Privacy Policy
This Privacy Policy describes how NIXE Labs(“NIXE Labs”, “we”, “us”, or “our”), a sole proprietorship operated by Harish Sivaram, collects, uses, and protects information in the Clavishotel operating system — the Clavis web application, mobile apps, WhatsApp interfaces and related backend services (together, the “Service”).
Clavis is sold to and used by hotels. This means we act in two different roles depending on the data — see Section 1. If you have any questions, contact us at nixe.cxt@gmail.com.
Who we are, and our two roles
For the purposes of the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and India’s Digital Personal Data Protection Act, 2023 (DPDP Act), NIXE Labs (sole proprietor: Harish Sivaram) operates Clavis. Our responsibility depends on whose data it is:
- We are the controller of the data belonging to the hotel and its staff who hold Clavis accounts — for example, the account and billing details of the hotel and the login profiles of owners, managers and staff.
- We are a processorof the data a hotel’s guests generate — for example, guest profiles, bookings, folios, ID documents and messages. Here the hotel is the controller, and we process that data only on the hotel’s documented instructions to provide the Service. See Section 8.
- CONTACTnixe.cxt@gmail.com
- PRODUCTClavis — hotel operating system
Information we collect
We collect only the information needed to run Clavis. We do not sell personal data, and we do not use it for advertising.
2.1 Hotel & staff account data (we are controller)
| Category | Examples | Source |
|---|---|---|
| Account & property details | Hotel/property name, address, GSTIN, room inventory, rate plans, billing contact | When you set up your property |
| Staff user profiles | Name, work email, phone, role (owner / manager / front desk / housekeeping / F&B / accountant), password (stored as a hash by our auth provider — we never see it in plain text) | When accounts are created |
| HR & payroll data (if you enable it) | Employee records, attendance, leave, salary, statutory IDs (PF/ESI/PAN), bank details for payroll | When you use the HR & Payroll module |
| Billing data | Subscription tier, invoices, payment status | Your Clavis subscription |
2.2 Guest data (we are processor, on the hotel’s behalf)
| Category | Examples | Source |
|---|---|---|
| Guest profiles | Name, contact number, email, nationality, preferences (room, floor, diet), stay history | Bookings, check-in, prior stays |
| Identity documents | ID type and number (Aadhaar / passport / driving licence), and — for foreign nationals — the data required for Form C / the digital C-register | Captured at check-in by the hotel, as required by law |
| Reservations & folios | Booking dates, room, rate, channel/OTA source, charges for room, F&B, laundry, minibar, travel desk, banquets | During the guest's stay |
| Payment records | Amount, method, status, and references — card details are handled by our payment processor and are not stored by Clavis | Payments and checkout |
| Guest messages | WhatsApp and in-app messages between the guest, hotel staff and the Clavis AI | Guest communication |
2.3 Information collected automatically
| Category | Examples | Purpose |
|---|---|---|
| Authentication tokens | Session and refresh tokens kept on your device/browser | Keeping you signed in |
| Activity & audit logs | Who did what and when inside the Service (sign-ins, approvals, changes), timestamps | Security, accountability and the in-app audit trail |
| Technical metadata | Platform, app/browser version, request timestamps, error diagnostics | Service operation and troubleshooting |
2.4 What we do NOT collect
- Raw card numbers, CVVs or full bank credentials (these stay with our payment processor)
- Advertising identifiers or cross-app/cross-site tracking data
- Behavioural data sold to or shared with advertising networks
How we use information
We use information for the following purposes (with the GDPR legal basis noted in brackets):
- To provide and operate the Service — running reservations, billing, housekeeping, channels, payroll and messaging. [Performance of contract]
- To power Clavis AI — drafting guest replies, suggesting rates, preparing folios, writing the morning briefing (see Section 4). [Performance of contract / legitimate interests]
- To send operational messages — booking confirmations, pre-arrival check-in, invoices and staff task notifications via WhatsApp, email and push. [Performance of contract]
- To meet legal obligations — GST invoicing and returns, Form C / guest-register requirements, statutory payroll filings, and tax record-keeping. [Legal obligation]
- To protect security — auditing access, detecting abuse and rate-limiting. [Legitimate interests / legal obligation]
- To support and improve the Service — responding to support requests and fixing problems. [Legitimate interests]
The Clavis AI
Clavis includes AI agents that read your operational data to draft replies, suggest pricing, prepare the night audit and write your morning briefing. A few commitments about how that works:
- Your data is not used to train third-party foundation models. We send data to our AI provider only to generate output for you, under terms that prohibit using it to train their general models.
- A human stays in control. For anything that materially affects a guest or your finances, the AI proposes and a manager approves — you set what the AI may do autonomously and within what limits (e.g. price floors and ceilings).
- Suggestions are clearly marked. The interface distinguishes facts from AI suggestions so staff always know which is which.
- We do not use AI to make decisions producing legal or similarly significant effects about a person without human involvement.
