Lexvory (“we”, “us”, “our”) operates the Lexvory web application at lexvory.app (the “Service”). This Privacy Policy explains how we process personal data when you use the Service.
We comply with the EU General Data Protection Regulation (GDPR), the EU AI Act, and applicable national laws. EU AI Act transparency disclosures — including our AI provider (Anthropic PBC / Claude), features (document compliance analysis and Inbox Copilot), intended purpose, limitations, human oversight requirements, and risk classification — are set out in Section 12.
1. Data controller
The data controller is Lexvory Ltd, 123 Example Street, Dublin, D01 AB12, Ireland. Company registration number: pending CRO registration (reference available on request at support@lexvory.app). For privacy-related requests, contact us at privacy@lexvory.app.
We are established in the European Economic Area (Ireland). An EU Article 27 representative is therefore not required. If you are in the United Kingdom and we do not have a UK establishment, you may contact us at the address and email above for all UK GDPR enquiries; we will appoint a UK representative under UK GDPR Article 27 if and when required based on the volume and nature of UK processing.
We assessed whether appointing a Data Protection Officer (DPO) is mandatory under GDPR Article 37(1) and Recital 97. Our core activities are providing B2B SaaS compliance tools to business customers. We do not conduct large-scale systematic monitoring of publicly accessible areas. Any special-category data in the Service arises from content customers upload under their control, not from our independent collection of such data. Based on the nature, scope, and context of our processing and our current scale, we concluded that a DPO is not mandatory. We document this assessment internally and review it at least annually or when processing changes materially. Privacy enquiries are handled by our privacy team at the contact address above.
2. Personal data we collect
We may collect and process the following categories of data:
- Account data: email address, authentication credentials (stored securely by our auth provider), and account preferences.
- Document data: files you upload (privacy policies, contracts, internal policies) and text extracted from them for compliance analysis.
- Email triage data: email text you paste into Inbox Copilot, including inferred sender, subject, and generated draft replies.
- Analysis results: compliance scores, issue lists, suggested fixes, urgency classifications, and related metadata.
- Usage & billing data: subscription plan, document usage counters, and payment-related identifiers processed by Stripe (we do not store full card numbers).
- Technical data: IP address, browser type, device information, and log data necessary to operate and secure the Service.
Summary of processing (layered notice)
| Activity | Data | Purpose | Legal basis |
|---|---|---|---|
| Account & auth | Email, credentials | Provide the Service | Contract (Art. 6(1)(b)) |
| Document analysis | Uploaded files & extracted text | Compliance gap analysis at your request | Contract (Art. 6(1)(b)) |
| Inbox Copilot | Pasted email text, draft replies | Email triage & draft assistance | Contract (Art. 6(1)(b)) |
| Billing | Plan, usage, payment IDs | Subscriptions & invoicing | Contract / legal obligation |
| Security & reliability | Logs, IP, device data | Secure and operate the Service | Legitimate interests (Art. 6(1)(f)) |
3. How we use your data
We use personal data solely for the following purposes:
- Providing, maintaining, and improving the Service you requested;
- Running AI-powered compliance and inbox analysis at your request;
- Managing subscriptions, usage limits, and billing;
- Communicating with you about your account or important Service changes;
- Detecting abuse, fraud, and security incidents;
- Complying with legal obligations.
We do not use your personal data for purposes incompatible with those described above. We do not sell personal data to third parties.
4. Legal bases (GDPR Article 6)
- Contract (Art. 6(1)(b)): processing necessary to deliver the Service you signed up for, including document analysis and account management.
- Legitimate interests (Art. 6(1)(f)): securing the Service, preventing abuse, and maintaining service reliability. Where we rely on legitimate interests for product improvement, that means analysing aggregated usage metrics (e.g. feature usage counts, error rates, performance timings) and technical logs to fix bugs and improve reliability — not using the substantive content of your uploaded documents or pasted emails for product development. Server logs are retained for up to 90 days because this period balances incident investigation (which may require correlating events over several weeks), abuse detection, and minimisation; shorter retention would impair our ability to investigate security events. We apply a balancing test weighing our interest in a secure, reliable Service against your rights; given the limited data categories involved and your ability to object (Section 10), we consider this processing proportionate. You may object as described in Section 10. We do not use customer document content to train third-party AI models without your explicit consent.
- Legal obligation (Art. 6(1)(c)): where required by applicable law, including tax and accounting obligations.
- Consent (Art. 6(1)(a)): where we ask for your explicit consent (e.g. optional marketing emails, if offered). You may withdraw consent at any time via the unsubscribe link in any marketing email, through account settings where available, or by emailing privacy@lexvory.app. Withdrawal is as easy as giving consent (Art. 7(3)). Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal (Art. 13(2)(c)).
