Privacy Policy
Last updated: March 2026
1. Introduction
LexVault ("we," "us," or "our") operates an AI-powered document intelligence platform for law firms (the "Service") at lexvault.legal. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service. For questions, contact us at privacy@lexvault.legal.
2. Information we collect
2.1 Account information
When you register, we collect your name, email address, firm name, and (when billing is activated) billing information. We do not store full payment card details — payments are processed by our third-party payment processor.
2.2 Documents and content you upload
You may upload legal documents, case files, contracts, emails, and other files to the Service ("Customer Content"). This content is stored in an isolated environment associated solely with your firm and is not accessible by any other firm or user.
2.3 Usage data
We collect information about how you interact with the Service, including query logs (the questions you ask the AI), document upload and deletion activity, feature usage, and response times. This data is used to operate, maintain, and improve the Service.
2.4 Cookies and similar technologies
We use cookies and similar technologies to operate the Service. For details, see our Cookie Policy.
2.5 Communications
If you contact us by email or through the Service, we retain the content of your communications and our responses.
3. How we use your information
- To provide, operate, and maintain the Service
- To process your queries against your uploaded documents using AI
- To manage your account and subscription
- To send transactional emails (account confirmations, team invitations, service notices)
- To respond to support requests
- To monitor performance, detect abuse, and fix errors
- To comply with legal obligations
We do not use your Customer Content — including documents or AI queries — to train AI models, whether by us or by our AI providers. This is contractually enforced with OpenAI under their API terms.
AI-generated outputs are derived solely from the documents you upload and the context of your queries. Results may be incomplete, imprecise, or inapplicable to a specific legal situation. You remain responsible for independently reviewing any AI-generated response before relying on it.
4. Data sharing and disclosure
We do not sell, rent, or trade your personal information or Customer Content. We share information only in the following limited circumstances:
4.1 Service providers (sub-processors)
We use the following service providers to deliver the Service:
| Provider | Purpose | Data transferred |
|---|---|---|
| Supabase, Inc. | Database, file storage, and authentication | Account data, uploaded documents and embeddings |
| OpenAI, LLC | AI completions, document embeddings, data extraction, and conflict analysis | Query text and relevant document excerpts — not used for model training per OpenAI API terms |
| Vercel, Inc. | Web application hosting and content delivery | HTTP request data |
| Resend, Inc. | Transactional email delivery | Recipient email addresses and email content |
4.2 Legal requirements
We may disclose information if required by law, court order, or governmental authority, or if necessary to protect the rights, property, or safety of LexVault, our users, or the public.
4.3 Business transfers
In the event of a merger, acquisition, or sale of all or part of our assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this policy. We will notify you by email prior to any such transfer.
5. Data retention
We retain your account data and Customer Content for as long as your account is active. Upon cancellation:
- All Customer Content is deleted within 30 days of account termination.
- Billing records are retained for 7 years for tax and legal compliance (name, email, payment history only — no Customer Content).
- Audit log entries are retained for 3 years.
- Anonymized, aggregated usage statistics (no identifying information) may be retained indefinitely.
6. Data security
We implement the following security measures to protect your information:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest (managed by Supabase/AWS)
- Firm-level data isolation via database row-level security — your data is never commingled with another firm's data
- Role-based access controls (owner, admin, member) for all firm resources
- Tamper-evident audit logging of all material actions within the Service
No method of transmission or storage is 100% secure. We take commercially reasonable steps to protect your information but cannot guarantee absolute security.
7. Your US privacy rights
Depending on the state where you reside, you may have the following rights regarding your personal information. These rights apply to residents of California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and other states with applicable privacy laws.
| Right | What it means |
|---|---|
| Right to know / access | Request a copy of the personal information we hold about you and how we use and disclose it. |
| Right to correct | Request that we correct inaccurate personal information. |
| Right to delete | Request deletion of personal information we hold about you, subject to legal retention obligations. |
| Right to portability | Request an export of your Customer Content and account data in a machine-readable format. |
| Right to opt out of sale | We do not sell your personal information. No opt-out is required, but you may confirm this in writing. |
| Right to opt out of targeted advertising | We do not use your data for targeted or behavioral advertising. |
| Right to non-discrimination | We will not discriminate against you for exercising any of these rights (no denial of service, different pricing, or reduced quality). |
| Right to limit sensitive PI use | We do not use or disclose sensitive personal information for purposes beyond providing the Service. |
How to submit a request
Email privacy@lexvault.legal with "Privacy Request" in the subject line. We will verify your identity and respond within:
- California (CCPA/CPRA): 45 days (extendable by 45 days with notice)
- Virginia, Colorado, Connecticut, Texas, and other state laws: 45 days (extendable by 45 days with notice)
Authorized agents
California and other state residents may designate an authorized agent to submit privacy requests on their behalf. We will require written proof of authorization and may verify the request directly with you.
8. Do Not Sell or Share My Personal Information
LexVault does not sell, share, or disclose your personal information to third parties for monetary consideration or for cross-context behavioral advertising. This applies to all users, including California residents under CCPA/CPRA.
If you have concerns about how your data is used, contact us at privacy@lexvault.legal.
9. California-specific disclosures (CCPA/CPRA)
For California residents, we provide the following additional disclosures as required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Categories of personal information collected
- Identifiers (name, email address)
- Professional or employment-related information (firm name, role)
- Internet or network activity (usage logs, feature interactions)
- Customer Content (documents and data you upload — content and nature determined by you)
Business purposes for collection
Providing and improving the Service, security and fraud prevention, and legal compliance. No personal information is sold or used for targeted advertising.
Shine the Light (California Civil Code § 1798.83)
California residents may request information about disclosures of personal information to third parties for direct marketing purposes. We do not make such disclosures. To submit a request, email privacy@lexvault.legal.
10. Attorney-client confidentiality
LexVault is designed with attorney professional responsibility obligations in mind. We operate as a service provider — not a data controller — with respect to your client documents. We do not access, review, or use your client documents for any purpose other than providing the Service, and LexVault personnel do not read customer documents.
We recommend that firms review their state bar's guidance on cloud storage and AI use with client data before uploading confidential matter files. We can provide information about our security architecture and data handling practices to assist with any required disclosure or ethics review.
Attorneys are solely responsible for the accuracy and completeness of any work product that incorporates or was assisted by AI-generated content. AI responses are research aids — not legal advice — and do not replace the professional judgment and independent verification required of a licensed attorney.
11. GDPR (users in the EEA and UK)
If you are located in the European Economic Area (EEA) or United Kingdom, our lawful bases for processing your personal data include:
- Contract performance: Processing necessary to provide the Service you have subscribed to.
- Legitimate interests: Service improvement, security, and fraud prevention.
- Legal obligation: Compliance with applicable law.
We offer a Data Processing Agreement (DPA) compliant with GDPR Article 28.
12. Children's privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, contact us at privacy@lexvault.legal and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Service at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
14. Contact us
If you have questions about this Privacy Policy or our data practices, contact us: