Satisfied Pixelate Nest client Satisfied Pixelate Nest client Satisfied Pixelate Nest client Satisfied Pixelate Nest client
TRUSTED BY 20+ DELIGHTED CUSTOMERS

Privacy Policy

Learn how Pixelate Nest collects, uses, and protects your personal information across our products — NestHR and NestLeads.

Privacy Policy

Last updated: April 2026  ·  Kalahanu Tech Studios LLP

At Pixelate Nest (operated by Kalahanu Tech Studios LLP), we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data when you use our website at pixelatenest.com or engage with our services.

For our individual products, please refer to the NestHR and NestLeads tabs — each has its own dedicated policy covering product-specific data practices.

Information We Collect

We collect information you provide directly and information collected automatically when you visit our website:

Information You Provide

  • Name, email address, and phone number when you contact us or submit a form
  • Business details and project requirements when requesting a quote
  • Resume and professional information if you apply for a position
  • Payment information (processed securely through third-party payment gateways; we do not store card details)

Information Collected Automatically

  • IP address and browser type
  • Pages visited and time spent on the site
  • Referral source (how you found our website)
  • Device information (operating system, screen size)
  • Cookie data (see our Cookie Policy)

How We Use Your Information

  • Respond to your inquiries and provide requested services
  • Send you project updates, invoices, and service communications
  • Improve our website and understand how visitors use it
  • Send marketing communications (only with your consent)
  • Comply with legal obligations
  • Prevent fraud and ensure website security

Data Storage & Security

Your data is stored on secure servers. We implement industry-standard security measures including SSL encryption, access controls, and regular security reviews to protect your personal information from unauthorised access, disclosure, or destruction.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Contact form submissions are retained for up to 2 years unless you request earlier deletion.

Sharing Your Information

We do not sell your personal data. We may share information with trusted third parties who assist us in operating our website and providing services:

  • Google Analytics — website analytics (anonymised data)
  • Meta Pixel — advertising and remarketing
  • Email service providers — for communication
  • Payment processors — for billing (they have their own privacy policies)

We may also disclose information when required by law or to protect our legal rights.

Your Rights

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data (subject to legal obligations)
  • Opt-out: Unsubscribe from marketing communications at any time
  • Complaint: Lodge a complaint with the relevant data protection authority

To exercise any of these rights, contact us at support@pixelatenest.com.

Children's Privacy

Our website and services are not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by posting the new policy on this page with an updated date.

Contact Us

  • Email: support@pixelatenest.com
  • Address: Kala Bhawan, Akharaghat Road, Muzaffarpur, Bihar – 842001, India
  • Phone: +91-84069-12345

NestHR Privacy Policy

Effective: June 11, 2026  ·  Last Updated: June 11, 2026

1. Introduction

NestHR ("we", "our", "us") is a Human Resource Management System (HRMS) platform developed and operated by Pixelate Nest. This Privacy Policy explains how we collect, use, store, share, and protect personal information when businesses ("Clients") use the NestHR platform and when individuals ("Employees") interact with it.

By using NestHR, you agree to the collection and use of information as described in this policy. This policy is governed by the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology Act, 2000 of India.

2. Who This Policy Applies To

  • Client Organisations — Companies and businesses that subscribe to and administer NestHR.
  • End Users — HR managers, administrators, and employees who access NestHR through a Client's account.
  • Visitors — Anyone who visits our marketing website at hrms.pixelatenest.com.

3. Data We Collect

3.1 Personal Identification Data

  • Full name, email address, phone number, gender, date of birth
  • Government-issued identifiers: PAN number, Aadhaar number
  • Profile photograph / avatar

3.2 Employment Data

  • Employee ID, designation, department, branch
  • Employment type (full-time, part-time, contract, intern)
  • Join date, exit date, employment status
  • Shift assignments and working hour configurations

3.3 Financial & Payroll Data

  • Bank account number, account holder name, IFSC code, bank name
  • Salary components: basic pay, HRA, DA, TA, medical and other allowances
  • Deductions: PF (Provident Fund), ESI, TDS, loan repayments
  • Net and gross salary calculations, overtime pay, penalty deductions
  • Statutory IDs: PF number, ESI number, UAN number
  • Loan and advance details including outstanding balances and EMI schedules

3.4 Biometric Data

  • Face recognition data: facial descriptor vectors and device-specific face templates captured via on-device cameras
  • Fingerprint data: device-specific fingerprint templates enrolled on biometric hardware
  • RFID / NFC card UIDs linked to individual employees
  • Biometric enrollment timestamps and verification logs
Important: Biometric data is among the most sensitive categories of personal data. It is collected only for attendance verification and access control, processed on-device where possible, and is never sold or shared with third parties for any other purpose.

