Privacy Policy
Last updated: April 2026 · Kalahanu Tech Studios LLP
At Pixelate Nest (operated by Kalahanu Tech Studios LLP), we respect
your privacy and are committed to protecting your personal
information. This Privacy Policy explains what data we collect, how
we use it, and your rights regarding that data when you use our
website at pixelatenest.com or engage with our services.
For our individual products, please refer to the
NestHR and NestLeads tabs — each
has its own dedicated policy covering product-specific data
practices.
Information We Collect
We collect information you provide directly and information
collected automatically when you visit our website:
Information You Provide
-
Name, email address, and phone number when you contact us or
submit a form
-
Business details and project requirements when requesting a quote
-
Resume and professional information if you apply for a position
-
Payment information (processed securely through third-party
payment gateways; we do not store card details)
Information Collected Automatically
- IP address and browser type
- Pages visited and time spent on the site
- Referral source (how you found our website)
- Device information (operating system, screen size)
-
Cookie data (see our
Cookie Policy)
How We Use Your Information
- Respond to your inquiries and provide requested services
-
Send you project updates, invoices, and service communications
- Improve our website and understand how visitors use it
- Send marketing communications (only with your consent)
- Comply with legal obligations
- Prevent fraud and ensure website security
Data Storage & Security
Your data is stored on secure servers. We implement
industry-standard security measures including SSL encryption, access
controls, and regular security reviews to protect your personal
information from unauthorised access, disclosure, or destruction.
We retain personal data only for as long as necessary to fulfil the
purposes for which it was collected, or as required by law. Contact
form submissions are retained for up to 2 years unless you request
earlier deletion.
Sharing Your Information
We do not sell your personal data. We may share information with
trusted third parties who assist us in operating our website and
providing services:
-
Google Analytics — website analytics (anonymised
data)
- Meta Pixel — advertising and remarketing
-
Email service providers — for communication
-
Payment processors — for billing (they have their
own privacy policies)
We may also disclose information when required by law or to protect
our legal rights.
Your Rights
-
Access: Request a copy of the personal data we
hold about you
-
Correction: Request correction of inaccurate data
-
Deletion: Request deletion of your personal data
(subject to legal obligations)
-
Opt-out: Unsubscribe from marketing
communications at any time
-
Complaint: Lodge a complaint with the relevant
data protection authority
To exercise any of these rights, contact us at
support@pixelatenest.com.
Children's Privacy
Our website and services are not directed to children under the age
of 13. We do not knowingly collect personal information from
children. If you believe we have inadvertently collected data from a
minor, please contact us and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy periodically. We will notify you
of significant changes by posting the new policy on this page with
an updated date.
Contact Us
-
Email:
support@pixelatenest.com
-
Address: Kala Bhawan, Akharaghat Road, Muzaffarpur, Bihar –
842001, India
- Phone: +91-84069-12345
NestHR Privacy Policy
Effective: June 11, 2026 · Last Updated: June 11, 2026
1. Introduction
NestHR ("we", "our", "us") is a Human Resource Management System
(HRMS) platform developed and operated by Pixelate Nest. This
Privacy Policy explains how we collect, use, store, share, and
protect personal information when businesses ("Clients") use the
NestHR platform and when individuals ("Employees") interact with it.
By using NestHR, you agree to the collection and use of information
as described in this policy. This policy is governed by the
Digital Personal Data Protection Act, 2023 (DPDPA)
and the Information Technology Act, 2000 of India.
2. Who This Policy Applies To
-
Client Organisations — Companies and businesses
that subscribe to and administer NestHR.
-
End Users — HR managers, administrators, and
employees who access NestHR through a Client's account.
-
Visitors — Anyone who visits our marketing
website at
hrms.pixelatenest.com.
3. Data We Collect
3.1 Personal Identification Data
-
Full name, email address, phone number, gender, date of birth
- Government-issued identifiers: PAN number, Aadhaar number
- Profile photograph / avatar
3.2 Employment Data
- Employee ID, designation, department, branch
- Employment type (full-time, part-time, contract, intern)
- Join date, exit date, employment status
- Shift assignments and working hour configurations
3.3 Financial & Payroll Data
-
Bank account number, account holder name, IFSC code, bank name
-
Salary components: basic pay, HRA, DA, TA, medical and other
allowances
- Deductions: PF (Provident Fund), ESI, TDS, loan repayments
-
Net and gross salary calculations, overtime pay, penalty
deductions
- Statutory IDs: PF number, ESI number, UAN number
-
Loan and advance details including outstanding balances and EMI
schedules
3.4 Biometric Data
-
Face recognition data: facial descriptor vectors
and device-specific face templates captured via on-device cameras
-
Fingerprint data: device-specific fingerprint
templates enrolled on biometric hardware
-
RFID / NFC card UIDs linked to individual
employees
- Biometric enrollment timestamps and verification logs
Important: Biometric data is among the most
sensitive categories of personal data. It is collected only for
attendance verification and access control, processed on-device
where possible, and is never sold or shared with third parties for
any other purpose.
