Who we are
Suggested text: Our website address is: https://amppearlpigmentltd.com.
Comments
Suggested text: When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Media
Suggested text: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Cookies
Suggested text: If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Suggested text: Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Who we share your data with
Suggested text: If you request a password reset, your IP address will be included in the reset email.
How long we retain your data
Suggested text: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
Suggested text: If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Suggested text: Visitor comments may be checked through an automated spam detection service.
Section 01
Scope & Data Controller / Processor
This Privacy Policy (“Policy”) describes how AMP Pearl Pigment LTD.(“we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you access or use the AMP HR platform.
This Policy is prepared to comply with:
- Digital Personal Data Protection Act, 2023 (DPDPA) — India
- Information Technology Act, 2000 and IT (Amendment) Act, 2008 — India
- IT (SPDI) Rules, 2011 — Sensitive Personal Data protection
- Google Play Store Data Safety Policy and Families Policy
- Apple App Store App Privacy Details requirements and Review Guidelines
- GDPR — to the extent applicable for EEA-based users
1.1 Data Controller vs. Data Processor
As Data Processor: With respect to Employee personal data, AMP Pearl Pigment LTD processes data on behalf of the Organisation (the data controller) per the Organisation’s instructions and a Data Processing Agreement.
As Data Controller: With respect to Organisation Admin account data and data collected for the Company’s own purposes (billing, security, product improvement), AMP Pearl Pigment LTD is the data controller.
Section 02
Legal Bases for Processing
Legal Basis Application
| Contractual Necessity | Processing required to perform the Subscription agreement, including providing HR modules and payroll services. |
| Consent | Processing of biometric (facial) data and background location data — requires explicit, granular, informed consent from each Employee. |
| Legitimate Interests | Security monitoring, fraud prevention, aggregated/anonymised platform analytics, and product improvement — where not overridden by individual rights. |
| Legal Obligation | Statutory payroll reporting (PF, ESI, TDS), tax compliance, and lawful regulatory/authority requests. |
Categories of Personal Data Collected
Category |
Data Points |
Source |
|---|---|---|
| Identity & Account | Full name, employee ID, designation, department, profile photo, date of birth, gender | Organisation / Employee |
| Contact | Work email, work mobile, emergency contact | Organisation / Employee |
| Biometric (Special Category) | Facial feature vectors (encrypted mathematical embeddings); liveness detection data | Captured via app with Employee consent |
| Location | GPS latitude/longitude, timestamp, accuracy radius, device identifier | Captured via app during active sessions |
| Attendance & Time | Clock-in/out timestamps, shift data, working hours, regularisation records, leave balances | Platform / Employee |
| Financial & Payroll | Salary structure, CTC, PAN, bank details, PF/ESI numbers, tax declarations, payslips, expense claims and receipts | Organisation / Employee |
| Task & Work Data | Task assignments, status, comments, timestamps, attachments | Platform / Employee / Admin |
| Device & Technical | Device model, OS version, app version, IP address, device UUID, push token, crash logs | Automatically collected |
| Usage Analytics | Feature usage patterns, session duration (anonymised) | Automatically collected |
Section 04
Biometric Data — Special Category
4.1 What We Capture & Store
We do not store raw facial photographs in our primary operational database. The AI attendance system converts facial images into encrypted mathematical feature vectors (embeddings) — numerical representations that cannot be reverse-processed to reconstruct a recognisable photograph. Original images may be temporarily retained as an audit record for attendance disputes, subject to the retention schedule in Section 8.
4.2 Consent & Withdrawal
Biometric enrolment is voluntary and requires explicit, informed, documented consent from each Employee prior to activation. Consent may be withdrawn at any time by written request to the Organisation Admin or our Grievance Officer. Biometric data will be permanently deleted within 7 business days of verified withdrawal.
4.3 Storage & Access Controls
- Feature vectors are stored with AES-256 encryption under separately managed keys from other data categories.
- Biometric data is physically and logically segregated at the database level.
- Access is restricted to the automated AI inference system. No AMP Pearl Pigment LTD employee accesses individual biometric vectors in unencrypted form.
- All access to biometric data stores is subject to comprehensive audit logging.
4.4 No Third-Party Disclosure
Biometric data is never sold, rented, licensed, or disclosed to any third party — including advertisers, data brokers, or government authorities — except pursuant to a valid, legally enforceable court order. Any such compelled disclosure will be notified to the Organisation to the extent permitted by law.
Section 05
Location Data
5.1 Collection Basis & Frequency
Location data is collected only when an Employee has an active clock-in session and location tracking has been enabled by the Organisation. Collection occurs at intervals of every 15 to 30 minutes and upon specific trigger events. No location data is collected outside active work sessions.
