Lexandro Privacy & Data Retention
This page explains how Lexandro collects, uses, shares, and retains personal data in connection with our websites and services. It also explains the choices and rights you have. If anything here is unclear, please contact us—privacy is part of the product.
Scope and who we are
This Privacy Policy applies to Lexandro’s websites and online services (the “Services”).
Controller (website & service metadata). For website visits, marketing, support, and account administration, Lexandro is the data controller.
Processor (Customer Content). For documents, knowledge bases, prompts, and outputs you or your organization supply to the platform (“Customer Content”), Lexandro processes data only on your instructions and in line with the Data Processing Addendum (DPA).
“Personal Data” means information that relates to an identified or identifiable individual. Capitalized terms have the meanings given in the DPA or applicable privacy laws.
Last updated: November 2, 2025.
Personal data we collect
We collect information from you, from your organization, and automatically from your devices when you use the Services.
Account information (e.g., name, work email, role, language preferences, credentials, billing profile).
Communication information (support tickets, product feedback, survey responses, testimonials, event registrations).
Social and marketing interactions (engagement with our pages on professional networks and video platforms; high-level analytics provided by those platforms).
Technical/usage data (IP address, device and browser, time zone, pages viewed, feature use, clickstream, and session logs) collected via the app and cookies/SDKs.
Customer Content (documents you upload, workspace knowledge, chat prompts and outputs) processed under your instructions and the DPA.
Customer Content (documents, chats, knowledge base)
We process Customer Content solely to provide and maintain the Services.
Lexandro does not use Customer Content to train foundation models unless you explicitly instruct or opt in through your admin settings or contract.
We store and process Customer Content in secure infrastructure and limit access to authorized personnel with a legitimate need.
Upon termination or on receiving a deletion request, we provide export options and then schedule deletion consistent with the DPA and the timelines below.
How we use personal data
We use personal data to operate, secure, and improve the Services.
Provide, administer, and troubleshoot the Services; personalize your experience; and deliver customer support.
Develop and improve features, including product research, testing, and analytics on aggregated or de-identified usage data.
Communicate about updates and security alerts and, where allowed, events and marketing (with opt-out controls).
Detect, prevent, and investigate fraud, abuse, and security incidents; enforce terms; comply with law.
Legal bases (EEA/UK)
Where the GDPR/UK GDPR applies, we rely on these legal bases:
Contractual necessity to provide the Services and support.
Legitimate interests such as product improvement, security, and anti-fraud, balanced against your rights and expectations.
Consent for certain cookies/analytics or marketing where required. Consent can be withdrawn at any time.
Legal obligation for tax, bookkeeping, and responding to lawful requests.
International data transfers
Your personal data may be processed outside your home jurisdiction.
We use appropriate safeguards for cross-border transfers, including adequacy decisions (where available) and Standard Contractual Clauses for other destinations.
We require third-party processors to protect your data and to process it only under our instructions. See the “Sub-processors” page for details.
Questions about transfer mechanisms can be addressed to the privacy contact listed below.
How long we keep data
We keep personal data only as long as needed for the purposes described above, then delete or de-identify it.
Chat history and usage logs: retained up to 12 months to deliver features, resolve issues, and improve reliability. You can delete sooner.
Customer Content (documents/knowledge base): retained while your workspace is active. After account closure, an export is available and then deletion occurs within 30 days. Content in backups is isolated and removed on rotation.
Support and communications: typically 12–18 months.
Billing and tax records: retained as required by law (usually 5–7 years, depending on jurisdiction).
Cookies and analytics: see the “Cookie Policy” for specific lifetimes. Many analytics cookies last around one year, subject to your choices.
Security
We use technical and organizational measures appropriate to the risks of processing.
Encryption in transit and at rest; least-privilege access; SSO/SAML and MFA support; continuous logging and alerting.
Secure development lifecycle, vulnerability management, and vendor risk review. Refer to the “Security” page for details.
AI models and training
Lexandro may route prompts to Lexandro-hosted models and vetted model providers operating as processors.
No model training on Customer Content by default. Model providers are not permitted to train their foundation models on your Customer Content unless you or your organization instructs us or opts in by contract.
Aggregated or de-identified telemetry may be used to improve reliability and safety; it is not used to reconstruct your documents or disclose your identity.
Providers and purposes are listed on the “Sub-processors” page and governed by the DPA.
Your rights
Depending on your location, you may have rights over your personal data.
Access, correct, delete, or export your data; object to or restrict processing; withdraw consent where applicable.
EEA/UK users may lodge a complaint with a supervisory authority. We respond to verified requests within the timelines set by law.
US state privacy disclosures
For US consumers, additional rights may apply.
Lexandro does not sell personal information for money. Some advertising or analytics disclosures may be considered a “sale” or “sharing” under certain laws. Opt-out mechanisms are available through the “Your Privacy Choices” page.
US rights can include the right to know, delete, correct, and opt out of sale/sharing and certain profiling. Authorized-agent requests are honored as required.
Children’s data
The Services are not directed to individuals under 18.
We do not knowingly collect personal data from anyone under 18. If you believe a minor provided data, contact us and we will delete it.
Third-party services
Third-party sites and services referenced from our products have their own terms and privacy notices.
When you use integrations or follow references, those providers’ policies—not ours—govern those interactions.
Changes and how to contact us
We may update this Privacy Policy as we improve our services or to reflect changes in the law.
We will post updates here and, when required, notify administrators or provide in-product notice.
Privacy contact: privacy@lexandro.ai
Controller: Festina Technology
DPO (if appointed) or EU/UK representative (if required): [Insert contact].
For data processing terms, see the “Data Processing Addendum (DPA).”