Legal Document

Privacy Policy

This Privacy Policy explains how Vaixus Technologies collects, uses, shares, and protects personal data — both yours as a Client and that of your End Users processed through our AI Systems. We are committed to full compliance with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and all applicable data protection laws.

📅 Effective Date: 1 January 2026

🔄 Last Updated: 1 January 2026

🏛️ Compliant with: DPDP Act 2023, IT Act 2000

Who this applies to: This Privacy Policy applies to: (1) Clients — businesses and individuals who purchase or use Vaixus Services; (2) End Users — customers who interact with AI Systems deployed by Vaixus on behalf of Clients; and (3) Website Visitors — individuals who visit vaixus.in. If you are an End User interacting with a Vaixus-powered chat on a business's WhatsApp or website, the business (Client) is the primary data fiduciary responsible for your data. Vaixus processes it only on their behalf.

Table of Contents

01About Us & Controller Details
02Data We Collect — Clients
03Data We Collect — End Users
04Data We Collect — Website Visitors
05Legal Basis for Processing
06How We Use Your Data
07Data Sharing & Third Parties
08Data Retention
09Data Security
10Your Rights
11Children's Privacy
12Cookies & Tracking
13International Data Transfers
14AI-Specific Data Practices
15Data Breach Procedure
16Changes to This Policy
17Contact & Grievance Officer

01About Us & Controller Details

Vaixus Technologies is a sole proprietorship owned and operated by Soorya S V, based in Tiruppur, Tamil Nadu, India. For the purposes of data protection law:

Vaixus is the Data Fiduciary (Data Controller) for personal data of Clients and Website Visitors collected directly through vaixus.in.
For End User data processed through Client-deployed AI Systems, Vaixus acts as a Data Processor on behalf of the Client (who is the Data Fiduciary for those End Users).

Contact: For all data protection matters, contact us at soorya@vaixus.in. See Section 17 for our designated Grievance Officer details.

02Data We Collect — Clients

When you sign up, onboard, or use Vaixus Services as a business client, we collect the following categories of personal and business data:

Category	Data Collected	When Collected
Identity	Full name, business name, role/designation	Enquiry / onboarding
Contact	WhatsApp number, email address, business phone	Enquiry / onboarding
Location	Business address, city, state, PIN code	Onboarding / invoicing
Financial	GST number, payment transaction IDs (no card data stored)	Invoicing / payment
Business Data	Products, pricing, FAQs, policies, workflows you provide for AI training	Onboarding / ongoing updates
Communication	WhatsApp messages and emails exchanged with Vaixus support	Ongoing support
Usage / Technical	Dashboard login activity, feature usage, device/browser info	Service use

We do not collect your Aadhaar number, PAN, or other government-issued identity documents unless specifically required for GST invoicing purposes, in which case only the minimum necessary information is collected.

03Data We Collect — End Users (Your Customers)

When your customers interact with an AI System deployed by Vaixus on your behalf, the following End User data may be processed. We process this data as a Data Processor on your behalf — you as the Client are the Data Fiduciary responsible for obtaining lawful consent from your End Users.

Data Type	Purpose	Stored?
Name	Lead capture / order processing	Yes — in your dashboard
WhatsApp number / phone	Customer identification / order follow-up	Yes — in your dashboard
Email address	Lead capture (Website AI, if collected)	Yes — in your dashboard
Delivery address	Order fulfilment (WhatsApp AI)	Yes — in order records
Conversation content	AI response generation, performance monitoring	Yes — 90-day rolling window
Interaction metadata	Timestamps, message counts, session data	Yes — for analytics reports
Language preference	Multilingual response selection	Session only
Uploaded files	Document-based queries (Professional+)	Temporary — deleted after processing

Important for End Users: If you are an End User (a customer of a Vaixus Client) and wish to exercise your data rights — including accessing, correcting, or deleting your personal data — please contact the business you interacted with directly. They are the Data Fiduciary responsible for your data. You may also contact Vaixus at soorya@vaixus.in and we will assist you to the extent of our role as Data Processor.

