Version 1.2 | Effective Date: 27 April 2026 | Last Updated: 27 April 2026
Autoscal is a product and platform operated by Spark Eighteen Lifestyle Private Limited, a company incorporated under the laws of India, with its registered office at 4589, Sector B-5 & 6, Vasant Kunj, New Delhi – 110070, India. Spark Eighteen Lifestyle Private Limited is referred to in this Policy as "Autoscal", "we", "us", or "our". Autoscal is a cloud-based, multi-tenant Software-as-a-Service (SaaS) platform providing Human Resources, payroll, recruitment, project management, and workforce analytics services.
| Detail | Information |
|---|---|
| Company Legal Name | Spark Eighteen Lifestyle Private Limited |
| Country of Incorporation | India |
| Registered Office | 4589, Sector B-5 & 6, Vasant Kunj, New Delhi – 110070, India |
| Primary Hosting Region | AWS ap-south-1 (Mumbai, India) |
| Jurisdiction | New Delhi, India |
For privacy-related enquiries, please contact us at:
Data Protection Contact: DPO@sparkeighteen.com
Email: DPO@sparkeighteen.com
Address: 4589, Sector B-5 & 6, Vasant Kunj, New Delhi – 110070, India
This Privacy Policy applies to all personal data processed through the Autoscal platform and governs the following categories of individuals:
This Policy also covers data processed through third-party integrations (Fitbit, Google Calendar, Microsoft Outlook, Slack, Calendly, and others) where Autoscal acts as a data processor on behalf of the tenant company (data controller).
Autoscal implements data protection measures consistent with applicable privacy regulations, including the GDPR, India's DPDP Act 2023, and other relevant frameworks. Autoscal continuously reviews and enhances its privacy and security controls as the platform and regulatory landscape evolve.
Autoscal operates as a data processor on behalf of each tenant company, which acts as the data controller for their employees' personal data. This means:
3A. Tenant Responsibilities
Tenant organisations using the Autoscal platform are responsible for ensuring that they have a valid legal basis for collecting, uploading, and processing employee personal data through the platform, including obtaining any required notices, consents, or authorisations under applicable law. Autoscal acts solely as a data processor and cannot verify the lawfulness of the data submitted by tenant organisations. Tenants indemnify Autoscal against any claims arising from their failure to comply with applicable data protection obligations.
4.1 Personal Identifiable Information (PII)
| Data Field | Source | Purpose |
|---|---|---|
| Full name (first, last) | Employee / HR | Identity & profile management |
| Email address (personal & official) | Employee / HR | Communication & authentication |
| Mobile / phone number | Employee | Contact & SMS notifications |
| Date of birth | Employee | HR records & age verification |
| Gender | Employee | HR records |
| Blood group | Employee | Emergency reference |
| Marital status | Employee | HR records |
| Nationality | Employee | Compliance & payroll |
| Home address | Employee | HR records |
| Emergency contact (name, relationship, phone) | Employee | Safety |
| Profile photograph | Employee | Identity display |
| Candidate name, email, phone, resume | Candidate | Recruitment processing |
4.2 Employment & Professional Data
| Data Field | Source | Purpose |
|---|---|---|
| Job title, position, department | HR | Organisational profile |
| Employment start / end dates | HR | Records management |
| CTC (current and last) | HR / Payroll | Compensation management |
| Monthly remuneration | HR / Payroll | Salary processing |
| Skills | Employee / HR | Resourcing & talent management |
| Education (university, degree, CGPA, year) | Employee | Qualification records |
| Project allocations & hours | PM | Project management |
| Exit reason, exit date, exit documents | HR / Employee | Offboarding |
| Performance notes / comments | HR | HR records |
| Asset serial numbers & category | Admin | Asset tracking |
4.3 Financial & Banking Data
| Data Field | Source | Purpose |
|---|---|---|
| Bank account number | Employee | Salary disbursement |
| Bank IFSC code | Employee | Salary disbursement |
| Salary structure (earnings + deductions) | Payroll | Payslip generation |
| Payslips (PDF files) | Payroll | Record-keeping |
| Reimbursement amounts + receipts | Employee | Expense processing |
| Client billing addresses & rate cards | Admin | Project invoicing |
4.4 Health & Biometric Data
Important: Health and biometric data is classified as a special category of personal data under GDPR Article 9 and equivalent regulations. Collection of this data requires your explicit, informed, and freely given consent. The wellness module is entirely opt-in.
