Master Terms, Privacy & Legal Framework

Effective Date: June 20, 2026  ·  Hutek HR Systems Private Limited

Important: By accessing, registering for, or using the ShramSetu platform in any capacity, you unconditionally agree to be bound by all terms, policies, and conditions in this Master Document. This document supersedes all prior verbal agreements, email representations, sales communications, or any other written understanding between the parties. Please read it carefully before proceeding.

1 Introduction & Scope

Welcome to ShramSetu, a purpose-built, mobile-first, AI-powered workforce management and statutory compliance SaaS platform for Indian MSMEs. ShramSetu is developed and operated by Hutek HR Systems Private Limited, a company incorporated under the Companies Act, 2013.

Platform Capabilities

  • Selfie + Geolocation Attendance (no hardware required)
  • AI-powered Payroll Calculation Engine
  • PF/ESI Auto-filing to Government Portals
  • WhatsApp-based delivery of salary slips and compliance alerts
  • Worker Self-Service mobile access to records and payslips
  • Auto-generation of Appointment Letters, Salary Slips, and Compliance Reports
  • Aadhaar OTP-based eSign (optional, consent-based)
  • All 4 consolidated Labour Codes compliance framework
  • Smart anomaly detection and predictive compliance alerts

Who This Document Governs

  • Subscribers: MSME employers on paid or free tier
  • Employees / End Users: Workers whose data is managed on the platform
  • CA Partners: Chartered Accountants, Company Secretaries, and advisory firms in the Partner Program
  • Platform Administrators: Internal Hutek HR team accessing systems for support/operations

2 Definitions

"Platform"
The ShramSetu application and associated services, including the Android & iOS mobile applications, web-based dashboard (app.shramsetu.io), REST APIs, webhooks, third-party integrations, and any future products under the ShramSetu brand.
"Company" / "We" / "Us" / "Our"
Hutek HR Systems Private Limited, incorporated under the Companies Act, 2013, with registered office at 3rd Floor, Plot No. B-23, Block B, Sector 62, Noida, Uttar Pradesh – 201301, India.
"Subscriber"
The MSME employer, business proprietor, partnership firm, LLP, private limited company, or any other business entity that has registered for a free trial or paid subscription and is the primary account holder.
"Employee" / "End User" / "Worker"
Any individual whose personal data, attendance records, payroll information, and employment documentation is uploaded, processed, or generated on the Platform by or on behalf of a Subscriber.
"CA Partner"
A Chartered Accountant (ICAI-registered), Company Secretary (ICSI-registered), or advisory firm enrolled in ShramSetu's formal Partner Program for managing multiple MSME client accounts.
"Client Data"
All electronic data, text, records, documents, images, and other content uploaded to, stored within, transmitted through, or generated by the Platform on behalf of a Subscriber, including Employee Data.
"Employee Data"
A subset of Client Data comprising personal information, biometric-adjacent data (selfie photos), employment records, salary information, statutory identifiers (PF UAN, ESI IP No., PAN, masked Aadhaar), and generated documents of individual Employees.
"Services"
All features, functions, capabilities, and workflows accessible to a Subscriber under their subscribed plan, including attendance management, payroll calculation, compliance reporting, document generation, and eSign facilitation.
"Subscription Plan"
The tier of service (Starter, Growth, Scale, or Enterprise) subscribed to by a Subscriber, which defines the scope of Services, employee capacity limits, and applicable fees.
"eSign"
The facility for executing electronic signatures on employment documents using Aadhaar OTP-based authentication, facilitated through licensed ASPs authorised by the Controller of Certifying Authorities (CCA) under the Information Technology Act, 2000.
"ASP"
Application Service Provider — a licensed third-party entity authorised by CCA to deliver Aadhaar-based eSign services under the IT Act, 2000 and UIDAI guidelines.
"Labour Codes"
The four consolidated Labour Codes enacted by the Government of India: (i) Code on Wages, 2019; (ii) Industrial Relations Code, 2020; (iii) Code on Social Security, 2020; (iv) Occupational Safety, Health and Working Conditions Code, 2020.
"Personal Data"
Any information that identifies or can identify a natural person, including name, mobile number, email address, Aadhaar number (masked), PAN, bank account details, facial image (selfie), geolocation, and employment details.
"Sub-processor"
Any third-party entity engaged by the Company to process Client Data as part of delivering the Services, including cloud infrastructure providers, communication API providers, payment gateways, and eSign ASPs.
"Force Majeure"
Any event beyond the reasonable control of a party — including natural disasters, acts of God, war, civil unrest, cyberattacks by state actors, epidemic or pandemic, government-imposed restrictions, internet infrastructure failures, or power outages affecting data centres.

3 Privacy Policy

3.1 Data Fiduciary & Processor Roles

ShramSetu operates within a clear data responsibility framework. Understanding your role is critical:

  • Subscriber (MSME Employer) = Data Fiduciary: You determine the purposes and means of processing your employees' personal data. You are responsible for obtaining consent from your employees, maintaining data accuracy, and ensuring lawful basis for processing under applicable Indian law. Under the DPDPA, 2023, the Subscriber is the Data Fiduciary in respect of Employee Data.
  • Company (Hutek HR / ShramSetu) = Data Processor: The Company processes personal data strictly on the documented instructions of the Subscriber and solely for the purpose of delivering the contracted Services. We do not use Client Data for our own commercial purposes. The Company acts as a Data Processor within the meaning of the DPDPA, 2023.
  • CA Partners = Authorized Processors: CA Partners accessing client data do so as authorized delegates of the Subscriber. CA Partners are independently responsible for ensuring their own compliance with applicable professional and data protection obligations. Where a CA Partner independently determines the purpose and means of any processing, it does so as a separate Data Fiduciary under the DPDPA, 2023.

