This Privacy Policy describes how Re-X Australasia Ltd (“Company”, “we”, “us”, or “our”) collects, uses, and protects information when you use the Lexey platform (“Service”).
1. Information We Collect
Account information
When you create an account, we collect your email address and authentication credentials through our identity provider (Clerk). If you sign in with Google, we receive your name, email address, and profile picture from Google.
Organisation data
When you create or join an organisation, we store the organisation name and membership information to manage multi-tenant access.
Service data
We store the content you provide to configure your support agent, including business context, knowledge articles, business rules, branding settings, and configuration changes. We also store all conversations between your AI agent and your end customers, including message content, timestamps, and metadata.
Usage & billing data
We track token usage per request for billing purposes, including the model used, input/output token counts, and credits consumed. Payment information is processed and stored by Stripe — we do not store credit card numbers or payment details directly.
Automatically collected data
We collect standard server logs including IP addresses, browser user agent strings, and request timestamps. We use Sentry for error monitoring, which may capture technical context about errors including stack traces and request metadata.
2. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Process your AI agent’s responses to end customer queries.
- Perform quality assurance assessments on AI-generated responses.
- Screen messages for safety (prompt injection, abuse, harmful content).
- Process billing and subscription management.
- Send transactional communications (e.g. escalation notifications).
- Monitor and improve the reliability and performance of the Service.
3. Data Processing & Sub-Processors
The Service is hosted in the United States. We use the following third-party service providers (sub-processors) to operate the Service:
- Vercel (United States) — hosting, compute, and edge network.
- Neon (United States) — serverless PostgreSQL database.
- Anthropic (United States) — large language model provider for AI-generated responses, safety classification, and quality assessment. Conversation content and knowledge articles are sent to Anthropic’s API for processing.
- Clerk (United States) — authentication and user management.
- Stripe (United States) — payment processing, subscription management, and usage metering.
- Sentry (United States) — error monitoring and performance tracking.
- SendGrid (United States) — transactional email delivery (e.g. escalation notifications).
- Cloudflare (United States) — bot protection (Turnstile) for chat interfaces.
We may use a third-party web content retrieval service to fetch publicly available web pages you specify for knowledge ingestion. Requests include only public URLs; no customer account or end-user personal data is shared with such services.
4. Cookies & Tracking Technologies
The Service uses essential cookies for authentication and session management. Cloudflare Turnstile may set a cookie for bot protection purposes. We use Plausible Analytics on our public marketing pages to collect anonymous, aggregate website usage statistics. Plausible is cookieless and does not store personal data or use cross-site tracking. We do not use advertising pixels.
5. Data Isolation
The Service is multi-tenant. All data is isolated at the application level — every database query is scoped to your tenant. You can only access data belonging to your organisation. Your end customers’ conversations are visible only to members of your organisation with appropriate roles.
6. Data Retention
We retain your data for as long as your account is active. Conversation data, knowledge articles, and configuration data are retained indefinitely while your account is active. If you delete your organisation or request account deletion, we will delete your data within 30 days, except where retention is required by law or for legitimate business purposes (e.g. billing records).
7. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS) for all communications.
- Encryption at rest for database storage.
- API keys stored as salted SHA-256 hashes (plaintext never persisted).
- Content Security Policy headers, input/output safety filtering, and role-based access controls.
8. End Customer Data
When your end customers interact with your AI support agent, their messages are processed and stored as part of the Service. End customer chat is unauthenticated — we do not collect personal information from end customers unless they voluntarily provide it in conversation or the tenant has enabled the contact collection skill (which may prompt end customers for details such as name, email, or phone number). You are responsible for informing your end customers about the use of AI-powered support and any applicable data collection, as required by law.
9. Your Rights
Under the New Zealand Privacy Act 2020, the Information Privacy Principles (IPPs) give you the following statutory rights:
- Access (IPP 6) — You may request access to the personal information we hold about you.
- Correction (IPP 7) — You may request correction of any inaccurate, incomplete, or misleading personal information.
We will respond to access and correction requests promptly and, in any case, within 20 working days as required by the Privacy Act. If we refuse a request, we will provide reasons and inform you of your right to make a complaint to the Office of the Privacy Commissioner.
In addition, we provide the following commitments:
- Deletion — As described in section 6, you may request deletion of your personal information by deleting your organisation or requesting account deletion. We will action deletion requests within 30 days, except where retention is required by law.
- Portability — On request, we will provide a copy of your personal information in a structured, commonly used format.
To exercise any of these rights, contact us at support@lexey.ai.
10. Children’s Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 13, we will take steps to delete it promptly.
11. Applicable Law
The Service is operated by Re-X Australasia Limited, a company registered in New Zealand. Our collection and handling of personal information is subject to the New Zealand Privacy Act 2020 and applicable New Zealand privacy laws. The Service is hosted in the United States by our sub-processors listed above, and your data may be transferred to and processed in the United States accordingly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page and, where practicable, by email. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
For questions about this Privacy Policy or our data practices, contact us at support@lexey.ai.