Skip to content

New: HelloTime now integrates with HelloBooks — sync clients, hours, invoices and payroll.

DPDP Act, 2023 — Privacy notice for Indian users

Last updated: May 23, 2026

1. Who we are

HelloTime is operated by Meru Fintech, registered in Ahmedabad, Gujarat. For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), Meru Fintech is the Data Fiduciary.

2. Personal data we process

  • Account data — name, work email, phone, company
  • Tracked time — timers, project/task tags, timesheets
  • Optional activity data — screenshots (opt-in), app/URL usage (opt-in), activity levels
  • HelloTime Attend (mobile clock-in) only, where enabled by your employer: face-template embeddings derived from a selfie at clock-in, GPS coordinates captured at clock-in / clock-out, and device identifiers used for anti-spoofing.
  • Billing data — GSTIN, billing address, payment method
  • Usage metadata — IP address, device, browser, diagnostic logs

2a. Biometric & location data — special category

Face embeddings and GPS coordinates collected via HelloTime Attend are treated as a special category of personal data:

  • Captured only when your employer enables the face check-in or geofence feature and only at the moment of clock-in / clock-out.
  • Raw selfie photos are not retained — only a numeric face-template embedding is stored, and only for the purpose of verifying that the same person is clocking in.
  • Stored encrypted at rest in India-region AWS.
  • Retained for the duration of your employment relationship plus any statutory period required for attendance / payroll records (typically 3 years under Indian labour law).
  • Deleted within 90 days of account deletion, or sooner on a verified Data Principal erasure request — face embeddings cannot be reconstructed into a usable photo.
  • Never shared with third parties, never used to train AI models, never sold.

3. Purposes

Personal data is processed only for specified, explicit and lawful purposes: providing the HelloTime service, billing and GST compliance, security and fraud prevention, and service improvement.

4. Consent

Processing relies on your explicit, informed consent. You may withdraw consent at any time — the withdrawal will not affect lawfulness of processing prior to the withdrawal.

5. Your rights as a Data Principal

  • Right to access a summary of your personal data and processing
  • Right to correction and erasure of personal data
  • Right to nominate another person to exercise rights on your behalf
  • Right of grievance redressal

6. How to exercise rights

Email [email protected] with subject "DPDP request". You will receive an acknowledgement within 72 hours and a response within 30 days.

7. Grievance officer

Grievance Officer · Meru Fintech
902, 903 Shivalik Complex, opp. Bank of Baroda, Panchvati, Ahmedabad, Gujarat 380006
Email: [email protected]

8. Data retention & deletion

Personal data is retained only as long as necessary for the purposes set out above, or as required by Indian law. Upon account deletion, data is purged within 90 days.

9. Children

HelloTime is not directed at children under 18. We do not knowingly process the personal data of children without verifiable parental consent.

10. Cross-border transfers

We host primary data in India-region AWS. Where cross-border transfer is necessary, it is limited to jurisdictions permitted by the Central Government under the DPDP Act.