3.2 Categories of Personal Data Collected

Subscriber & Business Information: Legal name, entity type, GSTIN, CIN, registered office address, authorized signatory details, billing address, bank account details (for payroll disbursement), PAN of business entity.

Employee / Worker Data: Full name, date of birth, gender, selfie photograph (for attendance verification only), mobile number, email address, residential address, masked Aadhaar (last 4 digits only), PAN, PF UAN, ESI IP Number, Professional Tax details, employment data (designation, department, joining date, employment type), salary structure, bank account details, attendance & leave records, generated employment documents.

Face / Selfie Data (Special Category): ShramSetu collects selfie photographs exclusively for attendance verification. At check-in, the captured selfie is compared by an AI face-verification algorithm against the employee’s enrolled reference photograph, solely to confirm that the person marking attendance is the enrolled employee. This constitutes processing of biometric data and is carried out only with the employee’s explicit, informed consent (obtained by the employer at onboarding) and only where the employee grants camera permission on their device. Face data is never used for surveillance, emotion analysis, behavioural profiling, or advertising, and is never sold or shared with third parties.

CA Partner Data: CA/CS registration number, firm name and registration, contact details, list of client MSMEs managed, login activity and access logs.

Technical & Usage Data: Device identifiers, IP address, browser type, GPS coordinates (captured only at the moment of attendance marking, with employee permission), platform usage analytics, crash reports, and error logs.

3.3 Purpose & Legal Basis for Data Processing

  • Contract Performance: To operate the platform and deliver subscribed Services, including attendance tracking, payroll calculation, document generation, and statutory filing facilitation.
  • Legal Obligation: To facilitate PF/ESI e-filing to EPFO/ESIC portals, generate statutory registers, and maintain records as required under applicable labour and tax laws.
  • Legitimate Interest: To detect and prevent fraud, unauthorized access, and security threats; to improve product quality through anonymised usage analytics; to provide customer support. ShramSetu’s AI models (including anomaly detection and predictive compliance alerts) are trained exclusively on aggregated, anonymised data that cannot identify any individual; identifiable Employee Data is never used to train AI models.
  • Consent: For Aadhaar OTP-based eSign (each transaction requires explicit OTP consent); for WhatsApp communications; for marketing communications (explicit opt-in only); for camera access and selfie capture for attendance.

3.4 How We Use Your Data

  • Operate, maintain, and improve the ShramSetu platform and its features
  • Calculate payroll based on attendance data and salary structures entered by the Subscriber
  • Generate compliance documents: salary slips, appointment letters, PF challans, ESI contribution reports, and statutory registers
  • Facilitate e-filing of PF/ESI contributions to government portals (EPFO/ESIC)
  • Send automated reminders, deadline alerts, and compliance notifications via SMS, email, and WhatsApp
  • Deliver salary slips and documents to employees via WhatsApp (with consent)
  • Enable employee self-service: access to own payslips, leave balances, attendance records
  • Monitor for security threats, unusual activity, and fraudulent use
  • Comply with legal obligations and respond to lawful requests from government authorities
  • In the event of a business acquisition or merger, transfer data to the successor entity (with prior notice to Subscribers)

3.5 Third-Party Platforms & Integrations

ShramSetu integrates with the following platforms to deliver its services. ShramSetu does not control these platforms and is not responsible for their independent data practices.

  • Cloud Infrastructure (AWS / GCP / Azure): Secure hosting on servers located in India, compliant with ISO 27001, SOC 2, and Indian data localisation requirements.
  • WhatsApp Business API (Meta): Used to deliver salary slips, compliance alerts, and operational notifications. Governed by Meta's Business Messaging Terms.
  • SMS Gateway Providers: Used to send OTPs, alerts, and reminders. Compliant with TRAI DLT regulations.
  • Payment Gateways (Razorpay / Cashfree): Used to process subscription payments. Full card data is handled and tokenized by the gateway — ShramSetu does not store payment card details.
  • Aadhaar eSign ASPs (Licensed Providers): Licensed by the Controller of Certifying Authorities (CCA) under UIDAI guidelines. ShramSetu does not directly access the Aadhaar ecosystem.
  • Firebase (Google): Crash analytics, performance monitoring, and push notification infrastructure.
  • Government Portals (EPFO / ESIC / Traces): Direct e-filing integrations. Employer credentials are used only with explicit authorization.

3.6 Data Sharing & Disclosure Policy

We DO NOT sell, rent, license, or trade your personal data or Client Data to any third party under any circumstances. We DO NOT use Employee Data or Client Data for targeted advertising or commercial profiling.

Permitted sharing is strictly limited to:

  • With Sub-processors: Strictly for service delivery, bound by data protection agreements.
  • With CA Partners: Only when Subscriber has explicitly granted access. CA Partners can only see data of clients they have been assigned.
  • With Government / Regulatory Authorities: Only when legally mandated (EPFO audit, ESIC inspection, Income Tax inquiry, court order). We will attempt to notify the Subscriber before disclosure unless legally prohibited.
  • In M&A Events: In the event of merger, acquisition, or asset sale, Client Data may be transferred to the successor entity. Subscribers will be notified a minimum of 30 days in advance.

3.7 Data Localisation & Security Measures

All Client Data and Employee Data at rest is stored on cloud infrastructure located within India (AWS/GCP/Azure India regions), in compliance with applicable data localisation requirements. Message delivery via the WhatsApp Business API, however, involves transmission across Meta’s global network and is governed by Meta’s Business Terms (see Section 3.5).

