Schedule a Demo

Schedule a Demo

Schedule a Demo


Your Privacy Is Our Priority

We're here to help and answer any question you might have. We look forward to hearing from you.

Introduction & Summary

Darwinbox (hereinafter referred to as Darwinbox, Company or Organization) provides an HRMS (Human Resource Management System) application that is used by customers to manage HR activities. This privacy policy applies to all our employees, prospective employees, customers as well as other users/ website visitors.

The following Privacy Policy (hereinafter referred to as privacy policy, privacy notice or privacy statement) describes how Darwinbox collects, uses, and discloses information, and what choices you have with respect to the information. Darwinbox is the controller for the personal data discussed in this Privacy Statement, except as noted in the “Darwinbox as a Service Provider” section below.

For the purposes of this policy references have been made to the General Data Protection Regulation (“EU GDPR”), 2016 and, the California Consumer Privacy Act, 2018 (“CCPA”), the California Privacy Rights Act, 2020 (together with the CCPA, “CPRA”).


This Privacy Notice applies to Visitors, Users, and Prospective Employees, Employees, and Independent Contractors (“individuals” or “you”) of Darwinbox. This Privacy Notice also applies to the prospective customers of Darwinbox who visit the website to understand the services provided by Darwinbox.

For the purposes of this notice, a “visitor” of Darwinbox refers to an individual who accesses Darwinbox’s website or mobile application with or without registering for an account, or who provides personal data to Darwinbox through other means, such as filling out a contact form or subscribing to a newsletter. A “user” of Darwinbox refers to an individual who has registered for an account on Darwinbox’s HRMS application either to access a demo or some other resource provided on the website.

This Privacy Statement will not be applicable for the businesses that use Darwinbox as processor. The businesses that use Darwinbox as processor/service provider are referred to as a “Customer” for sake of this Privacy Statement. For more information regarding the applicability of this notice on Darwinbox customers, please refer to Section Darwinbox as Service Provider/ Processor of this notice.

Both these categories of individuals or businesses are potential customers for Darwinbox, but with respect to the processing of their data, Darwinbox acts as a ‘Data Controller’ as per GDPR and ‘Business’ as per CPRA.

This Notice applies to Personal Data/Information and sensitive personal data, as defined under the GDPR and CCPA, that we collect to provide you with certain products and services (collectively, “Services”). This Notice does not apply to anonymized, de-identified or aggregate information if it is not Personal Information.

Darwinbox as Service Provider/ Processor

Darwinbox’s customers are organisations such as businesses, who use our services as a HRMS platform. Darwinbox acts as a processor processing personal data in these services only according to the customers’ instructions.

If you are an individual employee or prospective employee of a Darwinbox customer, this Notice does not apply to you. For information on your privacy rights and your employer’s privacy practices, please refer to your employer’s privacy notices. Under applicable privacy laws, we are a Data Processor under the GDPR or a Service Provider under CPRA and your employer is the Data Controller under the GDPR or the Business under CPRA.

Any queries or requests regarding the data processing from employees or users of a Darwinbox Customer, employee or users will be requested to reach out to the customer organisation.

Personal Data Collected by Darwinbox as Controller/ Business

The categories of information, including Personal Data that Darwinbox may have collected from you to provide certain services to you are listed below: (Please note that the following list is not exhaustive in nature)

  • First name
  • Last name
  • Email ID
  • Phone number
  • Company name
  • Job level
  • Functional role
  • Address

To access some areas of the Website, you will need to have account authentication credentials. As part of your account, you may choose to provide us with additional data, such as:

  • A photo
  • Social media profiles
  • Areas of expertise

As a service provider under Section 3 of this Policy, Darwinbox may collect more categories of personal data as per the agreement with Darwinbox’s customers. However, processing-related information is not covered under this policy. For enquiries related to the same, please contact your employer or consult your employer’s privacy policy. Any such queries shall be redirected to the respective Darwinbox customer.