3.5 Attendance & Time Records

  • Daily check-in and check-out timestamps
  • Total work hours, overtime hours, late arrivals, early departures
  • Attendance status (present, absent, half-day, on leave, holiday)
  • Verification method used (face, fingerprint, NFC card, PIN, manual)

3.6 Leave Records

  • Leave type, dates, duration, and reason
  • Approval/rejection decisions and approver identity
  • Remaining leave balance per type

3.7 Performance Data

  • Review periods, ratings (1–5 scale), goal descriptions and achievement metrics
  • Reviewer comments and employee self-assessments
  • Probation, quarterly, half-yearly, and annual review records

3.8 Recruitment Data

  • Candidate name, email, phone, and uploaded résumé
  • Job posting details, salary ranges, hiring pipeline stage, and interview notes

3.9 Account & Technical Data

  • Login credentials (passwords stored as bcrypt hashes — never in plain text)
  • JWT authentication tokens stored in browser local storage
  • Last login timestamps, role assignments, account status
  • IP addresses and device identifiers

4. How We Use Your Data

Purpose Data Used
Employee identity verification and access control Biometric data, government IDs
Payroll processing and statutory compliance Financial data, attendance, leave, statutory IDs
Attendance management Biometric logs, timestamps
Leave and loan administration Leave records, loan details
Recruitment pipeline management Candidate data, job postings
Performance appraisal Review data, goal metrics
Subscription billing and invoicing Company contact, payment method tokens
WhatsApp / email notifications Phone number, email
Platform security and fraud prevention IP addresses, login history, rate limiting
Legal and statutory compliance (PF, ESI, TDS) Financial and statutory data

We do not use personal data for advertising, profiling for sale, or any purpose not listed above.

5. Data Sharing and Third-Party Services

5.1 Payment Processing

  • Razorpay — Subscription billing and payment tokenisation. We store only the tokenised reference, not raw payment credentials.
  • HDFC SmartGateway — Alternative payment gateway. Order IDs and bank reference numbers stored; raw credentials are not.

5.2 Communication

  • Meta WhatsApp Business API — HR notifications (payslip ready, leave approval). Your phone number is transmitted to Meta's servers to deliver messages.
  • Nodemailer (SMTP) — Email delivery of notifications and reports.

5.3 Biometric Hardware

  • ZKTeco / ESSL Devices — Biometric templates are synchronised between NestHR servers and on-premise biometric devices. Data does not leave your organisation's network except to sync with the NestHR server.

5.4 Cloud Infrastructure

  • MongoDB Atlas — All application data is stored on MongoDB Atlas, which provides encryption at rest and in transit.

We do not sell, rent, or trade personal data to any third party.

6. Data Retention

Data Category Retention Period
Active employee records Duration of employment + 7 years
Payroll records 10 years (statutory requirement)
Biometric data Duration of employment; deleted within 30 days of exit
Attendance logs 7 years
Recruitment data (non-hired candidates) 1 year from last activity
Audit logs 3 years
Deleted account data 90 days (then permanently purged)

7. Data Security

  • Encryption in transit: All API communication uses HTTPS/TLS.
  • Encryption at rest: MongoDB Atlas encrypts data at rest.
  • Password security: All passwords hashed using bcryptjs (10 salt rounds). Plain-text passwords are never stored or logged.
  • Access control: Role-based access control (RBAC) with five distinct roles.
  • Authentication: JWT-based session management with short-lived tokens.
  • Rate limiting: Authentication endpoints limited (50 requests / 15 minutes).
  • Security headers: HSTS and Content Security Policy enforced via Helmet.js.
  • CORS policy: Cross-origin requests restricted to allowlisted domains.

In the event of a data breach, we will notify affected parties as required by the DPDPA 2023 within 72 hours of becoming aware.

8. Biometric Data — Special Notice

  • Collected only with the knowledge and consent of the employee through the Client organisation's enrolment process.
  • Used exclusively for attendance marking and access control.
  • Facial recognition processing occurs client-side in the browser using face-api.js where possible, minimising server-side exposure.
  • Biometric templates stored in encrypted form and not shared with any third party.
  • Employees may request deletion of their biometric data at any time via their employer (Client organisation).

