Privacy Policy
Effective Date: March 18, 2026
1. Introduction
ZenFlowHR ("we", "us", or "our") is committed to protecting the privacy of our customers and their employees. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you use the ZenFlowHR platform and related services (the "Service").
ZenFlowHR operates as a multi-tenant platform where each customer organization ("Tenant") maintains its own isolated workspace. This policy applies to all users of the Service, including Tenant Owners, administrators, managers, and employees.
2. Information We Collect
2.1 Account Registration Data
When you create an account or register a Tenant, we collect:
- Full name (first and last name)
- Work email address
- Company/organization name
- Chosen subdomain
- Password (stored in hashed form; we never store plain-text passwords)
2.2 Employee Data (Entered by Your Organization)
Tenant Owners and administrators may enter employee data into the Service as part of HR operations. This may include:
- Personal information: Name, date of birth, gender, nationality, marital status, blood group
- Contact information: Email, phone number, residential address
- Employment details: Employee ID, job title, department, branch, hire date, employment type, reporting structure
- Identification documents: Government-issued ID numbers (PAN, Aadhaar, passport, etc.)
- Financial information: Bank account details for payroll processing
- Emergency contacts: Name, relationship, phone number of designated contacts
- Dependents: Name, relationship, date of birth of family members
- Leave and attendance records: Leave balances, requests, approvals, attendance logs
- Performance data: Goals, reviews, feedback
- Documents: Employment agreements, background checks, uploaded files
2.3 Authentication and Security Data
- Login timestamps and IP addresses
- MFA (Multi-Factor Authentication) enrollment status and device information
- Trusted device identifiers
- Session and refresh token metadata
- Failed login attempts and account lockout events
2.4 Usage and Technical Data
- Browser type and version
- Operating system
- Pages visited and features used within the Service
- Error logs and diagnostic information
2.5 External Authentication Data
If you sign in using Google or Microsoft, we receive your name, email address, and profile picture from the identity provider. We do not receive or store your Google or Microsoft password.
3. How We Use Your Information
We use the collected information for the following purposes:
| Purpose | Data Used |
|---|---|
| Providing and operating the Service | Account data, employee data, usage data |
| Authentication and access control | Credentials, MFA data, session tokens |
| Tenant isolation and multi-tenancy | Tenant ID, subdomain, user-tenant associations |
| Sending transactional emails | Email address (confirmations, password resets, notifications) |
| Customer support | Account data, usage logs, error reports |
| Security monitoring and fraud prevention | Login attempts, IP addresses, device fingerprints |
| Service improvement and analytics | Aggregated and anonymized usage data |
| Billing and subscription management | Account data, plan details, payment history |
| Legal compliance and audit | Audit logs, consent records |
4. Data Isolation and Multi-Tenancy
ZenFlowHR is built on a multi-tenant architecture where each customer organization's data is logically isolated:
- Tenant-level isolation: All employee data, leave records, organizational structures, and configurations are scoped to your Tenant. Database-level query filters ensure that one Tenant's data is never accessible to another Tenant.
- Subdomain-based access: Each Tenant is accessed via a unique subdomain (e.g., yourcompany.zenflowhr.com), providing clear organizational boundaries.
- Role-based access within Tenants: Within your Tenant, access is controlled through a granular permission system. Tenant Owners assign roles (HR Admin, Manager, Employee) with specific permissions governing what each user can view and modify.
5. Data Storage and Security
5.1 Where We Store Data
Customer Data is stored on secure servers hosted by reputable cloud infrastructure providers. We may use data centers located in multiple regions to ensure reliability and performance. We will inform you of the primary data storage region applicable to your Tenant upon request.
5.2 Security Measures
We employ the following security measures to protect your data:
- Encryption in transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher
- Encryption at rest: Sensitive data is encrypted at rest using industry-standard encryption algorithms
- Password security: Passwords are hashed using bcrypt with salt; plain-text passwords are never stored
- Multi-Factor Authentication: TOTP-based MFA is available for all users
- Audit logging: All significant actions (create, update, delete) are recorded with timestamps and user identification
- Access control: Granular permission-based authorization with privilege escalation prevention
- Session management: JWT tokens with configurable expiration and secure refresh token rotation
5.3 Data Retention
- Active accounts: Data is retained for the duration of your subscription
- Cancelled accounts: Data is retained for 30 days after cancellation to allow export, then permanently deleted
- Expired trials: Data from expired trial accounts is retained for 30 days, then permanently deleted
- Audit logs: Retained for a minimum of 12 months for compliance purposes
- Soft-deleted records: Records marked as deleted within the Service are logically removed but may be retained in the database for audit purposes
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:
6.1 Service Providers
We engage trusted third-party service providers to help us operate the Service, including cloud hosting, email delivery, payment processing, and error monitoring. These providers are contractually obligated to protect your data and use it only for the purposes we specify.
6.2 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your data.
6.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Data portability: Request your data in a structured, machine-readable format
- Objection: Object to certain types of data processing
- Withdraw consent: Withdraw previously given consent at any time
For employees: If you are an employee of a ZenFlowHR customer, your employer (the Tenant Owner) is the data controller for your employment data. Please contact your employer directly to exercise your data rights. We will assist your employer in fulfilling such requests.
For Tenant Owners: You can exercise your rights by contacting us at privacy@zenflowhr.com. We will respond within 30 days.
8. Cookies and Tracking
The Service uses the following cookies and similar technologies:
- Essential cookies: Authentication tokens, session management, CSRF protection, and tenant context. These are strictly necessary and cannot be disabled.
- Preference cookies: Theme selection (light/dark mode) and language preferences
We do not use advertising cookies or third-party tracking pixels. We do not share cookie data with advertisers or ad networks.
9. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to delete such information.
Note: Employee dependents' data (name, relationship, date of birth) may be entered by the employer for benefits administration purposes. This data is entered and managed by the Tenant Owner, who is responsible for ensuring appropriate consent.
10. International Data Transfers
If you access the Service from outside the country where our servers are located, your data may be transferred across international borders. We ensure that such transfers comply with applicable data protection laws and that appropriate safeguards are in place to protect your data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice within the Service at least 30 days before the changes take effect. The "Effective Date" at the top of this page indicates when the policy was last revised.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: