Privacy Policy
Effective Date: 27 May 2026 | Last Updated: May 2025 | Version: 1.0
1. INTRODUCTION
LexOS Intell ("LexOS Intell," "we," "our," "us") is committed to protecting your privacy. This Privacy Policy explains:
- What information we collect
- How we use that information
- Who we share it with
- How long we keep it
- Your rights regarding your data
This Privacy Policy applies to all users of the LexOS Intell Platform, including individual users, organization admins, and organization members.
2. INFORMATION WE COLLECT
2.1 Information You Provide
Account Registration:
- Full name, email address, phone number (optional)
- Organization/firm name, industry
- Professional credentials (optional, for verification)
- Password (encrypted)
Billing Information:
- Payment method (card, bank account)
- Billing address and contact information
- Invoice history and payment records
Customer Data (Documents Uploaded):
- Legal contracts, briefs, policies, SOPs
- Metadata: document titles, dates, file types
- Activity logs: who accessed what, when, modifications made
Communication:
- Support tickets, messages, feedback
- Email correspondence with our team
2.2 Information Collected Automatically
Usage Data:
- Modules accessed, features used, time spent
- Documents processed, search queries
- IP address, browser type, device information
- Approximate location (country/region, from IP)
Cookies & Tracking:
- Session cookies (necessary for login)
- Preference cookies (remember your settings)
- Analytics cookies (understand Platform usage)
- See Cookie Policy for details
2.3 Information from Third Parties
Payment Processors:
- Razorpay, Stripe: payment transaction data
- Limited to transaction amount, date, status (not full card details)
Infrastructure Providers:
- GCP, AWS: logs related to service delivery
- Never raw Customer data
3. HOW WE USE YOUR INFORMATION
3.1 Service Delivery
- Provide access to the Platform
- Process documents and generate outputs
- Maintain account security (MFA, authentication)
- Deliver customer support
- Send service updates and notifications
3.2 Billing & Payment
- Process subscription payments
- Issue invoices and manage billing
- Detect and prevent fraud
- Respond to payment-related inquiries
3.3 Legal & Compliance
- Comply with legal obligations (tax, regulatory, court orders)
- Enforce this Privacy Policy and other agreements
- Protect against fraud, security threats, or abuse
- Respond to government requests (if legally required)
3.4 Business Operations
- Understand Platform usage (anonymized, aggregated)
- Improve features, security, and performance
- Communicate about account status, changes to terms
- Send important administrative notifications
3.5 Legitimate Interests
- Prevent misuse of the Platform
- Ensure fair access for all users
- Market our Platform responsibly
- Resolve disputes
3.6 What We DO NOT Do
- ❌ Sell personal data to third parties
- ❌ Share Customer data with competitors or external AI companies for model training
- ❌ Use Customer documents to train our AI models
- ❌ Use personal information for targeted advertising
- ❌ Combine data from multiple customers
4. WHO WE SHARE YOUR INFORMATION WITH
4.1 Subprocessors & Service Providers
We share limited information with trusted partners:
Infrastructure Providers:
- GCP, AWS: Infrastructure, storage, compute (encrypted data only)
- Firebase: Authentication, identity verification
Payment Processors:
- Razorpay: Payment processing (INR transactions)
- Stripe: Payment processing (international transactions)
- Limited to: Transaction amount, date, status, currency
Security & Monitoring:
- Automated security scanning, penetration testing, vulnerability detection
All subprocessors are contractually bound by Data Processing Agreements (DPAs) and cannot use your data for other purposes.
Subprocessor Consent:
- We maintain a public list at lexosintell.com/subprocessors
- We notify you of material subprocessor changes (30 days notice)
- You have the right to object to new subprocessors
4.2 Legal & Regulatory Requests
We may disclose information if required by law:
- Court order, subpoena, or government request
- Law enforcement investigation
- Legal compliance (tax, regulation)
Our Commitment:
- We will notify you of legal requests (unless legally prevented)
- We will disclose only the minimum required by law
- We will not voluntarily provide data to government agencies
4.3 No Third-Party Sales
We do NOT sell, rent, or trade your personal information with third parties for marketing purposes.
