This privacy policy pertains to processing by Lerxs by means other than through the use of cookies. Lerxs has formulated a separate cookie policy, which can be found on our website.
Lerxs respects the privacy of its customers, suppliers and partners. We have therefore formulated and implemented a policy on complete transparency regarding the processing of personal data, its purpose(s) and the possibilities to exercise your legal rights in the best possible way. For employees, we have formulated a separate privacy policy, available upon employment and upon request.
Definitions of Terms
- Party responsible for processing personal data: SUBARASHI-DOKITA.AI LTD; with registered address at Back Testing Ground, Oranfe, Ile-Ife, Osun State, Nigeria; and Data Protection Officer Fatunmbi Daniel who can be reached at daniel@lerxs.com
- Data Protection Authority: Nigeria Data Protection Commission (NDPC).
- Data Protection laws:
- Nigerian Data Protection Regulation (NDPR) 2019
- Nigerian Data Protection Act (NDPA) 2023
- Nigeria Information Technology Development Agency (NITDA) regulations
Collection of Data
- Your personal data will be collected by Lerxs and its data processors.
- Personal data means any information relating to an identified or identifiable natural person ('data subject').
- An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Types of Data We Collect and How They Are Processed
The following business processes describe how we may collect, store or otherwise process the types of personal information:
- Collection of cookies, subscription to newsletter or filling out the contact form on the website(s);
- Analyse trends and profiles, for our legitimate interest to aim to enhance, modify, personalise and improve our services and communications for the benefit of our customers;
- Process and respond to support requests, enquiries and complaints received from you through use of business email;
- Provide services and products requested and/or purchased by you and to communicate with you about such services and/or products. We do this as necessary in order to carry out a contract with you and in accordance with our legitimate interest to operate a business;
- Carry out administrative activities such as invoicing and collecting payments either locally on devices or using cloud-services;
- Store and exchange personal information contained in documents through email and cloud-services;
- Marketing and customer acquisition through email or using cloud-services.
Types of Data Shared with Third Parties and How They Are Processed
We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your Personal Data outside Nigeria. If we do, you can expect a similar degree of protection in respect of your Personal Data. We will only share your Personal Data with third parties in accordance with the NDPR and as outlined in the legal justification table above. We share your personal data with the following enterprise third parties. We also share your data with SME third parties, details of which are available upon request. You will be notified when we have engaged with a new third party recipient of your personal data.
Third Party Service Providers
| Third Party | Purpose | Data Subject | Security Measures |
|---|---|---|---|
| Cloud services | Users (Contractual necessity) | Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. Physical security such as access controls, clean desk policy and CCTV; | |
| Amazon Web Services | Cloud services | Users (Contractual necessity) | Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. Physical security such as access controls, clean desk policy and CCTV; |
| Stripe | Payment processing | Users (Contractual necessity) | Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. Physical security such as access controls, clean desk policy and CCTV; |
| Paystack | Payment processing | Users (Contractual necessity) | PCI DSS compliant processing; role based access; strong authentication; encryption at rest and in transit; operational and physical controls as above; |
| Supabase | Managed database, authentication and storage | Users (Contractual necessity) | Role based access; strong authentication; encryption at rest and in transit; environment hardening; logging; retention controls aligned to this policy; |
| OpenRouter | Model routing and AI inference services | Users (Contractual necessity) | Role based access; strong authentication; encryption at rest and in transit; contractual limits on data use including no training on customer data without a separate written agreement. |
| Github | Code Management | Company (Contractual necessity) | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
Third Party Privacy Policies
International Data Transfers
The third parties we have engaged for the above mentioned business process may transfer your personal information outside of Nigeria. Lerxs' third party processors take all necessary measures to ensure the confidentiality, availability and integrity of personal data and to comply with the NDPR with regards to international data transfers. The international nature of its compliance certifications, as well as far-reaching technical security measures (including but not limited to encryption of the personal data, making the data illegible to an unauthorised recipient) are sufficient to ensure that the data subjects continue to benefit from the fundamental rights they are entitled to under the NDPR. Where Lerxs transfers data to other countries, it relies on the following legal grounds for international data transfers:
- Consent of the data subject for the transfer
- Appropriate safeguards in the form of Standard Contractual Clauses or Binding Corporate Rules
- Supplementary security measures to safeguard the international data transfer with one or more of the following measures:
- Encryption
- Anonymisation
- Pseudonymisation
- Compliance with NDPR cross-border transfer requirements
Storage and Protection of Data
Your data is protected by Lerxs and its processors in pursuance to all legal requirements set by the relevant data processing laws. Lerxs has taken technical and organizational security measures to protect your data and requires its data processors to meet the same requirements. Lerxs has signed processing agreements with its processors to ensure an adequate level of data protection.
