This Privacy Policy explains what personal information LexaAI, Inc. ("LexaAI", "we", "us") collects through the LexaAI desktop agent, Chrome extension, and web application (collectively, the "Service"), why we collect it, who we share it with, and what rights you have. Capitalised terms used but not defined here have the meaning given in our Terms of Service.
Two types of people interact with LexaAI: the firm or company that licenses the Service (the "Subscriber") and the lawyers, paralegals, and staff who work at that firm (the "Authorized Users"). With respect to data captured by the Service, the Subscriber is the data controller and LexaAI is the data processor. This Privacy Policy describes our practices as processor. The Subscriber's own privacy policy governs its relationship with Authorized Users and clients.
The Service captures and processes the following categories of personal information:
| Category | Specifics | Source |
|---|---|---|
| Account information | Name, work email, firm name, role, password hash (scrypt) | Subscriber on signup |
| Workstation activity | Application names, window titles, foreground-window timestamps, captured approximately every five to ten seconds | Desktop agent |
| Browser activity | URL, page title, domain, and a five-hundred-character summary of foreground-page content | Chrome extension |
| Email metadata | From, to, subject, send timestamp — used to attribute time. Bodies are not captured. | Gmail/Microsoft Graph integration, with user consent |
| Client and matter records | Client names, matter names, billing rates, UTBMS codes | Subscriber input |
| Billing entries | Proposed and approved billing entries, narratives, durations, audit history | Generated by the Service from the above |
| Operational telemetry | IP address, user-agent string, login timestamps, error logs, LLM usage logs (token counts) | Captured automatically |
The Service does not capture: screenshots, audio from the microphone or system, video from the camera, biometric identifiers (fingerprints, face geometry, retina scans), passwords typed into other applications, or the full body text of any document or email.
We share Customer Data only with the subprocessors needed to deliver the Service:
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | Commercial API for generating proposed billing entries from captured activity. Inputs are not used to train Anthropic models by default, with a default seven-day retention window and a zero-data-retention addendum available. | United States |
| Amazon Web Services, Inc. | Hosting for the LexaAI web application and per-tenant databases. | United States (us-east-1) |
| Resend | Transactional email delivery (account verification, password reset). | United States |
The full, current list of subprocessors is at subprocessors.html. We will publish at least thirty (30) days' advance notice of any addition.
We do not sell or share personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").
When the Service generates a proposed billing entry, it sends the following fields to Anthropic's commercial API: application name, window title, URL, domain, page-content summary (up to five hundred characters), and the client and matter hints the Authorized User has stored in the firm's account. We instruct Anthropic not to use these inputs to train any model, and we rely on Anthropic's contractual commitment to that effect.
We do not send email bodies or full document contents. We do not currently strip client names from the LLM payload; data-minimisation features are on the roadmap. If you require name-redaction before launch, contact legal@lexaai.tech.
The web app uses a small number of strictly necessary cookies and local-storage entries for authentication and CSRF protection. The Chrome extension stores an authentication token in extension-scoped local storage. We do not use third-party advertising cookies. We honour the Global Privacy Control signal where technically feasible.
| Data category | Retention |
|---|---|
| Account information | Until account deletion + 60 days |
| Workstation and browser activity | Until used to generate a billing entry, then archived for audit; deleted on tenant data deletion + backup-rotation window (typically 35 days) |
| Approved billing entries and invoices | Seven (7) years, to support audit and bar-mandated record-keeping |
| LLM usage logs (token counts, no content) | Two (2) years |
| Authentication and security logs | One (1) year |
| Data sent to Anthropic API | Up to seven (7) days at Anthropic, then deleted by Anthropic; zero-retention addendum available |
No system is invulnerable. In the event of a personal-data breach that creates a risk to rights and freedoms, we will notify the Subscriber without undue delay and within seventy-two (72) hours of becoming aware, as required by Article 33 of the GDPR and equivalent U.S. state law.
Because LexaAI generally acts as a data processor for the Subscriber, please direct rights requests to the Subscriber in the first instance. If you cannot reach the Subscriber, we will assist on its behalf.
If you are a California resident (CCPA): you have the right to know the categories of personal information collected (above, Section 1), the right to delete personal information, the right to correct inaccurate personal information, the right to limit use of sensitive personal information, the right to portability, and the right not to be retaliated against for exercising any of these rights. Submit requests to privacy@lexaai.tech. We will respond within forty-five (45) days, extendable by forty-five (45) days where reasonably necessary.
If you are in the EU/EEA or UK (GDPR / UK GDPR): you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21). You may withdraw consent at any time without affecting the lawfulness of prior processing. You may lodge a complaint with your supervisory authority.
Verifiable requests. To protect Authorized Users and clients, we will verify your identity before acting on a rights request. We may decline a request that we cannot reasonably verify, and will explain why.
The Service does not respond to Do Not Track ("DNT") signals, which are inconsistently interpreted across browsers. The Service honours the Global Privacy Control ("GPC") signal as a valid request to opt out of any "sale" or "sharing" of personal information under the CCPA, where applicable.
The Service is not intended for children. We do not knowingly collect personal information from anyone under the age of sixteen (16). If you believe we have, contact privacy@lexaai.tech and we will delete it.
LexaAI is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where the Subscriber is established in the EU/EEA or UK, our Data Processing Agreement incorporates the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) and, where applicable, the UK International Data Transfer Addendum.
We will post material changes at this URL and, where the change is material, send notice to the Subscriber by email or in-product banner at least thirty (30) days before the change takes effect.
Privacy questions or requests: privacy@lexaai.tech. Legal notices: legal@lexaai.tech.