LEGAL

Last updated: May 2026

Privacy Policy.

Who We Are

Lexilio ("we", "us", "our") is operated by Lexilio Inc., a company incorporated in Delaware, United States. We provide AI-powered contract intelligence software for construction and procurement teams.

This Privacy Policy explains what personal data we collect, how we use it, and your rights in relation to it. We will update this policy from time to time. The "Last Updated" date above reflects the most recent revision.

Data Protection Officer: Muhammad Y Malik
Contact: hello@lexilio.co

Our Role in Relation to Your Data

Depending on the circumstances, Lexilio acts as either a data controller or a data processor.

As a controller: When you visit our website, create an account, or contact us as a prospective customer or employee, we determine how your personal data is processed.

As a processor: When you upload contracts or other data through our platform, you are the data controller. We process that data solely on your instructions to provide the service.

Information We Collect

Information you provide

  • Name, work email address, and company name when you register or contact us
  • Payment information (processed by Stripe; we do not store card details)
  • Contracts and documents you upload to the platform
  • Messages and correspondence with our team

Information collected automatically

  • Technical data: IP address, browser type, operating system, device type
  • Usage data: pages viewed, features used, navigation paths, errors encountered
  • Session data managed via secure cookies (see our Cookie Policy)

How We Use Your Data

  • Providing the platform: Performance of contract
  • Account management and support: Performance of contract
  • Billing and payment processing: Performance of contract
  • Security and fraud prevention: Legitimate interests
  • Improving our services: Legitimate interests (anonymised data only)
  • Marketing and communications: Legitimate interests or consent
  • Legal compliance: Legal obligation

AI Processing and Your Contract Data

Lexilio uses trusted third-party AI providers to analyse contracts and generate compliance reports.

Key commitments:

  • We do not use your uploaded contracts to train any AI or machine learning models, ever.
  • AI providers may temporarily retain request and response data for up to 30 days for security and abuse prevention purposes, after which it is deleted in accordance with provider policies.
  • We do not enable data-sharing programmes that would allow AI providers to retain or train on your data beyond this security window.
  • When you delete a contract from Lexilio, it is permanently removed from our systems.

How Long We Keep Your Data

  • Account data: Retained while account is active, deleted 30 days after account deletion
  • Contract data: Retained while account is active, deleted 30 days after account deletion
  • Billing data: Retained for 7 years for tax and legal compliance
  • Marketing data: Until you unsubscribe or withdraw consent
  • Server logs: 90 days

Where We Store Your Data

Your data is stored and processed in the European Union and United States via our infrastructure providers. All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).

For transfers of personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

Who We Share Your Data With

We do not sell your personal data.

We share data only with:

  • Infrastructure and hosting providers (AWS, Railway, Supabase, Vercel)
  • AI processing providers (subject to the commitments in Section 5 above)
  • Payment processor (Stripe)
  • Customer support tooling (Crisp)
  • Analytics (anonymised, aggregated data only)
  • Legal and regulatory authorities where required by law
  • Buyers in the event of a business sale or restructuring, subject to equivalent privacy protections

A full list of sub-processors is available in our Data Processing Agreement.

Your Rights

Depending on your location, you may have the following rights under GDPR, UK GDPR, or applicable data protection law:

  • Right of access (Subject Access Request)
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your supervisory authority

To exercise any of these rights, contact hello@lexilio.co. We will respond within 30 days.

Cookies

We use essential cookies to operate the platform and, with your consent, analytics cookies to understand how our site is used. For full details, see our Cookie Policy.

Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact hello@lexilio.co immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. Continued use of the platform after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy or your personal data?

Data Protection Officer: Muhammad Y Malik
Email: hello@lexilio.co
Address: Lexilio Inc., Delaware, United States

You also have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, contact your local Data Protection Authority.