The following security measures are taken by Lerxs to protect your personal data in the course of the listed business processes:
Organisational Security Measures
Lerxs' staff members are required to conduct themselves in a manner consistent with Lerxs' guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. All staff members undergo appropriate background checks prior to hiring and sign a confidentiality agreement outlining their responsibility in protecting customer data. We continuously train staff members on best security practices, including how to identify social hacks, phishing scams, and hackers.
Access Controls
Lerxs maintains your data privacy by allowing only authorized individuals access to information when it is critical to complete tasks for you. Lerxs staff members will not process customer data without authorization.
Data Hosting
As a rule, data is hosted within countries and areas that provide a substantially similar level of protection as data subjects have under the NDPR. We rely on Standard Contractual Clauses with the recipient and take supplementary security measures to secure international data transfers, such as encryption and anonymisation.
Physical Security
The data centres on which personal data is hosted are secured and monitored 24/7 and physical access to facilities is strictly limited to select staff.
Technical Security Measures
All devices which are used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption and access management. We regularly update operating systems and software to ensure vulnerabilities cannot be exploited. We carry out regular vulnerability scanning of our website and have engaged credentialed external auditors to verify the adequacy of our security and privacy measures. Data at rest is encrypted using AES 256. Data in transit uses TLS 1.2 or higher. Keys are generated and stored in a managed key service with role based access, separation of duties, rotation on a defined schedule, and audit logging. Compromised keys are revoked without delay.
Patient Information Obfuscation Before Third Party Processing
Before any patient information is sent to third parties for processing, Lerxs removes direct identifiers and applies obfuscation methods such as tokenisation, hashing, truncation, generalisation of dates or locations, suppression of identity signals in free text, and k anonymisation where suitable. Any mapping values required for business purposes are stored separately under strict access controls and encryption. Contracts prohibit recipients from attempting re identification and limit use to the documented purpose.
Data Request
Each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of their personal data, as well as the right to object to the processing and the right to data portability. You also have the right to request that you are not made subject to decision making based solely on automated processes, including profiling, if these decisions would have a significant effect on you. You can exercise these rights by contacting us at the following email address: daniel@lerxs.com. If we have any doubts as to your identity, we may request you to provide us with proof of identification, such as through sending us a copy of your valid ID. Ensure that you write "Data Request" in the subject line of your email. Within one month of the submitted request, you will receive an answer from us. We will not charge you for submitting your request unless the request is manifestly unfounded or otherwise unreasonable in its nature. Depending on the complexity and the number of the requests this period may be extended to two months.
Marketing
- You may receive commercial offers from Lerxs. If you do not wish to receive them (anymore), please send us an email to the following address: pr@lerxs.com and ensure that you write "Data Opt-Out" in the subject line of your email.
- Your personal data will not be used by our partners for commercial purposes.
- If you encounter any personal data from other data subjects while visiting our website, you are to refrain from collection, any unauthorized use or any other act that constitutes an infringement of the privacy of the data subject(s) in question. The collector is not responsible in these circumstances.
Data Retention
- The collected data are used and retained for the duration determined by law. You may, at any time, request your data to be deleted from any Lerxs account, system or other data processing medium in accordance with the process described above.
- Default retention window: unless a longer period is required by law or an executed contract, customer submitted content, derived outputs, usage logs, and system backups are retained for a maximum of 24 hours. After 24 hours, automated jobs delete primary records and any replicas or backups. If a legal hold applies, deletion is paused until the hold is released. Earlier deletion can be requested using the Data Request process above.
Applicable Law
These conditions are governed by the laws and regulations of the country where we are headquartered. The court in the district where we are headquartered has the sole jurisdiction if any dispute regarding these conditions may arise, save when a legal exception applies.
Children's Data
We do not knowingly process children's data, unless specifically stated in this Privacy Policy. If you have concerns about or knowledge of a child using our services, products, websites or apps without parental consent, please contact our DPO via daniel@lerxs.com to ensure we can take appropriate action as soon as possible.
Contact Us
For any questions or concerns regarding our privacy policies, please contact our dedicated compliance team at pr@lerxs.com or use the contact form on our website.
Data Protection Officer
Fatunmbi Daniel
Email: daniel@lerxs.com
Email: dpo@lerxs.com
Privacy Inquiries
Email: privacy@lerxs.com
Phone: +234 913 066 1327
Postal Address
SUBARASHI-DOKITA.AI LTD
Back Testing Ground, Oranfe
Ile-Ife
Osun State
Nigeria
Last Updated: 21st August, 2025
SUBARASHI-DOKITA.AI LTD (Trading as Lerxs Health)