Children’s Personal Information

Darwinbox’s services are not intended for or directed to children under the age of thirteen. The Company does not knowingly collect personal information directly from children under the age of thirteen without parental consent. If the company is made aware that a child under the age of thirteen has provided their personal information, Darwinbox will delete the information from its records.

If the personal data of a child is received by virtue of their parent being an employee or prospective employee of Darwinbox, the data is retained only after consent from parents has been obtained. The retention period and nature of processing and handling for this type of data is the same as other personal data received from the parent.

If the personal data of a child is received by virtue of their parent being an employee of Darwinbox’s customer, the privacy policy of the customers apply. Any queries about the same will be directed to the customer.

Website Visitor Information

Darwinbox collects your personal data when you contact us to register for an event, request information (whitepapers, reports etc.), or register for a free trial/demo. This information is used to set up the account and for service-related communications.

Darwinbox may use Cookies, Web Beacons, and other similar website tracking technologies like Google Analytics, LinkedIn, Bamboobox, HubSpot Marketing Hub to observe your activities, interactions, preferences, transactional information, and other computer and connection information (such as an IP (Internet Protocol) address) relating to your use of our websites and services. For more information about cookies, please refer to the cookie policy.

Darwinbox may also use log files, cookies, and similar technologies to collect information about the pages you view, links you click, and other actions you take when accessing our website or emails. If Darwinbox collects any other personal data from you, the company will explain the purposes at the time of collection.

Multifactor Resource Authentication

If you use certain systems provided by Darwinbox, the company will collect data from you to enable multi-factor authentication. Two-factor authentication (2FA) is a security process that adds an extra layer of protection to ensure the security of online accounts and personal data. It is a method of confirming users’ identities by requiring them to provide two different factors or pieces of information, typically a password or PIN code, and a unique code or token generated by an authentication app or device.

Users will be able to choose an offered multi-factor method, which may require additional information, such as mobile number, email address, or unique verification identifier.

Other Information

If Darwinbox collects any other personal data from you, the company will notify and explain the purposes of such collection at the time of collection.

Personal Data Obtained from Third-Party Sources

Darwinbox may also collect business contact information about you from other sources including third parties and from publicly accessible websites, such as your company’s website, professional network services, or press releases. Business contact information may include:

  • First name
  • Last name
  • Business email
  • Phone number
  • Company name
  • Job level
  • Functional role
  • Business street address
  • Online identifier
  • Employment history

In some instances, Darwinbox may combine personal data you have provided to us with personal data collected from other sources as described above. This data is processed to update, expand, and analyse the existing marketing records; identify new customers; create customized advertising or website experiences; and send marketing emails.

How Darwinbox uses your Personal Data

Darwinbox uses the data collected to contact the users/ visitors and other relevant individuals to provide Darwinbox’s websites, services, and support. For example, if you provide data a “Contact Us” form, your data will be used to respond to the request.

Darwinbox uses your personal data and information about your activity on our websites to contact you for marketing purposes in accordance with your marketing preferences, including telemarketing calls, and to send marketing emails that we believe may be of interest to you, such as product announcements, newsletters, educational materials, and details on upcoming events. The data is also used it to send administrative information, such as notices related to products, services, or policy changes. A detailed account of how Darwinbox uses your personal data is provided below:

  1. To Plan and Manage Events:
    Darwinbox uses your data for event planning and management, including registration, billing, and connecting with other event attendees or to contact you further about relevant products and services. Any information you provide about emergency contacts will be used for your safety purposes.

  2. For Improvement Purposes:
    Darwinbox uses the data collected to understand how the websites and services are being used and to make improvements. For example, the company may solicit your feedback about your experience using our services, and ways to improve those services.

  3. For Security and Investigations:
    Darwinbox may use your information to diagnose website technical problems, as well as to prevent, detect, mitigate, and investigate potential security issues, as well as fraudulent or illegal activity.

