Privacy Policy
Last updated: 13 April 2026
1. Who We Are
Pluxo is a product of Clevora AI Private Limited (CIN: U62099KA2025PTC201284), a company incorporated under the Companies Act, 2013, with its registered office at 235, Binnamangala, 2nd Floor, 13 Cross Road, Indira Nagar, Bangalore-560038, Karnataka, India ("Company", "we", "us", "our"). Pluxo is an AI-powered platform that generates and hosts websites for healthcare practices in India. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and other applicable Indian laws. This policy applies to: • Customers — healthcare practitioners and clinic owners who use Pluxo • Patients — individuals who interact with Pluxo-generated websites (booking appointments, making payments, sending WhatsApp messages) • Visitors — individuals who browse pluxo.ai or any Pluxo-generated site
2. Data We Collect
Customer data (provided directly): • Name and email — account creation, communication • Phone number — account verification, support • Clinic/practice name and specialty — website generation, theme selection • Payment information — subscription billing (processed by Cashfree, not stored by Pluxo) • Login credentials — authentication Customer data (sourced from public sources with your authorisation): • Google Places API — clinic name, address, phone, hours, reviews, photos, ratings • Google Maps — location and directions • Your existing clinic website — services, doctor profiles, descriptions • Search engines (Serper API) — public web results about your practice Patient data (collected through your generated website): • Name, phone, email — appointment booking • Appointment details — booking management • Payment details — processed by Cashfree • WhatsApp messages — AI receptionist responses via Gupshup • IP address, device info — site analytics Automatically collected data: • IP address, browser type, pages visited, referring URL, device type — via server logs and analytics
3. How We Use Data
We use personal data for the following purposes: • Providing the Service — generating, hosting, and maintaining your website • Processing payments — managing subscriptions and patient payments via Cashfree • Communication — account notifications, support, service updates • WhatsApp receptionist — processing and responding to patient messages via Gupshup • Appointment management — scheduling and managing bookings • Security — detecting and preventing fraud, abuse, and incidents • Legal compliance — fulfilling legal obligations, responding to lawful requests • Service improvement — analysing de-identified, aggregate usage patterns What we never do: • We never sell personal data to third parties • We never share patient data with other customers • We never use patient data for marketing • We never use customer or patient data to train AI models • We never display one customer's data on another customer's site
4. Legal Basis for Processing
Under the DPDP Act, 2023, we process your data on the following lawful bases: • Consent — when you create an account, submit information, or opt in to communications • Contractual necessity — when processing is necessary to provide the Service you subscribed to • Legal obligation — when we are required to retain records under tax, accounting, or other regulations • Legitimate interest — when processing is necessary for security, fraud prevention, or service improvement (using de-identified data) For patient data: the customer (healthcare practice) is the Data Fiduciary. Pluxo processes patient data on the customer's behalf as a Data Processor. Customers are responsible for obtaining valid consent from patients.
5. Data Sharing
We share data only with the following service providers, and only to the extent necessary: • Cashfree — payment details and transaction data for payment processing • Gupshup — WhatsApp messages and phone numbers for messaging • Google (Gemini AI) — clinic data for content generation • Google (Places API) — clinic identifiers for data enrichment • Vercel — site data and visitor analytics for website hosting • MongoDB Atlas — all stored data for database hosting Each provider processes data under its own terms and privacy policies. We may also disclose data if required by a court order, applicable law, or a request from a law enforcement authority, or to protect Pluxo's legal rights, safety, or property. In the event of a merger, acquisition, or asset sale, data may be transferred to the successor entity with prior notice to affected users.
6. Data Storage and Security
Data is stored on MongoDB Atlas (cloud database) and Vercel (hosting infrastructure). Servers may be located outside India; where data is transferred outside India, we ensure appropriate safeguards are in place under the DPDP Act. Security measures include: • Encryption in transit (TLS/HTTPS) and at rest for sensitive data • Access controls and authentication • Secure API key management • Environment-separated development and production systems • Regular security reviews In the event of a personal data breach, we will notify the Data Protection Board of India as required under the DPDP Act, notify affected customers without undue delay, and assist customers in fulfilling their notification obligations for patient data.
7. Data Retention
• Customer account data — duration of subscription + 90 days • Customer billing records — 8 years (Income Tax Act and GST requirements) • Patient booking data — duration of customer's subscription + 90 days • Patient payment records — 8 years (tax/accounting requirement) • WhatsApp message logs — 90 days • Server and access logs — 90 days • AI-generated content — duration of customer's subscription + 90 days After the applicable period, data is permanently deleted or irreversibly anonymised.
8. Your Rights Under the DPDP Act
As a Data Principal under the DPDP Act, 2023, you have the right to: • Access — request a summary of your personal data and processing activities • Correction — request correction of inaccurate or incomplete data • Erasure — request deletion of your data (subject to legal retention requirements) • Grievance redressal — lodge a complaint about our data practices • Withdraw consent — withdraw previously given consent at any time • Nominate — nominate another person to exercise your rights in case of death or incapacity Patients may exercise their rights by contacting the customer (Data Fiduciary) for matters related to the healthcare practice, or Pluxo for matters related to our processing. To exercise any of these rights, email privacy@pluxo.ai. We will respond within 30 days.
9. Cookies
Essential cookies: session management, authentication, CSRF protection. These are necessary for the Service to function and cannot be disabled. Analytics cookies: we may use analytics cookies to understand how the Service is used. These are only set with your consent where required by law. We do not use third-party advertising or tracking cookies on pluxo.ai or any generated site. You can control cookies through your browser settings.
10. Children's Data
The Service is not directed at individuals under 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly. For patient data: if a customer's practice serves minors, the customer is responsible for obtaining consent from the minor's parent or lawful guardian in accordance with the DPDP Act.
11. Grievance Officer
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act, 2023: Grievance Officer: Prabesh Goyal Email: prabesh.goyal@gmail.com Address: 235, Binnamangala, 2nd Floor, 13 Cross Road, Indira Nagar, Bangalore-560038, Karnataka, India The Grievance Officer will acknowledge complaints within 24 hours and resolve them within 15 days, or such period as prescribed under applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on pluxo.ai and notified via email to registered customers at least 15 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
13. Contact
For questions about this Privacy Policy or our data practices: Clevora AI Private Limited (trading as Pluxo) 235, Binnamangala, 2nd Floor, 13 Cross Road, Indira Nagar, Bangalore-560038, Karnataka, India Email: privacy@pluxo.ai We will respond to all privacy-related enquiries within 30 days.
If you have any questions about this Privacy Policy, please contact us at privacy@pluxo.ai.