet Indian legal obligations.
We do not process sensitive personal data without your clear, affirmative consent (DPDP Section 3).
5. Data Sharing and Disclosure
We do not sell your personal data. We only share data with trusted entities to operate our business:
- Service Providers: Secure cloud hosting via AWS India (ap-south-1, Mumbai), payment processing via Razorpay, and transactional emails via SendGrid/AWS SES.
- Legal Obligations: We will disclose data if required by government authorities under the IT Act or a binding court order.
- Business Transfers: In the event of a merger or acquisition, you will be notified before your data is transferred.
6. Data Retention and Deletion
We keep your data only as long as necessary:
- Active Accounts: Data is retained while your subscription remains active.
- Cancelled Accounts: Routine data is deleted within 90 days of cancellation. However, financial and legal records (like invoices and GST data) are retained for 8 years as required by Indian tax law.
- Unactivated Trials: If you sign up for a trial but do not convert or activate, your data is permanently deleted within 30 days.
You have the explicit right to request immediate erasure of your personal data at any time (DPDP Section 12).
7. Data Security
Your business data is critical. We protect it using enterprise-grade measures:
- Encryption: All data is encrypted at rest using AES-256 and in transit using TLS 1.3 protocols.
- Access Controls: We use strict, role-based access controls and maintain comprehensive audit logs.
- Incident Notification: In the unlikely event of a data breach, we will notify affected users and the Data Protection Board (MEITY) within 72 hours as mandated by DPDP Section 10.
- Data Localization: Your data remains in India. We do not transfer data across borders without an adequacy decision or explicit compliance (DPDP Section 16).
8. Your Rights (DPDP Act)
Under the DPDP Act 2023, you have absolute control over your personal data:
- Right to Access (Section 11): Request a copy of the data we hold about you.
- Right to Correction and Erasure (Section 12): Fix inaccurate data or demand its deletion.
- Right to Grievance Redressal (Section 13): Escalate issues to our Grievance Officer.
- Right to Nominate (Section 14): Appoint someone to manage your data rights in the event of incapacity.
To exercise any of these rights, email privacy@attomindlab.com with the subject line "DPDP Request".
9. Cookies and Tracking Technologies
We use cookies to enhance your browsing experience. The types of cookies we use include:
- Essential cookies: Required for the website to function. These cannot be disabled.
- Analytics cookies: Help us understand how visitors interact with our website. These are only set with your consent.
- Marketing cookies: Used to deliver personalized advertisements. These are only set with your consent.
You can manage your cookie preferences at any time by clicking "Cookie Settings" in the footer of our website.
10. Children's Privacy
Our business software is not built for, nor directed at, anyone under the age of 18 (defined as a child under DPDP Section 2(j)). We do not knowingly collect data from minors. If we discover such data, it will be permanently deleted within 24 hours.
11. Grievance Officer
In accordance with DPDP Section 13, if you have complaints regarding your data privacy, you can reach our appointed officer:
- Name: Rohan Deshmukh (Founder)
- Email: grievance@attomindlab.com
- Address: Atto Mind Lab, Pune, Maharashtra, India
We will acknowledge and respond to all valid grievances within 30 days.
12. Changes to This Policy
We may update this policy as Indian laws (like the DPDP Act rules) evolve. If we make material changes, we will notify you directly via email. Your continued use of Atto Mind Lab after notification constitutes your acceptance of the revised policy.
For any general privacy inquiries, please reach out to us:
- Email: privacy@attomindlab.com
Questions about this policy?
We're here to help. Reach out and we'll respond within 24 hours.