GDPR, the EU AI Act and data processed entirely within the European Union. Clear processing roles and the data processing agreement included in our Terms & Conditions.
100%: Data in the EU
GDPR: European framework
AI Act: AI regulation
Never: Your data trains AI
— Regulatory frameworks —
LexyAi is built to operate within Europe's most demanding data protection and artificial intelligence frameworks.
We process data under the principles of privacy by design and by default, with an explicit legal basis for each purpose and data minimization.
We comply with Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights, which adapts the GDPR to Spanish law.
We apply algorithmic transparency and human oversight. Every analysis is advisory and remains subject to your judgement, never a binding automated decision.
All infrastructure (database, storage, analytics and AI processing) runs in regions located within the European Union.
— GDPR —
Designed from day one under the principles of privacy by design and by default of the European Union's General Data Protection Regulation.
Servers and database 100% within the European Union
Compliance with Art. 32 GDPR — technical and organizational measures
Right to erasure: complete cascade deletion upon request
Data minimization and purpose limitation
Auditable and traceable activity logs
Explicit legal basis for each data processing activity
— Processing roles —
Full transparency on how data flows between you, LexyAi and our subprocessors.
That's you. You decide which contracts you upload and for what purpose. You retain ownership and control of your data at all times.
That's LexyAi. We process your data solely on your instructions and to provide the analysis service, never for our own purposes.
AI and infrastructure providers acting under a DPA. They process only what is strictly necessary and are prohibited from using your data for other purposes.
— Legal basis —
Every processing activity we carry out relies on one of the legal bases recognized by Art. 6 of the GDPR.
We process your data to provide the analysis service you signed up for and to meet our obligations to you (Art. 6.1.b).
For optional purposes such as marketing communications or analytics, we ask for your consent, which you can withdraw at any time (Art. 6.1.a).
We retain certain information when a law requires it, for example for tax or invoicing purposes (Art. 6.1.c).
We process data for security, fraud prevention and service improvement on the basis of a legitimate interest, assessed and balanced against your rights (Art. 6.1.f).
— Commitment —
If something went wrong, you'd know what's happening and how it affects you. No fine print.
If a security breach affected your personal data, we would notify you without undue delay, in accordance with Art. 33 and 34 of the GDPR.
Where applicable, we would report the incident to the competent supervisory authority (in Spain, the AEPD) within a maximum of 72 hours.
For any query about how we process your data, email us at soporte@lexyai.app. We respond within a maximum of 30 days.
— Standards —
Our infrastructure runs on providers with the most demanding security certifications in the market.
Certifications correspond to the underlying infrastructure on which LexyAi operates.
ISO 27001: Information Security Management
ISO 27017: Security for Cloud Services
ISO 27018: Protection of Personal Data in the Cloud
SOC 2 Type II: Security and Availability Controls
CSA STAR: Cloud Security Alliance Level 1
ENS Medio: Spanish National Security Framework
— Your rights —
The GDPR grants you these rights over your data. At LexyAi you can exercise them easily.
Request a copy of the personal data we process about you.
Correct any inaccurate or incomplete data from your profile.
Delete any analysis or your entire account in cascade whenever you want.
Download your analyses in PDF whenever you want.
Object to specific processing of your personal data.
Request that we restrict the processing of your data in certain cases.
To exercise any of these rights, email us at soporte@lexyai.app. We respond within a maximum of 30 days.
Analyze your contracts knowing that data processing complies with the GDPR and follows the principles of the EU AI Act, with your data always in the European Union.