Privacy Notice
Last updated: May 2026 · Issued under the Mauritius Data Protection Act 2017 (DPA 2017)
1. Data controller & processor (DPA §3)
Your employer (the Tenant admin who registered your company on MauriHR) is the Controller. MauriResources Ltd. is the Processor, acting only on documented instructions from your Controller. The MauriResources Data Protection Officer is reachable at [email protected].
2. Categories of data we process
- Identity: full name, email, NIC number, date of birth
- Employment: job title, department, base salary, start date, contract type
- Attendance: clock-in/out timestamps; optional GPS and selfie capture (the selfie is treated as §29 special category data where it is used to identify you; opt-in only)
- Leave & medical: requests, balances, medical certificates (§29(1)(g), explicit consent)
- Payroll: gross/net, PAYE, CSG, NSF, PRGF, HRDC, bank details
- Technical: IP address, user-agent hash (audit + security; lawful basis: §28(d) legitimate interest)
3. Purposes & lawful basis (DPA §23 / §28 / §29)
- HR administration: §28(b) performance of contract.
- Payroll + statutory filings (MRA PAYE/ROE/EDF/PACO, MNS NSF/CSG, PRGF, HRDC): §28(c) legal obligation.
- Attendance + leave + WRA 2019 statutory limits: §28(b)/(c).
- Security audit + RLS isolation: §28(d) legitimate interest.
- AI document generation (OpenAI / Anthropic): §24 explicit consent + §28(d) legitimate interest, capped per pricing tier.
4. Recipients & sub-processors (DPA §24(2)(c))
- Mauritius Revenue Authority: PAYE, ROE, EDF, PACO, VAT.
- Mauritius Network Services (MNS): NSF/CSG return upload.
- HRDC: Training Levy 1.5% return.
- Your bank: bulk salary credit (MCB, SBM, MauBank, ABC, AfrAsia, BankOne).
- Hetzner Online GmbH (Germany): hosting + nightly age-encrypted backups.
- Backblaze B2 (USA): encrypted off-site backup, payment-proof artefacts.
- OpenAI / Anthropic (USA): AI doc + chatbot, no training-set retention.
- Microsoft Azure (EU West): OCR via Document Intelligence, opt-in only.
- Cloudflare: edge WAF + CDN.
- Resend: transactional email (password reset, step-up OTP).
- Sentry: anonymised exception traces.
Each sub-processor is bound by a written transfer agreement and listed in our processor register; any addition to or change of a sub-processor is notified to tenant admins.
5. Cross-border transfer (DPA §36)
Hosting, AI inference, OCR and backups all involve transferring personal data outside Mauritius. We rely on §36(1)(b) explicit consent, ticked at registration (and re-requested if the law changes), backed by written transfer agreements and EU/EEA-equivalent safeguards. You may withdraw this consent at any time via /me/privacy.
6. Security (DPA §31)
Per §31(2)(a) we apply technical and organisational measures appropriate to the risk:
- PostgreSQL Row-Level Security on every tenant-scoped table.
- Fernet (AES-128-CBC + HMAC-SHA256) at-rest encryption for HRIS-API credentials + OCR fixtures, with explicit key rotation (`*_KEY_V1`, `_V2`, …).
- TLS 1.3 in transit, HSTS preload.
- JWT + step-up 2FA for sensitive operations; HttpOnly + SameSite cookies.
- bcrypt password hashing (cost ≥ 12); no plaintext storage.
- Tamper-evident audit log (IP + UA hash) on every privileged action.
- NIST CSF 2.0 control mapping; ISO 27001 alignment in progress.
7. Retention
Operational personal data: kept while you are an active employee and for 5 years after termination, per Income Tax Act §153. Payroll & banking records: 7 years (MRA and Banking Act requirements overlap). Audit logs: 5 years rolling. Letterbox feedback: never linked to identity (no IP, no UA, no user-id).
8. Your rights under DPA 2017 Part VII
- §37 access: request a copy of all data we hold on you.
- §38 rectification: correct inaccurate data.
- §39 erasure: request deletion (subject to statutory retention).
- §40 restriction / objection: pause specific processing.
- §41 portability: machine-readable export of your records.
- Withdraw consent at any time via /me/privacy; withdrawal does not affect prior lawful processing.
9. Breach notification (DPA §25)
We notify affected Controllers and the Data Protection Office within 72 hours of becoming aware of a personal data breach, so that each Controller can discharge its own §25 obligations to the Office and to affected data subjects. The notification covers the nature and scope of the breach, the technical indicators observed, and the remedial actions taken.
10. Contact + complaints
Privacy enquiries: [email protected].
You also have the right to lodge a complaint directly with the Data Protection Office of Mauritius: 5th Floor, SICOM Tower, Wall Street, Ebene · +230 460 0251 · [email protected].