Privacy Policy
Last updated: April 24, 2026
1. Introduction
This Privacy Policy explains how Lexoreg ("Lexoreg", "we", "us") collects, uses, stores, and protects personal data when you use the Lexoreg platform ("Service").
Lexoreg is the data controller for personal data collected through account registration and platform usage. For customer-uploaded data (SBOMs, product information), Lexoreg acts as a data processor on behalf of the customer (data controller).
Data Controller: Lexoreg, Espoo, Finland — hello@lexoreg.io
2. Personal Data We Collect
2.1 Account Data (provided by you)
| Data | Purpose | Legal Basis |
|---|---|---|
| Name | Account identification, communication | Contract performance |
| Email address | Authentication, notifications, support | Contract performance |
| Password (hashed) | Authentication | Contract performance |
| Organization name | Multi-tenant account setup | Contract performance |
| IP address | Security, rate limiting, audit trail | Legitimate interest |
2.2 Usage Data (collected automatically)
| Data | Purpose | Legal Basis |
|---|---|---|
| Browser type and version | Service optimization | Legitimate interest |
| Pages visited | Product improvement | Legitimate interest |
| Session timestamps | Security monitoring | Legitimate interest |
| API request logs | Debugging, rate limiting | Legitimate interest |
2.3 Customer-Uploaded Data
Data you upload (product information, SBOMs, vulnerability records, ENISA reports, compliance checks) is processed strictly as a data processor on your behalf. We process this data solely to provide the Service.
3. How We Use Personal Data
We use personal data to:
- Provide and maintain the Service
- Authenticate users and manage accounts
- Send transactional emails (vulnerability alerts, ENISA deadline reminders, password reset)
- Process payments and manage subscriptions
- Provide customer support
- Monitor and improve Service performance and security
- Comply with legal obligations
We do NOT use personal data for: advertising, selling to third parties, profiling, automated decision-making, or training AI/ML models.
4. Data Storage and Security
4.1 Where Data Is Stored
| Service | Provider | Location | Purpose |
|---|---|---|---|
| Database | Neon (PostgreSQL) | EU (Frankfurt) | All application data |
| File storage | Cloudflare R2 | EU | SBOM files |
| Redis | Railway | EU | Rate limiting, session cache |
| Resend | US (with EU processing) | Transactional emails | |
| API hosting | Railway | EU | Application hosting |
| Web hosting | Vercel | EU | Frontend hosting |
All primary data storage is within the European Economic Area (EEA).
4.2 Security Measures
- All data encrypted in transit (TLS 1.2+)
- Database encrypted at rest
- Passwords hashed with bcrypt
- API keys hashed with Argon2id
- Audit trail hash-chained for tamper detection
- Role-based access control (RBAC)
- Rate limiting on authentication endpoints
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Service provision |
| Audit trail | 5 years after creation | CRA compliance evidence requirement |
| SBOM files | Duration of account + 30 days | Service provision |
| ENISA reports | 5 years after creation | Regulatory evidence |
| Session logs | 90 days | Security monitoring |
| Payment records | 7 years | Finnish tax law (Accounting Act) |
| Expired trial data | 90 days after trial expiry | Grace period for reactivation |
6. Data Sharing
6.1 Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Neon Inc. | Database hosting | EU |
| Railway Corp. | API hosting, Redis | EU |
| Vercel Inc. | Frontend hosting | EU |
| Cloudflare Inc. | DNS, file storage (R2) | EU |
| Resend Inc. | Email delivery | US |
6.2 Legal Requirements
We may disclose personal data if required by Finnish law, EU regulation, or court order. We will notify you of such disclosures unless prohibited by law.
6.3 Business Transfer
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.
7. Your Rights (GDPR)
Under the EU General Data Protection Regulation, you have the right to:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Correct inaccurate personal data |
| Erasure | Request deletion of your personal data |
| Restriction | Request restriction of processing |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Withdraw consent at any time where consent is the legal basis |
To exercise any of these rights, contact us at hello@lexoreg.io. We will respond within 30 days.
Note on audit trail: Due to the immutable, hash-chained nature of the audit trail (required for CRA compliance evidence), individual entries cannot be deleted. Instead, we apply pseudonymisation to redact personal identifiers while preserving the integrity of the audit chain.
8. Cookies
Lexoreg uses only essential cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication | Session (expires on logout or after idle period) |
We do NOT use: tracking cookies, analytics cookies, advertising cookies, or social media cookies. No cookie consent banner is required because we only use strictly necessary cookies.
9. International Transfers
Primary data processing occurs within the EEA. Where sub-processors operate outside the EEA (Resend), data transfers are protected by EU Standard Contractual Clauses (SCCs) as approved by the European Commission.
10. Children's Data
Lexoreg is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect.
12. Contact and Complaints
Data Controller:
Lexoreg
Email: hello@lexoreg.io
Espoo, Finland
Supervisory Authority:
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Website: tietosuoja.fi
Email: tietosuoja@om.fi
Address: Lintulahdenkuja 4, 00530 Helsinki, Finland