1 Who we are
Headx Monitor (hereafter "Headx," "we," "us," "our") is an employee monitoring and data loss prevention platform headquartered in Hyderabad, Telangana, India. We provide our services to corporate customers (Data Fiduciaries under the DPDP Act 2023) who in turn use the platform to monitor their own workforces.
For most personal data we handle, the corporate customer is the Data Fiduciary and Headx is the Data Processor.
2 Scope of this policy
This policy describes how we handle personal data in two distinct contexts:
- Marketing and sales contacts: visitors to headx.in, demo requesters, prospects in our sales funnel — Headx is the Data Fiduciary.
- Customer accounts and employee monitoring data: data captured by our agents and dashboard on behalf of our corporate customers — Headx is the Data Processor; the corporate customer is the Data Fiduciary.
If you are an employee whose company has deployed Headx, your employer's privacy policy and consent process are the primary governing documents. We honour our customers' instructions in handling your data.
3 Data we collect
From website visitors and prospects
- Name, email, phone, company name, role (when you submit a contact or demo form)
- IP address, browser type, pages visited, referrer URL
- Cookies and similar identifiers (see Section 11)
From customer administrators
- Name, email, role, tenant identifier
- Authentication metadata (session tokens, IP of login, MFA factors)
- Configuration choices, policies created, dashboards used
From monitored employees (where Headx is Data Processor)
- Application usage, websites visited, periodic screenshots, USB events, file-access events, clipboard contents, print metadata, agent telemetry
- Identifiers issued by the employer (employee code, department, manager assignment)
- Authentication metadata for the agent
4 Why we collect it
- To deliver the contracted monitoring service to our corporate customers
- To operate, secure, and improve the Headx platform
- To respond to support requests and sales inquiries
- To send service-related notifications (security advisories, planned maintenance, billing)
- To comply with applicable laws and regulator obligations
- To send occasional product-update communications to customer administrators (opt-out available)
5 Legal basis
For data we collect from our corporate customers and prospects, our legal basis is consent or the performance of a contract. For employee monitoring data, the corporate customer (Data Fiduciary) is responsible for obtaining consent from the monitored employees under the Indian IT Act 2000, IT Rules 2011, and DPDP Act 2023.
We process such data only on the customer's documented instructions.
7 How long we keep it
| Data type | Retention period |
|---|---|
| Marketing leads (uncontacted) | 24 months from last interaction |
| Customer account data | Duration of subscription + 90 days |
| Monitoring data (Cloud plan, default) | 30 days, customer-configurable up to indefinite |
| DLP and security-incident records | 3 years from the event |
| Billing and tax records | 8 years (Indian tax requirement) |
| Backups | 30 days from last write |
| Web server logs | 90 days |
On-Premise deployments — customer controls all retention. We do not hold a copy of your data.
8 How we protect it
See our Security & Compliance page and Security Architecture for the full technical and organisational measures. Headlines:
- TLS 1.3 in transit, AES-256 at rest
- AWS Mumbai data residency for Cloud
- Named-admin access with audit logging
- Code-signed agent
- Documented incident response programme
9 Your rights
Under the IT Rules 2011 and DPDP Act 2023, you have the following rights with respect to your personal data:
- Right to know what data we hold about you
- Right to correction of inaccurate data
- Right to erasure of your data (subject to statutory retention)
- Right to grievance redressal through our Grievance Officer
- Right to nominate another person to exercise these rights in case of death or incapacity
- Right to withdraw consent at any time
To exercise any of these rights, email privacy@headx.in. We acknowledge within 48 hours and resolve within 30 days.
10 International transfers
For Cloud-plan customers, all monitoring data stays within India (AWS Mumbai). Operational metadata (error logs, transactional email metadata) may transit through US-hosted services. We do not transfer monitoring data outside India for Cloud customers.
For customers outside India (UAE, Singapore, Malaysia via partners), we host data in the customer's chosen region. We sign appropriate data-transfer agreements where personal data crosses borders.
11 Cookies and tracking
headx.in uses the following categories of cookies:
- Strictly necessary — session cookies, CSRF protection. Required for the site to function.
- Analytics — aggregated visit data via privacy-respecting analytics. No cross-site tracking.
- Preferences — UI preferences, locale.
We do not use third-party advertising cookies. We do not track you across other websites. You can disable cookies in your browser; some site features will not work without strictly-necessary cookies.
12 Children
Headx services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, write to privacy@headx.in and we will delete it within 7 days.
13 Changes to this policy
We review this policy at least annually and update it when laws or our practices change materially. The "Last updated" date at the top reflects the current version. For material changes, we notify customer administrators by email at least 30 days before the change takes effect.
14 Contact and Grievance Officer
General privacy queries: privacy@headx.in
Grievance Officer (under IT Rules 2011 and DPDP Act 2023)
- Email: privacy@headx.in
- Response SLA: acknowledgement within 48 hours, resolution within 30 days
Data Protection Board of India: for unresolved grievances after the 30-day window, you may approach the Data Protection Board of India (once constituted) under Section 27 of the DPDP Act 2023.
Need detailed audit evidence or a signed DPA?
The full Statement of Applicability, latest penetration-test summary, sub-processor register with annual review records, and pre-filled CAIQ / SIG questionnaires are available under NDA — typically within 24 hours (IST business days).