← Back to home

Terms of Service

Last updated: 24 June 2026

Download .txt

These Terms of Service (“Terms”) govern your access to and use of Lexvory (“Service”). By creating an account or using the Service, you agree to these Terms and our Privacy Policy, which is incorporated by reference. If you do not agree, do not use the Service.

1. Data controller and contact

Data controller: Lexvory Ltd, 123 Example Street, Dublin, D01 AB12, Ireland, Ireland. Company registration: Pending CRO registration — reference available on request at support@lexvory.app.

General enquiries: support@lexvory.app
Privacy & data protection: privacy@lexvory.app

We are established in the European Economic Area (Ireland). We assessed GDPR Article 37 and concluded a Data Protection Officer is not mandatory at our current scale because: (a) we employ fewer than 250 people; (b) our core activities do not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; and (c) we do not process special categories of personal data or criminal-conviction data on a large scale. Privacy enquiries are handled by our privacy team at privacy@lexvory.app. We document this assessment and review it at least annually.

2. Personal data — transparency notice (GDPR Articles 13 & 14)

This section provides the information required when you enter into a contract with us. Full detail is in our Privacy Policy at https://lexvory.app/privacy.

2.1 Lawful bases (GDPR Article 6)

  • Contract (Art. 6(1)(b)): account creation, authentication, document compliance analysis, storage of your uploads and reports, and customer support.
  • Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, service reliability, and limited product improvement — balanced against your rights. You may object at any time (Art. 21) by emailing privacy@lexvory.app with your grounds; we will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Consent (Art. 6(1)(a)): optional marketing emails and any non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal (Art. 7(3)) by emailing privacy@lexvory.app or using unsubscribe links.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, and regulatory record-keeping where applicable.

2.2 Retention periods (GDPR Articles 5(1)(e) and 13(2)(a))

  • Account data (email, preferences): retained while your account is active; deleted or anonymised within 30 days of confirmed account closure.
  • Uploaded documents: retained for up to 24 months from the date of each individual upload, or until you delete them or close your account, whichever is earlier. This period is calculated per upload and does not reset or extend solely because your account remains active; re-uploading a document starts a new 24-month period for that upload only.
  • Analysis results (scores, issues, suggested fixes): retained for up to 12 months from the date each result is created, or until you delete the associated document or close your account, whichever is earlier. This 12-month period is fixed from creation and does not reset if you run additional analyses on the same document.
  • Billing records: retained for 6 years from the end of the financial year of the last relevant transaction, where required for tax and accounting law.
  • Security logs: retained for up to 90 days, then deleted or anonymised.

2.3 Your rights (GDPR Articles 15–22)

You have the right to access, rectify, erase, restrict, and port your personal data, to object to processing based on legitimate interests (including profiling), and rights related to automated decision-making where applicable.

Right of access (Art. 15): to exercise your right of access, you can request a copy of your personal data by emailing privacy@lexvory.app, specifying the data you wish to receive.

Rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), and portability (Art. 20): email privacy@lexvory.app describing your request and the data concerned. For portability, we provide data in JSON or CSV where technically feasible.

Right to object (Art. 21): email privacy@lexvory.app with your objection and grounds. We will cease processing unless we demonstrate compelling legitimate grounds. You have an unconditional right to object to direct marketing.

Exercising your rights is free of charge (Art. 13(2)(d)). We may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive — for example, repetitive requests after we have already provided the same data, requests with no factual basis, or requests that would impose a disproportionate burden on our resources.

We respond within one month. You may lodge a complaint with a supervisory authority. Our lead authority is the Data Protection Commission (DPC), Ireland www.dataprotection.ie, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland. You may also complain to the authority in your country of residence or workplace.