Security controls maintained at all times include:

  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.2 or higher for all data transmitted between client devices and servers
  • Role-Based Access Control (RBAC): Employees see only their own data; admin access is logged and audited
  • Multi-Factor Authentication (MFA): Available for all admin accounts; strongly recommended
  • Audit Logs: All data access, modification, and deletion events are logged and retained
  • Regular Security Assessments: Periodic vulnerability assessments and penetration testing
  • SOC2-aligned operational controls: Target certification in progress

3.8 Aadhaar Data Handling

ShramSetu is NOT a KYC User Agency (KUA) as defined by UIDAI. Full Aadhaar numbers are never collected or stored by design; if a full Aadhaar number is inadvertently entered into any free-text field, it is purged upon detection. Only the last 4 digits (masked Aadhaar) may be retained as a reference identifier. All Aadhaar OTP-based eSign transactions are routed exclusively through licensed ASPs. Aadhaar XML data is not retained post-transaction. All Aadhaar-related processing strictly complies with UIDAI Technical Specifications and the Aadhaar Act, 2016.

3.9 Data Retention Policy

  • Active Subscriber Data: Retained for the full duration of the subscription period.
  • Post-Subscription: Data retained for 90 days post-termination to allow data export. After 90 days, data is archived or deleted per Subscriber instruction, except where legal retention is required.
  • Statutory Compliance Records (PF/ESI/PT registers, salary slips): Retained for a minimum of 7 years as required under applicable labour and tax laws in India.
  • Selfie / Attendance Photos: Retained for the duration of the subscription. Deleted post-subscription on request.
  • Audit Logs: Retained for 7 years.
  • Payment Records: Retained for 8 years as required under GST and income tax laws.

3.10 User Rights (DPDPA, 2023)

In accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the DPDP Rules made thereunder, and the IT Act, 2000 framework, Data Principals (employees and users) have the following rights:

  • Right of Access: You may request a copy of the personal data we hold about you in a structured, readable format.
  • Right to Correction / Rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Right to be Forgotten): You may request deletion of your personal data, except where data must be retained by law.
  • Right to Data Portability: You may request an export of your data in CSV or PDF format at any time during your subscription.
  • Right to Withdraw Consent: You may withdraw consent for non-essential processing at any time, including opting out of WhatsApp communications, revoking camera/selfie access, or opting out of SMS/push notifications.
  • Right to Object: You may object to processing where it is based on legitimate interests.

How to Exercise: Email privacy@shramsetu.io. Requests are free of charge. We will respond within 30 days of receipt. If your concern remains unresolved, you may escalate it to the Data Protection Board of India as provided under the DPDPA, 2023.

3.11 Cookies & Tracking Technologies

  • Session Cookies (Essential — cannot be disabled): Used for user authentication, session management, and platform security.
  • Security Cookies (Essential): Used to detect and prevent fraudulent activity and unauthorized access.
  • Analytics Cookies (Optional — opt-out available): Used to understand how users interact with the platform in aggregate. May include Google Analytics or similar tools.
  • Marketing Cookies (Optional — explicit consent required): Used only where user has explicitly opted in to receive marketing communications.

You may manage cookie preferences via your browser settings. Disabling essential cookies may affect platform functionality.

3.12 Children's Privacy & Grievance Officer

ShramSetu is designed for use by business entities and adult professionals. The platform is not intended for, and we do not knowingly collect data from, individuals under the age of 18 years. If we become aware that data of a minor has been inadvertently collected, we will delete it promptly.

In accordance with the Information Technology Act, 2000 and the IT (Intermediary Guidelines) Rules, 2021, the following Grievance Officer has been designated:

Designated Grievance Officer: Amit Kumar Singh, Founder
Company: Hutek HR Systems Private Limited
Email: info@shramsetu.io
Address: 3rd Floor, Plot No. B-23, Block B, Sector 62, Noida, UP – 201301
Response: Acknowledge within 48 hours; resolve within 30 days.

4 Terms of Service

4.1 Platform Nature & Non-Advisory Disclaimer

ShramSetu is a software tool — it is NOT a legal advisor, compliance consultant, labour law advocate, chartered accountant, or tax professional. By using the platform, you acknowledge that: (a) All outputs (payroll computations, PF/ESI challans, compliance reports) must be verified by the Subscriber before relying on or submitting them; (b) No output generated by the platform constitutes legal advice; (c) Any compliance decisions, filings, or employment actions taken based on platform outputs are solely the responsibility of the Subscriber.

4.2 Account Registration & Eligibility

  • You must be a minimum of 18 years of age to register.
  • You must be a duly authorized representative of the business entity on whose behalf you are registering.
  • You must provide accurate, complete, and current information during registration.
  • Each business entity is entitled to one primary admin account. Additional user seats are available per plan.
  • You are solely responsible for all activity that occurs under your account, including actions by authorized sub-users.
  • We reserve the right to decline registration or cancel accounts if eligibility requirements are not met.

4.3 Subscription Plans & Features

Plan | Capacity | Key Features | Support
Starter | Up to 10 employees | Selfie + Geo Attendance, Basic Payroll, Attendance Reports, Salary Slips | Email (48-hr)
Growth | Up to 50 employees | Everything in Starter + PF/ESI Auto-Filing, WhatsApp Alerts, Worker Self-Service App, Advanced Payroll | Email + Chat (24-hr)
Scale | Up to 100 employees | Everything in Growth + Priority Support, API Access, Advanced Analytics, White-label Reports | Priority (12-hr) + Account Manager
Enterprise | 100+ / Multi-location | Custom. Contact support@shramsetu.io | 24×7 Priority + Custom SLA

Plan features, limits, and pricing are subject to change. Material changes will be communicated with 30 days' notice.