5. Recipients & processors
We share personal data only with the following processors, solely to operate the Service. Each is bound by a data processing agreement that requires equivalent protection and restricts processing to our documented instructions:
- Google LLC (United States) — AI document analysis via the Gemini API. Customer content is processed only per request and is not used to train foundation models under our API terms. DPA: Google Cloud / AI API terms. Data transfers to the US are governed by EU Standard Contractual Clauses and supplementary measures;
- Anthropic PBC (United States) — fallback AI document and email analysis. Under our commercial API agreement, Anthropic processes submitted content only to fulfil each request and does not use that content to train its foundation models unless separately agreed. DPA: Anthropic Data Processing Addendum. Data transfers to the US are governed by EU Standard Contractual Clauses and supplementary measures;
- Supabase Inc. (United States / EU) — database, authentication, file storage, and transactional authentication emails. DPA: Supabase Data Processing Agreement. Data transfers to the US are governed by EU Standard Contractual Clauses;
- Stripe, Inc. (United States) — payment processing. DPA: Stripe Data Processing Agreement. Data transfers to the US are governed by EU Standard Contractual Clauses;
- Vercel Inc. (United States) — web application hosting, CDN, and serverless infrastructure. DPA: Vercel Data Processing Addendum. Data transfers to the US are governed by EU Standard Contractual Clauses.
These processors may engage sub-processors (e.g. cloud infrastructure, content delivery, or payment network providers) under GDPR Article 28(2). We authorise sub-processing only where covered by our data processing agreements and equivalent safeguards (including SCCs where transfers occur). Current sub-processor lists are published by each vendor (Anthropic, Supabase, Stripe, Vercel) and we review material changes. You may request an overview of sub-processor categories by emailing privacy@lexvory.app.
Do not upload documents or paste emails containing data you are not authorised to share. You are responsible for ensuring you have a lawful basis to process any personal data contained in content you submit.
6. Automated decision-making & profiling
The Service generates compliance scores and issue classifications using AI. These outputs assist your review of documents and emails; they are not used to make solely automated decisions that produce legal or similarly significant effects concerning you without meaningful human involvement (GDPR Article 22).
Where Article 22 applies or could apply, you have the right to obtain human intervention, to express your point of view, and to contest any decision (Art. 22(3)). We provide these safeguards by design: analysis outputs are advisory only, require human review before reliance, and you may request manual re-review or correction by contacting privacy@lexvory.app.
7. Data retention
We apply the storage limitation principle (GDPR Article 5(1)(e)). Specific retention periods:
- Account data: from registration until you delete your account; deleted within 30 days of confirmed account closure.
- Uploaded documents: retained for up to 24 months from upload, or until you delete them or close your account, whichever is earlier.
- Analysis results: retained for up to 12 months from creation, or until you delete the associated document or close your account.
- Account and billing data: billing records retained for 6 years from the end of the financial year in which the last relevant transaction occurred, where required for tax, accounting, or legal claims.
- Server logs: retained for up to 90 days for security incident investigation and abuse detection (see Section 4 balancing test), then deleted or anonymised.
8. International transfers
Some of our processors transfer personal data outside the European Economic Area (EEA), including to the United States. Transfers are protected by appropriate safeguards under GDPR Chapter V, including:
- Anthropic PBC (US): EU Standard Contractual Clauses (Module 2, Art. 46(2)(c) GDPR), supplemented by technical and organisational measures;
- Supabase Inc. (US/EU): EU Standard Contractual Clauses and, where applicable, adequacy decisions or EU-hosted infrastructure options;
- Stripe, Inc. (US): EU Standard Contractual Clauses and Stripe's Data Processing Agreement;
- Vercel Inc. (US): EU Standard Contractual Clauses and Vercel's Data Processing Agreement.
You may request a copy of relevant transfer safeguards by emailing privacy@lexvory.app.
9. Cookies & local storage
We use essential cookies and local storage to keep you signed in and to operate the Service. We do not use non-essential tracking cookies without your consent. You can control cookies through your browser settings, though disabling essential cookies may prevent the Service from working.
10. Your rights
If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR Articles 15–21:
- Right of access (Art. 15): obtain confirmation and a copy of your personal data.
- Right to rectification (Art. 16): correct inaccurate personal data.
- Right to erasure (Art. 17): request deletion where applicable.
- Right to restriction (Art. 18): limit processing in certain circumstances.
- Right to data portability (Art. 20): receive personal data you provided in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling based on those interests.
- Rights related to automated decision-making (Art. 22): not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except where permitted by law with appropriate safeguards — see Section 6.