2.4 Sub-processors (GDPR Articles 13(1)(e) and 28)

We use the following sub-processors to deliver the Service. Each is bound by a written data processing agreement (DPA) requiring GDPR Article 28 obligations, including processing only on our instructions, confidentiality, security measures, assistance with data subject rights, deletion/return of data, and audit cooperation:

  • Supabase Inc. (United States / EU) — database, authentication, encrypted file storage, and transactional emails. DPA: Supabase Data Processing Agreement. Data transfers to the US are governed by EU Standard Contractual Clauses.
  • Google LLC (United States) — AI document analysis via the Gemini API. Customer content is processed only to fulfil each API request and is not used to train Google's foundation or general-purpose models under our API terms. Any residual technical logs are deleted or anonymised per Google's published API data retention policies. DPA: Google Cloud / AI API terms. Data transfers to the US are governed by EU Standard Contractual Clauses and supplementary measures.
  • Anthropic PBC (United States) — fallback AI analysis where configured. Content is processed only per request and is not used to train Anthropic's foundation models under our commercial API terms. Residual data is handled per Anthropic's Data Processing Addendum. DPA: Anthropic Data Processing Addendum. Data transfers to the US are governed by EU Standard Contractual Clauses and supplementary measures.
  • Stripe, Inc. (United States) — payment processing when paid plans are offered. DPA: Stripe Data Processing Agreement. Data transfers to the US are governed by EU Standard Contractual Clauses.
  • Vercel Inc. (United States) — application hosting, CDN, and serverless infrastructure. DPA: Vercel Data Processing Addendum. Data transfers to the US are governed by EU Standard Contractual Clauses.

The current, up-to-date list of sub-processors is maintained in Section 5 of our Privacy Policy at https://lexvory.app/privacy (Art. 13(2)(f)). We will provide at least 30 days' prior notice of any intended addition or replacement of sub-processors that materially affects your data by email and by updating that list. You may object on reasonable grounds relating to data protection by emailing privacy@lexvory.app within 30 days of notice. If we cannot accommodate your objection, you may terminate your account without penalty.

2.5 International transfers (GDPR Article 46)

Where personal data is transferred outside the EEA (including to the United States), we rely on EU Standard Contractual Clauses (SCCs) and supplementary technical and organisational measures. You may request copies of relevant safeguards by emailing privacy@lexvory.app.

3. Description of the Service

Lexvory is a B2B software tool that uses artificial intelligence to help businesses review documents for GDPR and EU AI Act compliance issues. The Service includes document upload and analysis (currently limited to five checks per account), compliance reports with suggested wording, and Inbox Copilot (when available).

4. Not legal advice

Lexvory does not provide legal advice and is not a law firm. All outputs — including compliance scores, issue descriptions, fine estimates, regulator flag probabilities, and suggested fixes — are AI-generated and for informational purposes only. They may be incomplete, inaccurate, or outdated. You must not rely on the Service as a substitute for advice from a qualified legal professional. You remain solely responsible for your compliance obligations and business decisions.

5. EU AI Act transparency (Regulation (EU) 2024/1689)

AI-generated disclosure: This Service uses AI systems. All compliance scores, findings, fine estimates, and suggested replacement text are generated by AI and labelled as such in the product interface.

  • Providers & models: we primarily use Google Gemini (e.g. gemini-2.5-flash-lite) and, where configured, Anthropic Claude — general-purpose AI models used as deployer tools for compliance decision-support.
  • Purpose: to identify potential regulatory gaps in documents you upload and suggest wording improvements — not to make binding legal determinations.
  • Training data: under our API agreements, content you submit is processed only to fulfil your request and is not used to train the providers' foundation models unless separately agreed in writing. We confirm this applies to both Google Gemini and Anthropic Claude APIs used by the Service.
  • Limitations: outputs are probabilistic, may miss issues or flag false positives, and reflect general regulatory knowledge — not your specific legal context, jurisdiction nuances, or recent case law.
  • Risk classification: we assess our deployer use case as limited-risk / GPAI-assisted compliance support, not a high-risk Annex III system, because outputs are advisory and require human review before any legal or business action.
  • GPAI (Article 53): we review published model documentation and known limitations from Google and Anthropic. Users are explicitly informed of these model capabilities and limitations in these Terms (Section 5) and in Section 12 of our Privacy Policy, including accuracy limits, probabilistic outputs, and known failure modes.