5.2 Permission Levels
- Foreground (“While Using App”): Captured while the app is actively open. Used for standard attendance geo-verification.
- Background (“Always Allow”): Captured while the app runs in background. Required only for field employee configurations. Employees receive a clear system-level permission dialog and must explicitly grant permission. Disclosed in data safety declarations on Google Play and App Store.
5.3 Purpose Limitation
Location data is processed exclusively for attendance geo-verification, field workforce monitoring, route validation, and operational compliance reporting. It is not used for advertising, cross-app tracking, personal profiling unrelated to employment, or disclosed to data brokers.
5.4 Employee Transparency
Employees can view their own historical location data through the mobile application. Admin access is governed by role-based permissions configured at the Organisation level.
Section 06
Purposes of Processing
- Platform Service Delivery: Providing attendance, payroll, task, expense, shift, leave, and regularisation functionality.
- Identity Verification: Running AI facial recognition for attendance marking.
- Payroll Processing: Computing salaries, statutory deductions (PF, ESI, TDS, PT), and generating payslips and compliance reports.
- Workforce Management: Enabling Organisations to manage shifts, tasks, expenses, and field operations.
- Security & Fraud Prevention: Detecting and preventing unauthorised access, attendance spoofing, expense fraud, and data breaches.
- Legal & Regulatory Compliance: Complying with labour, tax, and data protection law; responding to lawful authority requests.
- Support & Communication: Responding to support requests; sending service-critical notifications.
- Product Improvement: Using anonymised, aggregated data to improve features and AI model accuracy. No individual is identifiable from data used for this purpose.
- Billing & Account Management: Processing Subscriptions, invoicing, and managing contracts with Organisations.
Section 07
Data Sharing & Third-Party Disclosure
We do not sell personal data. We disclose it only in the following circumstances and only to the minimum extent necessary:
| Recipient | Data Disclosed | Legal Basis | Safeguard |
|---|---|---|---|
| Your Organisation (Admin) |
Employee attendance, tasks, location, expense,payroll data |
Contract / Employment | RBAC; DPA in place |
| Cloud Infrastructure (AWS / Azure) | All encrypted Platform data | Contract | SOC 2 Type II; AES-256; DPA |
| Payment Gateway (Razorpay / Stripe) | Billing/payment data only | Contract | PCI-DSS; DPA |
| Email Service (SendGrid) | Email address, name | Legitimate interests | DPA; transactional use only |
| Crash Analytics (Firebase) | Anonymised crash logs, device type | Legitimate interests | Anonymised; no PII |
| Legal Authorities / Courts | As required by valid legal order | Legal obligation | Minimum disclosure; Organisation notified where permitted |
All third-party processors are bound by Data Processing Agreements restricting use to stated purposes and requiring equivalent data protection standards.
Section 08
Data Retention Schedule
| Data Category | Retention Period | Post-Retention Action |
|---|---|---|
| Attendance Records | 3 years from date of record | Permanent irreversible deletion |
| Biometric (Facial) Data | Duration of employment + 90 days; or immediately on consent withdrawal |
Cryptographic erasure and permanent deletion |
| Location Data | 12 months from date of capture | Automatic purge |
| Payroll & Financial Records | 7 years (statutory — Indian tax law) | Permanent deletion |
| Expense Records | 5 years | Permanent deletion |
| Task & Work Data | 3 years or Subscription duration (whichever shorter) | Permanent deletion |
| Account & Identity Data | Until deletion + 60-day grace period | Permanent deletion |
| Device / Technical Logs | 90 days | Automatic purge |
| Security & Audit Logs | 2 years | Permanent deletion |
Upon Subscription termination, data remains available for export for 60 days. After this period, all data is permanently and irreversibly deleted from all live and backup systems.
Section 09
Data Security
- Encryption in Transit: All data transmitted between clients and servers is encrypted using TLS 1.3.
- Encryption at Rest: All stored data is encrypted using AES-256. Biometric data has an additional encryption layer with separately managed keys.
- Access Controls: Role-based access control (RBAC) with least-privilege principles. MFA is enforced for all internal AMP Pearl Pigment LTD administrative access.
- Infrastructure Security: Hosted on SOC 2 Type II certified cloud infrastructure. Regular independent penetration testing is conducted.
- Audit Logging: All access to and modifications of personal data are logged in tamper-resistant logs retained for 2 years.
- Vulnerability Management: A formal programme addresses identified vulnerabilities within defined SLAs.