04Data We Collect — Website Visitors (vaixus.in)

When you visit our website at vaixus.in, we may collect:

Contact form submissions: Name, phone number, email, business type, and message content submitted via the demo booking form.
Technical / analytics data: IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages. This is collected in aggregate and not linked to your identity.
Cookies: Session cookies required for basic website functionality. We do not use third-party advertising cookies. See Section 12 for full cookie details.

We do not use persistent tracking technologies, behavioural advertising cookies, or cross-site tracking on vaixus.in.

05Legal Basis for Processing

Under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable law, we rely on the following lawful bases for processing personal data:

Processing Activity	Legal Basis
Client account setup and service delivery	Performance of Contract (Terms of Service)
Payment processing and GST invoicing	Legal obligation / Performance of Contract
Sending service-related communications (reports, alerts)	Performance of Contract / Legitimate Interest
Processing End User data through AI Systems	Instructions from Client (Data Fiduciary) / Client's End User consent
Website analytics (aggregate, non-identifiable)	Legitimate Interest
Contact form enquiries	Pre-contractual steps / Consent
Responding to legal / regulatory requests	Legal Obligation
Service improvement using anonymised data	Legitimate Interest

We do not sell personal data. We do not process personal data for advertising profiling. We process only what is necessary for the specified purpose (data minimisation principle).

06How We Use Your Data

6.1 Client Data — How We Use It

To set up, configure, and operate your AI System.
To train the AI on your business products, services, pricing, and FAQs.
To send you daily/weekly/monthly performance reports and alerts.
To process payments and issue GST invoices.
To provide customer support via WhatsApp and email.
To notify you of service updates, maintenance windows, and policy changes.
To improve our AI Systems and services using anonymised and aggregated insights.
To comply with our legal obligations under Indian law.

6.2 End User Data — How We Use It

To generate AI responses to End User queries on behalf of the Client.
To store conversation history for 90 days to enable context-aware responses.
To populate Client dashboards with lead records and order information.
To generate anonymised analytics for performance reports to Clients.
To debug and improve AI response quality (on a strictly need-to-know basis).

6.3 What We Do NOT Do

We do not sell your data or End User data to any third party.
We do not use End User data to train general AI models shared across clients.
We do not profile End Users for advertising purposes.
We do not share Client Data with other Clients.
We do not use your business data (products, pricing) beyond what is needed to operate your AI System.

07Data Sharing & Third Parties

Vaixus does not sell, rent, or trade personal data. We share data only in the following limited circumstances:

Recipient	Data Shared	Purpose	Safeguards
Meta Platforms (WhatsApp)	Messages sent/received via WhatsApp AI	Message delivery infrastructure	Meta's Data Processing Terms; messages encrypted in transit
Razorpay	Transaction amount, Client name, invoice reference	Payment processing	RBI-compliant; PCI DSS certified; Razorpay Privacy Policy
Cloud Hosting Provider	All stored data (encrypted)	Infrastructure hosting & database	Encrypted at rest and in transit; access controls; DPA in place
Cloudflare (Professional+)	IP addresses, request metadata	Bot protection, DDoS mitigation	Cloudflare's Privacy Policy; data processed transiently
Legal / Government Authorities	As required by court order or law	Legal compliance	Only as required; Client notified where legally permissible

We do not transfer your data to any country outside India except as technically necessary for the cloud infrastructure and WhatsApp/Meta's global operations. Where international transfers occur, appropriate contractual safeguards are in place. See Section 13 for more detail.

08Data Retention

We retain data only for as long as necessary for the purposes described in this Policy:

Data Type	Retention Period	Basis
Client account data (name, contact, business info)	Duration of subscription + 3 years post-termination	Legal obligation (GST records), legitimate interest
GST invoices and payment records	7 years from invoice date	Income Tax Act / GST law requirement
End User conversation logs	90 days rolling (active subscription)	Legitimate interest (contextual AI responses)
End User lead records (name, phone, email)	Duration of Client subscription + 30 days post-termination	Client's instruction (Data Fiduciary)
All Client Data post-termination	30 days from termination, then permanently deleted	Client data export window
Website contact form submissions	12 months from submission, or until actioned	Legitimate interest (sales / support)
Website analytics data (aggregate)	24 months	Legitimate interest (site improvement)
Security logs	12 months	Legitimate interest (security monitoring)

Where data is retained for legal compliance purposes, it will be processed only for that compliance purpose and not for any other purpose. At the end of the retention period, data is permanently and securely deleted or anonymised.

