Privacy Policy | DALEXOR

Document Version: 2.0 | Effective Date: December 25, 2025

Data Controller: Dalexor | Jurisdiction: Romania, European Union

Regulatory Framework: GDPR (EU) 2016/679 | EU AI Act (EU) 2024/1689 | ePrivacy Directive | CCPA | BIPA

ARTICLE 1: INTRODUCTION AND SCOPE

1.1 About This Policy

Dalexor ("Dalexor", "we", "us", "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information when you:

Visit our website (www.dalexor.com);
Use our DALEXOR intelligent surveillance platform for personal household security;
Interact with our services, support, or marketing communications;
Are detected by surveillance systems operated by our customers in their private residences.

Household-Only Service: DALEXOR is designed exclusively for personal household and family use. We do not provide services for commercial, business, or professional purposes.

1.2 Data Controller Information

Dalexor
Registered office: Oradea, Romania
European Union
Email: support@dalexor.com
Data Protection Officer: support@dalexor.com

1.3 Legal Basis for Processing

We process personal data under the following legal bases as defined in GDPR Article 6:

Consent (Art. 6(1)(a)): Where you have given explicit consent for specific processing activities;
Contract (Art. 6(1)(b)): Where processing is necessary to perform our contract with you;
Legal Obligation (Art. 6(1)(c)): Where processing is required by law;
Legitimate Interests (Art. 6(1)(f)): Where processing is necessary for our legitimate business interests, balanced against your rights.

ARTICLE 2: INFORMATION WE COLLECT

2.1 Information You Provide Directly

Category	Data Types	Purpose
Contact Information	Name, email, phone	Communication, support
Account Information	Username, password (hashed), preferences	Service access, personalization
Payment Information	Billing address, payment method (via processor)	Transaction processing
Support Communications	Tickets, emails, chat logs	Customer support

2.2 Information Collected Automatically

Device Information: Browser type, operating system, device identifiers, screen resolution;
Usage Data: Pages visited, features used, click patterns, session duration;
Log Data: IP address, access timestamps, referring URLs, error logs;
Cookies and Tracking: Session cookies, analytics cookies (with consent), preference cookies.

2.3 Biometric Data Processing (CRITICAL SECTION)

This section explains how biometric data is handled within the DALEXOR surveillance platform. Please read carefully.

2.3.1 For Enrolled Persons (With Consent)

When an individual voluntarily enrolls in the system with explicit, informed consent:

Data Collected: Facial embeddings (mathematical representations), enrollment photographs;
Storage Location: Locally on customer's hardware (NOT on Dalexor servers);
Purpose: Identity verification for authorized access and personalized security;
Retention: Until enrollment is revoked by the data subject or as configured by the customer;
Legal Basis: Explicit consent (GDPR Art. 9(2)(a)).

Processing of biometric data (special category data under Art. 9 GDPR) is based exclusively on explicit consent. We do not rely on any other exception under Article 9.

2.3.1.1 Enrollment Requirements

Age Restriction: Individuals under 18 years of age may only be enrolled with explicit parental or legal guardian consent.

Consent Requirements: Before enrolling, individuals must receive clear information about:

What biometric data will be collected (facial embeddings, photographs)
How data will be used (identity verification, journey tracking)
Where data is stored (locally on customer's hardware)
How long data is retained (until revocation)
How to withdraw consent and delete data

Consent Format: Consent must be explicit, informed, freely given, and documented by the customer (system owner).

Consent Withdrawal: Enrolled persons may withdraw consent at any time by contacting the customer (system owner). Upon withdrawal, all biometric data is permanently deleted within 24 hours, and the individual will thereafter be treated as a stranger.

2.3.2 For Strangers (Face Visible, Not Enrolled)

Definition: A "Stranger" is any person detected with a visible, unobscured face who is NOT enrolled in the system.

