Privacy Policy

Effective Date: 13 June 2026 Version: v1.0 Jurisdiction: India

This Privacy Policy explains how Sheltertech India Private Limited (“Sheltertech India Private Limited”) collects, uses, stores, and protects personal data and employment records on its Sheltertech India Private Limited Nexus platform (the “Platform”). It is drafted to align with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

On this page

1. Who we are
2. Scope & applicability
3. Data we collect
4. Sensitive personal data
5. Purposes of processing
6. Legal basis & consent
7. Sharing & disclosure
8. Processors & sub-processors
9. Cross-border transfers
10. Data retention
11. Security measures
12. Your rights
13. Breach notification
14. Children & minors
15. Cookies & logging
16. Changes to this Policy
17. Grievance Officer & DPO

1. Who we are

Sheltertech India Private Limited (“Sheltertech India Private Limited”, “we”, “us”, “our”) operates the Sheltertech India Private Limited Nexus platform to manage customer files, agronomy operations, employee records, payroll inputs, attendance, leave, and statutory documents. For the purposes of the DPDP Act, we act as a Data Fiduciary with respect to our employees, contractors, partners, and customers whose data is processed through the Platform.

Registered office: Office #7, Plot #9, DHL Square, IT Park, Sector 22, Panchkula, Haryana – 134109, India.
Phone: +91 97792 50555 | Email: info@sheltertechindia.com

2. Scope & applicability

This Policy applies to all individuals (“Data Principals”) whose personal data is processed via the Platform, including:

Employees, interns, contract staff, and consultants;
Customers and their authorised representatives;
Vendors, suppliers, transporters, and installation partners;
Visitors to the Platform with limited browsing access.

3. Data we collect

We collect the following categories of personal data:

3.1 Identity & contact data

Full name, date of birth, gender, photograph;
Residential and correspondence address, district, state, PIN code;
Mobile number, email address, emergency contact;
Employee code, designation, department, reporting manager.

3.2 Employment & payroll data

Date of joining, employment type, shift assignment, location of work;
Salary structure, CTC, deductions, advance payments, expense claims;
Attendance, leave balances, comp-off accrual, biometric punch records;
Performance, training, disciplinary records.

3.3 Customer & transaction data

Property records, project type, site size, site reports;
Order history, quotations, dispatches, installations, payments;
Subsidy and loan processing data.

3.4 Device & usage data

IP address, user agent, login timestamps, activity logs;
Pages visited, actions performed, files accessed.

4. Sensitive personal data

We collect a limited set of sensitive personal data only where necessary for statutory compliance, payroll, or identity verification:

Government identifiers: Aadhaar number, PAN, voter ID, passport, driving licence.
Financial information: bank account number, IFSC, UPI ID for salary disbursement.
Biometric data: fingerprint / face recognition templates used by attendance terminals (stored on the device vendor’s system; we receive only the matched employee code and timestamp).
Health information: medical certificates submitted for leave or insurance.

Aadhaar numbers and similar government identifiers are stored encrypted at rest, displayed in masked form (only the last four digits are visible), and accessible only to authorised personnel with a documented purpose. We do not use Aadhaar for any purpose other than identity verification and statutory reporting required by law.

5. Purposes of processing

We process personal data for the following purposes:

Onboarding, payroll, attendance, leave, and statutory employer obligations (EPF, ESI, PT, TDS);
Identity verification and KYC for employees, customers, and vendors;
Customer order management: quotation, dispatch, installation, payment, subsidy/loan processing;
Agronomy advisory, field visits, fertigation planning, customer support;
Internal audit, fraud detection, security monitoring, and dispute resolution;
Communication via email, SMS, WhatsApp, and in-app notifications;
Compliance with court orders, regulatory requests, and applicable laws.

6. Legal basis & consent

We process personal data on one or more of the following bases:

Consent — for purposes that are not legally mandatory, including marketing communication and non-essential analytics. Consent is captured electronically and may be withdrawn at any time.
Performance of contract — for employment, customer order fulfilment, and vendor engagements.
Legal obligation — for tax, labour, and statutory reporting under Indian law.
Legitimate use as defined under Section 7 of the DPDP Act — for security monitoring, audit, fraud prevention, and operational continuity.

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal and does not relieve either party of obligations under an active employment or commercial contract.

We share personal data only with the following categories of recipients:

Statutory and regulatory authorities where required by law (EPFO, Income Tax, GSTN, labour department, courts);
Banking partners for salary disbursement and customer payment processing;
Insurance providers for group health and accident cover;
Authorised internal personnel on a need-to-know basis, governed by role-based access controls;
Professional advisors (auditors, legal counsel) bound by confidentiality.

