THG The Holidays Group Public policy center

Privacy Policy

The Holidays Group CRM Privacy Policy

This policy explains how The Holidays Group CRM collects, uses, protects, shares, and retains workspace data for HR, Sales, Accounts, Payroll, Travel Operations, Call CRM, automation, and customer service workflows.

Effective date: June 21, 2026 Website: theholidaysgrouphr.in Contact: +91 82876 69022

1. Who This Policy Covers

This policy applies to The Holidays Group CRM, its customer workspaces, admins, staff users, candidates, employees, customers, passengers, suppliers, vendors, and other contacts whose data is entered or processed through the CRM.

The customer organization controls what business data is uploaded, who can access it, and how its users use the CRM. The CRM operator processes workspace data to provide, secure, support, bill, and improve the service.

2. Data We May Process

  • Company profile, branch, GST, billing, subscription, workspace settings, and admin contact data.
  • User account data, role permissions, department access, login activity, audit history, support activity, and security logs.
  • HR, recruitment, attendance, live camera verification, location, leave, payroll-support, document, policy acknowledgement, employee case, asset, and performance records.
  • Sales, lead, passenger, itinerary, flight, hotel, package, supplier, product, invoice, payment follow-up, receivable, GST report, and travel operations records.
  • Call logs, recordings when enabled, SMS, WhatsApp, email, reminders, delivery status, opt-out status, notes, tasks, comments, and automation records.
  • KYC or identity verification status, masked identifiers, consent records, reference IDs, document types, and provider responses when such features are enabled.

3. Why We Use Data

Data is used to create and manage workspaces, authenticate users, run role-based access, support HR and payroll operations, process sales and accounts work, manage travel bookings, create documents and reports, send reminders, provide communication tools, troubleshoot issues, prevent abuse, maintain audit logs, and meet legal, tax, security, billing, and dispute requirements.

4. Consent And Customer Responsibility

Customers must ensure they have a lawful basis, notice, consent, authorization, or business permission before entering data about employees, candidates, customers, passengers, suppliers, or other contacts. This includes permission for calls, messages, recordings, live camera attendance, location attendance, document storage, KYC checks, payroll-support data, and automation workflows.

Staff monitoring, attendance capture, communication recording, and customer outreach should be used only with proper notice and in line with applicable law, telecom rules, platform rules, and company policy.

5. Sharing With Service Providers

Data may be shared with hosting providers, email and SMTP providers, telecom and messaging providers such as Twilio or WhatsApp services, payment gateways such as Razorpay, storage providers, security tools, analytics, support tools, KYC providers, and other integrations only as needed to provide the requested CRM service or workflow.

Third-party services operate under their own terms, compliance rules, uptime, pricing, approvals, data handling, and regional processing practices.

6. Payments And Billing Data

The CRM may store invoice records, subscription status, plan details, billing contact information, payment references, gateway status, UPI AutoPay or card mandate status, manual payment proof, and collection follow-up history. Full card or banking credentials should be handled by the payment gateway and should not be stored in CRM notes or comments.

7. Security And Access Control

The CRM uses role-based permissions, branch scope, session controls, password protection, audit trails, activity logs, and operational safeguards. Customers must keep admin access limited, remove users who leave, review permissions regularly, keep devices secure, avoid shared passwords, and store API keys or secrets only in approved secure configuration areas.

8. Retention And Deletion

Workspace data is retained while the account is active and for reasonable backup, tax, audit, security, legal, dispute, recovery, and compliance periods after suspension, cancellation, or closure. Customers should request export before account closure. Some records may need to be retained where law, accounting, security, or dispute requirements apply.

9. User Rights And Requests

Where applicable, individuals may request access, correction, deletion, restriction, withdrawal of consent, or grievance support. Most requests should first be raised with the customer organization that controls the workspace. The CRM support team can assist with technically feasible actions after verifying the request and authority.

10. Cookies, Sessions, And Logs

The CRM may use cookies, local storage, session tokens, device data, IP information, browser details, and security logs to keep users signed in, protect accounts, remember settings, diagnose errors, and prevent abuse.

11. Children And Sensitive Data

The CRM is intended for business use. Customers should not enter children's data or sensitive personal data unless they have a clear lawful purpose, proper consent or authority, and suitable safeguards. Unnecessary full identity numbers, passwords, and highly sensitive records should not be stored in free-text notes.

12. Incident Reporting

Suspected unauthorized access, credential exposure, data leakage, wrong access, or misuse should be reported immediately. The CRM operator and customer should cooperate on investigation, containment, password resets, log review, provider notification, user notice, and corrective action.

13. Updates To This Policy

This policy may be updated as modules, laws, vendors, payments, telecom tools, KYC tools, or security practices change. The latest public version will be available on this page.

This public policy is part of The Holidays Group CRM customer workspace terms and should be read with the Terms of Service.