9. Your Rights

Under the DPDPA 2023, you have the right to:

  1. Access — Request a copy of your personal data held by us.
  2. Correction — Request correction of inaccurate or incomplete data.
  3. Erasure — Request deletion of your data (subject to statutory retention requirements).
  4. Grievance Redressal — Lodge a complaint with our Data Protection Officer.
  5. Nomination — Nominate another person to exercise rights on your behalf in case of incapacity.
  6. Withdraw Consent — Where processing is consent-based, withdraw consent at any time.
Note for Employees: NestHR acts as a Data Processor on behalf of your employer (the Client). For requests related to your employment data, please contact your HR department directly.

10. Cookies and Tracking

The NestHR web application does not use tracking cookies or third-party analytics cookies. We use session/authentication storage in browser localStorage for JWT tokens only. No advertising cookies, cross-site trackers, or fingerprinting.

11. Children's Privacy

NestHR is a professional employment platform. We do not knowingly collect data from individuals under 18 years of age. If we become aware that a minor's data has been collected, we will delete it promptly.

12. Cross-Border Data Transfers

NestHR's servers are hosted in India via MongoDB Atlas. Payment processing involves Razorpay (India) and HDFC (India). WhatsApp messages are processed by Meta (USA). Where data is transferred outside India, we ensure adequate contractual protections consistent with the DPDPA 2023.

13. Changes to This Policy

When we make material changes, we will notify Client administrators via email and via an in-app banner at least 14 days before the change takes effect.

14. Contact Us & Grievance Officer

NestHR — Pixelate Nest
Email: support@pixelatenest.com
Address: Kala Bhawan, Akharaghat Road, Muzaffarpur, Bihar – 842001, India

Response time: We aim to acknowledge all requests within 7 business days and resolve them within 30 days. If you are unsatisfied with our response, you may escalate to the Data Protection Board of India under the DPDPA 2023.

NestLeads CRM Privacy Policy

Effective: June 11, 2026  ·  Last Updated: June 11, 2026

Pixelate Nest ("we", "us", "our") operates NestLeads CRM, a cloud-based lead management platform for businesses. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding it.

By using NestLeads, you agree to the practices described in this policy. If you do not agree, please discontinue use of the platform.

1. Who This Policy Applies To

  • Business customers — companies and individuals who subscribe to NestLeads
  • Users — employees and team members added to a NestLeads account
  • Leads — contacts whose data is imported or synced into the platform by business customers
  • Visitors to our website
Note for Leads: If your contact information is stored in NestLeads by a business you interacted with (e.g., after submitting an Indiamart enquiry or Facebook lead form), that business is the data controller for your information. Please contact them directly for data-related requests.

2. Data We Collect

2.1 Account & User Data

Data Purpose
Full name Account identification
Email address Login, notifications
Password Authentication (bcrypt hashed — never stored in plain text)
Phone number Account contact
Role (Admin / Manager / User) Access control
Company / organisation name Account setup
IP address Security logging, activity audit trail

2.2 Lead Data

Data Source
Name, company, phone, email Manually entered or auto-imported
Location, city, pincode Lead profile
Requirement / product interest Lead enquiry details
Budget Lead qualification
Lead source (Indiamart, Facebook, Manual, Excel, etc.) Import/sync
Lead status and stage history CRM activity
Notes, remarks, follow-up dates, tags Sales team input

2.3 Indiamart Integration Data

When a business connects their Indiamart account, we sync lead name, company, phone, email, product query text, query type, timestamp, and Indiamart Query ID (for deduplication) — fetched via Indiamart's authorised API using the business's own API key.

2.4 Facebook / Meta Integration Data

  • Lead name, phone, email (from Facebook lead forms)
  • Facebook Lead ID, Form ID, Ad ID, Ad name and Page name
  • Facebook Page access tokens (encrypted at rest using AES-256-GCM)

2.5 WhatsApp Business Data

  • WhatsApp Business Account ID (WABA ID), Phone Number IDs
  • Access tokens (encrypted at rest — AES-256-GCM), webhook verify tokens
  • Sent message records (message ID, status, timestamp)
  • Delivery and read receipts (Sent → Delivered → Read)
  • Incoming text replies from leads
  • WhatsApp campaign details (recipients, statuses, failure reasons)
  • Template names and content (synced from Meta)

We do not store media files sent via WhatsApp. Media is uploaded directly to Meta's servers via the WhatsApp Cloud API.