Where processing is based on consent (Art. 6(1)(a)), you may withdraw consent at any time (Art. 7(3)) via the mechanisms described in Section 4.
Where we conduct profiling based on automated processing, you have the right to object to such profiling (Art. 21(2)). You have an unconditional right to object to processing for direct marketing purposes (Art. 21(2)–(3)).
To exercise your rights, email privacy@lexvory.app. We respond within one month as required by GDPR.
You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Data Protection Commission (DPC), Ireland — www.dataprotection.ie. You may also complain to the authority in your country of residence or workplace.
11. Security, DPIA & data protection by design
We implement technical and organisational measures under GDPR Articles 25 and 32, including encryption in transit (TLS), row-level access controls, private file storage, pseudonymisation of log data where practicable, and restricted access to production systems. For AI processing, we apply data minimisation by design: only text necessary for the requested analysis is sent to our AI provider, and we do not retain AI prompts beyond what is needed to deliver and store your analysis results. No method of transmission over the Internet is 100% secure.
We have conducted a Data Protection Impact Assessment (DPIA) under GDPR Article 35 for AI-powered processing activities, including document compliance analysis and Inbox Copilot. The DPIA identified risks relating to third-country transfers, unintended processing of special-category data in uploaded documents, and AI output reliability. We have implemented the following measures to address those risks: data minimisation by design (only text required for analysis is transmitted to our AI provider), EU Standard Contractual Clauses for all third-country transfers, row-level access controls, and human-review requirements for all AI-generated outputs. Residual risks have been assessed as low. We review this DPIA annually or when processing changes materially. A summary is available on request at privacy@lexvory.app.
12. AI system transparency (EU AI Act)
Risk classification (Article 6): Lexvory has assessed its AI features against Annex III of the EU AI Act. Document compliance analysis is classified as minimal-risk (decision-support for professional users, no Annex III high-risk use case). Inbox Copilot is classified as limited-risk (AI interaction and synthetic content subject to transparency obligations under Article 50). This classification is reviewed at least annually and when processing changes materially. Full risk-management documentation is available on request at privacy@lexvory.app.
Lexvory integrates Anthropic Claude, a general-purpose AI (GPAI) model, deployed as a B2B SaaS tool in the EU and internationally. The model is used only on content you submit and only to deliver the analysis you request. You should be aware of the following:
- (a) Intended purpose: automated identification of potential compliance gaps in documents and emails you submit, and generation of draft responses for your review.
- (b) Accuracy and limitations: we do not guarantee detection of all violations. Output quality depends on input quality, document completeness, and language clarity. The underlying model has a training knowledge cut-off; we do not independently verify regulatory changes after that date. We periodically evaluate outputs against a benchmark set of sample documents and track internal quality metrics (e.g. issue recall on known test cases); results inform prompt and process improvements but are not a warranty of accuracy.
- (c) Known failure conditions: the system may produce false positives or false negatives; may not correctly apply jurisdiction-specific rules; may misinterpret ambiguous legal language; and performance may degrade on non-English documents unless otherwise stated.
- (d) Human oversight: all outputs require review by a qualified human before reliance, distribution, or regulatory submission.
- (e) No legal advice: outputs are informational only and do not constitute legal advice.
Risk management (Article 9): Lexvory maintains a documented, systematic, and iterative risk management system for its AI features throughout their lifecycle. This includes: (i) identification and analysis of reasonably foreseeable risks from misuse, malfunction, or inaccurate outputs; (ii) evaluation and treatment of risks in relation to intended purpose, including mandatory human review before reliance; (iii) periodic regression testing on a defined sample corpus with documented results; and (iv) residual risk acceptance criteria — we accept deployment only where residual risks of significant harm to data subjects are mitigated by human-in-the-loop review, advisory-only outputs, and data minimisation, and where remaining risks are documented and reviewed at least annually. Further details are available on request at privacy@lexvory.app.
AI-generated content labelling (Article 50): Draft replies produced by Inbox Copilot are clearly labelled as “AI-generated draft” within the user interface before any user action is taken. Users are notified at the point of generation that the content was produced by an AI system and must be reviewed before use or distribution. If you send AI-assisted replies to third parties, you are responsible for ensuring appropriate disclosure that the content was AI-generated, in accordance with applicable law and your own policies.
GPAI model transparency (Article 53): Anthropic publishes documentation for Claude as a general-purpose AI model, including summaries of training data and known limitations. We maintain and review Anthropic's published GPAI transparency materials as a downstream deployer. See anthropic.com/transparency.
13. Children
The Service is not directed at individuals under 16. We do not knowingly collect personal data from children.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may be notified by email or in-app notice.
15. Contact
Questions about this Privacy Policy: privacy@lexvory.app