  4. To Personalize Your Experience:
    Darwinbox also may use your data to personalize your experience on our websites. Darwinbox or our service providers use website tracking technologies like, Google Analytics, LinkedIn, Bamboobox and HubSpot Marketing Hub, to display products, features, or content that are tailored to your interests and to present advertising on other sites. For more information on how cookies are used, please see the Cookie Policy, which can be found on the website.

  5. For Market Research:
    Darwinbox may use your data for market research purposes. This is done via functionality reporting on the data collected from you.
Data Disclosure

Darwinbox may share information with its affiliates and third-party service providers or vendors that have been contracted to offer services on behalf of the Organization. These service providers or vendors are only permitted to use the disclosed data in accordance with the instructions provided by the Organization via binding documents enforceable by the law.

Additional Disclosures

Darwinbox will not disclose customer data unless it is required to do so to comply with the statutory law or a binding order of a governmental body or a judicial authority. If a governmental body issues a notice or a directive to Darwinbox to share the customer data, Darwinbox will attempt to redirect the same to the Customer which shall be at the sole discretion of such authority. Governmental and regulatory bodies need to follow the stipulated procedure to obtain valid and binding orders that shall be undisputed. The company will review all orders and object to overbroad or otherwise inappropriate ones. If compelled to disclose customer data to a government body, Darwinbox will give customers reasonable notice of the demand to allow the customer to seek a protective order or other appropriate remedy unless Darwinbox is legally prohibited from doing so.

Darwinbox does not sell personal data that is collected or processed under this Privacy Statement.

International Data Transfers

Darwinbox while headquartered in Hyderabad, India and with registered offices in Singapore, Indonesia, the US, Malaysia, Dubai, Thailand and the Philippines, operates as a global business and may transfer, store, or process your personal data in a country outside your local jurisdiction, including countries outside the European Economic Area (“EEA”). However, the company has taken appropriate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights. For example, if Darwinbox transfers personal data from the EEA to a country outside it, such as the United States, it will implement an appropriate data transfer solution such as entering into EU standard contractual clauses with the data importer or taking other measures to provide an adequate level of data protection under EU GDPR.

Transfer of data from the US to other countries only happens once Darwinbox determines that the personal data transferred across borders is protected using appropriate safeguards. This includes implementing contractual or other measures to ensure that the recipient provides a level of data protection that is comparable to the protections afforded by the CCPA, as assessed by conducting risk assessments for cross-border transfers. The consumers will be notified of the cross-border transfers of their personal information including the categories of personal information that will be transferred, the countries to which the information will be transferred, and the purposes for which the information will be used. The consumer’s explicit consent will be obtained before making the transfer.

For the purposes of the processing conducted in the capacity of a processor, Darwinbox is not liable to implement the controls noted above. The implementation of the appropriate safeguards is the responsibility of the data controller which in this case would be the Darwinbox customers. If you are an employee of a business that uses Darwinbox, please contact your employer for questions regarding cross border data transfer.

Data Retention as a Controller/Processor
  • Darwinbox in the capacity of controller stores your Personal Information for different time periods depending on the category of Personal Information and the nature of relationship that you have with the company. The Company determines how long it needs Personal Information on a case-by-case basis, but the goal is to keep your Personal Information for as short a time period as possible to achieve the purpose for which Personal Information is collected.

    Darwinbox will retain your personal data as long as is necessary to fulfil the service that you have requested. This is done in compliance with the US regulations such as CCPA and CPRA and the principles of GDPR. For an elaborate insight on the retention periods of individual categories of data collected by Darwinbox, please contact us at

  • Darwinbox in the capacity of processor as per Section 3 of the policy, with respect to the data of employees of the Darwinbox customer, the Darwinbox customer is responsible for defining the data retention period for their data, taking into consideration relevant laws and regulations.

    The customer shall define the data retention period for their data, taking into account the purpose for which the data was collected and processed, the applicable legal requirements, and the customer’s own data retention policies. The data retention period should not exceed the time necessary to fulfil the purpose for which the data was collected or to comply with legal requirements. Data entered in a Darwinbox enterprise service is retained in accordance with any applicable agreement between Darwinbox and its customer.

