Privacy Policy
Last updated: 22 April 2026
This Privacy Policy describes how LexCodex.ai ("we", "us", "our") collects, uses and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR).
1. Data controller
The data controller is LexCodex.ai, owned and operated by Nordicbysight.
Contact: support@lexcodex.ai
2. What data we collect
- Account information: First name, last name, email address and organisation when you register.
- Authentication: Hashed password (bcrypt), optional MFA key and backup codes (hashed).
- Usage data: Number of analyses per month, which tools were used (aggregated, without contract content).
- Contact form: Name, email, organisation and message.
- Technical data: IP address, browser type, operating system (security logging and rate limiting).
- Analytics (Google Analytics): Anonymous page statistics, only enabled after your consent.
- Cookies: See section 6 below.
3. Data we do not store
- Contract texts and legal content sent for analysis — exists only in memory during the call.
- AI analysis responses — returned to you and not stored on our servers.
- Uploaded PDF/DOCX files — text is extracted, sent to AI, and discarded immediately after the response.
4. Legal basis for processing
- Contract (Art. 6.1 b): Account information and usage data are required to provide the service.
- Legitimate interest (Art. 6.1 f): Security logging, rate limiting and protection against misuse.
- Legal obligation (Art. 6.1 c): Accounting and invoicing data under the Swedish Bookkeeping Act.
- Consent (Art. 6.1 a): Analytics cookies and Google Analytics are only enabled after your consent.
5. How we use the data
- Provide, administer and bill your account.
- Respond to contact requests.
- Improve the service via aggregated, anonymous usage statistics.
- Protect against misuse, brute force and unauthorised access.
6. Third parties and data transfers
We engage the following categories of certified third-party providers, all bound by data processing agreements (DPA):
- AI processing: Text you send for analysis is processed by an AI provider certified under SOC 2 Type II and ISO 27001. Your data is not used for model training and is not stored permanently (Zero Data Retention).
- Hosting: Server and database operated in a certified data centre in Sweden.
- Payment processing: Pro and Enterprise subscriptions are handled by Stripe (PCI DSS Level 1-certified, EU-based).
- Spam protection: Registration and contact forms are protected by a third-party anti-bot service.
- Web analytics (optional): Anonymous web statistics are activated only after your consent via the cookie banner. Data may be transferred to third countries under the EU-US Data Privacy Framework and Standard Contractual Clauses.
A complete list with provider names, function, location and certifications is provided to enterprise customers under NDA as part of onboarding, or upon request at support@lexcodex.ai.
7. Cookies
We use the following types of cookies:
- Necessary cookies: Session cookie for sign-in (__Host-LEXSESSID). Secure, HttpOnly, SameSite=Lax. Cannot be disabled.
- Analytics cookies: Google Analytics (_ga, _gid). Only enabled after your consent via the cookie banner.
You can change your cookie settings at any time via the banner at the bottom of the page.
8. Your rights
Under GDPR you have the right to:
- Art. 15 — Access: Download all your stored data as a JSON file via the "Download my data" button at /en/account.
- Art. 16 — Rectification: Request correction at support@lexcodex.ai.
- Art. 17 — Erasure ("right to be forgotten"): Delete the account and all associated data directly via the "Delete my account" button at /en/account. Deletion is immediate and permanent.
- Art. 18 — Restriction: Contact support.
- Art. 20 — Data portability: Same JSON export as under Art. 15 — machine-readable format.
- Art. 21 — Objection: Contact support.
- Withdraw consent for analytics cookies at any time via the cookie banner.
9. Retention period
- Contract texts and AI responses: Not stored — only exist in memory during the analysis itself.
- Account information: As long as the account is active. Deleted immediately when you use the Art. 17 button at /en/account.
- Accounting and invoice data: 7 years under Chapter 6, Section 1 of the Swedish Bookkeeping Act (required by law even after account deletion).
- Shared analyses (share links): Max 7 days, deleted automatically.
- Contact form: 12 months after the request has been answered.
- Security logs (rate limit): Rolling 1 hour.
- Server logs (access/error): 30 days.
- Google Analytics: 26 months (Google's default setting).
10. Data protection
We protect your data with TLS, bcrypt-hashed passwords, optional two-factor authentication (MFA/TOTP), CSP, HSTS preload, CSRF token and rate limiting. See Security & Trust for the full list.
11. Supervisory authority
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY):
www.imy.se/en
12. Changes
We may update this policy. Material changes are communicated via email or on the website.