5. DATA RESIDENCY & SECURITY
5.1 Geographic Locations
Your data is stored based on your location:
- India Customers: GCP asia-south1 (Mumbai)
- EU Customers: GCP europe-west3 (Frankfurt) [GDPR compliant]
- US Customers: GCP us-central1 (Iowa) [available for enterprise]
- Global Customers: Multi-region with customer preference
Payment Data:
- All payment information processed in India (RBI compliance)
- Never stored outside India
5.2 Encryption
Data at Rest:
- AES-256 CBC mode encryption
- Field-level encryption for document contents
- Unique encryption keys per customer
Data in Transit:
- TLS 1.2+ HTTPS for all connections
- End-to-end encryption for sensitive payloads
- No unencrypted data transmission
5.3 Access Controls
LexOS Intell Staff Access:
- Staff cannot access encrypted Customer data without explicit permission
- Access logs are maintained for all data access
- Admin access requires approval and audit trail
- Field-level encryption ensures staff see only metadata, not content
Customer Admin Controls:
- IP whitelisting: restrict access to specific IP ranges
- SSO (SAML/OIDC): centralized identity management
- Audit logs: view all access and modifications
- User role management: granular permission controls
6. DATA RETENTION & DELETION
6.1 How Long We Keep Your Data
Account Data (emails, billing, settings):
- Retained while account is active
- Deleted 90 days after account termination
Customer Documents & Processed Data:
- Retained while subscription is active
- For 12 months after subscription ends (for data access/export)
- Permanently deleted after 12 months
Activity & Audit Logs:
- Retained for 1 year for security audits
- Automatically deleted after 1 year
Backups:
- Encrypted backups retained for 90 days for disaster recovery
- Backups automatically deleted after 90 days
6.2 Your Right to Deletion
You can request deletion of your account and data at any time:
Upon Termination:
- Account data deleted within 90 days
- Customer documents deleted within 30 days
- Data export available for 30 days
Pro-Active Deletion:
- Contact Compliance Officer to request immediate deletion
- GDPR: Right to be forgotten (subject to legal holds)
- Non-GDPR customers: Deletion at our discretion after termination
7. YOUR DATA RIGHTS
7.1 Access (Right to Know)
You have the right to request a copy of all personal data we hold about you.
Request Process:
- Submit request via support dashboard or email
- Verification: We'll confirm your identity
- Response time: Within 30 days
- Format: CSV or JSON export
7.2 Correction (Right to Rectify)
If your data is inaccurate, you can request corrections.
- Account information: Update directly in Platform settings
- Contact information: Request correction via support
- Response time: Within 14 days
7.3 Deletion (Right to be Forgotten)
You can request deletion of your data (subject to legal obligations).
Exceptions:
- If required by law (tax, regulatory)
- If subject to litigation hold
- If needed for Platform security
7.4 Portability (Right to Data Portability)
You can request your data in a portable format.
- Available format: CSV, JSON, standard formats
- Includes: Personal data, uploaded documents, activity logs
- Response time: Within 30 days
- Cost: Free for one request per year
7.5 Objection (Right to Object)
You can object to processing of your data for:
- Direct marketing
- Profiling for marketing purposes
- Automated decision-making
Exception: Objection does not apply to processing necessary for contract performance.
7.6 Appeal & Complaint
If you believe we've violated your privacy rights:
- Contact us first: Compliance Officer will respond within 30 days
- Escalation: Request review from senior management
- Regulatory complaint: File complaint with data protection authority (GDPR: EU authorities; CCPA: California Attorney General)
8. INTERNATIONAL DATA TRANSFERS
8.1 GDPR Compliance (EU Customers)
For EU customers, we process data under the GDPR:
- Data stored in EU region (Frankfurt, Germany)
- Data Processing Addendum (DPA) executed
- Standard Contractual Clauses (SCCs) in place for any transfers
- GDPR compliance audited annually
8.2 CCPA/CPRA Compliance (California Customers)
For California residents:
- All rights under CCPA apply (access, deletion, opt-out)
- We do not sell personal information
- Right to non-discrimination for exercising privacy rights
8.3 Cross-Border Transfers
For data transferred outside the customer's home country:
- Explicit customer consent obtained
- Adequate safeguards in place (encryption, contractual terms)
- Transfer notification in Privacy Policy
9. CHILDREN'S PRIVACY
LexOS Intell is not directed to individuals under 18 years of age.
