Privacy Policy
Effective Date: April 17, 2026
LexOculus is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) (EU) 2016/679.
1. Data Controller
LexOculus operates as the Data Controller for personal data processed through the Service.
Contact: founder@lexoculus.com
2. Information We Collect
| Category | Data Collected | Purpose |
|---|---|---|
| Account Data | Email, Name, GitHub Username | Account creation, authentication |
| Usage Data | Truncated IP address, browser type | Security, audit logging |
| Repository Data | File tree, README, dependency files | Compliance analysis |
| Inquiries | Name, Email, Company | Demo requests, sales communication |
3. Legal Basis (GDPR Article 6)
- Contract (Art. 6(1)(b)): Processing necessary to perform the LexOculus Service you requested (e.g., scanning repos, generating reports).
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and responding to business inquiries.
- Consent (Art. 6(1)(a)): Where required for specific optional features.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account Data | Retained while active. Deleted upon user request. |
| Repository Metadata | Stored for 30 days to enable regenerative analysis, then automatically purged. |
| Demo & Sales Inquiries | Stored for 90 days, then automatically purged. |
| Audit Logs | Retained for 12 months for security compliance. |
5. Sub-Processors
We use the following third-party services to operate LexOculus. We have signed Data Processing Agreements with applicable sub-processors.
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (South Korea, ap-northeast-2) | Database, Authentication | Account data, encrypted tokens, scan metadata |
| Vercel (Paris, France — cdg1) | Hosting, CDN | Anonymised metrics, request routing |
| Groq (USA) | LLM code analysis | Repository metadata (NO training on API inputs) |
| DodoPayments | Merchant of Record | Billing email, transaction history |
Note on Groq: Code snippets sent for analysis are processed transiently and discarded. Under their Terms of Service, no customer data is used to train their models.
Enterprise Customers: Please refer to our Data Processing Agreement (DPA).
6. Data Breach Notification
In the event of a personal data breach, LexOculus will notify affected Data Controllers (and where applicable, Data Subjects) within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33.
7. Your Rights Under GDPR
You can exercise the following rights directly within your Dashboard Settings:
- Right to Erasure (Art. 17): Use the "Delete Account" button to permanently delete all your data via cascading deletion.
- Right to Data Portability (Art. 20): Use the "Export Data" button to download a JSON file of your complete data history.
For other rights (Access, Rectification, Restriction, Objection), please contact: founder@lexoculus.com.