| Data Field | Source | Purpose |
|---|---|---|
| BMI | Fitbit / Employee | Wellness program |
| Blood pressure | Fitbit / Employee | Wellness program |
| Blood glucose | Fitbit / Employee | Wellness program |
| Cholesterol levels | Fitbit / Employee | Wellness program |
| Vitamin D & iron levels | Fitbit / Employee | Wellness program |
| Sleep data (duration & quality) | Fitbit | Wellness goals |
| Cardio / activity logs & step count | Fitbit | Wellness goals |
| Water intake & wellness goals | Employee | Gamification & wellness |
4.5 Authentication & Session Data
| Data Field | Source | Purpose |
|---|---|---|
| Email + password (stored as hashed) | Employee | Login authentication |
| JWT access tokens | System | Session authentication |
| OAuth tokens (Google, Outlook, Slack, Fitbit) | OAuth Providers | Third-party integrations |
| Login timestamps | Backend | Security auditing |
| Remember-me flag | Employee | Persistent sessions |
4.6 Device & Usage Data
| Data Field | Source | Purpose |
|---|---|---|
| IP address | Backend | Security & audit logging |
| Browser / user-agent | Backend | Analytics |
| Attendance clock-in/out timestamps | Employee | Time tracking |
| Location (for attendance verification) | Backend | Attendance verification |
We collect personal data through the following methods:
We process personal data only where we have a lawful basis to do so. The following table sets out our lawful bases per data category. For users located in India, processing is carried out in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable lawful uses under Indian law. Where required under the DPDP Act, 2023, consent shall be free, specific, informed, unconditional, and capable of being withdrawn by the Data Principal at any time.
| Data Category | Lawful Basis | Notes |
|---|---|---|
| Employment records & HR data | Contractual necessity | Required to perform the employment contract |
| Payroll & banking details | Contractual necessity | Required for salary disbursement |
| Authentication & session data | Legitimate interest / Contractual | Platform access and security |
| Health / biometric data | Explicit consent | Opt-in only; consent is revocable at any time |
| Google / Outlook calendar sync | Explicit consent | Via OAuth authorisation flow |
| Slack integration | Explicit consent | Via OAuth authorisation flow |
| Fitbit health integration | Explicit consent | Via OAuth authorisation flow |
| Candidate recruitment data | Consent / Legitimate interest | Processing job applications |
| Usage analytics & reporting | Legitimate interest | Platform performance & workforce insights |
| Error monitoring (Sentry) | Legitimate interest | Activated only after consent mechanism in place |
We share data with third-party providers only where necessary to deliver platform functionality. Autoscal does not sell personal data and does not share personal data for cross-context behavioural advertising. Autoscal uses commercially reasonable efforts to ensure third-party providers maintain appropriate data protection standards, whether via formal Data Processing Agreements (DPAs), standard contractual terms, or equivalent mechanisms. Autoscal is not responsible for the privacy or security practices of third-party services once data is transmitted to or processed by those services under the user's instruction.
| Third Party | Data Shared | Purpose | Consent Basis |
|---|---|---|---|
| Fitbit | Health metrics, activity, sleep data | Wellness tracking | OAuth (explicit) |
| Google Calendar | Events, meetings, availability | Calendar synchronisation | OAuth (explicit) |
| Microsoft Outlook | Events, meetings, availability | Calendar synchronisation | OAuth (explicit) |
| Slack | User identity, workspace data | In-app notifications | OAuth (explicit) |
| Calendly | Scheduling availability | Interview scheduling | Public scheduling link |
| Zoom / Google Meet | Meeting links | Video meeting integration | Configuration-based |
| Razorpay IFSC API | IFSC bank code only | Bank account verification | Automatic (no personal data) |
| Weather API | Inferred location query | Weather widget display | Automatic |
| Giphy API | Search query terms only | GIF picker feature | On use |
| Sentry (Error Monitoring) | Error logs, stack traces | Platform error monitoring | Legitimate interest (when active) |
Note: Each integrated third-party service is governed by its own Terms of Service and Privacy Policy. We encourage you to review those policies. By using integrated features, you also agree to the applicable third-party terms.
7A. Business Transfers
In the event of a merger, acquisition, corporate restructuring, financing transaction, or sale of assets involving Spark Eighteen Lifestyle Private Limited, personal data held by Autoscal may be transferred to the successor entity as part of the transaction. Any such transfer will be subject to applicable confidentiality obligations and data protection laws. We will notify affected users of any material change in data controller identity as required by applicable law.
The platform accepts and stores the following types of files:
All files are stored in secure cloud object storage on Amazon Web Services (AWS ap-south-1, Mumbai, India). Access to files is controlled via time-limited presigned URLs with expiration. File access is role-gated under our RBAC system, designed to ensure users can access only files they are authorised to view.
We retain personal data only for as long as necessary to fulfil the purposes outlined in this Policy, or as required by applicable law.
| Data Type | Retention Period | Notes |
|---|---|---|
| Employee profiles (active) | Duration of employment + 7 years | Statutory requirement in most jurisdictions |
| Payslips & salary data | 7–10 years | Tax & financial compliance |
| Exit documents | 7 years | Legal dispute resolution |
| Health & wellness data | Until withdrawn or account deletion request | Must honour right to erasure |
| Candidate data | 1 year post-rejection | GDPR: no longer than necessary |
| Authentication & audit logs | 90 days – 1 year | Security auditing |
| Reimbursement records | 7 years | Financial auditing |
| OAuth tokens | Session-based; cleared on logout | Revocable at any time |
| Approval audit trails | 7 years | Compliance & HR records |
Depending on your location and applicable data protection laws (including GDPR, India's DPDP Act 2023, CCPA, and equivalent laws), you may have the following rights in relation to your personal data:
To exercise any of these rights, please contact us at DPO@sparkeighteen.com. We will respond within 30 days of receiving your request, in accordance with applicable law.