Service providers and international transfers
We share data with the following sub-processors strictly to operate the Service. Each is bound by contract to protect it.
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase Inc. | Database, authentication, realtime and file storage | Account, staff and guest data described in Section 2 |
| Razorpay | Payment processing (cards, UPI, net banking, pay links) and, where enabled, payroll disbursement | Payment amount, references and the details needed to take payment; card data is handled by Razorpay, not stored by Clavis |
| Meta Platforms (WhatsApp Cloud API) | Sending and receiving guest and staff messages over WhatsApp | Phone numbers and message content for those conversations |
| OTA / channel partners | Two-way sync of rates, availability and bookings (e.g. Booking.com, MakeMyTrip, Expedia, Agoda) | Booking and rate/availability data for your property |
| Our AI provider | Generating AI agent output and briefings | The operational data needed to produce a given response (see Section 4) |
| Cloud hosting provider | Running the Clavis backend | Data in transit and at rest in the hosting region |
We do notuse third-party advertising or cross-site analytics SDKs. Some providers may process data outside your country (for example, in the United States or the EU). Where this happens for EU/UK data, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses.
How long we keep data (retention)
Where the hotel is the controller of guest data, retention is governed by the hotel’s instructions and by law. As a baseline:
| Type of data | Retention |
|---|---|
| Hotel & staff account data | For the life of the account; deleted on request after the account closes |
| Financial, tax & GST records | Retained for the period required by Indian tax and company law (generally up to 8 years), even after account closure |
| Guest register / Form C data | Retained for the period required by applicable hospitality and immigration regulations |
| Guest messages & operational data | Per the hotel's configured retention, then deleted or anonymised |
| Security & audit logs | Up to 12 months, then deleted |
| Backups | Routine backups may retain data for up to 30 days before being overwritten |
Your rights
Depending on where you live, you have rights over your personal data, including the right to access, correct, delete, port, and object to or restrict certain processing, and to withdraw consent where we rely on it.
- EU/UK (GDPR): you may also lodge a complaint with your local supervisory authority.
- California (CCPA/CPRA): rights to know, delete, correct, and non-discrimination. We do not“sell” or “share” personal information as those terms are defined.
- India (DPDP Act, 2023): rights to access, correction and erasure, grievance redressal, and to nominate another individual to exercise your rights.
If you are a hotel guest, the hotel is the controller of your data — please direct your request to the hotel, and we will assist them as their processor. For hotel and staff account data, email nixe.cxt@gmail.com. We respond within 30 days.
Guest data and the hotel's responsibility
When a hotel uses Clavis to process its guests’ data, the hotel is the controller and NIXE Labs is the processor. We process guest data only:
- on the hotel’s documented instructions and to provide the Service;
- under appropriate confidentiality and security obligations;
- with sub-processors that are themselves bound by equivalent terms; and
- returning or deleting guest data at the end of the engagement, except where law requires us to keep it.
Hotels are responsible for collecting guest data lawfully (including giving guests appropriate notice and obtaining any required consent) and for using the Service in line with this policy.
Security
We protect data using, among other measures:
- Encryption in transit — all connections use HTTPS/TLS.
- Encryption at rest — data stored in our database is encrypted at rest.
- Role-based access & row-level security — staff see only what their role and property allow; tenants are isolated from one another.
- Audit logging — security-relevant events are logged for monitoring.
- Rate limiting — repeated failed sign-ins trigger a temporary lockout.
No system is 100% secure. If we become aware of a breach affecting personal data, we will notify affected controllers and the relevant authorities as required by law.
WhatsApp and guest messaging
Clavis uses the WhatsApp Business (Meta Cloud API) to send and receive guest and staff messages — pre-arrival check-in links, confirmations, invoices, room service and task updates. Message content and phone numbers for those conversations are processed by Meta in order to deliver them. Standard WhatsApp terms and Meta’s own policies apply to the WhatsApp service itself. Guests can opt out of non-essential messages at any time.
Children's privacy
Clavis is a business tool intended for use by hotel staff and is not directed at children. We do not knowingly collect personal data directly from children through the staff-facing Service. Where a guest record relates to a minor (for example, a child included on a booking), that data is provided and controlled by the hotel.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the “Last updated” date at the top of this page.
- For material changes (e.g. a new sub-processor or new category of data), notify hotels via the Service or by email.
Continued use of Clavis after the effective date of an updated policy constitutes acceptance of the changes.
Contact us
If you have questions, complaints, or requests relating to your privacy or this policy:
We aim to respond within 7 days for general queries and within 30 days for formal rights requests.
Clavis is in pre-launch. This policy is provided in good faith and is intended to align with the GDPR, UK GDPR, CCPA/CPRA, and India’s DPDP Act, 2023. It is not legal advice and will be finalised before general availability. When NIXE Labs operates Clavis under a registered legal entity, Sections 1 and 14 will be updated with the registered name and address.