Further AI Act disclosures are in Section 12 of our Privacy Policy.

6. Human oversight (EU AI Act Article 14)

In accordance with EU AI Act Article 14, Lexvory implements human oversight:

  • You must review all AI outputs before relying on them, publishing them, or sending them to third parties;
  • You may disregard, override, edit, or re-run analysis on any output at any time;
  • Lexvory does not make autonomous decisions with legal or similarly significant effects concerning you or your data subjects;
  • Compliance scores and risk labels are advisory indicators only — not automated decisions under GDPR Article 22;
  • You may request human review of any output by contacting support@lexvory.app.

7. Automated analysis & profiling (GDPR Article 22)

The Service classifies document content and assigns compliance scores using automated processing. This does not constitute solely automated decision-making that produces legal or similarly significant effects without meaningful human involvement, because: (a) outputs are advisory; (b) you must review before action; and (c) you may obtain human intervention by contacting privacy@lexvory.app. To object to profiling based on legitimate interests (Art. 21), email privacy@lexvory.app with your grounds; we will assess and cease processing unless we have compelling legitimate grounds.

8. Eligibility & accounts

  • You must be at least 16 years old and able to form a binding contract.
  • You must provide accurate registration information and keep credentials secure.
  • You are responsible for all activity under your account. Notify us immediately of unauthorised access at support@lexvory.app.

9. Subscriptions, billing & usage limits

  • All accounts are currently limited to five document compliance checks.
  • Paid subscriptions, when offered, are billed through Stripe with your authorisation for recurring charges until cancelled.
  • Refunds follow applicable consumer protection law in your country.

10. Acceptable use

You agree not to use the Service unlawfully, upload data you are not authorised to process, circumvent usage limits, or abuse AI endpoints. We may suspend accounts that violate these rules.

11. Your content & processor terms (GDPR Article 28)

You retain ownership of documents and content you submit (“User Content”). You grant us a limited licence to store, process, and transmit User Content solely to provide the Service, including transmission to the sub-processors listed in Section 2.4.

Where User Content contains personal data of your employees, customers, or other individuals, you are the data controller and Lexvory Ltd acts as your data processor under GDPR Article 28. We will:

  • process only on your documented instructions (your upload and use of the Service);
  • ensure persons authorised to process data are bound by confidentiality;
  • implement appropriate technical and organisational security measures (Art. 32);
  • assist you with data subject requests and DPIAs where applicable;
  • delete or return User Content on termination, subject to Section 2.2 retention;
  • make available information necessary to demonstrate compliance and allow audits on reasonable notice.

Processor terms are set out in our Privacy Policy and available on request at privacy@lexvory.app. You represent that you have a lawful basis to submit User Content.

12. Intellectual property

The Service software, design, and branding are owned by Lexvory Ltd. You receive a limited, non-exclusive licence to use the Service during your access period.

13. Limitation of liability

To the maximum extent permitted by law, we are not liable for indirect or consequential damages. Our aggregate liability is capped at fees paid in the prior 12 months or €100, whichever is greater, except where mandatory consumer protection law in your EEA country requires a higher minimum. Nothing limits liability for death, personal injury from negligence, or fraud.

14. Termination & data deletion

You may delete your account at any time. Upon termination, we delete or anonymise personal data per the retention schedule in Section 2.2, except where law requires longer retention.

15. Governing law

These Terms are governed by the laws of Ireland and applicable EU law. EEA consumers retain mandatory protections under their local law.

16. Changes to these Terms and data processing

We may update these Terms at https://lexvory.app/terms. For material contractual changes, we will notify you by email or in-app at least 30 days before they take effect.

Changes to how we process personal data are communicated via our Privacy Policy. Where GDPR requires your explicit consent for new processing purposes (e.g. new optional marketing uses), we will obtain it separately —continued use of the Service does not constitute consent to expanded data processing (Art. 7). If you do not agree to updated Terms, stop using the Service and delete your account.

17. Contact

Terms: support@lexvory.app
Privacy: privacy@lexvory.app