Privacy Policy
Last updated: 22 April 2026
This Privacy Policy describes how LexCodex.ai ("we", "us", "our") collects, uses and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR).
1. Data controller
The data controller is LexCodex.ai, operated by Nordicbysight HB (registration number 969787-0346).
Contact: support@lexcodex.ai
2. What data we collect
- Account information: First name, last name, email address and organisation when you register.
- Authentication: Hashed password (bcrypt), optional MFA key and backup codes (hashed).
- Usage data: Number of analyses per month, which tools were used (aggregated, without contract content).
- Contact form: Name, email, organisation and message.
- Technical data: IP address, browser type, operating system (security logging and rate limiting).
- Analytics (Google Analytics): Anonymous page statistics, only enabled after your consent.
- Cookies: See section 6 below.
3. Data we do not store
- Contract texts and legal content sent for analysis — exist only in memory during the call.
- AI analysis responses — returned to you and not stored on our servers.
- Uploaded PDF/DOCX files — text is extracted, sent to AI, and discarded immediately after the response.
4. Legal basis for processing
- Contract (Art. 6.1 b): Account information and usage data are required to provide the service.
- Legitimate interest (Art. 6.1 f): Security logging, rate limiting and protection against misuse.
- Legal obligation (Art. 6.1 c): Accounting and invoicing data under the Swedish Bookkeeping Act.
- Consent (Art. 6.1 a): Analytics cookies and Google Analytics are only enabled after your consent.
5. How we use the data
- Provide, administer and bill your account.
- Respond to contact requests.
- Improve the service via aggregated, anonymous usage statistics.
- Protect against misuse, brute force and unauthorised access.
6. Third parties and data transfers
- Anthropic (Claude AI): Text you send for analysis is processed by Anthropic's API. Anthropic does not use your data for model training. Data is not stored permanently at Anthropic. Certified under SOC 2 Type II, ISO 27001, ISO 42001, HIPAA.
- Easywebbhotell (Sweden): Server and database hosting. Swedish jurisdiction.
- Stripe: Payment processing for Pro and Enterprise plans. PCI DSS Level 1.
- Google reCAPTCHA: Protects registration and contact forms from spam. Subject to Google's privacy policy.
- Google Analytics: Anonymous web statistics, enabled after consent. Data may be transferred to the US under the EU-US Data Privacy Framework and Standard Contractual Clauses.
7. Cookies
We use the following types of cookies:
- Necessary cookies: Session cookie for sign-in (__Host-LEXSESSID). Secure, HttpOnly, SameSite=Lax. Cannot be disabled.
- Analytics cookies: Google Analytics (_ga, _gid). Only enabled after your consent via the cookie banner.
You can change your cookie settings at any time via the banner at the bottom of the page.
8. Your rights
Under GDPR you have the right to:
- Art. 15 — Access: Download all your stored data as a JSON file via the "Download my data" button at /en/account.
- Art. 16 — Rectification: Request correction at support@lexcodex.ai.
- Art. 17 — Erasure ("right to be forgotten"): Delete the account and all associated data directly via the "Delete my account" button at /en/account. Deletion is immediate and permanent.
- Art. 18 — Restriction: Contact support.
- Art. 20 — Data portability: Same JSON export as under Art. 15 — machine-readable format.
- Art. 21 — Objection: Contact support.
- Withdraw consent for analytics cookies at any time via the cookie banner.
9. Retention period
- Contract texts and AI responses: Not stored — only exist in memory during the analysis itself.
- Account information: As long as the account is active. Deleted immediately when you use the Art. 17 button at /en/account.
- Accounting and invoice data: 7 years under Chapter 6, Section 1 of the Swedish Bookkeeping Act (required by law even after account deletion).
- Shared analyses (share links): Max 7 days, deleted automatically.
- Contact form: 12 months after the request has been answered.
- Security logs (rate limit): Rolling 1 hour.
- Server logs (access/error): 30 days.
- Google Analytics: 26 months (Google's default setting).
10. Data protection
We protect your data with TLS 1.3, bcrypt-hashed passwords, optional two-factor authentication (MFA/TOTP), CSP, HSTS preload, CSRF tokens and rate limiting. See Security & Trust for the full list.
11. Supervisory authority
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY):
www.imy.se/en
12. Changes
We may update this policy. Material changes are communicated via email or on the website.