- Data Isolation: Biometric data is physically and logically segregated from all other data categories.
Section 10
Your Rights as a Data Principal
- Right of Access: Request confirmation of and access to personal data we hold about you, including processing purposes.
- Right to Correction: Request correction of inaccurate, incomplete, or outdated data.
- Right to Erasure: Request deletion of personal data where no longer necessary, subject to legal retention obligations.
- Right to Withdraw Consent: Withdraw consent for biometric or background location processing at any time without affecting prior lawful processing.
- Right to Data Portability: Request a copy of your data in a structured, machine-readable format.
- Right to Nominate (DPDPA 2023): Nominate another individual to exercise rights on your behalf in the event of death or incapacity.
- Right to Grievance Redressal: Lodge a complaint with our Grievance Officer (Section 16).
- Right to Object (GDPR, where applicable): Object to processing based on legitimate interests for EEA data subjects.
Employee rights requests should be directed to the Organisation’s HR Admin in the first instance. Direct requests may also be submitted to our Grievance Officer. Requests are acknowledged within 48 hours and resolved within 30 days (extendable by 30 days for complex matters, with notice).
Section 11
Children’s Privacy
The AMP HR Platform is exclusively for employed adults. It is not directed at, designed for, or intended for use by children under the age of 18 (or the minimum legal working age in the jurisdiction, if higher). We do not knowingly collect personal data from minors. If we become aware of such collection without verifiable consent, we will delete it immediately.
This disclosure complies with the Google Play Families Policy, Apple App Store Review Guidelines (Guideline 1.3), and DPDPA 2023 provisions on children’s data.
Section 12
Cookies & Tracking Technologies
12.1 Web Application
- Strictly Necessary Cookies: Authentication session tokens, CSRF protection — essential for core functionality; cannot be disabled.
- Security Cookies: Fraud detection, anomalous login detection, session integrity.
- Functional Cookies: UI preferences, language settings, dashboard layout.
- Analytics Cookies: Anonymised usage analytics for product improvement — opt-out available via Cookie Preferences in the web application.
We do not use cookies for advertising or cross-site tracking. No third-party advertising cookies are placed.
12.2 Mobile Application
The app uses device-local secure storage for authentication tokens and preferences only. It does not track users across third-party apps or websites and does not use advertising identifiers (GAID/IDFA) for advertising purposes.
Section 13
Third-Party SDKs & Integrations
| Service / SDK | Provider | Purpose | Data Processed |
|---|---|---|---|
| Google Maps SDK | Google LLC | Location display & geo-fencing | GPS coordinates |
| Firebase Crashlytics | Google LLC | Crash reporting & stability | Anonymised crash logs, device type |
| Firebase Cloud Messaging | Google LLC | Push notification delivery | Device push token |
| Razorpay / Stripe | Razorpay / Stripe Inc. | Subscription payment processing | Billing/payment data only |
| AWS / Microsoft Azure | Amazon / Microsoft | Cloud hosting & data storage | All encrypted Platform data |
| SendGrid | Twilio Inc. | Transactional email delivery | Email address, name |
All third-party integrations are bound by their own privacy policies and a Data Processing Agreement with the Company. This list may be updated; material changes will be reflected in Policy updates.
Section 14
International Data Transfers
Personal data is primarily stored and processed on servers located within India. Where cloud providers process data outside India for redundancy or operational purposes, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms and Data Processing Agreements requiring equivalent data protection standards.
For EEA-based users, transfers outside the EEA are conducted in compliance with GDPR Chapter V requirements.
Section 15
Policy Updates
We may update this Policy to reflect changes in data practices, legal obligations, or regulatory guidance. For material changes, we will: (a) update the “Last Updated” date; (b) deliver in-app and email notice to Organisation Admins at least 15 days before the change takes effect; and (c) seek fresh consent for changes affecting the legal basis of biometric data processing.
Continued use after the effective date constitutes acceptance. If you do not accept the updated Policy, you must discontinue use and may request data deletion.
Section 16
Grievance Officer & Contact
In accordance with the Information Technology Act, 2000, IT (SPDI) Rules, 2011, and DPDPA 2023, AMP Pearl Pigment LTD has designated a Grievance Officer for privacy concerns, data rights requests, and complaints:
Grievance Officer — AMP Pearl Pigment LTD
Acknowledgement within 48 hrs · Resolution within 30 days
https://amppearlpigmentltd.com/privacy-policy/
If your grievance is unresolved, you may escalate to the Data Protection Board of India (once constituted under DPDPA 2023) or a court of competent jurisdiction. EEA-based users may also lodge a complaint with their local data protection supervisory authority.