3.5 Attendance & Time Records
- Daily check-in and check-out timestamps
-
Total work hours, overtime hours, late arrivals, early departures
-
Attendance status (present, absent, half-day, on leave, holiday)
-
Verification method used (face, fingerprint, NFC card, PIN,
manual)
3.6 Leave Records
- Leave type, dates, duration, and reason
- Approval/rejection decisions and approver identity
- Remaining leave balance per type
3.7 Performance Data
-
Review periods, ratings (1–5 scale), goal descriptions and
achievement metrics
- Reviewer comments and employee self-assessments
-
Probation, quarterly, half-yearly, and annual review records
3.8 Recruitment Data
- Candidate name, email, phone, and uploaded résumé
-
Job posting details, salary ranges, hiring pipeline stage, and
interview notes
3.9 Account & Technical Data
-
Login credentials (passwords stored as bcrypt hashes — never in
plain text)
- JWT authentication tokens stored in browser local storage
- Last login timestamps, role assignments, account status
- IP addresses and device identifiers
4. How We Use Your Data
| Purpose |
Data Used |
| Employee identity verification and access control |
Biometric data, government IDs |
| Payroll processing and statutory compliance |
Financial data, attendance, leave, statutory IDs |
| Attendance management |
Biometric logs, timestamps |
| Leave and loan administration |
Leave records, loan details |
| Recruitment pipeline management |
Candidate data, job postings |
| Performance appraisal |
Review data, goal metrics |
| Subscription billing and invoicing |
Company contact, payment method tokens |
| WhatsApp / email notifications |
Phone number, email |
| Platform security and fraud prevention |
IP addresses, login history, rate limiting |
| Legal and statutory compliance (PF, ESI, TDS) |
Financial and statutory data |
We do not use personal data for advertising,
profiling for sale, or any purpose not listed above.
5. Data Sharing and Third-Party Services
5.1 Payment Processing
-
Razorpay — Subscription billing and payment
tokenisation. We store only the tokenised reference, not raw
payment credentials.
-
HDFC SmartGateway — Alternative payment gateway.
Order IDs and bank reference numbers stored; raw credentials are
not.
5.2 Communication
-
Meta WhatsApp Business API — HR notifications
(payslip ready, leave approval). Your phone number is transmitted
to Meta's servers to deliver messages.
-
Nodemailer (SMTP) — Email delivery of
notifications and reports.
5.3 Biometric Hardware
-
ZKTeco / ESSL Devices — Biometric templates are
synchronised between NestHR servers and on-premise biometric
devices. Data does not leave your organisation's network except to
sync with the NestHR server.
5.4 Cloud Infrastructure
-
MongoDB Atlas — All application data is stored on
MongoDB Atlas, which provides encryption at rest and in transit.
We do not sell, rent, or trade personal data to any
third party.
6. Data Retention
| Data Category |
Retention Period |
| Active employee records |
Duration of employment + 7 years |
| Payroll records |
10 years (statutory requirement) |
| Biometric data |
Duration of employment; deleted within 30 days of exit
|
| Attendance logs |
7 years |
| Recruitment data (non-hired candidates) |
1 year from last activity |
| Audit logs |
3 years |
| Deleted account data |
90 days (then permanently purged) |
7. Data Security
-
Encryption in transit: All API communication uses
HTTPS/TLS.
-
Encryption at rest: MongoDB Atlas encrypts data
at rest.
-
Password security: All passwords hashed using
bcryptjs (10 salt rounds). Plain-text passwords are never stored
or logged.
-
Access control: Role-based access control (RBAC)
with five distinct roles.
-
Authentication: JWT-based session management with
short-lived tokens.
-
Rate limiting: Authentication endpoints limited
(50 requests / 15 minutes).
-
Security headers: HSTS and Content Security
Policy enforced via Helmet.js.
-
CORS policy: Cross-origin requests restricted to
allowlisted domains.
In the event of a data breach, we will notify affected parties as
required by the DPDPA 2023 within 72 hours of
becoming aware.
8. Biometric Data — Special Notice
-
Collected only with the knowledge and consent of
the employee through the Client organisation's enrolment process.
-
Used exclusively for attendance marking and
access control.
-
Facial recognition processing occurs
client-side in the browser using
face-api.js where possible, minimising server-side
exposure.
-
Biometric templates stored in encrypted form and
not shared with any third party.
-
Employees may request deletion of their biometric data at any time
via their employer (Client organisation).
