Privacy Policy

This Privacy Policy describes how Next Move Infotech Private Limited(“we”, “us”, or “our”) collects, uses, shares, and protects personal data when you use Next Move HRMS (the “Service”). We are an Indian private limited company with our registered office at Office No. 104, Centrum Plaza, Sector 53, Golf Course Road, Gurgaon 122002, Haryana, India.

We act as the data fiduciary under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) for personal data we collect directly. When we process personal data on behalf of a client organisation (typically your employer), we act as a data processor and your employer is the data fiduciary. For users located in Thailand, we observe the relevant principles of the Thailand Personal Data Protection Act B.E. 2562 (2019) (“Thai PDPA”).

This policy applies to client administrators (HR and finance staff who log in to manage payroll, attendance, leave, and statutory compliance), employees of client companies using Employee Self-Service (ESS), and visitors to our marketing pages. The Service is intended exclusively for adults in a professional capacity; we do not knowingly target or collect personal data from individuals under 18.

Information you provide directly: account credentials (username, hashed password, email, mobile number); employment and identity information (name, date of birth, gender, address, PAN, Aadhaar number, passport details for expat employees, photograph); payroll and financial data (salary structure, bank account number, IFSC, UPI ID, tax declarations, PF/ESI numbers, TDS elections); attendance and leave data (clock-in/out times, biometric sync events, leave applications, supporting documents); documents you upload (ID proofs, certificates, signed letters); and free-text content (messages, requests, feedback).

Information collected automatically: session data (encrypted session cookies, login timestamps, IP address, browser or device type, application version), usage logs (pages visited, API requests, error reports, performance traces), and mobile device data (device model, operating system version, network connectivity status, push-notification tokens).

Information from third parties: attendance events from biometric devices integrated by your employer, and pre-populated employee records provided by your employer at the time of joining.

We use personal data to provide, operate, and maintain the Service; perform HR, payroll, attendance, leave, and statutory compliance functions on behalf of your employer (Indian Provident Fund, ESI, TDS, Professional Tax, Labour Welfare Fund; Thai Social Security and PIT for Thailand operations); authenticate you and prevent unauthorised access; send service-related communications (OTPs, password resets, payslip and leave notifications, reminders); diagnose and fix bugs; and comply with legal and regulatory obligations. Under the DPDP Act we rely on consent where required and on the legitimate uses set out in Section 7 of the Act.

We use the following sub-processors to operate the Service, each bound by data-protection commitments, each receiving only what is necessary for the function it provides: Supabase (database, file storage, authentication, edge functions; hosted in AWS Sydney), Vercel (application hosting and content delivery), Cloudflare (DNS, content delivery, denial-of-service protection), Resend (transactional email delivery), Twilio (OTP delivery and welcome SMS messages), Sentry (error monitoring and performance traces; no form contents or file uploads are transmitted), Backblaze B2 (encrypted offsite backups of database and storage), Google Firebase App Distribution and Google Play (distribution of the Android app), and Apple TestFlight and the App Store (distribution of the iOS app). We do not sell personal data, share it with advertisers, or use it to train artificial intelligence models.

The Next Move HRMS Android and iOS apps request the following device permissions, each revocable at any time from your device's settings: camera (to scan documents and capture profile photos you choose to upload), internet access and network state (to communicate with our servers), push notifications (operational messages such as payslip availability and leave approvals), and vibration / haptics (tactile feedback). The mobile app does not access contacts, calendar, microphone, SMS messages, location, or photo library, and it does not run background tracking of any kind.

Our primary database and storage are hosted in Sydney, Australia (AWS ap-southeast-2). When you use the Service from India or Thailand, your personal data is transferred to Australia. We rely on contractual safeguards with each sub-processor and on the relevant cross-border transfer mechanisms permitted by the DPDP Act and Thai PDPA. Some sub-processors listed in Section 5 may also access data from the United States in the course of providing the Service.

We retain personal data only for as long as needed for the purposes for which it was collected, or as required by law. Active employee records are retained while you are employed by the client and for the period your employer instructs us to keep records after you leave. Payroll, statutory returns, and tax records are retained for a minimum of eight (8) years in line with Section 44AA of the Income-tax Act, the Companies Act 2013, and ESI/EPF regulations. Logs and audit trails are retained for up to 12 months. Encrypted backups are retained for up to 90 days on a rolling basis. On valid request, and where no overriding legal obligation requires retention, we will delete or anonymise the data.

Subject to the DPDP Act (for users in India) and the Thai PDPA (for users in Thailand), you have the right to access a summary of personal data we hold about you, correct inaccurate or incomplete data and request erasure, withdraw consent at any time, nominate another person to exercise your rights in the event of your death or incapacity, lodge a grievance with our Grievance Officer (Section 12), and approach the relevant data protection authority — the Data Protection Board of India or the Personal Data Protection Committee for Thailand — if your grievance is not resolved to your satisfaction. To exercise any of these rights, email privacy@nextmove-group.com. We will respond within the timeframes required by law (currently 30 days under both the DPDP Act and the Thai PDPA). Where we process your data on behalf of your employer, certain requests (such as correction of your salary record) should be directed to your employer.

We use commercially reasonable technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2 or higher) and at rest, row-level security in the database, encrypted backups, role-based access control, and audit logging. No system is perfectly secure; we will notify you and the relevant authorities of any personal data breach in line with our legal obligations.

The Service uses essential cookies and local storage to keep you signed in, remember your language and country preference, and store your session tokens. We do not use third-party advertising or behavioural-tracking cookies. The mobile app uses the platform-equivalent secure storage on your device for the same purposes.

In line with Section 10(4) of the DPDP Act and Rule 5(9) of the Indian IT Rules, 2011, we have appointed a Grievance Officer to handle user complaints regarding personal data: Syed Faizan, complaints@nextmove-group.com, Office No. 104, Centrum Plaza, Sector 53, Golf Course Road, Gurgaon 122002, Haryana, India. The Grievance Officer will acknowledge complaints within seven (7) working days and resolve them within thirty (30) days of receipt.

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will revise the effective date at the top of this page and, where appropriate, notify you through the Service or by email.

For any privacy-related question, write to Next Move Infotech Private Limited, Office No. 104, Centrum Plaza, Sector 53, Golf Course Road, Gurgaon 122002, Haryana, India, email privacy@nextmove-group.com.