CLAVIS · LEGAL

Privacy Policy

EFFECTIVE8 June 2026
LAST UPDATED8 June 2026

This Privacy Policy describes how NIXE Labs(“NIXE Labs”, “we”, “us”, or “our”), a sole proprietorship operated by Harish Sivaram, collects, uses, and protects information in the Clavishotel operating system — the Clavis web application, mobile apps, WhatsApp interfaces and related backend services (together, the “Service”).

Clavis is sold to and used by hotels. This means we act in two different roles depending on the data — see Section 1. If you have any questions, contact us at nixe.cxt@gmail.com.

SECTION 01

Who we are, and our two roles

For the purposes of the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and India’s Digital Personal Data Protection Act, 2023 (DPDP Act), NIXE Labs (sole proprietor: Harish Sivaram) operates Clavis. Our responsibility depends on whose data it is:

  • We are the controller of the data belonging to the hotel and its staff who hold Clavis accounts — for example, the account and billing details of the hotel and the login profiles of owners, managers and staff.
  • We are a processorof the data a hotel’s guests generate — for example, guest profiles, bookings, folios, ID documents and messages. Here the hotel is the controller, and we process that data only on the hotel’s documented instructions to provide the Service. See Section 8.
  • CONTACTnixe.cxt@gmail.com
  • PRODUCTClavis — hotel operating system
SECTION 02

Information we collect

We collect only the information needed to run Clavis. We do not sell personal data, and we do not use it for advertising.

2.1 Hotel & staff account data (we are controller)

CategoryExamplesSource
Account & property detailsHotel/property name, address, GSTIN, room inventory, rate plans, billing contactWhen you set up your property
Staff user profilesName, work email, phone, role (owner / manager / front desk / housekeeping / F&B / accountant), password (stored as a hash by our auth provider — we never see it in plain text)When accounts are created
HR & payroll data (if you enable it)Employee records, attendance, leave, salary, statutory IDs (PF/ESI/PAN), bank details for payrollWhen you use the HR & Payroll module
Billing dataSubscription tier, invoices, payment statusYour Clavis subscription

2.2 Guest data (we are processor, on the hotel’s behalf)

CategoryExamplesSource
Guest profilesName, contact number, email, nationality, preferences (room, floor, diet), stay historyBookings, check-in, prior stays
Identity documentsID type and number (Aadhaar / passport / driving licence), and — for foreign nationals — the data required for Form C / the digital C-registerCaptured at check-in by the hotel, as required by law
Reservations & foliosBooking dates, room, rate, channel/OTA source, charges for room, F&B, laundry, minibar, travel desk, banquetsDuring the guest's stay
Payment recordsAmount, method, status, and references — card details are handled by our payment processor and are not stored by ClavisPayments and checkout
Guest messagesWhatsApp and in-app messages between the guest, hotel staff and the Clavis AIGuest communication

2.3 Information collected automatically

CategoryExamplesPurpose
Authentication tokensSession and refresh tokens kept on your device/browserKeeping you signed in
Activity & audit logsWho did what and when inside the Service (sign-ins, approvals, changes), timestampsSecurity, accountability and the in-app audit trail
Technical metadataPlatform, app/browser version, request timestamps, error diagnosticsService operation and troubleshooting

2.4 What we do NOT collect

  • Raw card numbers, CVVs or full bank credentials (these stay with our payment processor)
  • Advertising identifiers or cross-app/cross-site tracking data
  • Behavioural data sold to or shared with advertising networks
SECTION 03

How we use information

We use information for the following purposes (with the GDPR legal basis noted in brackets):

  1. To provide and operate the Service — running reservations, billing, housekeeping, channels, payroll and messaging. [Performance of contract]
  2. To power Clavis AI — drafting guest replies, suggesting rates, preparing folios, writing the morning briefing (see Section 4). [Performance of contract / legitimate interests]
  3. To send operational messages — booking confirmations, pre-arrival check-in, invoices and staff task notifications via WhatsApp, email and push. [Performance of contract]
  4. To meet legal obligations — GST invoicing and returns, Form C / guest-register requirements, statutory payroll filings, and tax record-keeping. [Legal obligation]
  5. To protect security — auditing access, detecting abuse and rate-limiting. [Legitimate interests / legal obligation]
  6. To support and improve the Service — responding to support requests and fixing problems. [Legitimate interests]
SECTION 04

The Clavis AI

Clavis includes AI agents that read your operational data to draft replies, suggest pricing, prepare the night audit and write your morning briefing. A few commitments about how that works:

  • Your data is not used to train third-party foundation models. We send data to our AI provider only to generate output for you, under terms that prohibit using it to train their general models.
  • A human stays in control. For anything that materially affects a guest or your finances, the AI proposes and a manager approves — you set what the AI may do autonomously and within what limits (e.g. price floors and ceilings).
  • Suggestions are clearly marked. The interface distinguishes facts from AI suggestions so staff always know which is which.
  • We do not use AI to make decisions producing legal or similarly significant effects about a person without human involvement.
SECTION 05

Service providers and international transfers

We share data with the following sub-processors strictly to operate the Service. Each is bound by contract to protect it.