Privacy-First Architecture: The DALEXOR platform implements strict privacy protections for strangers:

Temporary RAM Processing Only: When a stranger is detected, their facial embedding is temporarily generated in volatile RAM memory for real-time identification comparison;
1-Hour RAM Retention: Facial embeddings remain in RAM for up to 1 hour after the person is last detected, enabling intelligent alert filtering (e.g., "same stranger seen 5 minutes ago, don't re-alert");
Automatic RAM Purge: All facial embeddings are automatically purged from RAM within 1 hour of last detection or upon system restart;
NO Persistent Storage: Facial embeddings, facial geometry, photographs, or appearance descriptions of strangers are NEVER written to disk, databases, or any permanent storage;
Cross-Camera Tracking: During active presence, the same stranger can be tracked across multiple cameras to provide comprehensive security monitoring;
Anonymized Logs Only: After RAM purge, only anonymized event logs remain: "Stranger detected at [timestamp] in [location]" with no biometric or identifying information;
No Profile Building: The system does NOT build profiles, databases, or historical records of strangers;
Technical Enforcement: These privacy protections are hardcoded at the architecture level and cannot be disabled.

Intelligent Alert Filtering: By maintaining facial embeddings in RAM for up to 1 hour, the system can recognize when the same stranger appears multiple times (e.g., delivery person making repeated trips) and intelligently filter redundant alerts. This temporary identification exists solely for real-time alert deduplication and nuisance reduction. No stable identifier survives the 1-hour window, and no historical tracking data is retained. This approach is commonly used in modern consumer security cameras to improve user experience without compromising privacy.

Why This Matters: This RAM-only, time-limited approach, combined with exclusive household/personal use licensing, we believe that the DALEXOR platform, when used strictly for personal household purposes as intended and licensed, is likely to fall within the scope of the household exemption under Article 2(2)(d) of the EU AI Act. Strangers' biometric data is processed transiently for security purposes but never permanently collected, stored, or used for profiling. However, the final legal classification always depends on the specific circumstances of use. Customers remain responsible for ensuring that their particular deployment complies with the applicable provisions of the EU AI Act and other relevant legislation.

2.3.3 For Obscured/Masked Persons (Face Not Visible)

Definition: An "Obscured Person" or "Masked Person" is any individual detected where the face is not visible or cannot be analyzed (masked, obscured, back turned, hooded, or detection confidence below recognition threshold).

Detection Behavior:

The system detects human presence through body detection algorithms;
No facial embedding is generated (face not visible);
No biometric data is processed or stored;
Detection is purely motion/body-based.

Security Implications: Obscured persons may trigger heightened security alerts when cameras are in Security Mode or Away Mode, as facial obscurement may indicate intentional concealment or unauthorized access.

Privacy Protection: Since no facial analysis occurs, no biometric data is collected or processed. Only anonymized event logs are retained: "Obscured person detected at [timestamp] in [location]."

Why This Matters: This architecture ensures DALEXOR is classified as a "limited-risk" AI system under the EU AI Act, NOT a prohibited mass surveillance system. Unknown persons' biometric data is never collected, stored, or profiled.

2.4 Video Footage and Recording

Household Security Only: All recording and monitoring functions are designed exclusively for private residential security. The system is not intended for commercial surveillance.

Recording Trigger: Video recording begins ONLY when a person (enrolled, stranger, or obscured) is detected on camera. No recording occurs when no persons are present;
Pre-Detection Buffer: The system may buffer up to 10 seconds of video before person detection to capture context leading to the detection event;
Storage: All video footage is stored locally on customer's hardware with NO cloud dependencies;
Offline Operation: The system works both offline and online with no cloud dependencies - core surveillance functionality works without internet;
Dalexor Access: We do NOT have access to customer video footage unless explicitly shared by the customer for technical support purposes;
Cross-Camera Analysis: Person detections are tracked across multiple cameras for comprehensive security monitoring and journey tracking (enrolled persons only);
Retention: Customer-configurable up to 365 days maximum (default: 365 days with automatic deletion).

Important: While enrolled persons receive full journey tracking with historical movement records, strangers receive only transient cross-camera tracking during active presence (up to 10 minutes in RAM), with no historical tracking data retained after RAM purge.

