Privacy Policy

1. Data Controller

LexSignal.ai is the data controller for the personal data processed through our Service. For questions about data processing, contact our Data Protection Officer at [email protected].

2. Data We Collect

Account Information

When you create an account, we collect your name, email address, and password (stored as a secure hash). If you join an organization, we may also process your role and team membership information.

Subscription & Billing Data

Payment processing is handled by Stripe, Inc. We do not store your credit card numbers. Stripe provides us with a limited set of billing information (last four digits, card type, billing address) for transaction records. See Stripe's Privacy Policy for details.

Usage Data

We collect information about how you use the Service, including topic configurations, document views, searches, and notification preferences. This data helps us improve the Service and provide personalized regulatory intelligence.

Regulatory Data

The legislative documents, court cases, and regulatory notices processed by our platform are publicly available government publications. We do not collect personal data from these documents — they are processed solely to deliver regulatory intelligence to our users.

3. How We Use Your Data

• To provide and maintain the Service, including AI-powered document analysis and scoring
• To manage your account and subscription
• To send regulatory alerts and notifications based on your topic preferences
• To process payments and manage billing through Stripe
• To respond to your inquiries and provide customer support
• To improve and optimize the Service

4. Legal Basis for Processing (GDPR Art. 6)

We process your personal data under the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you subscribed to
• Legitimate interest (Art. 6(1)(f)): Service improvement, security monitoring, and fraud prevention
• Legal obligation (Art. 6(1)(c)): Tax and accounting requirements for billing records
• Consent (Art. 6(1)(a)): Marketing communications (you may withdraw consent at any time)

5. Data Sharing

We share your personal data only with the following categories of recipients:

• Supabase: Database hosting and authentication infrastructure
• Stripe: Payment processing
• OpenRouter/Google: AI document analysis (we send only public legislative text, never your personal data)

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6. International Transfers

Your data is primarily stored on Supabase infrastructure. Where data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as required by GDPR Chapter V.

7. Data Retention

We retain your account data for as long as your account is active. If you cancel your subscription, we retain your data for 30 days to allow for reactivation, after which it is permanently deleted. Billing records are retained for 7 years as required by tax regulations. Audit trail data on the Enterprise plan is retained for the duration of your subscription.

8. Your Rights

Under GDPR, you have the right to:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Restriction: Request restriction of processing in certain circumstances

To exercise these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Cookies

We use essential cookies for authentication and session management. For detailed information about the cookies we use, please see our Cookie Policy.

10. Children's Privacy

Our Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, where appropriate, by email. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact Us

For questions about this Privacy Policy or our data practices, contact our Data Protection Officer: