← Back to Lexitio

Privacy Policy

Effective date: April 23, 2026  ·  Last updated: June 14, 2026

Security, Compliance & Data Privacy

Your data is encrypted (AES-256 at rest, TLS 1.3 in transit), logically isolated per firm, and processed only under contractual privacy protections. Our database and edge run on SOC 2 Type II–certified cloud infrastructure; our own application-layer SOC 2 audit is in progress. Privileged content and PHI are handled under a Business Associate Agreement and are never used to train public AI models.

SOC 2 Type II infrastructureAES-256TLS 1.3BAA-covered AIRBAC + MFA

Full details on our Security page.

1. What Data We Collect

We collect the following categories of data:

  • Account data: Your name, email address, firm name, and password hash (we never store plaintext passwords).
  • Matter and client data: Case files, client names and contact information, documents, notes, and other data you create or upload within the Service.
  • Evidence and research uploads: Documents, images, and other files you upload for analysis or investigation.
  • Usage analytics: Feature usage, query counts, session duration, and aggregate performance metrics used to improve the Service. This data is not linked to individual matters.
  • Technical data: IP address, browser type, device type, and access timestamps, collected for security and audit purposes.

2. How We Use Your Data

We use the data we collect to:

  • Provide, maintain, and improve the Service.
  • Process AI queries on your behalf using third-party LLM providers (see Section 4).
  • Send transactional emails (account notifications, billing receipts, export links).
  • Enforce our Terms of Service and prevent abuse.
  • Comply with legal obligations, including responding to lawful requests from authorities.

3. AI Training — Your Data Is Not Used to Train Models

Important

Your matter data, client information, uploaded documents, and AI query content are not used to train any AI model — including Lexitio’s own models or any third-party model providers we work with.

We use Anthropic’s API under Anthropic’s zero-data-retention API terms, which prohibit Anthropic from using API input/output for model training. We apply the same contractual restriction to any other LLM provider we use.

4. Third-Party Subprocessors

We work with the following third-party services to provide the Service:

ProviderPurposeData transferred
AnthropicAI co-counsel (Claude) — primary, under BAAQuery text, document excerpts
OpenAIAI language model (fallback, non-privileged)Query text, document excerpts
GroqAI inference for non-privileged tasksQuery text (non-privileged)
NeonManaged PostgreSQL database (US)Account, matter, and client data
VercelFrontend hosting & CDNRequest data, IP address
HostingerBackend application hosting (US)Data processed during compute
Backblaze B2Encrypted offsite database backupsBackup copies of stored data
StripePayment processingBilling details (Stripe stores card data; we do not)
ResendTransactional email deliveryEmail address, email content
SentryError monitoringStack traces, anonymized request metadata

5. Data Retention

Active account data is retained for the duration of your subscription. When you cancel, your data is retained for 30 days to allow for export, then deleted.

Firm administrators may configure a custom retention policy (in days) for closed and archived matters via the firm settings page. Matters subject to a legal hold are exempt from automatic deletion.

Audit logs are retained for a minimum of 7 years for legal compliance and are append-only. They cannot be modified or deleted.

6. Your Rights

You have the right to:

  • Access all data we hold about you and your firm via the audit log and data export features.
  • Export all your firm’s data at any time using Settings → Export. Exports include matters, clients, evidence, documents, invoices, and time entries as a ZIP archive delivered to your email.
  • Delete your account by contacting privacy@lexitio.com. We will delete your data within 30 days, subject to legal hold requirements and applicable law.
  • Correct inaccurate personal data by updating your account settings.
  • Portability: Export your data in machine-readable JSON format using the export feature described above.

7. Security Measures

  • Stored files use S3-compatible object storage with server-side AES-256 encryption; our managed PostgreSQL database is encrypted at rest by the infrastructure provider.
  • All data in transit is protected by TLS 1.2 or higher.
  • Passwords are hashed using bcrypt with per-user salts.
  • Every sensitive action is recorded in an append-only, tamper-evident audit log.
  • Each firm’s data is stored in an isolated tenant namespace. Cross-tenant data access is prevented at the application and database level.
  • Login attempts are rate-limited and accounts are locked after repeated failed attempts.

8. Cookies and Tracking

The Service uses a session token stored in your browser’s local storage for authentication. We do not use third-party advertising cookies. We may use first-party analytics to understand feature usage; this data is aggregate and not linked to individual clients or matters.

9. Children’s Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, contact us at privacy@lexitio.com and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice in the application at least 30 days before changes take effect.

11. Contact

For privacy-related requests or questions, contact our privacy team at privacy@lexitio.com.

HomeTerms of ServiceDo Not Share My Personal Informationprivacy@lexitio.com