4.4 Billing, Payment & Taxes

  • Subscription fees are billed in advance — monthly or annually, as chosen at time of subscription.
  • All prices are in Indian Rupees (INR) and are exclusive of applicable taxes.
  • Goods and Services Tax (GST) at the prevailing rate (currently 18%) will be levied on all invoices.
  • Accepted payment methods: UPI, Credit Card, Debit Card, Net Banking, NEFT/RTGS for annual plans.
  • Subscriptions auto-renew unless cancelled before the renewal date.
  • If payment fails, the Company will attempt re-collection for 3 business days. After 7 days of non-payment, services may be suspended. After 30 days, the account may be terminated and data archived.
  • GST-registered Subscribers may claim input tax credit on subscription fees. GSTIN must be provided during account setup.

4.5 Free Trial

  • New Subscribers may access a free trial period as communicated at signup.
  • No credit card is required for the free tier / trial.
  • Free trial access is limited to one per business entity (determined by GST, PAN, or mobile number). Creating multiple accounts to extend free access is prohibited.
  • The Company reserves the right to modify, extend, or terminate the free trial program at any time without prior notice.

4.6 User Responsibilities

Subscribers agree to:

  • Provide accurate, complete, and current data for all employees and business records
  • Obtain all necessary consents from employees before onboarding them onto the platform (see Section 8)
  • Maintain confidentiality of all login credentials and access tokens
  • Ensure that only authorized personnel have admin-level access to the account
  • Comply with all applicable laws including Code on Wages, 2019; PF Act, 1952; ESI Act, 1948; Income Tax Act, 1961; Shops & Establishments Acts; Maternity Benefit Act; Gratuity Act; Payment of Bonus Act; and all applicable state-specific labour laws
  • Promptly report any unauthorized access, security incidents, or data breaches to security@shramsetu.io
  • Maintain offline backups of critical compliance data and generated documents

4.7 Accuracy of Outputs & Compliance Responsibility

ShramSetu generates payroll, compliance documents, and statutory filings based entirely on the data input by the Subscriber. The Company is not responsible for incorrect payroll calculations arising from wrong salary inputs or attendance data, incorrect PF/ESI filings arising from wrong employee or contribution data, or any compliance outcome attributable to inaccurate data entry by the Subscriber.

4.8 Intellectual Property Rights

  • The Platform — including software code, algorithms, AI models, design system, brand identity (ShramSetu name, logo, trade dress), documentation, and all content created by the Company — is the exclusive intellectual property of Hutek HR Systems Private Limited.
  • Users are granted a limited, non-exclusive, non-transferable license to access and use the platform solely for internal business operations during the subscription period.
  • Users are strictly prohibited from copying, reverse engineering, scraping data through automated means, creating derivative works, or using the ShramSetu brand in any unauthorized manner.
  • Client Data remains the intellectual property of the Subscriber. The Company claims no ownership over Client Data.

4.9 API Usage (Scale & Enterprise Plans)

  • API access is available on Scale and Enterprise plans, subject to rate limits documented in the API Reference Guide (available at app.shramsetu.io).
  • API credentials (keys and tokens) are personal to the account and must not be shared, published, or exposed.
  • The Company reserves the right to throttle or suspend API access in case of misuse, security risk, or rate limit violations.

4.10 Third-Party Integrations

  • The Company does not guarantee the availability, accuracy, or continued operation of any third-party service (including EPFO, ESIC, Traces, WhatsApp Business API, payment gateways).
  • Changes to third-party APIs (including government portal changes) may temporarily affect Platform functionality; the Company will work to restore integration as quickly as possible.
  • Subscribers assume the risk of third-party service disruptions that are beyond the Company's control.

4.11 Suspension & Termination

Grounds for suspension/termination by Company:

  • Non-payment of subscription fees for more than 7 days after due date
  • Violation of these Terms of Service
  • Fraud, misrepresentation, or illegal activity
  • Security threat or unauthorized access arising from the Subscriber's account
  • Court order or regulatory direction

Subscriber-initiated termination: Subscribers may terminate by providing 30 days' written notice to support@shramsetu.io. Prepaid fees are non-refundable (see Refund Policy, Section 5). Upon termination, a 90-day data export window is provided. Termination does not relieve the Subscriber of any outstanding payment obligations.

4.12 Force Majeure

The Company shall not be liable for any failure or delay in performance caused by a Force Majeure event, including acts of God, natural disaster, war, civil unrest, cyberattack by state actors, government-imposed restrictions, nationwide internet outages, third-party infrastructure failures (including AWS/GCP/Azure), or epidemic or pandemic. The Company will notify affected Subscribers of any Force Majeure event as soon as reasonably practicable.

4.13 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW: The Company's total aggregate liability to any Subscriber for any claim arising under or related to these Terms shall not exceed the total subscription fees paid by that Subscriber in the twelve (12) months immediately preceding the event giving rise to the claim. The Company shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, business, or goodwill, arising from use of or inability to use the Platform.

4.14 Indemnification

Subscribers agree to indemnify, defend, and hold harmless Hutek HR Systems Private Limited, its directors, officers, employees, and agents from and against any claims, damages, losses, liabilities, and expenses (including legal fees) arising from: (a) misuse of the Platform; (b) data inaccuracies or errors introduced by the Subscriber; (c) violation of these Terms; (d) violation of any applicable law; (e) infringement of any third-party rights by the Subscriber.