09Data Security

Vaixus implements a comprehensive set of technical and organisational security measures to protect personal data from unauthorised access, disclosure, alteration, or destruction:

9.1 Technical Measures

Encryption in transit: All data transmitted between users and our systems is encrypted using TLS 1.2 or higher (HTTPS).
Encryption at rest: Databases and file storage are encrypted at rest using AES-256 or equivalent.
Access controls: Role-based access controls limit data access to personnel who require it for their specific function.
Authentication: Strong passwords, multi-factor authentication for all administrative access.
Automated backups: All data is backed up daily. Backups are encrypted and stored securely.
Bot protection: Cloudflare bot protection on Professional and Enterprise plans to prevent automated abuse.
Vulnerability management: Regular security reviews of our codebase and infrastructure.

9.2 Organisational Measures

Data access is restricted to Soorya S V and any authorised technical personnel engaged under confidentiality agreements.
No Client data or End User data is shared with or accessible to other clients.
All third-party service providers handling personal data are assessed for security compliance before engagement.

9.3 Limitations

Despite our efforts, no transmission or storage system can be guaranteed 100% secure. We cannot guarantee absolute security of personal data. In the event of a data breach, we will follow the procedure in Section 15.

10Your Rights

Under the DPDP Act, 2023, and applicable Indian data protection law, you have the following rights regarding your personal data processed by Vaixus as Data Fiduciary:

👁️

Right to Access

Request confirmation of whether we process your personal data and obtain a summary of the data we hold about you.

✏️

Right to Correction

Request correction of any inaccurate, incomplete, or outdated personal data we hold about you.

🗑️

Right to Erasure

Request deletion of your personal data where processing is no longer necessary for the purpose collected, subject to legal retention requirements.

📦

Right to Portability

Request a copy of your personal data in a structured, machine-readable format where technically feasible.

🚫

Right to Withdraw Consent

Where processing is based on your consent, withdraw consent at any time. This does not affect lawfulness of processing before withdrawal.

📢

Right to Grievance Redressal

Lodge a complaint with our Grievance Officer. If unresolved, escalate to the Data Protection Board of India when established.

10.1 How to Exercise Your Rights

To exercise any of the above rights, email our Grievance Officer at soorya@vaixus.in with the subject line "Data Rights Request". Include: your full name, contact information, the right you wish to exercise, and sufficient detail to identify the data concerned. We will respond within 30 days of receiving a verified request. We may need to verify your identity before processing the request.

10.2 Refusal of Request

We may decline to act on a rights request where: the request is manifestly unfounded or excessive; fulfilling it would conflict with a legal obligation; or the data is required to defend or establish legal claims. We will explain the reason for any refusal.

11Children's Privacy

Vaixus Services are intended for use by business owners and their customers who are at least 18 years of age. We do not knowingly collect personal data from individuals under the age of 18.

If you believe that a minor under 18 has provided personal data to us or through an AI System you operate, please notify us immediately at soorya@vaixus.in and we will take steps to delete such data promptly.

If you operate a business that serves customers who may be minors (e.g., coaching institutes, schools), you as the Client (Data Fiduciary) are responsible for obtaining appropriate parental consent before allowing minors to interact with your Vaixus-powered AI System and for complying with applicable laws protecting minors' personal data.

12Cookies & Tracking Technologies

12.1 Cookies Used on vaixus.in

Cookie Type	Purpose	Duration
Strictly Necessary	Session management, security (CSRF protection), form token	Session (deleted on browser close)
Functional	Remember your tab preferences (e.g., WhatsApp AI vs Website AI pricing tab)	30 days
Analytics (anonymised)	Page view counting, aggregate traffic analysis (no personal identifier)	90 days

12.2 What We Do NOT Use

Third-party advertising cookies (Google Ads, Meta Pixel, etc.)
Cross-site tracking technologies
Fingerprinting or device identification
Any cookie that tracks your behaviour across other websites

12.3 Cookie Control

You can control and delete cookies through your browser settings. Disabling strictly necessary cookies may affect the functionality of vaixus.in. Our website is designed to function with minimal cookie dependency.