Your Rights Over your Personal Data

Depending on where you are located, you may have certain legal rights over the personal data we hold about you, subject to local privacy laws.

If you are located in the US, the CCPA/CPRA ensures that you have the:

  • Right to Know: You have the right to know explicitly what data is being collected on you as well as for what exact purpose.

  • Right to Delete: You have the right to request any personal information collected on you by businesses be deleted.

  • Right to Opt-out of Sale of personal Information: You can choose to not allow for the sale of your personal information. (Darwinbox does not sell any data collected or processed)

  • Right to Rectification: You have the right to request changes and alterations to the personal information collected by the business that has since become outdated/incorrect/obsolete.

  • Right to Access Personal Information: You have the right to request access to specific pieces of personal information or categories of personal information collected about you including the sources from where it was collected, the business or commercial purpose for which it was collected, sold or shared and the categories of third parties with whom the personal information was disclosed to.

  • Right to Limit Use and Disclosure of Sensitive Personal Information: You have the right to restrict the use and disclosure of information that has been defined as sensitive personal information.

  • Right of No Retaliation Following Opt-Out or Exercise of Other Right: You have the right to have the right to exercise any of their data subject rights without having to endure any form of retaliation or loss in their user experience.

For EEA (“European Economic Area”), United Kingdom and Singapore Residents:

  • Right to be Informed: You can have clear and concise information about what is done with your personal data and why.

  • Right to Access: You can access the personal data we hold about you.

  • Right to Data Portability: You may receive the personal data provided to a controller, in a structured, commonly used, and machine-readable format and may transmit those data to another controller.

  • Right of Correction: You can have incorrect personal data updated or deleted.

  • Right of Erasure: You can have your personal data deleted.

  • Right to Restrict Processing: You may object to the processing of your personal data carried out based on our legitimate interests or for direct marketing purposes.

  • Right to Object: You have the right to have a mechanism to opt out of marketing communications at any time.

  • Right Not to be subject to automated decision making: You cannot be subject to a decision based solely on automated processing, including profiling, which produces legal effects or otherwise significantly affects you.

Darwinbox will not discriminate against you for exercising your rights. You, or an authorized individual that we can verify is acting on your behalf, can exercise the applicable rights by contacting us using the contact details at the bottom of this Privacy Statement or by submitting your request through

If your personal data has been submitted by or on behalf of a Darwinbox customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the relevant customer directly.

If the local regulations require certain categories of personal data to be retained for legal and regulatory purposes, a data subject’s right to erasure will not be fulfilled. In such situations, Darwinbox shall provide the data subject with a notification explaining the reasons for unfulfillment of the request.

Handling Customer Data Subject Requests

For DSRs received by Darwinbox as a Processor:

The handling of Customer Data Subject Requests (DSRs) as received by Darwinbox from its customers as defined in Section 3 of this policy, is a critical aspect of the organization’s data protection policy. As per the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), individuals have certain data subject rights related to their personal information that Darwinbox as a processor is committed to uphold.

For customer data, the customer will be responsible for raising DSRs to the organization. The customer will act as the data controller and provide Darwinbox with the necessary information to identify the requester and the personal information requested. The organization will then act as the data processor and process the request in accordance with the customer’s instructions.

For DSRs received by Darwinbox as a Controller:

In accordance with the Data Subject Rights provided in the relevant regulations, the organization will take the following steps to handle Data Subject Requests, which will vary based on the type of data involved:

  • Website and Marketing Data: The organization will handle DSRs for website and marketing data that we collect, use, and store. Darwinbox will use reasonable means to verify the identity of the requester and process the request in accordance with the instructions provided by the customer.

  • Documentation: The organization will maintain records of all DSRs and the actions taken in response to each request. This documentation will be kept for a period of time specified by the applicable regulations. The records of DSAR will be deleted periodically as per company policy.

