Privacy Policy

Last updated: 28/04/2026

LexyAi (hereinafter “LexyAI” or the “Controller”) is committed to protecting the privacy of its users. This document has been prepared in accordance with Regulation (EU) 2016/679 on the Protection of Personal Data (“GDPR”), Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (“LOPDGDD”), and other applicable regulations.

To the extent that the Service involves the use of artificial intelligence technologies, please be informed that LexyAI has been developed in compliance with Regulation (EU) 2024/1689 on artificial intelligence, ensuring ethical and responsible operations aligned with the principles of transparency, security, fairness and human oversight.

1. Basic Information

Data Controller

LexyAi

Data Protection Officer (DPO)

dpo@lexyai.app

Purposes

  • Service provision and query management
  • Document anonymisation and AI interaction
  • Storage of analyses on the platform (not in the AI)
  • Sending commercial or promotional communications (with consent)
  • Compliance with legal obligations

Legal Basis

  • Performance of a contract or pre-contractual measures (Art. 6.1.b GDPR)
  • Compliance with legal obligations (Art. 6.1.c GDPR)
  • Consent of the data subject (Art. 6.1.a GDPR)
  • Legitimate interest (Art. 6.1.f GDPR)

International Transfers

No transfers are made outside the European Economic Area.

Exercise of Rights

You may exercise your rights of access, rectification, erasure, objection, restriction and portability by sending an email to dpo@lexyai.app.

2. Data Controller and DPO

The personal data you provide in the context of using LexyAI, or collected during the contractual or pre-contractual relationship arising from use of the AI-based contract analysis service, will be processed by LexyAi as the Data Controller.

You may contact the Controller regarding any matter related to the processing of your personal data or the exercise of your rights at dpo@lexyai.app. LexyAI has a Data Protection Officer (DPO) whom you may contact at dpo@lexyai.app.

3. Data Processed

As a result of using the LexyAI contract analysis service, we will process the following personal data:

  • Identification and contact data: name, surname, email address and any other data you provide at registration.
  • Payment and billing data: payment methods used, transaction reference and information required to manage subscription billing.
  • Service usage data: documents you upload for analysis and the reports generated, which will be linked to your profile.
  • Browsing and technical data: online identifiers, IP address and data collected through technical cookies necessary for the operation of the service.

LexyAI has signed Data Processing Agreements (DPAs) with all artificial intelligence providers used in the service. Under these agreements, your personal data will not be used to train, improve or feed any artificial intelligence model. Both the databases and the AI models used in the service are hosted entirely on servers located within the European Union.

Original files (PDF, DOCX, TXT) are deleted from our servers immediately after text extraction, in compliance with the data minimisation principle (Art. 5.1.c GDPR).

4. How We Collect Your Personal Data

The data we process in LexyAI has been provided directly by you through the registration form available on the platform and through direct interaction with the service (uploaded documents and generated reports). Data obtained from publicly accessible sources or from third parties is not processed in any case, except where required by law or where you have provided it yourself.

You warrant that the personal data provided is true, accurate, complete and up to date, and you undertake to keep it duly updated. If you provide personal data belonging to a third party (for example, if the contract includes information about another person), you declare that you have informed that person of this privacy policy and obtained their consent.

5. Purposes and Legal Bases for Processing

Service provision

Your data will be processed to manage your registration as a user, enable access to the service and provide you with automated contract analyses. This includes processing identification and payment data to manage your subscription and issue invoices.

Legal basis: Performance of the contractual relationship (Art. 6.1.b GDPR).

Anonymisation and AI interaction

Documents undergo an anonymisation procedure to remove any reference to personal data before being processed by the AI, in application of the purpose limitation principle (Art. 5.1.b GDPR). The AI does not access information that could identify you.

Legal basis: Performance of the contractual relationship (Art. 6.1.b GDPR) and compliance with legal obligations (Art. 6.1.c GDPR).

Sending commercial communications

Your data may be processed to send you commercial or promotional communications relating to products and services of LexyAI or partner companies, only when you have given your express consent. You may withdraw your consent at any time.

Legal basis: Consent of the data subject (Art. 6.1.a GDPR).

Compliance with legal obligations

Your data may be processed to comply with obligations arising from national or European regulations, as well as requirements from judicial or administrative authorities.

Legal basis: Compliance with a legal obligation (Art. 6.1.c GDPR).

6. Recipients of Your Personal Data

Your personal data may be disclosed to the following recipients, solely to the extent necessary for the purposes indicated:

  • Public authorities and judicial bodies, where there is a legal obligation to disclose data.
  • External service providers (data processors), acting on behalf of the Controller to provide auxiliary services (hosting, IT services, payment tools), with whom the corresponding data processing agreements will be formalised. The main sub-processors are:
    • Supabase — database, authentication and storage (EU).
    • Vercel — hosting and front-end delivery.
    • Stripe — payment processing.
    • Inngest — background task orchestration.
    • Resend — transactional email delivery.
    • Google (Gemini) — AI model for contract analysis.
    • Sentry — error monitoring (without contract content).
    • PostHog — anonymous product analytics (without contract content or PII beyond the internal user identifier).
  • External advisors or collaborators, where the nature of your query or your request requires the involvement of third-party professionals. Such disclosure will always be made in accordance with Art. 6.1.b GDPR.

7. International Transfers

No international transfers of personal data are made outside the European Economic Area (EEA). Both the databases and the artificial intelligence models used in the service are hosted entirely on servers located within the European Union. All AI providers with access to service data have signed GDPR-compliant Data Processing Agreements (DPAs) guaranteeing that data will not be transferred outside the EEA or used to train AI models.

8. Data Retention

Your data will be retained for as long as the contractual relationship with you arising from the use of the LexyAI service subsists, and thereafter for the legally applicable retention periods depending on the type of data and the purpose of processing.

When processing is no longer necessary, the affected data will be blocked and will only be available upon request from public authorities or courts. Once all legal retention periods have expired, the data will be permanently deleted.

9. Rights of Data Subjects

Users have the right to access, rectify, erase, object to, restrict the processing of and request portability of their personal data, as well as the right not to be subject to automated decisions with legal or significant effects. Where processing is based on consent, users may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, you may send a written request to dpo@lexyai.app, providing proof of identity by means of a copy of your national ID, passport or equivalent official document. LexyAI will respond to the request within a maximum of one (1) month from receipt, extendable by up to two (2) additional months if necessary.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if you consider that your data protection rights have been infringed.

10. Security

LexyAI has adopted the security levels required by applicable regulations and implemented technical and organisational measures to prevent loss, misuse, alteration, unauthorised access or disclosure of personal data. All documents are transmitted and stored with AES-256 encryption. Nevertheless, users should be aware that no security measure on the Internet is absolutely impenetrable.

11. Changes to this Policy

LexyAI reserves the right to modify, update or revise the content of this privacy policy at any time, in response to regulatory changes, case law, organisational or technical needs, or the evolution of the service itself. Where material changes are introduced, users will be clearly informed via the website or by email. The updated version will apply from the moment of its publication.
