Legal

Privacy Policy

What we collect, why we collect it, where we store it, and what control you have over it. India's DPDP Act 2023 sets the floor; we aim higher.

Last updated: 15 May 2026
The short version We collect what's needed to run the HRMS — nothing more. Your data stays in India. We never sell it. Face data is stored as one-way hashes that can't be reversed into images. You can export or delete everything at any time.

1. Scope of this policy

This Privacy Policy explains how MoonFellow IT Solutions Pvt Ltd ("BizlumoAI", "we", "us"), operating the BizlumoAI product, handles personal data in connection with our HRMS Service. It applies to:

This policy is governed by the Digital Personal Data Protection Act 2023 (DPDP) and the Information Technology Act 2000 (IT Act). For EU-based visitors, it also addresses GDPR-equivalent rights where applicable.

2. What personal data we collect

2.1 From you (the customer)

2.2 About your employees (uploaded by you)

2.3 From visitors to our marketing site

3. How we use this data

We process personal data only for these purposes:

We never:

4. Who we share data with

We share personal data only with the following categories of third parties, and only as needed to provide the Service:

We have data processing agreements with all third parties to ensure they handle data according to DPDP Act requirements.

5. Where we store data

All customer and employee data is stored on AWS servers located in Mumbai, India (ap-south-1 region). Data does not leave Indian jurisdiction except in transit when:

6. Face data — how we handle it

Face data is sensitive personal information. We treat it accordingly.

6.1 What we store

We never store raw face images on our servers. The kiosk app (running on your tablet) captures the face image, computes a 128-dimensional numerical embedding (a face "fingerprint"), and transmits only that embedding to our servers. The original image is discarded immediately.

6.2 Why this matters

The embedding is a one-way hash. It cannot be reversed back into a face image. If our database were ever breached, attackers couldn't reconstruct your employees' faces from the data they'd obtain.

6.3 Consent

Under DPDP Act 2023, biometric data requires explicit consent. As the employer, you are responsible for obtaining your employees' explicit consent before enrolling them in the kiosk system. We recommend consulting your CA or legal counsel to draft appropriate consent language for your jurisdiction and workforce.

6.4 Deletion

When an employee leaves your company (and you mark them as inactive), their face embedding is marked for deletion within 30 days and removed from active systems within that window. Residual copies in encrypted backups are aged out as part of our rolling backup retention (see §7), with full removal from all systems within approximately 60 days. You can also delete embeddings on demand from the dashboard.

7. Data retention

8. Your rights

Under DPDP Act 2023, you (and your employees) have the right to:

8.1 Right to access

Request a copy of personal data we hold. Customers can self-export via dashboard. Employees should request through their employer (you); if they contact us directly, we'll redirect them.

8.2 Right to correction

Request correction of inaccurate data. Customers can edit directly in the dashboard.

8.3 Right to erasure

Request deletion of personal data, subject to legal retention requirements (e.g. tax records). Cancel your account to trigger 90-day deletion timeline.

8.4 Right to grievance redressal

File a complaint with our Grievance Officer at dpo@bizlumoai.com. We respond within 30 days. If unresolved, you can escalate to the Data Protection Board of India.

8.5 Right to nominate

You can nominate another individual to exercise these rights on your behalf in case of incapacity or death. Contact our Grievance Officer to register a nominee.

9. Cookies and tracking

Our marketing website (this site) uses no third-party cookies and no cross-site tracking. We do not currently run any analytics or advertising scripts on the marketing site; if we add a privacy-preserving analytics tool in future, this section will be updated.

Our admin dashboard (after you log in) uses functional cookies for session management — these are required for the app to work. We don't use marketing or advertising cookies anywhere.

10. Children's data

The Service is not intended for use by individuals under 18. We don't knowingly collect data from children. If you become aware that a child has provided us personal data, contact dpo@bizlumoai.com and we'll delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email at least 30 days in advance. The "Last updated" date at the top of this page reflects the most recent change.

12. Contact

Questions about privacy or data handling? Contact our Grievance Officer:

Grievance Officer
Email: dpo@bizlumoai.com
Postal: MoonFellow IT Solutions Pvt Ltd, 60, D Block, Sector 63, Noida, Uttar Pradesh 201301
Response time: within 30 days


If you have questions about this Privacy Policy, contact us at privacy@bizlumoai.com.