2.6 Billing & Subscription Data

  • Subscription plan (Free / Starter / Pro / Enterprise), plan expiry date, Razorpay Subscription ID

We do not store card numbers, CVV, or full payment details. All payment processing is handled by Razorpay.

2.7 Activity Logs & Technical Data

  • Which user performed an action, what action, which module, timestamp, IP address
  • Browser and device type, API request logs, session tokens (JWT)

We do not use tracking pixels, advertising cookies, or third-party analytics on the platform dashboard.

3. How We Use Your Data

Purpose Data Used
Providing the CRM service Lead data, user accounts, integrations
Authentication and access control Email, password, JWT tokens, IP
Sending WhatsApp messages on behalf of businesses Lead phone numbers, WhatsApp credentials
Syncing leads from Indiamart Indiamart API key, lead data
Syncing leads from Facebook Lead Ads Facebook access tokens, lead data
Billing and subscription management Razorpay subscription ID, plan data
Security and fraud prevention IP address, activity logs
Customer support Account data, error logs
Email notifications (OTP, alerts) Email address
Product improvement Aggregated, anonymised usage patterns

We do not use your data for advertising, profiling, or selling to third parties.

4. Third-Party Services

Service Purpose Data Shared
Meta (Facebook / WhatsApp) Lead Ads sync, WhatsApp messaging Lead data sent to WhatsApp Cloud API; Facebook tokens stored encrypted
Indiamart Lead sync Indiamart API key; lead data fetched from their API
Razorpay Subscription billing Business name, email; payment handled on Razorpay's servers
MongoDB Atlas Database hosting All platform data stored in cloud database
SMTP Transactional emails Recipient email address

5. Data Security

  • Passwords — hashed using bcrypt
  • Access tokens (WhatsApp, Facebook) — encrypted at rest using AES-256-GCM
  • API authentication — all requests require a valid JWT bearer token
  • Multi-tenant isolation — each business's data is scoped to their tenant ID
  • HTTPS — all data in transit is encrypted via TLS
  • IP logging — all sensitive actions are logged with the user's IP
  • Role-based access — Admin / Manager / User roles with separate permissions

6. Data Retention

Data Type Retention Period
Lead data Retained as long as the business account is active
User accounts Retained until the user is deleted by the admin
Activity logs 12 months
WhatsApp campaign logs 12 months
Billing records 7 years (legal/tax requirement)
Account data after cancellation Deleted within 90 days of account closure

7. Your Rights

For Business Customers and Users

  • Access — Request a copy of the data we hold about your account
  • Correction — Update inaccurate information directly in the platform or by contacting us
  • Deletion — Request deletion of your account and associated data
  • Portability — Request an export of your lead data in CSV format
  • Restriction — Request that we stop processing your data in certain ways
  • Withdraw Consent — Disconnect integrations (Indiamart, Facebook, WhatsApp) at any time from Settings

For Leads (contacts stored in the CRM)

Your data is controlled by the business that collected it. Please contact that business directly. If you cannot reach them, contact us at support@pixelatenest.com and we will assist.

8. Cookies

The NestLeads platform uses only authentication localStorage (JWT token) to keep you logged in. No advertising cookies and no third-party tracking cookies.

9. Children's Privacy

NestLeads is a B2B business tool and is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors.

10. International Data Transfers

Our servers are hosted in cloud infrastructure (MongoDB Atlas) which may process data outside India. We ensure that such transfers comply with applicable data protection laws.

11. WhatsApp Messaging — Additional Notice

  • Messages are sent via the Meta WhatsApp Cloud API using the business's own approved WABA account
  • NestLeads acts as a technology intermediary — we do not initiate contact with leads independently
  • All templates must be pre-approved by Meta before use
  • Lead phone numbers are passed to Meta's API solely to deliver the message
  • Delivery receipts (Sent/Delivered/Read) are stored to help businesses track campaign performance

12. Facebook Lead Ads — Additional Notice

  • NestLeads requests only leads_retrieval and pages_read_engagement permissions
  • Businesses are responsible for compliance with Meta's Platform Terms and proper consent disclosures in their lead ad forms

13. Changes to This Policy

When we update this policy, the "Last Updated" date at the top will change. For significant changes, we will notify active customers by email. Continued use after changes means you accept the updated policy.

14. Contact Us

Pixelate Nest
Email: support@pixelatenest.com
General support: support@pixelatenest.com
Website: pixelatenest.com