← Back to Lexitio

Privacy Policy

Effective date: April 23, 2026  ·  Last updated: June 14, 2026

Security, Compliance & Data Privacy

Your data is encrypted (AES-256 at rest, TLS 1.3 in transit), logically isolated per firm, and processed only under contractual privacy protections. Our database and edge run on SOC 2 Type II–certified cloud infrastructure; our own application-layer SOC 2 audit is in progress. Privileged content and PHI are handled under a Business Associate Agreement and are never used to train public AI models.

SOC 2 Type II infrastructureAES-256TLS 1.3BAA-covered AIRBAC + MFA

Full details on our Security page.

1. What Data We Collect

We collect the following categories of data:

  • Account data: Your name, email address, firm name, and password hash (we never store plaintext passwords).
  • Matter and client data: Case files, client names and contact information, documents, notes, and other data you create or upload within the Service.
  • Evidence and research uploads: Documents, images, and other files you upload for analysis or investigation.
  • Usage analytics: Feature usage, query counts, session duration, and aggregate performance metrics used to improve the Service. This data is not linked to individual matters.
  • Technical data: IP address, browser type, device type, and access timestamps, collected for security and audit purposes.

2. How We Use Your Data

We use the data we collect to:

  • Provide, maintain, and improve the Service.
  • Process AI queries on your behalf using third-party LLM providers (see Section 4).
  • Send transactional emails (account notifications, billing receipts, export links).
  • Enforce our Terms of Service and prevent abuse.
  • Comply with legal obligations, including responding to lawful requests from authorities.

3. AI Training — Your Data Is Not Used to Train Models

Important

Your matter data, client information, uploaded documents, and AI query content are not used to train any AI model — including Lexitio’s own models or any third-party model providers we work with.

We use our AI providers’ APIs under zero-data-retention terms, which prohibit them from using API input/output for model training. We apply the same contractual restriction to every LLM provider we use.

4. Third-Party Subprocessors

We rely on a small set of vetted providers to run the Service — US-based cloud hosting and CDN, a managed database with encrypted offsite backups, AI model providers (under contractual no-training terms), a payment processor, transactional email, and error monitoring. Each receives only the data needed for its function, is bound by contractual privacy and security obligations, and none may use your data to train AI models. A current list of subprocessors is available on request at privacy@lexitio.com.

5. Data Retention

Active account data is retained for the duration of your subscription. When you cancel, your data is retained for 30 days to allow for export, then deleted.

Firm administrators may configure a custom retention policy (in days) for closed and archived matters via the firm settings page. Matters subject to a legal hold are exempt from automatic deletion.

Audit logs are retained for a minimum of 7 years for legal compliance and are append-only. They cannot be modified or deleted.

6. Your Rights

You have the right to:

  • Access all data we hold about you and your firm via the audit log and data export features.
  • Export all your firm’s data at any time using Settings → Export. Exports include matters, clients, evidence, documents, invoices, and time entries as a ZIP archive delivered to your email.
  • Delete your account by contacting privacy@lexitio.com. We will delete your data within 30 days, subject to legal hold requirements and applicable law.
  • Correct inaccurate personal data by updating your account settings.
  • Portability: Export your data in machine-readable JSON format using the export feature described above.

7. Security Measures

  • Stored files use S3-compatible object storage with server-side AES-256 encryption; our managed PostgreSQL database is encrypted at rest by the infrastructure provider.
  • All data in transit is protected by TLS 1.2 or higher.
  • Passwords are hashed using bcrypt with per-user salts.
  • Every sensitive action is recorded in an append-only, tamper-evident audit log.
  • Each firm’s data is stored in an isolated tenant namespace. Cross-tenant data access is prevented at the application and database level.
  • Login attempts are rate-limited and accounts are locked after repeated failed attempts.

8. Cookies and Tracking

The Service uses a session token stored in your browser’s local storage for authentication. These necessary cookies are always on. With your consent, we also use third-party analytics cookies (such as Google Analytics) to understand how the Service is used and improve it; this data is aggregate and not linked to individual clients or matters. You can decline non-essential cookies at any time using the cookie banner (“Necessary only”), and analytics will not load unless you accept.

9. Children’s Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, contact us at privacy@lexitio.com and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice in the application at least 30 days before changes take effect.

11. Contact

For privacy-related requests or questions, contact our privacy team at privacy@lexitio.com.