4.15 Dispute Resolution

  1. Step 1 — Written Notice: The aggrieved party must issue a written notice describing the dispute in detail.
  2. Step 2 — Good Faith Negotiation: Parties shall attempt to resolve the dispute through good faith discussions within 30 days of the notice.
  3. Step 3 — Mediation: If unresolved after 30 days, parties agree to attempt mediation before a mutually agreed mediator.
  4. Step 4 — Arbitration: If mediation fails, the dispute shall be resolved by binding arbitration under the Arbitration and Conciliation Act, 1996 (as amended). Seat of arbitration: Noida, Uttar Pradesh, India. Language: English.

Nothing prevents either party from seeking urgent injunctive relief from a competent court.

4.16 Governing Law & Entire Agreement

These Terms of Service and all related disputes shall be governed by and construed in accordance with the laws of India. The courts of Noida / Gautam Buddh Nagar, Uttar Pradesh, India shall have exclusive jurisdiction over any disputes not resolved through arbitration.

This Master Document, together with any Plan-specific Order Form, constitutes the entire agreement between the parties and supersedes all prior agreements, negotiations, representations, and understandings, whether oral or written.

5 Refund Policy

5.1 General Policy

ShramSetu operates on a SaaS subscription model. As a general rule, all subscription fees paid are strictly non-refundable once processed. This applies to: monthly subscription fees; annual subscription fees (no pro-rated refund for unused months upon cancellation); plan upgrade or downgrade fees; and add-on feature fees.

5.2 Eligible Refund Exceptions

ONLY the following cases qualify for a refund or credit:

  1. Duplicate Payment: If the same invoice has been charged twice due to a payment processing error, the duplicate charge will be fully refunded within 7 business days of verification.
  2. Technical Platform Failure (Company-Fault): If the core platform is rendered completely inaccessible for a continuous period exceeding 72 hours due to a failure on the Company's part (not attributable to third-party dependencies, Force Majeure, or the Subscriber's own actions), a pro-rated credit for the downtime period will be issued.
  3. Accidental Auto-Renewal: If a Subscriber had submitted a valid cancellation request before the renewal date and billing still occurred, a refund will be considered on a case-by-case basis with supporting evidence.

5.3 Non-Eligible Scenarios (No Refund)

  • Dissatisfaction with features or functionality after purchase
  • Regulatory or policy changes that affect the utility of the platform
  • Data entry errors or compliance output inaccuracies caused by the Subscriber
  • Underutilization of subscribed features
  • Termination of subscription before the end of a paid period
  • Changes in business circumstances

5.4 Refund Request Process

Email: billing@shramsetu.io within 7 calendar days of the charge.
Subject Line: "Refund Request — Invoice No. [XXXX]"
Required Information: Invoice number, date of charge, transaction ID, reason for refund, supporting evidence.
Processing Time: 10–15 business days for eligible refunds. Refunds issued to the original payment method only.

6 Data Processing Addendum (DPA)

6.1 Purpose & Legal Framework

This Data Processing Addendum (DPA) governs the processing of personal data by ShramSetu (Hutek HR Systems Private Limited) on behalf of Subscribers and CA Partners. It operates within the framework of the Information Technology Act, 2000; the IT (SPDI) Rules, 2011; and anticipates compliance with the Digital Personal Data Protection Act (DPDPA) as and when it comes into full force.

6.2 Roles & Responsibilities

  • MSME Subscriber / CA Partner = Data Fiduciary: Determines the purpose and means of processing employee personal data. Bears primary responsibility for lawful data collection, obtaining consent, and ensuring accuracy.
  • ShramSetu (Hutek HR) = Data Processor: Processes personal data solely on documented instructions from the Controller. Does not process data for any independent commercial purpose.

6.3 Processing Instructions & Scope

The Company processes Client Data only for the purposes of: (a) delivering the subscribed Platform services; (b) generating statutory compliance documents and reports; (c) facilitating e-filing with government portals on the Subscriber's instruction; (d) providing customer support; (e) maintaining platform security and integrity. The Company will not process Client Data for any purpose beyond the above without the explicit written instruction of the Subscriber.

6.4 Sub-processors

The Subscriber authorises the Company to engage sub-processors as necessary to deliver the Services. Current categories of sub-processors include: Cloud Infrastructure (AWS/GCP/Azure), Communication APIs (SMS, Email, WhatsApp Business), eSign ASPs (licensed by CCA), Payment Gateways (Razorpay/Cashfree), and Analytics Platforms.

All sub-processors are bound by data protection obligations equivalent to those in this DPA. A current list of sub-processors is available on request at privacy@shramsetu.io. The Company will notify Subscribers of any material change to sub-processors with at least 14 days' advance notice.

6.5 Data Subject Requests & Breach Notification

The Company will provide reasonable assistance to the Subscriber in responding to requests from employees exercising their data rights. Upon receiving a data subject request, the Company will notify the Subscriber within 72 hours and await instruction.

In the event of a confirmable personal data breach affecting Client Data, the Company will notify affected Subscribers within 72 hours of becoming aware of the breach. Notification will include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken. In parallel, the Company will report qualifying cybersecurity incidents to CERT-In within six (6) hours of noticing, as required under the CERT-In Directions, 2022, and will notify the Data Protection Board of India and affected Data Principals where required under the DPDPA, 2023. The Subscriber (as Data Fiduciary) remains responsible for its own notification obligations toward its employees and authorities.

6.6 Audit Rights

Subscribers may request an annual summary of the Company's security controls and data processing practices. Physical or systems access audits require 30 days' advance written notice and are subject to confidentiality obligations.

6.7 Data Return & Deletion on Termination

  • Upon termination of a subscription, the Company will make all Client Data available for export for 90 days.
  • After the 90-day window, data will be deleted from live systems. Archived backup copies will be purged within a further 30 days, except where legal retention is required.
  • The Company will provide written confirmation of deletion upon request.