9. Your Rights
Under the DPDPA 2023, you have the right to:
-
Access — Request a copy of your personal data
held by us.
-
Correction — Request correction of inaccurate or
incomplete data.
-
Erasure — Request deletion of your data (subject
to statutory retention requirements).
-
Grievance Redressal — Lodge a complaint with our
Data Protection Officer.
-
Nomination — Nominate another person to exercise
rights on your behalf in case of incapacity.
-
Withdraw Consent — Where processing is
consent-based, withdraw consent at any time.
Note for Employees: NestHR acts as a
Data Processor on behalf of your employer (the
Client). For requests related to your employment data, please
contact your HR department directly.
10. Cookies and Tracking
The NestHR web application does not use tracking cookies or
third-party analytics cookies. We use session/authentication storage
in browser localStorage for JWT tokens only. No
advertising cookies, cross-site trackers, or fingerprinting.
11. Children's Privacy
NestHR is a professional employment platform. We do not knowingly
collect data from individuals under 18 years of age. If we become
aware that a minor's data has been collected, we will delete it
promptly.
12. Cross-Border Data Transfers
NestHR's servers are hosted in India via MongoDB Atlas. Payment
processing involves Razorpay (India) and HDFC (India). WhatsApp
messages are processed by Meta (USA). Where data is transferred
outside India, we ensure adequate contractual protections consistent
with the DPDPA 2023.
13. Changes to This Policy
When we make material changes, we will notify Client administrators
via email and via an in-app banner at least
14 days before the change takes effect.
14. Contact Us & Grievance Officer
NestHR — Pixelate Nest
Email:
support@pixelatenest.com
Address: Kala Bhawan, Akharaghat Road, Muzaffarpur, Bihar – 842001,
India
Response time: We aim to acknowledge all requests within
7 business days and resolve them within
30 days. If you are unsatisfied with our response,
you may escalate to the
Data Protection Board of India under the DPDPA
2023.
NestLeads CRM Privacy Policy
Effective: June 11, 2026 · Last Updated: June 11, 2026
Pixelate Nest ("we", "us", "our") operates NestLeads CRM, a
cloud-based lead management platform for businesses. This Privacy
Policy explains what data we collect, how we use it, how we protect
it, and your rights regarding it.
By using NestLeads, you agree to the practices described in this
policy. If you do not agree, please discontinue use of the platform.
1. Who This Policy Applies To
-
Business customers — companies and individuals
who subscribe to NestLeads
-
Users — employees and team members added to a
NestLeads account
-
Leads — contacts whose data is imported or synced
into the platform by business customers
- Visitors to our website
Note for Leads: If your contact information is
stored in NestLeads by a business you interacted with (e.g., after
submitting an Indiamart enquiry or Facebook lead form), that
business is the data controller for your information. Please contact
them directly for data-related requests.
2. Data We Collect
2.1 Account & User Data
| Data |
Purpose |
| Full name |
Account identification |
| Email address |
Login, notifications |
| Password |
Authentication (bcrypt hashed — never stored in plain text)
|
| Phone number |
Account contact |
| Role (Admin / Manager / User) |
Access control |
| Company / organisation name |
Account setup |
| IP address |
Security logging, activity audit trail |
2.2 Lead Data
| Data |
Source |
| Name, company, phone, email |
Manually entered or auto-imported |
| Location, city, pincode |
Lead profile |
| Requirement / product interest |
Lead enquiry details |
| Budget |
Lead qualification |
|
Lead source (Indiamart, Facebook, Manual, Excel, etc.)
|
Import/sync |
| Lead status and stage history |
CRM activity |
| Notes, remarks, follow-up dates, tags |
Sales team input |
2.3 Indiamart Integration Data
When a business connects their Indiamart account, we sync lead name,
company, phone, email, product query text, query type, timestamp,
and Indiamart Query ID (for deduplication) — fetched via Indiamart's
authorised API using the business's own API key.
2.4 Facebook / Meta Integration Data
- Lead name, phone, email (from Facebook lead forms)
- Facebook Lead ID, Form ID, Ad ID, Ad name and Page name
-
Facebook Page access tokens (encrypted at rest using AES-256-GCM)
2.5 WhatsApp Business Data
- WhatsApp Business Account ID (WABA ID), Phone Number IDs
-
Access tokens (encrypted at rest — AES-256-GCM), webhook verify
tokens
- Sent message records (message ID, status, timestamp)
-
Delivery and read receipts (Sent → Delivered → Read)
- Incoming text replies from leads
-
WhatsApp campaign details (recipients, statuses, failure reasons)
- Template names and content (synced from Meta)
We do not store media files sent via WhatsApp.
Media is uploaded directly to Meta's servers via the WhatsApp Cloud
API.
