Privacy Policy
Last updated: 1 March 2026
1. Who We Are
Lexerus ("we", "our", "us") is an AI-powered video surveillance and loss prevention platform operated by Lexerus Ltd, a company incorporated in England and Wales. We provide software services that allow retail businesses to analyse their existing CCTV infrastructure to detect suspicious behaviour and prevent theft.
For the purposes of UK GDPR and the Data Protection Act 2018, Lexerus Ltd acts as a data processor on behalf of our retail customers (the data controllers) when processing video footage and associated data. We act as a data controller in respect of our customers' account information and any data we collect through our website.
Questions about this policy or our data practices can be directed to: privacy@lexerus.com
2. What Data We Collect
2.1 Account & Customer Data
When you register for or use the Lexerus platform, we collect:
- Name, email address, and password (hashed)
- Business name, address, and billing details
- Subscription tier and payment history (processed via our payment provider)
- Camera configuration: stream URLs, camera names, and store zones you define
- Mobile device push notification tokens
- App usage data, session logs, and API request logs
2.2 Video & Detection Data
Our platform processes RTSP video streams from cameras you connect. In doing so, we may store:
- Short video clips and image snapshots captured at the point of a detected incident
- Bounding-box detection metadata (coordinates, confidence scores, timestamps)
- Suspicion assessments and alert records linked to specific camera feeds
- Dwell-time and behaviour classification data derived from video analysis
We do not store continuous full-length recordings. We do not perform facial recognition or build persistent profiles of individuals captured in footage. All video analysis is performed to detect behavioural patterns, not to identify specific individuals.
2.3 Website & Analytics Data
When you visit our marketing website, we collect:
- IP address and approximate location (country/city level)
- Browser type, device type, and operating system
- Pages visited, time on page, and referral source
- Form submissions (e.g. demo requests, contact enquiries)
We use Vercel Analytics for privacy-friendly, cookie-free page analytics. No third-party advertising trackers are used on our website.
3. How We Use Your Data
We process personal data for the following purposes and under the corresponding lawful bases:
- Delivering the service — processing your video streams, generating alerts, and providing the dashboard. Lawful basis: performance of a contract.
- Account management — creating your account, processing payments, and managing your subscription. Lawful basis: performance of a contract.
- Security & fraud prevention — detecting and preventing abuse of our platform. Lawful basis: legitimate interests.
- Service improvement — analysing aggregated, anonymised usage patterns to improve detection accuracy and platform features. Lawful basis: legitimate interests.
- Communications — sending transactional emails (OTP codes, alert notifications, billing receipts) and, where you have opted in, product updates. Lawful basis: contract / consent.
- Legal compliance — retaining records as required by applicable law. Lawful basis: legal obligation.
4. Data Sharing & Third Parties
We do not sell your personal data. We share data only with the following categories of sub-processors, all of whom are bound by data processing agreements:
- Cloud infrastructure — your data may be stored on servers provided by AWS or S3-compatible storage providers. Data is encrypted at rest and in transit.
- Email delivery — alert and transactional emails are sent via Resend.
- Payment processing — billing is handled by a PCI DSS-compliant payment processor. We do not store card numbers.
- Push notifications — mobile push alerts are delivered to your team's devices via Expo's push notification service, which routes through Apple APNs and Google FCM.
We may disclose data to law enforcement or regulatory authorities where required to do so by law or valid legal process.
5. Data Retention
- Incident snapshots and clips — retained for 30 days from the date of capture, then permanently deleted, unless you export or download them.
- Alert records and metadata — retained for 12 months from creation, then deleted.
- Account data — retained for the duration of your subscription and for 90 days after cancellation, to allow reactivation. After 90 days, account data is permanently deleted.
- Billing records — retained for 7 years in compliance with UK financial record-keeping obligations.
6. Your Rights
Under UK GDPR you have the following rights in respect of personal data we hold about you as a data controller:
- Right of access — request a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure — request deletion of your data where no legal basis for retention exists.
- Right to restrict processing — ask us to pause processing while a dispute is resolved.
- Right to data portability — receive your account data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email privacy@lexerus.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- TLS encryption for all data in transit
- AES-256 encryption for data at rest
- JWT-based authentication with 30-day expiry
- Role-based access control — users can only access their own cameras and alerts
- Regular security reviews and dependency audits
In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.
8. International Transfers
We primarily store and process data within the UK and EEA. Where data is transferred outside these regions (for example, via certain sub-processors), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK ICO.
9. Cookies
Our marketing website uses no third-party advertising cookies. We may use a single session cookie to maintain your login state in the dashboard. Vercel Analytics operates without cookies or persistent identifiers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify active customers of material changes via email at least 14 days before they take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.