7 CA Partner Terms

7.1 Partner Program Overview

ShramSetu's CA Partner Program enables Chartered Accountants (ICAI-registered), Company Secretaries (ICSI-registered), Tax Consultants, and professional advisory firms to manage multiple MSME client accounts from a single, unified dashboard. ShramSetu does not replace the professional — it empowers the professional to serve more clients, more efficiently, with better compliance outcomes.

7.2 Eligibility Criteria

  • Hold a valid ICAI membership number (for CAs) or ICSI membership number (for CS), or be a registered professional advisory firm
  • Complete the ShramSetu Partner Program onboarding, including the platform orientation module
  • Execute the ShramSetu Partner Agreement (separate from these Master Terms, where applicable)
  • Agree to all terms in this Section 7

7.3 Partner Access & Capabilities

  • Manage multiple MSME client accounts from a single partner dashboard
  • View consolidated compliance status, pending tasks, and deadline alerts across all assigned clients
  • Generate and download compliance reports, statutory registers, and payroll summaries for assigned clients
  • Access employee-level data for assigned clients (subject to Subscriber's authorization)
  • Use platform-generated documents for professional service delivery
  • Receive automated compliance deadline reminders and regulatory update alerts
  • Access white-label report generation features (where available on the partner plan)

7.4 Partner Pricing Model

  • Partner plan pricing is based on the number of active client seats managed through the partner account.
  • Special partner margins and volume-based billing structures are available.
  • White-label features (custom report branding) are available on request and subject to additional terms.
  • Revenue sharing or referral commission structures, if applicable, are governed by a separate Partner Agreement.

7.5 Data Access, Confidentiality & Client Privacy

A CA Partner can ONLY access the data of MSME clients who have explicitly granted the CA Partner access via the platform. Access rights are controlled by the Subscriber and can be revoked at any time. Violation of data confidentiality obligations will result in immediate partner account termination and may result in legal action and reporting to ICAI/ICSI.

CA Partners must NOT: share client data with unauthorized parties; use client data for any purpose other than service delivery to that specific client; transfer client data to competing platforms; or use access to one client's data to benefit another client in a conflicted manner.

7.6 Professional Responsibility & Independence

  • CA Partners remain solely and independently responsible for the professional advice given to their clients, including all compliance recommendations, tax advice, and filing decisions.
  • ShramSetu provides the technology infrastructure. It does not endorse, certify, or guarantee the quality of professional services rendered by any CA Partner.
  • CA Partners must ensure their use of the platform complies with the ICAI/ICSI Code of Ethics, particularly with respect to client confidentiality, conflict of interest, and independence. CA Partners shall indemnify and hold harmless the Company against claims, losses, and liabilities arising from the CA Partner’s unauthorized use or disclosure of client data, or from professional services rendered by the CA Partner to its clients.

7.7 No-Conflict Clause

CA Partners agree and covenant that they will: (a) disclose to clients any actual or potential conflict of interest; (b) not use access to client data through ShramSetu to compete against the client, solicit the client's employees, or benefit any competing entity; (c) not act as a data broker, aggregator, or reseller of any client data obtained through the platform.

7.8 Termination of Partnership

Either party may terminate the Partner Program relationship with 30 days' written notice to support@shramsetu.io. Upon termination: the CA Partner's access to all client dashboards will be revoked; Client data will remain accessible to the respective MSME Subscribers; the CA Partner may not retain any copies of client data beyond what was received in the normal course of professional service delivery.

8.1 Employer's Obligation to Obtain Employee Consent

The Subscriber, as the employer and Data Fiduciary, bears full responsibility for obtaining valid, informed, and documented consent from each employee before onboarding them onto the ShramSetu platform. This includes consent for:

  • Collection and processing of personal data (name, contact, address, PAN, masked Aadhaar, bank details, employment details)
  • Collection of selfie photographs for attendance verification purposes
  • Collection of GPS/geolocation data at the time of attendance marking
  • Delivery of salary slips and employment documents via WhatsApp (where applicable)
  • Electronic signature (Aadhaar OTP-based eSign) for employment documents (where applicable)

ShramSetu provides a suggested consent language template within the platform's employee onboarding wizard. Subscribers are encouraged to use or adapt this template in consultation with their legal advisor. Consent and notice templates are available in English and Hindi, and notices in additional Indian languages are supported consistent with the DPDPA’s notice requirements for Data Principals.

8.2 Face Data / Selfie Attendance — Special Provisions

FACE DATA COLLECTION NOTICE: Attendance selfies are processed by an AI face-verification algorithm that compares the check-in selfie with the employee’s enrolled reference photograph, solely to verify identity at the moment of attendance marking. This is biometric processing under applicable law and requires the employee’s explicit, informed consent, obtained by the employer before enrolment. Face data is used for NO other purpose — no surveillance, emotion analysis, profiling, or advertising — and is stored encrypted on India-hosted infrastructure, is not shared with any third party beyond secure cloud storage, and is deleted in accordance with Section 3.9. Geolocation data (GPS coordinates) is captured ONLY at the moment of attendance marking, with the employee's device permission, and is not tracked continuously.

8.3 Employee Rights on the Platform

  • Employees can view their own salary slips, attendance history, and leave balances via the ShramSetu Worker Self-Service app.
  • Employees may request correction of their personal data through their employer (Subscriber).
  • Employees may withdraw consent for WhatsApp communications by informing their employer or by replying 'STOP' to any WhatsApp message.
  • Employees may revoke camera/selfie access by adjusting permissions in their device settings.
  • Employees may raise data-related concerns directly with ShramSetu at privacy@shramsetu.io.