We do not sell personal data, and we do not share employee or customer data with advertising networks.

8. Processors & sub-processors

We use the following categories of processors to operate the Platform. Each processor is engaged on terms requiring confidentiality, reasonable security controls, and notification to us in the event of a security incident.

Cloud hosting and storage provider — runs the Platform application and database, and stores periodic backups.
SMS gateway provider — delivers one-time passwords and transactional notifications.
WhatsApp messaging provider — delivers transactional WhatsApp messages to customers and employees.
Email delivery provider — delivers transactional, grievance, and system emails.
Biometric attendance device vendor — stores biometric templates on its device and shares only the matched employee code and timestamp with us.
Error tracking / operational analytics tooling — receives non-identifying technical telemetry for stability monitoring.

A current list of named sub-processors is maintained internally and can be provided on written request to the Grievance Officer (Section 17).

9. Cross-border transfers

Our primary application servers and live data are hosted in India (Asia region). Encrypted backups are stored with our hosting provider in Singapore for disaster-recovery purposes only. We do not transfer personal data to any country which the Central Government has notified as restricted under Section 16 of the DPDP Act, and we rely on contractual safeguards with our hosting provider equivalent to those required under Indian law.

10. Data retention

We retain personal data only for as long as necessary for the purpose collected:

Employment records: for the duration of employment plus eight (8) years from date of exit, as required under the Income-tax Act, Payment of Gratuity Act, and other labour statutes.
Customer transaction records: minimum eight (8) years from the date of the last transaction.
Identity documents (Aadhaar, PAN, etc.): for the duration of the underlying employment or customer relationship, plus the statutory retention period.
Activity logs and security audit trails: minimum one hundred and eighty (180) days, extendable for ongoing investigations.
Marketing consent records: until withdrawal of consent.

On expiry of the retention period, data is securely deleted or anonymised.

11. Security measures

We implement the following reasonable security practices and procedures:

Encryption of sensitive identifiers at rest and in transit (TLS 1.2+);
Role-based access control with the principle of least privilege;
Re-authentication challenges for destructive and high-risk operations;
Mandatory reason capture and audit logging for every view of sensitive documents;
Mutation rate limiting and anomaly detection on document access patterns;
Magic-byte verification and antivirus scanning of every uploaded document;
Watermarking and download suppression on document previews;
Periodic security reviews, vulnerability assessment, and access recertification.

12. Your rights

Subject to applicable law, Data Principals have the following rights:

Right to information about the personal data being processed and the categories of recipients;
Right of access — to obtain a copy of your personal data;
Right to correction — to update inaccurate or incomplete data;
Right to erasure — subject to retention obligations under law;
Right to grievance redressal through our Grievance Officer (Section 17);
Right to nominate another individual to exercise rights in the event of death or incapacity.

To exercise these rights, contact the Grievance Officer using the details in Section 17. We will respond within the timelines prescribed by the DPDP Act and applicable rules.

13. Breach notification

In the event of a personal data breach that is likely to result in harm to a Data Principal, we will notify the Data Protection Board of India and affected Data Principals without undue delay, and in any event within fourteen (14) days of becoming aware of the breach, in accordance with the DPDP Act and its rules.

14. Children & minors

The Platform is an internal business system and is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal data of minors. Where data of a minor is necessarily processed (for example, family details of an employee), it is collected only with the consent of the parent or lawful guardian and is not used for tracking, behavioural monitoring, or targeted advertising.

15. Cookies & logging

The Platform uses strictly necessary cookies for session management, authentication, and CSRF protection. It does not use third-party advertising or behavioural tracking cookies. Server-side activity logs are maintained for security and audit purposes as described in Section 10.

16. Changes to this Policy

We may update this Policy from time to time to reflect changes in law, regulatory guidance, or our processing practices. Material changes will be notified through the Platform and, where required, will require fresh acceptance before continued use. The current version number and effective date are shown at the top of this Policy.

17. Grievance Officer & Data Protection Officer

For questions, complaints, or requests relating to this Policy or your personal data, please contact:

Grievance Officer: Nitin Parmar
Officer email: contact@sheltertechindia.com
General enquiries: info@sheltertechindia.com
Postal address: Office #7, Plot #9, DHL Square, IT Park, Sector 22, Panchkula, Haryana – 134109, India
Phone: +91 97792 50555

We acknowledge grievances within seventy-two (72) hours of receipt and aim to resolve them within the timelines prescribed under the DPDP Act and the IT Rules, 2011.