2.5 Security Modes and Alert System

Security Modes

The DALEXOR platform offers flexible security modes adaptable to different scenarios:

Home Mode: Relaxed monitoring for when residents are present;
Security/Away Mode: Heightened alert sensitivity for when premises should be unoccupied;
Night Mode: Optimized for low-light conditions with adjusted alert thresholds;
Guest Mode: Temporary mode for expected visitors with reduced alert sensitivity.

Camera-Specific Configuration

Each camera can be configured with individual security modes (e.g., outdoor cameras in Security Mode while indoor cameras remain in Home Mode), providing granular control over monitoring behavior.

Siren and Alert Logic

Siren Triggering: Sirens activate automatically when:

A stranger is detected on a camera set to Security Mode or Away Mode;
An obscured/masked person is detected on a camera set to Security Mode or Away Mode;
A perimeter zone breach occurs (configurable red zones).

Siren Exceptions: Sirens do NOT activate for:

Enrolled persons (recognized and authorized);
Strangers or obscured persons detected on cameras in Home Mode, Night Mode, or Guest Mode.

Alert Notifications

Phone App Integration: Real-time alerts sent via phone app. Phone alerts are sent using secure encrypted channels. Alerts are sent when:

Strangers are detected (with intelligent filtering to reduce redundant alerts for the same stranger within 1 hour);
Obscured/masked persons are detected;
Perimeter zones are breached;
Security mode violations occur.

Intelligent Alert Filtering: The system uses temporary RAM-stored facial embeddings (for strangers only) to recognize repeated detections of the same individual within 1 hour, reducing alert fatigue while maintaining security. All biometric data used for this filtering is automatically purged from RAM after 1 hour.

Perimeter Zones

Customers can configure virtual "red zones" (perimeter boundaries) that trigger immediate alerts when crossed, enabling advanced perimeter detection and early warning capabilities.

ARTICLE 3: HOW WE USE YOUR INFORMATION

3.1 Primary Purposes

Service Delivery: Providing, maintaining, and improving the DALEXOR platform;
Account Management: Creating and managing your account, authentication;
Customer Support: Responding to inquiries, troubleshooting, technical assistance;
Transaction Processing: Processing payments, invoicing, billing;
Security: Detecting fraud, protecting against unauthorized access;
Legal Compliance: Meeting regulatory requirements, responding to legal requests.

3.2 Secondary Purposes (With Consent)

Marketing Communications: Product updates, newsletters, promotional offers (opt-in only);
Analytics: Understanding usage patterns to improve services;
Research: Developing new features and capabilities.

3.3 Automated Decision-Making

The DALEXOR platform uses AI for threat detection and behavioral analysis. However:

AI outputs are decision-support tools, not autonomous decision-makers;
Human oversight is required before any consequential action;
You have the right to request human review of any automated assessment;
We do not use automated profiling for decisions with legal effects.

ARTICLE 4: DATA SHARING AND DISCLOSURE

4.1 We Do NOT Sell Personal Data

Dalexor does not sell, rent, or trade your personal information to third parties for their marketing purposes.

4.2 Categories of Recipients

Service Providers: Cloud hosting (EU-based), payment processors (PCI-DSS compliant), analytics providers (privacy-focused);
Professional Advisors: Lawyers, accountants, auditors under confidentiality obligations;
Business Transfers: In connection with mergers, acquisitions, or asset sales (with notice);
Legal Requirements: When required by law, court order, or to protect rights and safety.

4.3 Sub-Processors

We maintain a list of sub-processors who may process personal data on our behalf. Current sub-processors include:

Cloud Infrastructure: EU-based data centers;
Payment Processing: Stripe (PCI-DSS Level 1);
Email Services: Privacy-focused email provider;
Analytics: Self-hosted, privacy-respecting analytics.

We will notify customers of any changes to sub-processors with at least 30 days' notice.

ARTICLE 5: DATA SECURITY

5.1 Technical Measures

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest;
Access Controls: Role-based access, multi-factor authentication, least privilege;
Network Security: Firewalls, intrusion detection, DDoS protection;
Secure Development: Security-by-design, code reviews, penetration testing;
Monitoring: 24/7 security monitoring, anomaly detection, audit logging.