8.4 Legal Admissibility & WhatsApp Document Delivery

Documents generated on the ShramSetu platform — including appointment letters, salary slips, increment letters, and compliance reports — are legally admissible as electronic records under Section 65B of the Indian Evidence Act, 1872 (read with the Information Technology Act, 2000).

By onboarding an employee with a mobile number on the platform, the Subscriber confirms that: (a) the employee has provided consent to receive employment-related communications via WhatsApp; (b) the mobile number provided belongs to the employee; (c) the Subscriber has complied with applicable TRAI and WhatsApp Business API Terms of Service requirements.

9 Aadhaar eSign Terms

9.1 Nature of the eSign Service

Aadhaar OTP-based eSign is an optional feature available on select ShramSetu plans. It enables employees and employers to execute legally binding electronic signatures on employment documents using Aadhaar-linked mobile OTP authentication, facilitated through licensed ASPs.

Aadhaar Compliance Framework: ShramSetu is NOT registered as a KYC User Agency (KUA) with UIDAI. Full Aadhaar numbers are never collected or stored by design; only masked Aadhaar (last 4 digits) may be retained. Aadhaar XML data is processed exclusively by the licensed ASP and is not retained by ShramSetu post-transaction. All Aadhaar-related processing complies with the UIDAI Technical Specifications for eSign, the Aadhaar Act, 2016, and IT Act, 2000.

eSign is strictly consent-based. A user must explicitly initiate each signing event via OTP. No eSign transaction is processed without the user's active OTP input. Once completed, an eSign is legally binding and cannot be reversed.

9.2 Legal Validity of eSigned Documents

eSigned documents executed through ShramSetu are legally valid electronic records under:

  • Information Technology Act, 2000 — Section 5 (Legal recognition of electronic signatures) and Section 10A (Validity of contracts formed electronically)
  • Indian Contract Act, 1872 — contracts formed via electronic means are legally binding
  • Indian Evidence Act, 1872 — Section 65B (Admissibility of electronic records as evidence)
  • UIDAI eSign Framework — eSign transactions through licensed ASPs are recognized as valid electronic signatures under applicable UIDAI regulations

10 Acceptable Use Policy

ShramSetu is provided exclusively for the lawful management of workforce data and statutory compliance for Indian MSMEs. The following uses are expressly prohibited and will result in immediate account suspension and, where applicable, legal action:

  1. Uploading false, fabricated, or intentionally inaccurate employee or business data for the purpose of fraud, tax evasion, or avoidance of statutory obligations.
  2. Creating fictitious employee records ("ghost employees") to generate fraudulent salary slips or PF/ESI contributions.
  3. Using the platform to facilitate money laundering, hawala transactions, or any activity that violates the Prevention of Money Laundering Act, 2002.
  4. Attempting to gain unauthorized access to other Subscribers' accounts, employee data, or administrative panels.
  5. Attempting to reverse-engineer, decompile, disassemble, or copy any part of the Platform's code, algorithms, or database structures.
  6. Using automated bots, scripts, or crawlers to access, scrape, or extract data from the Platform without written permission.
  7. Sharing login credentials across multiple individuals in violation of the Platform's account license structure.
  8. Creating multiple free accounts or trial accounts for the same business entity to circumvent subscription requirements.
  9. Using the Platform to harass, discriminate against, or infringe upon the rights of any employee.
  10. Misrepresenting the nature of your business or employee count to obtain a lower subscription tier.
  11. Using the Platform for any purpose that violates applicable Indian law, including the Income Tax Act, GST Act, PF Act, ESI Act, POSH Act, or any applicable state labour law.

11 Confidentiality

Both the Subscriber and the Company agree to maintain strict confidentiality with respect to each other's proprietary and sensitive information. "Confidential Information" means any information designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure.

  • Subscriber obligations: Not disclose platform pricing, internal workflows, proprietary algorithms, or technical architecture to competitors or unauthorized parties.
  • Company obligations: Not use Client Data for any purpose beyond delivery of the contracted Services; not disclose Client Data to any third party except as expressly permitted in Section 3.6; maintain Client Data with at least the same degree of care used to protect its own confidential information.

Confidentiality obligations do not apply to information that was already publicly known at time of disclosure, becomes publicly known through no fault of the receiving party, was independently developed by the receiving party, or is required to be disclosed by law or court order.

Confidentiality obligations under this Section 11 shall survive termination of the subscription or agreement for a period of five (5) years from the date of termination.

12 Service Availability & SLA

12.1 Uptime Commitment & Maintenance Windows

The Company commits to a minimum Monthly Uptime of 99.5% for the core Platform, measured per calendar month and excluding scheduled maintenance and the exclusions listed in Section 12.3. If Monthly Uptime falls below 99.5%, affected paid Subscribers are eligible for a service credit of 5% of that month’s subscription fee for each full 1% of shortfall, capped at 50% of the monthly fee, claimable by writing to support@shramsetu.io within 30 days of month-end. Service credits are the sole and exclusive remedy for availability shortfalls.

  • Scheduled Maintenance: Minimum 24 hours' advance notice via in-app banner and email. Typically conducted during off-peak hours: 12:00 AM – 4:00 AM IST.
  • Emergency Maintenance: May occur without prior notice to address critical security vulnerabilities or infrastructure failures. Updates communicated as quickly as possible.