2.6 Billing & Subscription Data
-
Subscription plan (Free / Starter / Pro / Enterprise), plan expiry
date, Razorpay Subscription ID
We do not store card numbers, CVV, or full payment details. All
payment processing is handled by Razorpay.
2.7 Activity Logs & Technical Data
-
Which user performed an action, what action, which module,
timestamp, IP address
-
Browser and device type, API request logs, session tokens (JWT)
We do not use tracking pixels, advertising cookies, or third-party
analytics on the platform dashboard.
3. How We Use Your Data
| Purpose |
Data Used |
| Providing the CRM service |
Lead data, user accounts, integrations |
| Authentication and access control |
Email, password, JWT tokens, IP |
| Sending WhatsApp messages on behalf of businesses |
Lead phone numbers, WhatsApp credentials |
| Syncing leads from Indiamart |
Indiamart API key, lead data |
| Syncing leads from Facebook Lead Ads |
Facebook access tokens, lead data |
| Billing and subscription management |
Razorpay subscription ID, plan data |
| Security and fraud prevention |
IP address, activity logs |
| Customer support |
Account data, error logs |
| Email notifications (OTP, alerts) |
Email address |
| Product improvement |
Aggregated, anonymised usage patterns |
We do not use your data for advertising, profiling, or selling to
third parties.
4. Third-Party Services
| Service |
Purpose |
Data Shared |
| Meta (Facebook / WhatsApp) |
Lead Ads sync, WhatsApp messaging |
Lead data sent to WhatsApp Cloud API; Facebook tokens stored
encrypted
|
| Indiamart |
Lead sync |
Indiamart API key; lead data fetched from their API |
| Razorpay |
Subscription billing |
Business name, email; payment handled on Razorpay's servers
|
| MongoDB Atlas |
Database hosting |
All platform data stored in cloud database |
| SMTP |
Transactional emails |
Recipient email address |
5. Data Security
- Passwords — hashed using bcrypt
-
Access tokens (WhatsApp, Facebook) — encrypted at
rest using AES-256-GCM
-
API authentication — all requests require a valid
JWT bearer token
-
Multi-tenant isolation — each business's data is
scoped to their tenant ID
-
HTTPS — all data in transit is encrypted via TLS
-
IP logging — all sensitive actions are logged
with the user's IP
-
Role-based access — Admin / Manager / User roles
with separate permissions
6. Data Retention
| Data Type |
Retention Period |
| Lead data |
Retained as long as the business account is active |
| User accounts |
Retained until the user is deleted by the admin |
| Activity logs |
12 months |
| WhatsApp campaign logs |
12 months |
| Billing records |
7 years (legal/tax requirement) |
| Account data after cancellation |
Deleted within 90 days of account closure |
7. Your Rights
For Business Customers and Users
-
Access — Request a copy of the data we hold about
your account
-
Correction — Update inaccurate information
directly in the platform or by contacting us
-
Deletion — Request deletion of your account and
associated data
-
Portability — Request an export of your lead data
in CSV format
-
Restriction — Request that we stop processing
your data in certain ways
-
Withdraw Consent — Disconnect integrations
(Indiamart, Facebook, WhatsApp) at any time from Settings
For Leads (contacts stored in the CRM)
Your data is controlled by the business that collected it. Please
contact that business directly. If you cannot reach them, contact us
at
support@pixelatenest.com
and we will assist.
8. Cookies
The NestLeads platform uses only authentication
localStorage (JWT token) to keep you logged in. No
advertising cookies and no third-party tracking cookies.
9. Children's Privacy
NestLeads is a B2B business tool and is not intended for use by
individuals under the age of 18. We do not knowingly collect data
from minors.
10. International Data Transfers
Our servers are hosted in cloud infrastructure (MongoDB Atlas) which
may process data outside India. We ensure that such transfers comply
with applicable data protection laws.
11. WhatsApp Messaging — Additional Notice
-
Messages are sent via the
Meta WhatsApp Cloud API using the business's own
approved WABA account
-
NestLeads acts as a technology intermediary — we
do not initiate contact with leads independently
- All templates must be pre-approved by Meta before use
-
Lead phone numbers are passed to Meta's API solely to deliver the
message
-
Delivery receipts (Sent/Delivered/Read) are stored to help
businesses track campaign performance
12. Facebook Lead Ads — Additional Notice
-
NestLeads requests only
leads_retrieval and
pages_read_engagement permissions
-
Businesses are responsible for compliance with Meta's Platform
Terms and proper consent disclosures in their lead ad forms
13. Changes to This Policy
When we update this policy, the "Last Updated" date at the top will
change. For significant changes, we will notify active customers by
email. Continued use after changes means you accept the updated
policy.
14. Contact Us
Pixelate Nest
Email:
support@pixelatenest.com
General support:
support@pixelatenest.com
Website: pixelatenest.com