Privacy Policy — Lexitio

1. What Data We Collect

We collect the following categories of data:

Account data: Your name, email address, firm name, and password hash (we never store plaintext passwords).
Matter and client data: Case files, client names and contact information, documents, notes, and other data you create or upload within the Service.
Evidence and research uploads: Documents, images, and other files you upload for analysis or investigation.
Usage analytics: Feature usage, query counts, session duration, and aggregate performance metrics used to improve the Service. This data is not linked to individual matters.
Technical data: IP address, browser type, device type, and access timestamps, collected for security and audit purposes.

2. How We Use Your Data

We use the data we collect to:

Provide, maintain, and improve the Service.
Process AI queries on your behalf using third-party LLM providers (see Section 4).
Send transactional emails (account notifications, billing receipts, export links).
Enforce our Terms of Service and prevent abuse.
Comply with legal obligations, including responding to lawful requests from authorities.

3. AI Training — Your Data Is Not Used to Train Models

Important

Your matter data, client information, uploaded documents, and AI query content are not used to train any AI model — including Lexitio’s own models or any third-party model providers we work with.

We use Anthropic’s API under Anthropic’s zero-data-retention API terms, which prohibit Anthropic from using API input/output for model training. We apply the same contractual restriction to any other LLM provider we use.

4. Third-Party Subprocessors

We work with the following third-party services to provide the Service:

Provider	Purpose	Data transferred
Anthropic	AI language model (Claude)	Query text, document excerpts
OpenAI	AI language model (GPT — optional fallback)	Query text, document excerpts
Amazon Web Services	File storage (S3) and infrastructure	Uploaded files (encrypted at rest)
Stripe	Payment processing	Billing details (Stripe stores card data; we do not)
SendGrid / SMTP	Transactional email delivery	Email address, email content
Sentry	Error monitoring	Stack traces, anonymized request metadata

5. Data Retention

Active account data is retained for the duration of your subscription. When you cancel, your data is retained for 30 days to allow for export, then deleted.

Firm administrators may configure a custom retention policy (in days) for closed and archived matters via the firm settings page. Matters subject to a legal hold are exempt from automatic deletion.

Audit logs are retained for a minimum of 7 years for legal compliance and are append-only. They cannot be modified or deleted.

6. Your Rights

You have the right to:

Access all data we hold about you and your firm via the audit log and data export features.
Export all your firm’s data at any time using Settings → Export. Exports include matters, clients, evidence, documents, invoices, and time entries as a ZIP archive delivered to your email.
Delete your account by contacting privacy@lexitio.com. We will delete your data within 30 days, subject to legal hold requirements and applicable law.
Correct inaccurate personal data by updating your account settings.
Portability: Export your data in machine-readable JSON format using the export feature described above.

7. Security Measures

All data is encrypted at rest using AES-256 (AWS S3 SSE).
All data in transit is protected by TLS 1.2 or higher.
Passwords are hashed using bcrypt with per-user salts.
Every sensitive action is recorded in an append-only, tamper-evident audit log.
Each firm’s data is stored in an isolated tenant namespace. Cross-tenant data access is prevented at the application and database level.
Login attempts are rate-limited and accounts are locked after repeated failed attempts.

8. Cookies and Tracking

The Service uses a session token stored in your browser’s local storage for authentication. We do not use third-party advertising cookies. We may use first-party analytics to understand feature usage; this data is aggregate and not linked to individual clients or matters.

9. Children’s Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, contact us at privacy@lexitio.com and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice in the application at least 30 days before changes take effect.

11. Contact

For privacy-related requests or questions, contact our privacy team at privacy@lexitio.com.