ProviderPurposeData shared
Supabase Inc.Database, authentication, realtime and file storageAccount, staff and guest data described in Section 2
RazorpayPayment processing (cards, UPI, net banking, pay links) and, where enabled, payroll disbursementPayment amount, references and the details needed to take payment; card data is handled by Razorpay, not stored by Clavis
Meta Platforms (WhatsApp Cloud API)Sending and receiving guest and staff messages over WhatsAppPhone numbers and message content for those conversations
OTA / channel partnersTwo-way sync of rates, availability and bookings (e.g. Booking.com, MakeMyTrip, Expedia, Agoda)Booking and rate/availability data for your property
Our AI providerGenerating AI agent output and briefingsThe operational data needed to produce a given response (see Section 4)
Cloud hosting providerRunning the Clavis backendData in transit and at rest in the hosting region

We do notuse third-party advertising or cross-site analytics SDKs. Some providers may process data outside your country (for example, in the United States or the EU). Where this happens for EU/UK data, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses.

SECTION 06

How long we keep data (retention)

Where the hotel is the controller of guest data, retention is governed by the hotel’s instructions and by law. As a baseline:

Type of dataRetention
Hotel & staff account dataFor the life of the account; deleted on request after the account closes
Financial, tax & GST recordsRetained for the period required by Indian tax and company law (generally up to 8 years), even after account closure
Guest register / Form C dataRetained for the period required by applicable hospitality and immigration regulations
Guest messages & operational dataPer the hotel's configured retention, then deleted or anonymised
Security & audit logsUp to 12 months, then deleted
BackupsRoutine backups may retain data for up to 30 days before being overwritten
SECTION 07

Your rights

Depending on where you live, you have rights over your personal data, including the right to access, correct, delete, port, and object to or restrict certain processing, and to withdraw consent where we rely on it.

  • EU/UK (GDPR): you may also lodge a complaint with your local supervisory authority.
  • California (CCPA/CPRA): rights to know, delete, correct, and non-discrimination. We do not“sell” or “share” personal information as those terms are defined.
  • India (DPDP Act, 2023): rights to access, correction and erasure, grievance redressal, and to nominate another individual to exercise your rights.

If you are a hotel guest, the hotel is the controller of your data — please direct your request to the hotel, and we will assist them as their processor. For hotel and staff account data, email nixe.cxt@gmail.com. We respond within 30 days.

SECTION 08

Guest data and the hotel's responsibility

When a hotel uses Clavis to process its guests’ data, the hotel is the controller and NIXE Labs is the processor. We process guest data only:

  • on the hotel’s documented instructions and to provide the Service;
  • under appropriate confidentiality and security obligations;
  • with sub-processors that are themselves bound by equivalent terms; and
  • returning or deleting guest data at the end of the engagement, except where law requires us to keep it.

Hotels are responsible for collecting guest data lawfully (including giving guests appropriate notice and obtaining any required consent) and for using the Service in line with this policy.

SECTION 09

Security

We protect data using, among other measures:

  • Encryption in transit — all connections use HTTPS/TLS.
  • Encryption at rest — data stored in our database is encrypted at rest.
  • Role-based access & row-level security — staff see only what their role and property allow; tenants are isolated from one another.
  • Audit logging — security-relevant events are logged for monitoring.
  • Rate limiting — repeated failed sign-ins trigger a temporary lockout.

No system is 100% secure. If we become aware of a breach affecting personal data, we will notify affected controllers and the relevant authorities as required by law.

SECTION 10

WhatsApp and guest messaging

Clavis uses the WhatsApp Business (Meta Cloud API) to send and receive guest and staff messages — pre-arrival check-in links, confirmations, invoices, room service and task updates. Message content and phone numbers for those conversations are processed by Meta in order to deliver them. Standard WhatsApp terms and Meta’s own policies apply to the WhatsApp service itself. Guests can opt out of non-essential messages at any time.

SECTION 11

Children's privacy

Clavis is a business tool intended for use by hotel staff and is not directed at children. We do not knowingly collect personal data directly from children through the staff-facing Service. Where a guest record relates to a minor (for example, a child included on a booking), that data is provided and controlled by the hotel.

SECTION 12

Cookies and tracking technologies

The Clavis web application uses only essential cookies and similar technologies required to keep you signed in and to operate the Service securely. We do not use advertising cookies and we do not track you across other apps or websites.

SECTION 13

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the “Last updated” date at the top of this page.
  • For material changes (e.g. a new sub-processor or new category of data), notify hotels via the Service or by email.

Continued use of Clavis after the effective date of an updated policy constitutes acceptance of the changes.

SECTION 14

Contact us

If you have questions, complaints, or requests relating to your privacy or this policy:

NIXE LABS

Email: nixe.cxt@gmail.com

Subject line for privacy requests: “Privacy request — Clavis”

We aim to respond within 7 days for general queries and within 30 days for formal rights requests.

Clavis is in pre-launch. This policy is provided in good faith and is intended to align with the GDPR, UK GDPR, CCPA/CPRA, and India’s DPDP Act, 2023. It is not legal advice and will be finalised before general availability. When NIXE Labs operates Clavis under a registered legal entity, Sections 1 and 14 will be updated with the registered name and address.