5.2 Organizational Measures

Employee Training: Regular privacy and security training;
Background Checks: For employees with data access;
Confidentiality Agreements: All staff bound by confidentiality;
Incident Response: Documented procedures for security incidents;
Vendor Management: Due diligence and contractual protections for sub-processors.

5.3 Breach Notification

In the event of a personal data breach:

We will notify the relevant supervisory authority within 72 hours (where required);
We will notify affected individuals without undue delay if the breach poses high risk;
We will document all breaches and remediation actions.

5.3.1 Biometric Data Breaches (BIPA Compliance)

In the event of a breach involving biometric data of enrolled persons:

Immediate Assessment: We will assess the scope and risk within 24 hours;
Authority Notification: Relevant supervisory authority notified within 72 hours;
Individual Notification: Affected enrolled persons notified within 72 hours;
Customer Notification: Customers (system owners) notified immediately;
Remediation: Immediate steps taken to contain and remediate the breach;
Documentation: Full incident report maintained for regulatory compliance.

Customer Obligations: If a customer experiences a breach of biometric data stored on their hardware, they must:

Notify affected enrolled persons immediately;
Notify Dalexor within 24 hours at support@dalexor.com;
Document the breach per applicable regulations (GDPR, BIPA);
Take immediate remediation steps.

ARTICLE 6: YOUR RIGHTS

6.1 GDPR Rights (EEA Residents)

Under the General Data Protection Regulation, you have the following rights:

Right of Access (Art. 15): Obtain confirmation of processing and a copy of your data;
Right to Rectification (Art. 16): Correct inaccurate or incomplete data;
Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten");
Right to Restriction (Art. 18): Limit processing in certain circumstances;
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format;
Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing;
Right to Withdraw Consent (Art. 7): Withdraw consent at any time (without affecting prior processing);
Right to Lodge a Complaint (Art. 77): File a complaint with a supervisory authority.

6.3 Illinois Biometric Information Privacy Act (BIPA) Considerations

When Illinois residents are enrolled in a DALEXOR system by a customer located in Illinois, that customer (system owner) may become subject to the Illinois Biometric Information Privacy Act. Dalexor is not directly subject to BIPA. However, we design the system to facilitate customer compliance with BIPA requirements when applicable, including:

Requiring written informed consent before biometric enrollment;
Local-only storage of biometric data;
No sale/leasing/profit from biometric data;
The system is designed to support customer compliance with retention and destruction obligations under applicable biometric privacy laws.

Illinois residents with BIPA concerns should contact the system owner directly, as they are the data controller responsible for BIPA compliance.

6.2 CCPA Rights (California Residents)

For California residents (CCPA/CPRA): Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

Right to Know: Know what personal information is collected about you;
Right to Delete: Request deletion of your personal information;
Right to Opt-out: Say no to the sale or sharing of personal information (we do not sell or share personal information for targeted advertising);
Right to Correct: Correct inaccurate personal information;
Right to Limit: Limit use of sensitive personal information;
Receive equal service and price if you exercise your privacy rights.

6.4 How to Exercise Your Rights

To exercise any of your rights, contact us at:

Email: support@dalexor.com
Subject Line: "Data Subject Request - [Your Request Type]"
Response Time: Within 30 days (extendable by 60 days for complex requests)
Verification: We may need to verify your identity before processing requests

ARTICLE 7: DATA RETENTION

7.1 Retention Periods

Data Category	Retention Period	Basis
Account Data	Duration of account + 3 years	Contract, legal
Transaction Records	7 years	Tax/accounting law
Support Communications	3 years after resolution	Legitimate interest
Marketing Preferences	Until withdrawal + 1 year	Consent
Enrolled Person Biometrics	Until revoked by data subject	Consent
Unknown Person Data	Transient processing only (purged from RAM within 1 hour)	Privacy by design
Video Footage (Customer)	Customer-configured (default 365 days)	Customer policy

7.2 Deletion Process

When data reaches the end of its retention period or upon valid deletion request:

Data is securely deleted from primary systems within 30 days;
Backup copies are deleted within 90 days;
Anonymized/aggregated data may be retained for analytics;
Deletion is logged for audit purposes.

