Privacy Policy

1. Who we are

This website, vexo.club (the “Site”), is operated by Vexocore IT Services Private Limited (the “Data Fiduciary”), a company incorporated under the laws of India with registered office in Rajasthan, India.

Corporate identifiers — CIN: U72900RJ2022PTC085082; GSTIN: 08AAJCV1239L1ZY; PAN: AAJCV1239L.

For the purposes of the DPDP Act, we act as a Data Fiduciary. For the purposes of GDPR (where applicable), we act as a Data Controller.

2. Personal data we collect

We only collect personal data that is necessary to operate vexo.club and to respond to your enquiries. The categories are:

• Contact details you provide on the brief form — name, email address, company name, role, telephone (if supplied), the brief or message text, budget band, timeline, creator-tier preferences, and platform preferences.
• Account data (admin users only) — name, email, hashed password, role (admin/operator/viewer) and session metadata. Admin accounts are created manually for Vexocore staff and authorised operators.
• Technical data — IP address, browser type and version, device type, referring URL, pages viewed, and timestamps. Logged only for a rolling 30 days for security, fraud prevention, and analytics.
• Cookies and similar technologies — see our Cookie Policy.

We do not knowingly collect personal data from individuals under the age of 18.

3. Why we process your data (purposes & legal bases)

Under the DPDP Act, every processing activity must have a lawful ground. We rely on the following:

• Your consent (DPDP § 6) — when you submit a brief through our contact form, subscribe to communications, or accept non-essential cookies. You may withdraw consent at any time by emailing [email protected].
• Legitimate uses (DPDP § 7) — to respond to a brief you voluntarily submit, to fulfil an engagement you commission, and for compliance with an order of a court or requirement of law.
• Contract performance — to perform services under a Master Services Agreement (MSA) or Statement of Work (SOW) where you are a counterparty.
• Legal and tax obligations — to issue invoices, maintain books of account, and meet GSTIN / Income Tax / MCA filing requirements.

4. How long we keep your data (retention)

• Inbound briefs that do not convert into an engagement — retained for 24 months from the date of the last meaningful interaction, then deleted or irreversibly anonymised.
• Client records (engaged briefs) — retained for the duration of the engagement plus 8 years, in line with the record-retention requirements of the Companies Act, 2013 and the Income-tax Act, 1961.
• Admin accounts — retained for the duration of the staff member's engagement with Vexocore, then deleted within 90 days of departure.
• Server and access logs — 30 days rolling.

5. Who we share your data with (sub-processors)

We disclose personal data only to service providers who help us operate vexo.club, each bound by confidentiality and data-protection terms at least as protective as this Policy:

• Cloudflare — CDN, DDoS protection, TLS termination. Role: processor.
• Brevo — transactional email delivery (brief confirmations). Role: processor.
• Plausible Analytics — privacy-first, cookie-free analytics. Role: processor.

We do not sell your personal data. We do not disclose personal data to government authorities except as required by a validly issued legal order.

6. Cross-border data transfers

Some of our sub-processors may store and process data outside India. Transfers are made under the authorisations permitted by the DPDP Act. A copy of the applicable safeguards can be requested from [email protected].

7. Your rights as a Data Principal (DPDP Act)

Under the DPDP Act, you have the right to:

• Access a summary of your personal data and the processing activities (§ 11).
• Correction, completion, updation, and erasure of your personal data (§ 12).
• Withdraw consent previously given, with effect going forward (§ 6(4)).
• Grievance redressal through our Grievance Officer, and onward escalation to the Data Protection Board of India.
• Nominate another person to exercise these rights in the event of your death or incapacity (§ 14).

To exercise any of these rights, email [email protected] with the subject line “Data Principal Request.” We will respond within 30 days.

8. GDPR / UK GDPR addendum (for EU & UK residents)

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, the EU GDPR and the UK GDPR apply to the extent Vexocore processes your personal data. This section supplements everything above.

8.1 Our role

For personal data you submit directly (e.g. through the brief form), Vexocore is the Controller under Art. 4(7) GDPR.

8.2 Legal bases (Art. 6)

• Art. 6(1)(a) — Consent: when you submit a brief, subscribe to communications, or accept non-essential cookies.
• Art. 6(1)(b) — Contract: where you are a party to (or about to enter) an MSA/SOW with Vexocore.
• Art. 6(1)(c) — Legal obligation: tax, books of account, and ROC filings under Indian law.
• Art. 6(1)(f) — Legitimate interests: site security, fraud prevention, product analytics.

We do not rely on special-category data processing (Art. 9). Do not share health, political, religious, biometric, or similar data in a brief.

8.3 Your rights

• Access (Art. 15): confirmation whether we process your data, and a copy of it.
• Rectification (Art. 16): correct inaccurate or incomplete data.
• Erasure / “right to be forgotten” (Art. 17): deletion where our lawful basis no longer applies.
• Restriction of processing (Art. 18).
• Data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
• Object (Art. 21): to processing based on legitimate interests, and to direct-marketing processing at any time.
• Withdraw consent (Art. 7(3)): with effect going forward.
• Lodge a complaint with your local supervisory authority (Art. 77).

To exercise any right, email [email protected] with the subject “GDPR Request — [Right].” We respond within one month (Art. 12(3)).

9. Security

We implement reasonable security practices including: TLS 1.3 transport encryption; encryption at rest on database and media storage; role-based access control on the admin panel; least-privilege sub-processor access; and periodic credential rotation.

No system is absolutely secure. If we become aware of a personal-data breach that is likely to cause harm, we will notify the Data Protection Board of India and affected Data Principals as required by the DPDP Act.

10. Children

vexo.club is not directed at children under the age of 18, and we do not knowingly collect their data. Creators on our roster are independent adults who have contractually represented that they are over 18.

11. Changes to this Policy

We may update this Policy to reflect changes in law or in how we operate. The “Last updated” date at the top reflects the most recent change. Material changes will be notified on the homepage at least 14 days before taking effect.

12. Grievance Officer / Data Protection Officer

For any complaint regarding the processing of your personal data, or to exercise any right under the DPDP Act, please contact:

You also have the right to lodge a complaint with the Data Protection Board of India once it is established under the DPDP Act.

13. Governing law and jurisdiction

This Policy is governed by the laws of India. Courts at Jaipur, Rajasthan shall have exclusive jurisdiction over any dispute arising from this Policy, subject to the grievance-redressal mechanism above.