The wellness and health tracking module on Autoscal involves the collection of special category data as defined under GDPR Article 9 and equivalent regulations. The following provisions apply:
Opt-In & Explicit Consent
Participation in the wellness programme (including Fitbit integration) is entirely voluntary. You will be presented with a clear, granular consent form before any health data is collected. You may withdraw consent at any time by disconnecting your Fitbit account in Settings. Refusal to provide health or wellness data will not affect your employment status, compensation, or access to core platform functionality.
Data Minimisation
We collect only the specific health metrics you consent to share. Metrics include BMI, blood pressure, blood glucose, cholesterol, vitamin D, iron levels, sleep data, and activity logs. You may consent to some metrics and not others.
Data Isolation
Your health data is not shared with your employer or other employees without your explicit authorisation. Aggregated, anonymised wellness statistics may be used for squad-level challenges and reporting.
Right to Erasure
You may request deletion of all health and biometric data at any time, independently of your other account data, by contacting DPO@sparkeighteen.com.
If you are a job candidate submitting an application via Autoscal's public-facing forms, the following applies:
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:
Despite our best efforts, no security system is impenetrable. In the event of a data breach that is likely to result in a risk to your rights and freedoms, where legally required, Autoscal will notify the relevant supervisory authority and affected users without undue delay and within applicable legal timelines (which may include 72 hours under GDPR or equivalent periods under other applicable laws).
While Autoscal implements commercially reasonable safeguards, the platform is provided on an ‘as available’ basis and uninterrupted or error-free operation cannot be guaranteed. Autoscal shall not be liable for any loss or damage arising from temporary unavailability of the platform due to maintenance, infrastructure issues, or circumstances beyond its reasonable control.
Autoscal uses secure session management mechanisms to maintain authenticated sessions. Session tokens are cleared upon logout. Autoscal does not currently use advertising cookies or cross-site tracking technologies.
| Storage Type | Data Stored | Purpose | Retention |
|---|---|---|---|
| localStorage | JWT access token | Maintain authenticated session | Until logout or token expiry |
| localStorage | Calendar integration flags | Remember connected integrations | Session-based |
| localStorage | Health integration flags | Remember Fitbit connection status | Session-based |
Note: Session tokens are cleared upon logout. Autoscal evaluates authentication and session management mechanisms in line with evolving security standards and will update this Policy to reflect material changes. Users are responsible for maintaining the security of devices used to access the platform.
Autoscal includes an AI-powered chat assistant within the platform. When you use the AI Assistant:
15A. Automated Decision-Making & Profiling
Autoscal does not use fully automated decision-making processes, including profiling, that produce legal or similarly significant effects on individuals without human involvement. All significant decisions affecting users — including employment recommendations, performance reviews, and access approvals — involve human oversight and are not made solely by automated systems.
Where analytics, leaderboards, or wellness insights are generated by the platform, these are informational tools provided to managers or employees and do not constitute binding automated decisions.
Autoscal's primary data hosting is on Amazon Web Services (AWS ap-south-1, Mumbai, India), meaning your data is stored within India. Certain third-party integrations (such as Fitbit, Google, Microsoft, and Slack) may process data outside India. Where data is transferred internationally, we ensure appropriate safeguards are in place, including:
The Autoscal platform is not designed for or directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted personal data through our platform, please contact us immediately at DPO@sparkeighteen.com and we will take steps to delete such data promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
We encourage you to review this Policy periodically. Continued use of the platform after the effective date of an updated Policy constitutes acceptance of changes that do not materially affect your rights or the basis on which we process your personal data. Where a material change affects the lawful basis for processing personal data or introduces new categories of processing, we will seek your explicit consent before the change takes effect, where required by applicable law. Continued use of the platform shall not be deemed to constitute consent to such material changes.
For any questions, concerns, or requests relating to your personal data or this Privacy Policy, please contact:
Privacy & Data Protection Contact
Interim Data Protection Contact
Spark Eighteen Lifestyle Private Limited (Autoscal)
4589, Sector B-5 & 6, Vasant Kunj, New Delhi – 110070, India
Email (DPO): DPO@sparkeighteen.com
General Support: support@autoscal.com
Grievance Officer (Privacy): privacy@sparkeighteen.com
We will acknowledge your request within 5 business days and provide a full response within 30 days of receiving your request, in accordance with applicable law. This Privacy Policy is governed by the laws of the Republic of India. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts of New Delhi, India. Where requests are complex or numerous, we may extend this period by a further 60 days; we will inform you of any such extension within the initial 30-day period, stating the reasons for the delay, as required by applicable law.
Spark Eighteen Lifestyle Private Limited (Autoscal) | Privacy Policy v1.2 | Effective 27 April 2026 | Last Updated 27 April 2026
© 2026 Autoscal. All rights reserved.