ARTICLE 8: INTERNATIONAL DATA TRANSFERS

8.1 Transfer Mechanisms

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards:

Adequacy Decisions: Transfers to countries with adequate protection (per EU Commission);
Standard Contractual Clauses: EU-approved contractual protections;
Binding Corporate Rules: For intra-group transfers;
Supplementary Measures: Additional technical and organizational safeguards as needed.

8.2 Data Localization

The DALEXOR platform is designed for local processing:

All surveillance data is processed locally on customer hardware;
Biometric data never leaves the customer's premises;
Cloud features (if enabled) use EU-based data centers;
Customers can configure data residency requirements.

ARTICLE 9: COOKIES AND TRACKING

9.1 Types of Cookies

Essential Cookies: Required for website functionality (no consent needed);
Preference Cookies: Remember your settings (consent required);
Analytics Cookies: Understand usage patterns (consent required);
Marketing Cookies: NOT USED - we do not use advertising cookies.

ARTICLE 10: CHILDREN'S PRIVACY

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete that information promptly. If you believe we have collected information from a child, please contact us at support@dalexor.com.

ARTICLE 11: THIRD-PARTY LINKS

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

ARTICLE 12: CHANGES TO THIS POLICY

12.1 Notification of Changes

We may update this Privacy Policy periodically. For material changes:

We will provide at least 30 days' notice before the changes take effect;
We will notify you via email and/or prominent notice on our website;
We will update the "Effective Date" at the top of this policy;
Continued use after the effective date constitutes acceptance.

12.2 Version History

Version 2.0 (December 25, 2025): Comprehensive update with GDPR, CCPA, BIPA, EU AI Act compliance;
Version 1.0 (December 25, 2025): Initial privacy policy.

ARTICLE 13: DATA PROCESSING ROLES

13.1 Controller-Processor Relationship

For Surveillance Data (Enrolled Persons & Video):

Customer is the Data Controller: The customer (system owner/operator) determines purposes and means of processing;
Customer's Responsibilities: Obtaining consents, providing privacy notices, responding to data subject rights, breach notification;
Dalexor's Role: We provide the technology platform but do NOT access, process, or control surveillance data unless explicitly provided for support.

For Account & Billing Data:

Dalexor is the Data Controller: We determine how account, billing, and support data is processed;
Processing Covered By: This Privacy Policy.

13.2 Data Processing Agreement

For customers who require a formal Data Processing Agreement (DPA) under GDPR Article 28, we provide a standard DPA available upon request at support@dalexor.com. The DPA incorporates EU Standard Contractual Clauses for any international data transfers and clarifies that Dalexor acts as a data processor while Customer remains the data controller for surveillance data.

13.3 Customer Obligations as Controller

When operating DALEXOR surveillance systems, customers must:

Conduct Data Protection Impact Assessments (DPIA) before deployment;
Provide clear privacy notices to all persons who may be monitored;
Obtain valid consents for enrolling persons' biometric data;
Implement human oversight of AI-generated alerts per EU AI Act Article 14;
Respond to data subject rights requests within legal timeframes;
Maintain records of processing activities per GDPR Article 30;
Report breaches to authorities and affected individuals as required.

ARTICLE 14: CONTACT INFORMATION

Data Protection Contacts

General Privacy Inquiries:
Email: support@dalexor.com

Data Protection Officer:
Email: support@dalexor.com

Data Subject Requests:
Email: support@dalexor.com
Subject: "Data Subject Request"

Postal Address:
Dalexor
Attn: Privacy Team
Oradea, Romania
European Union

Supervisory Authority:
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Romanian Data Protection Authority (ANSPDCP)
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania

For EEA Residents: You may also contact your local data protection authority. A complete list is available at: https://edpb.europa.eu/about-edpb/board/members_en

BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.

This Privacy Policy is effective as of December 25, 2025.