Your data, protected and yours
Last updated 17 June 2026
01 Introduction
Lexa is an AI compliance operating system built and operated by Webority Technologies Private Limited. This Privacy Policy explains what personal data we collect when you visit our website, contact our team, or use the Lexa platform. It also sets out how we use that data, how we keep it safe, and the choices and rights you have.
We handle personal data in line with India's Digital Personal Data Protection Act, 2023 (the DPDP Act) and, where they apply, the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By using Lexa, you agree to the practices described here.
02 Who we are
Lexa is a product owned and operated by Webority Technologies Private Limited, a company incorporated in India with its registered office at 629-634, Vipul Trade Centre, Sector-48, Sohna Road, Gurugram, Haryana 122018, India ("Lexa", "we", "us", "our"). For the personal data processed through this platform, Webority Technologies Private Limited acts as the Data Fiduciary under the DPDP Act.
When our customers upload information about their own organisations and people, we process that data on their instructions as a Data Processor.
03 The data we process
We collect and process a few categories of data:
- Account and contact data: your name, work email, phone number, job title, employer, and the login credentials of the people who use the Lexa platform.
- Customer compliance data: the entity, location, obligation, task, evidence and document records your organisation uploads or creates inside Lexa. This can include the names and contact details of the employees you assign as obligation owners.
- Usage and technical data: IP address, device and browser type, the pages you view, how you use features, and diagnostic logs. We collect this to run and secure the service.
- Communications: the content of enquiries, support tickets, and any other correspondence with our team.
We do not knowingly collect sensitive personal data through the website, and we ask that you avoid uploading it to Lexa unless a specific compliance obligation makes it necessary.
04 How we use your data
We use personal data to:
- run, secure and improve the Lexa platform;
- create and manage accounts and sign users in;
- monitor regulation, generate tasks and verify evidence for our customers;
- answer enquiries and support tickets;
- send service and security messages, and product updates where you have opted in; and
- meet our own legal, tax and regulatory obligations.
We never sell personal data, and we do not use customer compliance data to train shared or third-party AI models.
05 Legal bases and consent
Where the DPDP Act or GDPR applies, we rely on one or more of these grounds: your consent; the performance of a contract with you or your organisation; compliance with a legal obligation; and our legitimate interest in running and protecting the business, weighed against your rights.
Where we rely on consent, for example for non-essential analytics cookies or marketing email, you can withdraw it at any time. Withdrawing consent does not affect anything we did before you withdrew it.
06 AI and automated processing
Lexa uses artificial intelligence to extract obligations from regulation, classify and summarise evidence, draft responses, and answer grounded questions. These features run on Microsoft Azure OpenAI and Azure AI services under enterprise terms.
- No training on your data. We do not use customer compliance data, prompts or documents to train shared or third-party foundation models, and our AI providers are contractually barred from doing so.
- Human oversight. AI outputs are decision-support, not decisions. They do not produce legal effects on their own; your team reviews and acts on them. We do not carry out automated decision-making that produces legal or similarly significant effects without human involvement.
- Data minimisation. We send AI services only the data needed for the task, and we apply the same residency and security controls as the rest of the platform.
If a feature ever involves solely automated decision-making within the meaning of Article 22 GDPR, we will tell you and offer the safeguards the law requires, including the right to human review.
07 How we share your data
We share personal data only where it is needed to run the service:
- Sub-processors: vetted cloud hosting, AI, email and analytics providers who process data under contract and only on our instructions, as described in section 08.
- Professional advisers: auditors, lawyers and accountants, where we reasonably need their help.
- Legal and regulatory bodies: where the law, a court order, or a valid government request requires it.
- Corporate transactions: in connection with a merger, acquisition or reorganisation, always subject to this Policy.
We never sell your data or share it with advertisers.
08 Sub-processors
We engage a small number of vetted sub-processors to run Lexa. Each is bound by contract to process data only on our instructions, to keep it secure, and to meet obligations equivalent to those in this Policy. The main categories are below; you can ask for our current itemised list, including entity names and locations, at any time by writing to [email protected].
| Sub-processor | Purpose | Data location |
|---|---|---|
| Microsoft Azure | Cloud hosting, storage, database and platform infrastructure. | India (Central / South), or the region agreed with you. |
| Microsoft Azure OpenAI & Azure AI | AI extraction, classification, summarisation and grounded QA. | In-region within your Azure geography; no training on your data. |
| Transactional email provider | Sending service, security and account email. | Processed under contract; minimal personal data. |
| Analytics provider | Aggregate website usage measurement (consent-based only). | Website visitors only; not customer compliance data. |
We notify customers before adding or replacing a sub-processor that handles their data, so they can raise any objection under their agreement.
