We believe privacy is a fundamental right, not a checkbox. This policy explains precisely how Chillsoft collects, uses, protects, and respects your personal information across every product and service we offer.
Chillsoft Private Limited ("Chillsoft", "we", "us", or "our") is an enterprise Human Capital Management (HCM) software company headquartered at No. 82 (116), Velachery Main Road, Saidapet, Chennai — 600015, Tamil Nadu, India. We operate the Chillsoft platform, including Theo AI, ChillPay, ChillStat, ChillFix, Chill Vybes, OKR & PMS, Time & Attendance, Recruitment Tracking, Employee Care, and all associated mobile and web applications (collectively the "Services").
For the purposes of applicable data protection law — including the EU General Data Protection Regulation (GDPR), UK GDPR, and India's Digital Personal Data Protection Act (DPDPA) — Chillsoft acts as a data processor on behalf of our enterprise customers (who are the data controllers) for employee and candidate data processed through the platform. Chillsoft acts as a data controller in its own right for data collected through our website, marketing activities, and account management.
Data Protection queries: reachus@chillsoft.in · Postal: Chillsoft Private Limited, No. 82 (116) Velachery Main Road, Saidapet, Chennai-600015, Tamil Nadu, India · Phone: +91 9600 122 973
We collect personal data in two primary capacities — as a controller (website visitors, prospects) and as a processor (enterprise customer employee data).
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Identity Data | Full name, employee ID, date of birth, gender, nationality | Customer/employee input | Account creation, HR administration |
| Contact Data | Work email, personal email, phone, home address | Customer/employee input | Communication, payroll, compliance |
| Employment Data | Job title, department, salary, benefits, performance reviews, attendance, leave records | Employer administrator | HR process automation |
| Payroll Data | Bank account details, tax identification numbers, statutory deductions | Employer / employee | Salary processing (ChillPay) |
| Location Data | GPS coordinates, geo-fence check-ins, IP address | Mobile app / device | Time & attendance, remote work management |
| Device & Usage Data | OS version, device type, browser, session logs, feature usage | Automated collection | Platform improvement, security |
| Candidate Data | CV/Resume, education, work history, interview notes | Job applicants | Recruitment (via employer's use of platform) |
| Website Visitor Data | Name, work email, company, IP address, cookie identifiers | Contact forms, cookies | Demo requests, marketing, analytics |
We only collect data that is strictly necessary for the specified purpose. We do not collect sensitive personal data (health, biometric, political views) unless explicitly required by your employer's use case and with appropriate legal safeguards in place.
Under Article 6 of the GDPR and equivalent provisions in other applicable laws, we process personal data on the following legal bases:
| Legal Basis | When We Rely On It |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Processing employee data on behalf of employers pursuant to our Master Service Agreement; delivering the platform to enterprise customers. |
| Legitimate Interests (Art. 6(1)(f)) | Platform security monitoring, fraud prevention, product improvement through anonymised analytics, and direct marketing to existing business contacts. |
| Legal Obligation (Art. 6(1)(c)) | Compliance with tax laws, employment regulations, anti-money laundering requirements, and court orders. |
| Consent (Art. 6(1)(a)) | Optional marketing emails to website visitors; placement of non-essential cookies. Consent is freely given, specific, informed, and withdrawable at any time. |
| Vital Interests (Art. 6(1)(d)) | In rare emergency situations where processing is necessary to protect someone's life. |
We do not sell, rent, or trade personal data. We share data only in the following circumstances:
Employee data is shared with and controlled by the enterprise customer (your employer) who has deployed the Chillsoft platform. Chillsoft acts only on their documented instructions.
Microsoft Azure and AWS host our platform data in dedicated Virtual Private Clouds across our authorised regions (Central India, Singapore, North Europe, South East Asia, UAE). These providers are bound by Data Processing Agreements, hold ISO 27001 certification and SOC 2 attestation reports, and contractually support our GDPR obligations; note that GDPR itself is a regulation, not a certification scheme.
Carefully vetted third-party service providers (e.g. email delivery, payment gateways, customer support tools) access only the minimum data necessary under strict contractual data processing agreements. A full Sub-Processor List is available upon request.
We may disclose data when required by applicable law, court order, or legitimate regulatory authority request. We will notify you where legally permitted to do so.
In the event of a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity, subject to the same privacy protections and with advance notice to affected parties.
Chillsoft stores customer data in the cloud regions listed above (Central India, Singapore, North Europe, South East Asia, UAE), selected based on your geographic location and contractual requirements.
Where data is transferred outside the EEA, we rely on EU Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules. Remote support access from our Chennai headquarters does not copy customer data to storage in India; such access takes place over encrypted channels, is limited by strict access controls, and is recorded in audit logs.
Chillsoft operates a multi-tier backup and disaster recovery infrastructure so that customer data remains protected, available, and recoverable. The architecture is designed to meet our enterprise SLA commitments, with the recovery point and recovery time objectives set out in the table below.
Incremental backups are taken automatically every six hours (00:00, 06:00, 12:00, 18:00 UTC) across all customer data partitions, covering HR records, attendance, performance data, documents, and configurations. The worst-case data-loss window for this data is therefore six hours (plus the cross-region replication lag described below, if the primary region is lost). A cryptographic hash of each backup is recorded for integrity verification, and each backup is compressed and encrypted at rest using AES-256.
ChillPay payroll data, salary records, and financial transactions are additionally protected by rolling 1-hour snapshots with point-in-time recovery (PITR). These snapshots are stored in encrypted, geo-redundant storage containers separate from primary application storage.
A differential backup (all changes since the most recent weekly full backup) is taken nightly at 02:00 UTC. Together with that weekly full it forms the baseline to which the subsequent 6-hour incrementals are applied during a restore. Daily backups are retained for 30 days in primary storage with geographic replication.
Weekly full backups are archived for 12 months in cold storage (Azure Archive / AWS Glacier). These are integrity-checked monthly and can be restored within 4 hours for compliance and audit purposes.
Monthly consolidated backups are retained for a minimum of 7 years (84 months) where statutory record-keeping requirements, including those under India's IT Act and applicable tax and labour laws (US labour laws where relevant), require it. The GDPR storage limitation principle (Article 5(1)(e)) caps rather than mandates this retention, so personal data is not held in these archives beyond what those obligations justify. These are stored in tamper-evident, write-once storage.
All backups are asynchronously replicated to a secondary cloud region within 15 minutes of creation. This provides geographic redundancy: if an entire cloud region fails, backup data remains intact and recoverable from the secondary region. Because replication is asynchronous, in a regional loss the recovery point may lag the most recent backup by up to that 15-minute replication window.
Every quarter, our infrastructure team conducts a full disaster recovery drill — selecting random customer data partitions and performing a complete end-to-end restoration to a staging environment to verify backup integrity and measure actual RTO/RPO achievement.
| Metric | Target | Achieved |
|---|---|---|
| RPO (Recovery Point Objective) | ≤ 6 hours | ✅ ≤ 6 hours (incremental) / ≤ 1 hour (financial) |
| RTO (Recovery Time Objective) | < 4 hours | ✅ < 2 hours for critical systems |
| Backup Success Rate | 99.99% | ✅ 99.99% verified monthly |
| Backup Encryption | AES-256 at rest | ✅ AES-256 + TLS 1.3 in transit |
| Geo-Redundancy | 2 regions minimum | ✅ 2–3 regions per customer geography |
| Backup Retention (Standard) | 30 days incremental | ✅ 30 days incremental, 12 months weekly |
| Compliance Retention | 7 years | ✅ 7 years write-once archive |
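The drill and metrics above are only meaningful if the hashes, replication timestamps and backup ages are actually checked. The script below is an added example written for this page, not Chillsoft's code, of how such a check can be automated over a backup manifest. The manifest format, file names and archive contents are constructed for illustration; the 6-hour and 1-hour recovery point objectives and the 15-minute replication window are taken from the policy text. A backup whose recorded hash no longer matches the archive is treated as unusable and excluded when computing the recovery point, so a tampered or corrupted backup surfaces as an RPO breach rather than as a false sense of coverage.

```python
"""Backup manifest checks: integrity hashes, replication lag and RPO compliance.

Added example (not Chillsoft's code). Assumes a manifest that records, per
backup, the data class, creation time (UTC), time the secondary-region replica
was confirmed, and the SHA-256 of the encrypted archive. All data is constructed.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Recovery point objectives stated in the policy: 6 h standard, 1 h financial.
RPO = {"standard": timedelta(hours=6), "financial": timedelta(hours=1)}
# Policy commitment: replica in the secondary region within 15 minutes.
REPLICATION_SLA = timedelta(minutes=15)

# Constructed stand-ins for the encrypted backup blobs on disk.
ARCHIVES = {
    "hr-2024-05-01T12.enc": b"ciphertext-standard-1200",
    "pay-2024-05-01T17.enc": b"ciphertext-financial-1700",
    # This blob was altered after the manifest was written (simulated tampering).
    "hr-2024-05-01T18.enc": b"ciphertext-standard-1800-TAMPERED",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest. The third entry records the hash of the original,
# untampered blob, so it must fail integrity verification.
MANIFEST = [
    {"file": "hr-2024-05-01T12.enc", "class": "standard",
     "created": "2024-05-01T12:00:00Z", "replicated": "2024-05-01T12:09:00Z",
     "sha256": sha256_hex(b"ciphertext-standard-1200")},
    {"file": "pay-2024-05-01T17.enc", "class": "financial",
     "created": "2024-05-01T17:00:00Z", "replicated": "2024-05-01T17:31:00Z",
     "sha256": sha256_hex(b"ciphertext-financial-1700")},
    {"file": "hr-2024-05-01T18.enc", "class": "standard",
     "created": "2024-05-01T18:00:00Z", "replicated": "2024-05-01T18:05:00Z",
     "sha256": sha256_hex(b"ciphertext-standard-1800")},
]


def parse_ts(value: str) -> datetime:
    """Parse the manifest's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_integrity(manifest, archives):
    """Files whose recorded SHA-256 does not match the archive actually stored."""
    return [e["file"] for e in manifest
            if sha256_hex(archives[e["file"]]) != e["sha256"]]


def replication_breaches(manifest, sla=REPLICATION_SLA):
    """Backups whose secondary-region replica arrived later than the SLA allows."""
    return [e["file"] for e in manifest
            if parse_ts(e["replicated"]) - parse_ts(e["created"]) > sla]


def rpo_status(manifest, archives, now, rpo=RPO):
    """Per data class: age of the newest *intact* backup and whether it meets RPO.

    Backups that fail their hash are skipped, because a backup that cannot be
    verified cannot be relied on for restore.
    """
    corrupt = set(verify_integrity(manifest, archives))
    latest = {}
    for entry in manifest:
        if entry["file"] in corrupt:
            continue
        created = parse_ts(entry["created"])
        cls = entry["class"]
        if cls not in latest or created > latest[cls]:
            latest[cls] = created
    status = {}
    for cls, objective in rpo.items():
        if cls not in latest:
            status[cls] = {"age_seconds": None, "within_rpo": False}
            continue
        age = now - latest[cls]
        status[cls] = {"age_seconds": int(age.total_seconds()),
                       "within_rpo": age <= objective}
    return status


if __name__ == "__main__":
    print("integrity failures:", verify_integrity(MANIFEST, ARCHIVES))
    print("replication SLA breaches:", replication_breaches(MANIFEST))
    for when in ("2024-05-01T17:45:00Z", "2024-05-01T18:30:00Z"):
        print(when, rpo_status(MANIFEST, ARCHIVES, parse_ts(when)))
```

Run as a scheduled job, the same three checks give the evidence behind the "Achieved" column: hash mismatches and replication-lag breaches are alerts in their own right, and an RPO breach appearing only because the newest backup failed verification is exactly the failure a quarterly restore drill is meant to catch earlier.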
We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. The following retention periods apply:
| Data Type | Retention Period | Basis |
|---|---|---|
| Active employee HR records | Duration of employment + 7 years | Legal obligation, statutory audit |
| Payroll and financial data | 7 years post-termination | Tax law, labour law, audit requirements |
| Candidate/applicant data | 2 years from application date | Legitimate interest, legal compliance |
| Access and audit logs | 3 years | Security, regulatory compliance |
| Website visitor / demo request data | 3 years from last contact | Legitimate interest (CRM) |
| Cookie consent records | 3 years | GDPR accountability obligation |
| Backup archives | 7 years (monthly), 30 days (incremental) | Compliance, disaster recovery |
| Marketing contact data | Until opt-out + 30 days suppression list | Consent |
After the applicable retention period, data is securely deleted using NIST SP 800-88 compliant data sanitisation methods. Deletion is logged and available for audit.
Depending on your location, you have the following rights regarding your personal data. Note: If you are an employee using Chillsoft through your employer, many of these rights should be exercised through your employer (the data controller). We will assist employers in fulfilling these requests.
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how it is processed.
You have the right to have inaccurate personal data corrected or incomplete data completed without undue delay.
You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where processing is unlawful — subject to our legal retention obligations.
You may request that we restrict how we process your data in certain circumstances, such as while accuracy is contested or while an objection is being considered.
Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you, without human review.
Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
You have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, your country's Data Protection Authority in the EU, or the Data Protection Board of India under the DPDPA).
Submit a Data Subject Request (DSR) to reachus@chillsoft.in with subject line "Data Subject Request — [Your Name]". We will respond within 30 days (extendable by up to a further 60 days for complex requests, with notice of the extension). We will verify your identity before acting on a request, using no more information than is needed to confirm you are the data subject.
The Chillsoft platform is an enterprise B2B software solution intended exclusively for use by organisations and their adult employees (18 years and older). We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will promptly delete such data and notify the relevant employer.
Chillsoft implements comprehensive technical and organisational security measures aligned with ISO 27001, SOC 2 Type II, and NIST cybersecurity frameworks:
We may update this Privacy Policy from time to time to reflect changes in law, our data practices, or our business. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date. For significant changes that materially affect your rights, we will provide prominent notice via email or in-product notification at least 30 days before the change takes effect. Continued use of our services after the effective date constitutes acceptance of the updated policy.
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection team:
Email: reachus@chillsoft.in
Phone (India): +91 9600 122 973
Phone (US): +1 (408) 401-6054
Postal Address: Data Protection Officer, Chillsoft Private Limited, No. 82 (116), Velachery Main Road, Saidapet, Chennai — 600015, Tamil Nadu, India
Response Time: We aim to acknowledge all privacy queries within 2 business days and provide a substantive response within 30 days.