Timeline of Resolution:

The organization is committed to protecting the privacy rights of individuals and will take all necessary steps to ensure that Data Subject Requests are handled in a timely and effective manner, regardless of the type of data involved.


The California Consumer Privacy Act (CCPA) provides certain rights to California residents with respect to their personal information as mentioned in Section 15 of this policy.

If you are a California resident and would like to make a CCPA request, please send an email to Darwinbox will respond to your request within 45 days.


The General Data Protection Regulation (GDPR) is a privacy law in the European Union (EU) that applies to organizations that process personal information of individuals in the EU. As mentioned in Section 15, GDPR provides the data subject with certain rights. If you are an individual in the EU and would like to exercise your rights under GDPR, please send an email to Darwinbox will respond to your request within 30 days

Mechanism of Contact

For DSR related queries as mentioned in Section 15 and Section 18 of this policy please send an email to

For other grievances and queries on our privacy policy or the use of our services, you may contact us through email at

You may also contact Darwinbox at our mailing address below:

Darwinbox Digital Solutions Private Limited

Skootr Managed Office, Block C, RMZ Futura,
3rd Floor, Plot No. 14 and 15, Survey No. 64 (P), Road No. 2,
Hitech City Layout, Madhapur, Serilingampally Mandal,
Ranga Reddy District – 500081, Telangana

Legal Basis for Processing Personal Data

Darwinbox’s legal grounds for collecting and using your personal data as described in this Privacy Statement fall into the following four categories:

  • Consent: In some cases, the organization asks you for your consent to process your personal data, such as when there is need for your consent for marketing purposes. You can withdraw your consent at any time, which will not affect the lawfulness of the processing before your consent is withdrawn. If you would like to withdraw your consent, you can do so by contacting Darwinbox as provided in Section 18 of this policy below.

  • Legitimate Interest: Darwinbox processes certain data for the legitimate interests of the organization, its affiliates, partners, or customers. These legitimate interests include, for example, contacting you to provide support or sending you marketing information (subject to applicable law); detecting, preventing, and investigating illegal activities and potential security issues; and maintaining and improving the Website and mobile applications. The company will rely on its legitimate interests for processing personal data only after balancing our interests and rights against the impact of the processing on individuals.

  • Performance of a Contract: Sometimes Darwinbox processes personal data to perform its obligations decided as per its agreement with you. This may include using payment information you provide when you register for an event to process your payment for access to the services you have purchased.

    In situations where Darwinbox acts as a processor the processing is as per contractual obligation with Darwinbox Customers.

  • Other Legal Basis: In some cases, the company may have a legal obligation to process your personal data, such as in response to a court or regulator order. Darwinbox also may need to process your personal data to protect vital interests, or to exercise, establish, or defend legal claims.

We use technical and organizational measures that provide a level of security appropriate to the risk of processing your personal data. This includes conducting Transfer Impact Assessments and having Standard Contractual Clauses in place before cross border data transfers. As per technical measures only role-based and department-based access is allowed for employees who require access to the personal data collected by Darwinbox. This is done by only allowing for SSO login.

In case there is a requirement to share the collected personal data with an external team, the same is done by allowing restricted access to data present on our CRM system and via email.

To ensure that the organization is in compliance with the principles of data protection and the mechanisms in place are effective, reviews are conducted in a quarterly basis. An internal audit is also conducted periodically.

However, the security of information transmitted through the internet can never be guaranteed. You are responsible for maintaining the security of your password or other form of authentication involved in accessing password-protected or secured resources.

Changes to this privacy statement

This Privacy Statement may be amended or revised from time to time at the discretion of Darwinbox. Changes to this Privacy Statement will be posted on the Website and links to the Privacy Statement will indicate that the statement has been changed or updated. If there is a proposal to make any material changes, Darwinbox will provide notice prior to the change becoming effective. The organization encourages you to periodically review this Privacy Statement for the latest information on its privacy practices.

Scroll to Top