09 Data residency and international transfers
Lexa runs on Microsoft Azure. We host customer data in the region agreed with each customer, and we offer in-region data residency for Indian customers so that data stays within India by default.
Where personal data moves across borders — for example to a support team or a sub-processor outside your region — we put the safeguards the law requires in place. For transfers subject to the GDPR we rely on the European Commission's Standard Contractual Clauses and, where needed, supplementary measures. For transfers subject to the DPDP Act we comply with any restrictions the Central Government notifies on transfers to particular countries. We do not transfer personal data to a country unless adequate protection travels with it.
10 Security
We protect data with encryption in transit and at rest, role-based access controls, tenant isolation, an immutable audit log, least-privilege access for our staff, and continuous monitoring. Single sign-on and in-region data residency are available from day one. SOC 2 and ISO 27001 are targets we are actively working toward, not certifications we hold today. No system is ever perfectly secure, but we work to industry standards and will notify the people affected if a reportable breach occurs, as the law requires. Our Security page sets out our controls in more detail.
11 Cookies and similar technologies
This website currently uses only strictly necessary cookies to run securely; we do not run analytics or advertising cookies on it. If we introduce non-essential cookies, we will ask for your consent first. Our Cookie Policy has the full detail and your controls.
12 Data retention
We keep personal data only for as long as we need it for the purposes set out here, or for as long as the law requires. When a retention period ends, we securely delete or irreversibly anonymise the data. Indicative periods are below; specific periods for customer compliance data are set in each customer agreement.
| Category of data | Retention period |
|---|---|
| Account & user profile data | For the life of the subscription, then deleted within 90 days of account closure. |
| Customer compliance data | For the life of the subscription; exported or deleted per the customer agreement (see Terms). |
| Audit & security logs | Up to 12 months, or longer where a legal or regulatory duty requires it. |
| Website enquiry & demo-request data | Up to 24 months, unless you ask us to delete it sooner. |
| Billing & tax records | As long as Indian tax and company law require (generally up to 8 years). |
| Cookie consent records | Kept for the period stated in our Cookie Policy, if and when non-essential cookies are introduced. |
13 Your rights
Subject to the law that applies to you, you can:
- Access the personal data we hold about you and get a summary of how we process it;
- Correct or update data that is inaccurate, incomplete or out of date;
- Erase your data where there is no lawful reason for us to keep it;
- Withdraw consent at any time, as easily as you gave it;
- Object to or restrict certain processing, including direct marketing;
- Receive your data in a portable form and, where feasible, have it sent to another provider;
- Nominate someone, under the DPDP Act, to exercise your rights if you die or become incapacitated; and
- Complain to a supervisory authority — the Data Protection Board of India under the DPDP Act, or your local authority under the GDPR.
Residents of California have equivalent rights under the CCPA, including the right not to be treated differently for exercising them. To make a request, write to [email protected]; we may need to verify your identity, and we respond within the timelines the law sets. Where we act as a processor for one of our customers, we will pass your request on to that customer and support their response.
14 Data breach notification
We maintain procedures to detect, contain, investigate and respond to personal data breaches. If a reportable breach occurs, we will notify the Data Protection Board of India and the affected Data Principals in line with the DPDP Act, report to CERT-In within the timelines its directions require, and, where the GDPR applies, notify the relevant supervisory authority without undue delay and within 72 hours where feasible. Where we act as a processor, we will notify the affected customer promptly so they can meet their own obligations.
15 Children's privacy
Lexa is a business product and is not aimed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has given us their data, contact us and we will delete it.
16 Changes to this policy
We may update this Policy from time to time. We will post the new version here with a fresh "last updated" date, and when the changes are significant we will tell you by email or inside the product.
17 Grievance redressal
If you have a concern about how we handle your personal data, you can contact our Grievance Officer, who is appointed under the DPDP Act:
Mr. Navneet Singh, Grievance Officer
Webority Technologies Private Limited
Phone: +91 95990 06518
Email: [email protected]
We will acknowledge and respond to grievances within the timelines the law sets.
18 Contact
For any privacy question, write to [email protected], or to our registered office at 629-634, Vipul Trade Centre, Sector-48, Sohna Road, Gurugram, Haryana 122018, India.