13International Data Transfers

Vaixus is an Indian business and primarily processes data within India. However, due to the nature of our technology infrastructure, some data may be processed outside India in the following limited circumstances:

WhatsApp / Meta: Messages processed through the WhatsApp Business API transit Meta's global infrastructure, including servers outside India. This is governed by Meta's Terms and Data Processing Terms.
Cloud infrastructure: Our hosting provider may operate data centres in regions outside India. Data stored on such infrastructure is encrypted and governed by Data Processing Agreements.

Any international transfer of personal data is conducted with appropriate contractual safeguards consistent with the DPDP Act, 2023 and applicable Indian law. We will update this section if the Indian government publishes specific cross-border transfer rules under the DPDP Act.

14AI-Specific Data Practices

14.1 Client-Specific Training

Every Vaixus AI System is trained and configured exclusively using the data provided by that specific Client. We do not use one Client's business data, products, pricing, or customer conversations to train or improve AI Systems for any other Client. Each Client's data is isolated and processed in a dedicated configuration.

14.2 Conversation Data Usage

Conversation logs between End Users and AI Systems may be reviewed by Vaixus personnel for the following limited purposes: debugging errors or incorrect AI responses; improving AI response quality for that specific Client; generating anonymised performance analytics; and responding to Client support requests. All access is logged and limited to authorised personnel.

14.3 No Training on Sensitive Data

We strongly advise Clients not to configure their AI Systems to collect or process sensitive personal data such as health diagnoses, financial account numbers, government identity numbers, passwords, biometric data, or information concerning a person's religious beliefs, political opinions, or sexual orientation. Vaixus AI Systems are not designed or secured for sensitive personal data processing, and Clients are solely responsible for compliance if they choose to process such data.

14.4 Automated Decision-Making

Vaixus AI Systems make automated responses to customer queries. These automated responses are not used to make significant decisions about individuals (such as credit scoring, employment, or healthcare diagnosis). AI Systems produce informational responses and sales assistance only. Significant decisions based on AI interaction outputs remain the sole responsibility of the Client.

14.5 Model Improvement

Vaixus may use anonymised and aggregated performance data (e.g., average response accuracy rates, common question types across industries — with no personally identifiable information) to improve our overall AI platform and develop new features. No individual Client's identifiable business data or End User personal data is used for this purpose.

15Data Breach Notification Procedure

Despite robust security measures, in the event of a personal data breach, Vaixus will:

01Contain and assess the breach as soon as it is identified.
02Notify affected Clients within 72 hours of becoming aware of the breach, including: nature of the breach, data affected, number of individuals likely affected, likely consequences, measures taken or proposed.
03Report to the Data Protection Board of India (once operational) where required by the DPDP Act, 2023.
04Cooperate with Clients in notifying affected End Users where required.
05Document the breach, our response, and measures taken to prevent recurrence.

16Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, services, or applicable law. For material changes affecting your rights, we will provide at least 14 days' prior notice via email or WhatsApp to active Clients. For minor clarifications or non-material changes, we will update this page with a revised "Last Updated" date.

We encourage you to review this Policy periodically. Your continued use of Vaixus Services following any update constitutes acceptance of the revised Policy.

17Contact & Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, Vaixus has designated a Grievance Officer for data protection matters:

Grievance Officer: Soorya S V
Designation: Proprietor, Vaixus Technologies
Email: soorya@vaixus.in (Subject: "Privacy Grievance")
Address: Vaixus Technologies, Tiruppur, Tamil Nadu, India
Response Time: We will acknowledge your grievance within 24 hours and aim to resolve it within 30 days.

If you are not satisfied with our response, you have the right to escalate your complaint to the Data Protection Board of India (once constituted under the DPDP Act, 2023) or to seek redress through the Consumer Protection Act, 2019 mechanisms available to you.