Privacy Policy.

1. Who we are

This Policy is issued by Lorexus Partners, Inc. ("Lorexus", "we", "us", "our"), a New York corporation with its principal place of business at 418 Broadway # 5918, Albany, NY 12207, United States. For privacy questions, contact us at support@lorexus.com.

Throughout this Policy, "personal information" or "personal data" means information that identifies, relates to, or could reasonably be linked to an identifiable individual or household, as defined under applicable law (including the EU and UK GDPR, the California Consumer Privacy Act as amended by the CPRA, and similar U.S. state privacy laws).

2. Information we collect

a. Information you provide

• Contact details: first and last name, business email, company name, and any other information you submit through our contact form, email, or scheduling links.
• Engagement information: indicative budget, IT challenges, and other context you share to help us assess fit.
• Account credentials: if you become an administrator of our admin panel, we store the email address and a salted, hashed password.
• Correspondence: the content of communications you send us, including emails, support tickets, and meeting notes.

b. Information collected automatically

• Device and connection data: IP address, browser type and version, operating system, referring URLs, language preference.
• Usage data: pages viewed, time on page, navigation paths, approximate location (derived from IP), and similar telemetry.
• Cookies and similar technologies: see Section 8 below.
• Form metadata: when you submit our contact form we record the submission timestamp, your IP address, and your user-agent string for spam prevention and security auditing.

c. Information from engagements

When you engage us for services, we may receive personal data about your employees, customers, or other individuals as part of our work (e.g., user lists during a Microsoft 365 audit). We process such data on your behalf as a processor or service provider under our agreement with you and only for the purposes you instruct.

3. How we use information

We use personal information to:

• respond to inquiries, schedule consultations, and follow up on opportunities;
• perform services under an engagement with you;
• send transactional communications (account, security, contract notices);
• operate, secure, and improve our website and admin systems;
• detect, prevent, and respond to fraud, abuse, or security incidents;
• comply with legal, regulatory, and tax obligations;
• establish, exercise, or defend legal claims;
• where you have opted in, send occasional marketing about our services (you can unsubscribe at any time).

4. Legal bases (EU/UK GDPR)

Where the GDPR applies, we rely on the following legal bases:

• Performance of a contract — to deliver the Services you have requested or to take steps before entering into a contract.
• Legitimate interests — to operate our business, secure our website, prevent fraud, and conduct B2B outreach to existing or prospective business contacts, balanced against your rights.
• Consent — for non-essential cookies, marketing emails to individuals who require opt-in consent, and any optional functionality you enable. You may withdraw consent at any time.
• Legal obligation — to comply with applicable laws and respond to lawful requests.

5. How we share information

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We disclose personal information only as described below:

• Service providers / processors who support our operations under written contracts that restrict their use to the services we have asked them to perform. These include the categories listed in Section 6 below.
• Professional advisors such as lawyers, accountants, and auditors, bound by confidentiality.
• Corporate transactions — in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to standard confidentiality protections.
• Legal and safety — when we believe in good faith that disclosure is required by law, court order, or regulatory request, or is necessary to protect our rights, property, or the safety of any person.
• With your direction or consent — for any other purpose disclosed at the time of collection.

6. Third-party services we use

We rely on a small set of vendors to operate the website and our business. These vendors process data on our behalf:

• Microsoft Azure — hosting, infrastructure, and identity (privacy info: microsoft.com/privacy).
• Brevo (formerly Sendinblue) — transactional email and contact-form notifications (privacy info: brevo.com/legal/privacypolicy).
• Google Analytics 4 and Google Tag Manager — website analytics, only loaded after you accept analytics cookies (privacy info: policies.google.com/privacy).
• OpenStreetMap — used to render the office location map; OpenStreetMap may receive your IP address when the map is loaded (privacy info: osmfoundation.org/wiki/Privacy_Policy).
• Google Fonts — used for typography on the website (privacy info: policies.google.com/privacy).

If you engage us for services, we may use additional sub-processors specific to that engagement; we will identify them and the categories of data involved in the applicable order document or data processing terms.

7. International data transfers

We are based in the United States, and our service providers may process data in the United States, the European Economic Area, the United Kingdom, or other countries. Where personal data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented by additional measures as needed. You may request a copy of the relevant safeguards by contacting us.

8. Cookies and similar technologies

We use the following cookie categories. You can control non-essential cookies through the cookie banner shown on your first visit, or by clearing site data in your browser:

• Strictly necessary — required for the site to work (e.g., anti-forgery tokens, your cookie-preference choice). Always on.
• Analytics — Google Analytics 4 (and, if configured by us, Google Tag Manager) to understand how the site is used. Loaded only after you grant consent and uses Google Consent Mode v2 to default analytics_storage and ad_storage to denied until granted.
• Marketing — used only if you grant marketing consent; off by default.

We honor the Global Privacy Control (GPC) signal where applicable. Most browsers also let you reject or delete cookies; doing so may affect site functionality.

9. Data retention

We keep personal information only as long as is necessary for the purposes described in this Policy, including to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements:

• Contact-form submissions and inquiry records: typically up to 36 months from last contact, unless you become a Client.
• Client engagement records and invoices: at least 7 years from the end of the engagement, in line with U.S. tax and audit requirements.
• Server logs and security telemetry: typically 90 days, longer where required for security investigations.
• Marketing-list records: until you unsubscribe, plus a short suppression-list period to honor your unsubscribe request.

10. Your privacy rights

Depending on where you live, you may have the following rights:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to correct inaccurate or incomplete information.
• Deletion — ask us to delete personal information, subject to legal retention obligations.
• Portability — receive a copy in a structured, commonly used machine-readable format.
• Object or restrict — object to processing based on our legitimate interests, or ask us to restrict processing.
• Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior processing.
• Opt out of "sales" and "sharing" (CCPA/CPRA) — we do not sell or share personal information for cross-context behavioral advertising; if this changes we will provide the required opt-out mechanism.
• Limit use of sensitive personal information (CCPA/CPRA) — we do not use sensitive personal information for purposes that would trigger this right.
• Non-discrimination — we will not discriminate against you for exercising any of these rights.
• Lodge a complaint — EEA/UK residents may lodge a complaint with their local data protection authority. We would, however, appreciate the chance to address your concern first.

To exercise any right, email support@lorexus.com from the address associated with the request, or write to the postal address in Section 1. We may need to verify your identity before responding. We will respond within the timelines required by applicable law (typically 30 to 45 days).

You may designate an authorized agent to make a request on your behalf. We may require written proof of authorization and direct verification with you.

11. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption of data in transit (TLS), encryption at rest where supported by the underlying platform, role-based access controls, multi-factor authentication for administrative access, audit logging, regular patching, and secure software development practices. No system can be guaranteed 100% secure; if you have reason to believe your interaction with us is no longer secure, please contact us immediately.

12. Children's privacy

Our website and Services are intended for business use by adults. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

13. "Do Not Track"

Some browsers send a "Do Not Track" (DNT) signal. There is no industry-standard interpretation, so we currently do not respond to DNT signals separately, but we honor consent choices made in our cookie banner and the Global Privacy Control signal where applicable.

14. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be highlighted on the website or, where appropriate, communicated by email. Continued use of the Services after a change indicates acceptance of the revised Policy.

15. Contact

If you have questions or concerns about this Policy or our privacy practices, contact us at support@lorexus.com, or by mail at:

Lorexus Partners, Inc.
Attn: Privacy
418 Broadway # 5918
Albany, NY 12207, USA