Privacy Policy

01Data Controller

Lexara Advisory LLC is the data controller for personal data collected through this website (lexaraadvisory.com).

Lexara Advisory LLC is a consulting firm registered in Wyoming, United States. We are not a law firm and do not provide legal advice. This policy applies to all visitors to lexaraadvisory.com regardless of their location.

02Data We Collect

We collect the following categories of personal data:

We do not collect sensitive personal data (special categories under GDPR Article 9) through this website.

03Legal Basis for Processing (GDPR)

For visitors from the European Economic Area (EEA) and the United Kingdom, we rely on the following legal bases under GDPR Article 6:

• Consent (Art. 6(1)(a)): Analytics cookies and GA4 data collection. You may withdraw consent at any time by adjusting cookie preferences.
• Legitimate interests (Art. 6(1)(f)): Basic server logs and technical data necessary for security, fraud prevention, and proper website operation.
• Performance of a contract / pre-contractual steps (Art. 6(1)(b)): Processing of contact and communication data when you inquire about our services.
• Legal obligation (Art. 6(1)(c)): Where required by applicable law.

04How We Use Your Data

We use your personal data for the following purposes:

• Responding to inquiries and scheduling consultations
• Providing consulting services to clients
• Maintaining records of our communications
• Analyzing website usage to improve our content and user experience (analytics only, with prior consent)
• Ensuring the security and integrity of our website and systems
• Complying with legal obligations

We do not use personal data for automated decision-making that produces legal or similarly significant effects. We do not sell personal data to third parties.

05Cookies & Analytics

This website uses cookies. Below is a complete inventory:

We implement Google Consent Mode v2. Google Analytics does not load or set cookies until you explicitly grant consent. If you reject analytics, no GA4 cookies are set and no analytics data is transmitted.

You may withdraw or change your cookie consent at any time by clicking Cookie Preferences.

06AI Chat Assistant

This website includes an AI-powered chat assistant accessible via the floating button on the main page. The assistant is powered by the Anthropic Claude API via a Cloudflare Worker operated by Lexara Advisory LLC.

Data processing associated with the chat assistant:

• Messages you submit are transmitted to our Cloudflare Worker and then to the Anthropic API for processing
• Session history is maintained in your browser for the duration of your chat session and is not stored server-side beyond what is necessary to process your request
• IP address, approximate geographic location, and user agent may be logged for security purposes
• Anthropic's own privacy policy governs data processing on their infrastructure. See anthropic.com/privacy

The chat is limited to 20 messages per session. No data from chat sessions is used for advertising or sold to third parties.

07Data Sharing & Third Parties

We share personal data only with the following third parties, and only to the extent necessary:

We do not sell personal data. We do not share personal data with data brokers, advertisers, or marketing platforms.

08Data Retention

• Contact and communication data: Retained for as long as necessary to manage the client relationship, plus up to 3 years for legitimate interest in maintaining records of professional communications.
• Analytics data (GA4): Retained for up to 14 months in Google Analytics. We apply the minimum retention settings available.
• Server logs: Retained for up to 30 days for security monitoring purposes.
• Cookie consent record: Retained for 1 year in your browser's local storage.

When data is no longer necessary for the purposes for which it was collected, it is deleted or anonymized.

09Your Rights (GDPR & CCPA)

For EEA and UK residents (GDPR): You have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate data
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to restriction (Art. 18): Request that we restrict processing of your data
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent: At any time, for any processing based on consent (including analytics cookies)

For California residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights.

To exercise any of these rights, contact us at advisory@lexaraadvisory.com. We will respond within 30 days (GDPR) or 45 days (CCPA). We may request proof of identity before fulfilling certain requests.

10International Data Transfers

Lexara Advisory LLC is based in the United States. If you are located in the EEA, UK, or another jurisdiction with data protection laws, be aware that your data may be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

Where we transfer data from the EEA to the US, we rely on:

• Standard Contractual Clauses (SCCs) — for transfers to Google LLC and Cloudflare Inc.
• Adequacy decisions — where applicable
• EU-US Data Privacy Framework — for participating organizations

You may request more information about the specific safeguards applicable to any transfer by contacting us at advisory@lexaraadvisory.com.

11Security

We implement technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure. These measures include:

• HTTPS/TLS encryption for all data in transit
• Access controls and key-based authentication on server infrastructure
• Cloudflare infrastructure with DDoS protection and Web Application Firewall
• Environment variables for credential storage (not hardcoded)
• Regular security reviews of server configuration

No security measure is absolute. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you in accordance with applicable legal requirements (GDPR Article 34).

12Children

This website is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will delete that data promptly.

13Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational procedures. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

For material changes, we will make reasonable efforts to notify users through a notice on this website. We encourage you to review this policy periodically.

14Contact & Complaints

For any questions about this Privacy Policy or to exercise your rights, contact us:

If you are located in the EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

For UK residents, the relevant supervisory authority is the Information Commissioner's Office (ICO).