Regulatory compliance

Compliance, by design.

GDPR, the EU AI Act and data processed entirely within the European Union. Clear processing roles and the data processing agreement included in our Terms & Conditions.


100%

Data in the EU

GDPR

European framework

AI Act

AI regulation

Never

Your data trains AI

—  Regulatory frameworks  —

The rules we comply with

LexyAi is built to operate within Europe's most demanding data protection and artificial intelligence frameworks.

GDPR (EU) 2016/679

We process data under the principles of privacy by design and by default, with an explicit legal basis for each purpose and data minimization.

Privacy by design · Minimization

LOPDGDD (Spain)

We comply with Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights, which adapts the GDPR to Spanish law.

Law 3/2018 · Digital rights

EU AI Act

We apply algorithmic transparency and human oversight. Every analysis is advisory and remains subject to your judgement, never a binding automated decision.

Transparency · Human oversight

EU data residency

All infrastructure (database, storage, analytics and AI processing) runs in regions located within the European Union.

EU infrastructure · No transfers

—  GDPR  —

European compliance, no exceptions

Designed from day one under the principles of privacy by design and by default of the European Union's General Data Protection Regulation.

Servers and database 100% within the European Union

Compliance with Art. 32 GDPR — technical and organizational measures

Right to erasure: complete cascade deletion upon request

Data minimization and purpose limitation

Auditable and traceable activity logs

Explicit legal basis for each data processing activity

DATA IN THE EU

—  Processing roles  —

Who is responsible for what

Full transparency on how data flows between you, LexyAi and our subprocessors.

1. Data controller

That's you. You decide which contracts you upload and for what purpose. You retain ownership and control of your data at all times.

2. Data processor

That's LexyAi. We process your data solely on your instructions and to provide the analysis service, never for our own purposes.

3. Subprocessors

AI and infrastructure providers acting under a DPA. They process only what is strictly necessary and are prohibited from using your data for other purposes.

—  Legal basis  —

On what basis we process your data

Every processing activity we carry out relies on one of the legal bases recognized by Art. 6 of the GDPR.

Performance of the contract

We process your data to provide the analysis service you signed up for and to meet our obligations to you (Art. 6.1.b).

Consent

For optional purposes such as marketing communications or analytics, we ask for your consent, which you can withdraw at any time (Art. 6.1.a).

Legal obligation

We retain certain information when a law requires it, for example for tax or invoicing purposes (Art. 6.1.c).

Legitimate interest

For security, fraud prevention and service improvement, on the basis of a legitimate interest assessed and balanced against your rights (Art. 6.1.f).

—  Commitment  —

Transparency in case of incidents

If something goes wrong, you will know what is happening and how it affects you. No fine print.

Breach notification

If a security breach affected your personal data, we would notify you without undue delay, in accordance with Art. 33 and 34 of the GDPR.

Notice to the authority

Where applicable, we would report the incident to the competent supervisory authority (in Spain, the AEPD) within a maximum of 72 hours.

Privacy contact

For any query about how we process your data, email us at soporte@lexyai.app. We respond within a maximum of 30 days.

—  Standards  —

Audited and certified infrastructure

Our infrastructure runs on providers with the most demanding security certifications in the market.

Certifications correspond to the underlying infrastructure on which LexyAi operates

ISO 27001

Information Security Management

ISO 27017

Security for Cloud Services

ISO 27018

Protection of Personal Data in the Cloud

SOC 2 Type II

Security and Availability Controls

CSA STAR

Cloud Security Alliance Level 1

ENS Medio

Spanish National Security Framework

—  Your rights  —

Data subject rights

The GDPR grants you these rights over your data. At LexyAi you can exercise them easily.

Access

Request a copy of the personal data we process about you.

Rectification

Correct any inaccurate or incomplete data from your profile.

Erasure

Delete any analysis or your entire account in cascade whenever you want.

Portability

Download your analyses in PDF whenever you want.

Objection

Object to specific processing of your personal data.

Restriction

Request that we restrict the processing of your data in certain cases.

To exercise any of these rights, email us at soporte@lexyai.app. We respond within a maximum of 30 days.

—  Frequently asked questions  —

Compliance questions

Analyze your contracts knowing that data processing complies with the GDPR and follows the principles of the EU AI Act, with your data always in the European Union.