- We do not knowingly collect data from minors
- If we become aware of data from a minor, we'll delete it immediately
- Organization Admin is responsible for ensuring only authorized users access the account
10. COOKIES & TRACKING
10.1 Cookie Types
Essential Cookies:
- Session tokens (required to stay logged in)
- CSRF tokens (prevent unauthorized requests)
- Security settings
Functional Cookies:
- Language preference
- UI preferences (dark mode, layout)
- Saved searches
Analytics Cookies:
- Usage patterns (modules accessed, features used)
- Performance monitoring
- Error tracking (anonymized)
Marketing Cookies:
- Tracking across web properties (if you click links from our website)
- Remarketing (if you visit other sites)
10.2 Cookie Management
- You can disable non-essential cookies in browser settings
- Disabling cookies may affect Platform functionality
- See Cookie Policy for detailed list
11. THIRD-PARTY LINKS & SERVICES
LexOS Intell may contain links to third-party websites (documentation, tutorials, external resources).
- We are not responsible for third-party privacy practices
- Review their privacy policies before providing data
- We do not control external websites
12. SECURITY MEASURES
12.1 Technical Safeguards
- End-to-end encryption (AES-256)
- Intrusion detection systems
- Automated vulnerability scanning
- Firewall and DLP (Data Loss Prevention)
- Secure API authentication (OAuth, API keys)
12.2 Operational Safeguards
- Employee access controls and training
- Background checks for staff with data access
- Confidentiality agreements for all employees
- Regular security audits (annual)
- Incident response and security escalation procedures designed to address security incidents in a timely manner.
12.3 Breach Notification
If we discover a breach of unencrypted personal data:
- Internal notification: Immediate (within 1 hour)
- Customer notification: Without undue delay.
- Regulatory notification: As required by law
13. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to Know: Request what personal information we collect and use
- Right to Delete: Request deletion of personal information (with exceptions)
- Right to Opt-Out: Opt out of "sales" of personal information (we don't sell data, but right applies)
- Right to Correct: Request correction of inaccurate information
- Right to Limit: Limit use of personal information to purposes disclosed
- Right to Non-Discrimination: We will not discriminate based on exercise of rights
How to Exercise:
- Submit request via support dashboard
- Or email privacy request to Compliance Officer
- We'll respond within 45 days
14. EUROPEAN PRIVACY RIGHTS (GDPR)
If you are a data subject under GDPR (EU, UK, EEA):
Your Rights:
- Right of Access, Rectification, Erasure, Portability
- Right to Object to processing
- Right to restrict processing
- Right to lodge complaint with supervisory authority
Data Controller:
LexOS Intell | IntellAxis AI Pvt Ltd | Pune, Maharashtra
Data Protection Officer:
Sanket Kedar (Compliance Officer)
Contact via support channel
Your Remedy:
- Contact us first for resolution
- Lodge complaint with your data protection authority (e.g., GDPR supervisory authority)
15. INDIA PRIVACY COMPLIANCE
LexOS Intell complies with India's IT Act 2000 and emerging data protection regulations.
Sensitive Personal Data:
- Encrypted storage and access controls
- Minimal collection (only necessary for services)
- No sharing without explicit consent
Reasonable Security:
- ISO 27001 certified security practices
- Regular security audits and vulnerability testing
16. UPDATES TO THIS POLICY
16.1 Changes
- We may update this policy at any time
- Material changes require 30 days notice
- Notice via email and in-app notification
- Continued use = acceptance of new policy
16.2 Version Control
All versions maintained at lexosintell.com/privacy-archive with change log.
17. CONTACT US
Questions about privacy?
- Escalation: Sanket Kedar, Compliance Officer
- Channel: In-app ticketing dashboard
- Email subject: "Privacy Request"
- Response time: 30 days for formal requests; 7 days for urgent inquiries
ACKNOWLEDGMENT
By using LexOS Intell, you acknowledge that you have read and understood this Privacy Policy.
If you have concerns about our privacy practices, please contact us immediately.
LexOS IntellIntellAxis AI Pvt Ltd
Pune, Maharashtra
Version 1.0 | Effective 27 May 2026