12.2 Support Channels & Response Times

Plan | Channels | Response Time
Starter | Email: support@shramsetu.io | Within 48 business hours
Growth | Email + In-app Chat | Within 24 business hours
Scale | Priority Email + Chat + Phone callback | Within 12 business hours + Dedicated Account Manager
Enterprise | 24×7 Priority Support + Account Manager | Custom SLA

12.3 Exclusions from SLA

  • Scheduled maintenance windows (with advance notice)
  • Force Majeure events (per Section 4.12)
  • Government portal outages (EPFO, ESIC, Traces) — these are third-party dependencies
  • WhatsApp Business API or payment gateway downtime
  • Disruptions caused by the Subscriber's own actions, misconfigurations, or Terms violations
  • Internet connectivity issues on the Subscriber's end

Subject to the uptime commitment above, the Platform is provided "as-is" and "as-available". Subscribers are strongly advised to maintain offline backups of all critical compliance data and generated documents.

13 Security Responsibilities

13.1 Company's Security Commitments

  • AES-256 encryption for all data stored at rest
  • TLS 1.2 or higher encryption for all data in transit
  • Role-Based Access Control (RBAC) with logged and audited admin access
  • Multi-Factor Authentication (MFA) available for all admin accounts
  • Periodic third-party penetration testing and vulnerability assessments
  • A documented and tested Incident Response Plan
  • Audit logs of all data access, modification, and deletion events — retained for 7 years
  • Reporting of qualifying cybersecurity incidents to CERT-In within six (6) hours of noticing, as required under the CERT-In Directions, 2022
  • SOC2 Type II certification as a target milestone

13.2 Subscriber's Security Responsibilities

  • Using strong, unique passwords for ShramSetu admin accounts (minimum 12 characters recommended)
  • Enabling Multi-Factor Authentication (MFA) where available — strongly recommended for all admin users
  • Granting admin access only to authorized and trusted personnel
  • Promptly revoking access for any personnel who leave the organization
  • Logging out of the platform after each session, particularly on shared or public devices
  • Immediately reporting suspected unauthorized access to security@shramsetu.io

14 Compliance Positioning

14.1 Labour Code Readiness

ShramSetu's platform logic is designed and continuously updated to align with India's four consolidated Labour Codes: Code on Wages, 2019; Industrial Relations Code, 2020; Code on Social Security, 2020; and Occupational Safety, Health and Working Conditions Code, 2020. As individual states notify and operationalize rules under these Codes, the platform will be updated accordingly.

14.2 PF/ESI Filing & Responsibilities

  • Company's Responsibility: Provide accurate calculation tools; maintain integration with EPFO/ESIC portals; generate ECR (Electronic Challan-cum-Return) files based on data provided; alert for upcoming filing deadlines.
  • Subscriber's Responsibility: Ensure accuracy of employee data (PF UAN, ESI IP numbers, salary components); verify computed contributions before submission; ensure timely deposit of challans. The liability for incorrect, delayed, or missing PF/ESI filings and payments rests entirely with the Subscriber.

14.3 Professional Tax (PT)

Where the Subscriber has configured Professional Tax (PT) deductions, the platform calculates PT based on the slab rates input by the Subscriber. It is the Subscriber's sole responsibility to ensure the correct state-specific PT slabs are configured and that PT is deposited to the relevant state authority within prescribed timelines.

The Company monitors regulatory changes affecting its core compliance features (Labour Codes, PF, ESI) and rolls out platform updates as changes are notified. Subscribers should subscribe to official regulatory notifications (EPFO, ESIC, Ministry of Labour) and consult their CA or labour law consultant for jurisdiction-specific compliance requirements.

15 Updates to This Document

Hutek HR Systems Private Limited reserves the right to update, modify, or replace any part of this Master Terms, Privacy & Legal Framework document at any time. The most current version will always be available at www.shramsetu.io/terms.

15.1 Notification of Material Changes

Material changes — defined as those that affect Subscriber rights, pricing, data practices, or liability — will be communicated via email to the registered admin account and via in-app banner notification, both at least 14 days before the effective date.

15.2 Acceptance of Updated Terms

Continued use of the ShramSetu platform after the effective date of any update constitutes your acceptance of the revised terms. If you do not agree with any updated terms, you may terminate your subscription by providing written notice to support@shramsetu.io before the effective date of the change.

16 Contact, Support & Grievance

16.1 Company Details

Hutek HR Systems Private Limited
3rd Floor, Plot No. B-23, Block B, Sector 62
Noida, Uttar Pradesh – 201301, India
CIN and GSTIN: as per official company records (furnished on invoices and on request)
Website: www.shramsetu.io

16.2 Contact Directory

Purpose | Email
General Support & Queries | team@shramsetu.io
Billing, Invoices & Refunds | billing@shramsetu.io
Data Privacy & Rights Requests | privacy@shramsetu.io
Grievance Officer (IT Act, 2000) | info@shramsetu.io
Security Incidents & Vulnerability Disclosure | security@shramsetu.io
CA Partner Program Enquiries | partners@shramsetu.io

16.3 Designated Grievance Officer

In accordance with Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021:

Designated Grievance Officer: Amit Kumar Singh, Founder
Company: Hutek HR Systems Private Limited
Email: info@shramsetu.io
Address: 3rd Floor, Plot No. B-23, Block B, Sector 62, Noida, UP – 201301
Acknowledgement: Within 48 hours of receipt
Resolution: Within 30 days of receipt of complaint

16.4 Business Hours

Support is available Monday to Saturday, 9:00 AM to 6:00 PM IST. Response times may vary on national public holidays. Scale and Enterprise plan Subscribers may have access to extended support hours as per their individual plan terms.

Phone: +91 93157 21962

© 2026 ShramSetu by Hutek HR Systems Private Limited. All rights reserved.

Last updated: June 6, 2026