Privacy Policy

Kaptanz Space Private Limited ("we", "us", "our"), operating WorkRight at app.workright.in, is committed to protecting your privacy. This policy explains how we collect, use, store and protect personal information when you use our HR and compliance platform — covering leave management, HR core, expense tracking, performance management and POSH Act 2013 compliance.

• Account information: company name, admin name, work email, phone, and a hashed password.
• Employee information: names, work emails, employee IDs, departments, designations and reporting lines as entered by your company administrator.
• HR records: leave requests and balances, onboarding progress, uploaded employee documents, asset assignments, expense claims and receipts, and performance data (goals, reviews, 1:1 notes, feedback).
• POSH compliance data: training progress and certificates, ICC complaint details, inquiry records and generated policies/reports.
• Payment information: transaction records processed through Razorpay. We do not store card numbers or bank account details directly.
• Usage data: login timestamps and feature usage, used in aggregate to improve the platform.

• To provide and maintain the platform's HR and compliance services
• To run leave, expense and performance workflows and generate certificates and reports
• To process payments and manage subscriptions
• To send service notifications (approvals, reminders, compliance deadlines)
• To improve the platform based on aggregate usage
• To comply with legal obligations

Complaint data is treated with the highest level of confidentiality in accordance with Section 16 of the POSH Act 2013:

• Complaint details are accessible only to designated ICC members and authorised administrators within your organisation
• Complainant and respondent identities are never shared with unauthorised parties
• Complaint data is encrypted at rest and in transit
• We do not access complaint contents unless required for technical support with explicit authorisation from your organisation

• Multi-tenant isolation:every record is scoped to your organisation; one tenant's data is never visible to another.
• Authentication: sessions use httpOnly cookies with CSRF protection. We do not store authentication tokens in browser localStorage. Two-factor authentication is available, and mandatory for privileged roles.
• Encryption: data is encrypted in transit (TLS) and at rest.
• Access control: role-based access ensures employees only see their own data; ICC complaint data is restricted to assigned members.
• Passwords: stored using a strong one-way hash — never in plain text.
• Audit trail: state-changing actions are recorded in an immutable audit log.

We do not sell or rent your personal information. We share it only with: payment processing (Razorpay, under their own policy); legal requirements (court order or government authority); and infrastructure/email service providers that process data on our behalf under confidentiality agreements.

• Active accounts: data is retained for the duration of the subscription.
• Cancelled accounts: account data is deleted within 90 days of cancellation, except where retention is required by law.
• Compliance records: certificates and POSH complaint records are retained per statutory requirements.
• Payment records: retained for 7 years as required under Indian tax law.

You may request access, correction, deletion (subject to legal retention), and export of your personal data, and may opt out of non-essential communications. To exercise these rights, email [email protected].

We use essential cookies only — for authentication (httpOnly session cookies plus a readable CSRF token) and session management. We do not use third-party tracking or advertising cookies. Analytics, if any, is collected in aggregate without personal identifiers.

WorkRight is designed for use by adults in a workplace context. We do not knowingly collect information from individuals under 18 years of age.

We may update this policy from time to time. We will notify registered users of material changes via email and update the "Last updated" date above.