This Privacy Policy explains how Devmint Technologies ("Lexly", "we", "us") — the company that operates the Lexly platform — collects, uses, shares, and protects personal data when you use the Lexly platform and lexlyai.com (the "Service"). It should be read with our Terms of Service.
For users in the EU/UK, Lexly is the data controller for account data and acts as a data processor for the contract content you upload/generate (you are the controller of that content).
1. Data We Collect
You provide:
- Account data — name, email, password (hashed by our auth provider), language and notification preferences, jurisdiction.
- User Content — contracts you create, upload, or analyse, including any personal data contained within them; signatory names, emails, and roles you enter for eSign.
- Support communications.
Collected automatically:
- Usage data — features used (Forge/Sense/eSign), counts, timestamps, plan tier.
- Device/technical data — IP address, browser/user-agent, approximate location (derived from IP), and cookies/session identifiers.
- eSign audit data — for each signature: timestamp, IP address, approximate location, user agent, typed name, and consent text. This is recorded to evidence the signing process and is included in the audit certificate.
From third parties:
- Payment/subscription data from Lemon Squeezy (e.g., plan, status, billing period, customer ID). We do not receive or store your full card number.
- Authentication data if you sign in with Google OAuth (name, email).
2. How We Use Data
- To provide, operate, and secure the Service (create/analyse/sign/store contracts).
- To process AI generation and analysis via our AI/OCR subprocessors on your behalf.
- To manage subscriptions, billing, and usage limits.
- To send transactional emails (welcome, signing invitations and completions, expiry and renewal reminders) and, where you opt in, product announcements.
- To provide in-app notifications and site announcements.
- To monitor, debug, and improve the Service (error and product analytics).
- To comply with legal obligations and enforce our Terms.
Legal bases (EU/UK GDPR): performance of a contract (providing the Service), legitimate interests (security, improvement, analytics), consent (marketing emails, certain cookies), and legal obligation.
3. AI Processing
When you use Forge or Sense, the relevant document text and your inputs are sent to our AI and OCR providers (listed on our Subprocessors page) to generate or analyse content. These providers process the data to return a result to you. We do not use the substance of your contracts to train our own or third parties' foundation models, and we select providers whose terms support business/data-processing use. AI output may be inaccurate — see the "Not Legal Advice" section of the Terms.
4. How We Share Data
We share personal data only with:
- Subprocessors that provide infrastructure on our behalf (listed on our Subprocessors page), under contractual confidentiality and data-protection terms.
- Lemon Squeezy (Merchant of Record) for payment processing and invoicing.
- eSign recipients — signatory contact details and the document are shared with the parties you invite to sign.
- Legal/safety — where required by law, to protect rights and safety, or in connection with a merger/acquisition (with notice).
We do not sell personal data. We rely on the third-party subprocessors listed on our Subprocessors page — including each provider's purpose and processing region — to operate the Service on our behalf.
5. International Transfers
We and our subprocessors may process data in countries other than yours (including the United States, the European Union, and India). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for transfers out of the EEA/UK.
6. Data Retention
- Account & contract data is retained while your account is active.
- On account deletion, we delete your user record and associated contracts (cascading to signatories, clauses, and audit events) and remove stored files from S3, subject to a short backup-rotation window and any legal retention obligations.
- Signed documents and audit certificates may be retained as needed to evidence completed transactions unless you delete them.
- Aggregated/anonymised analytics may be retained.
7. Your Rights
Depending on your location (e.g., GDPR/UK GDPR, CCPA/CPRA), you may have the right to access, correct, delete, port, or restrict processing of your personal data, to object to certain processing, and to withdraw consent. You can:
- update profile and notification preferences in-app;
- delete your account in settings (which deletes associated data as in §6);
- contact us at privacy@lexlyai.com to exercise other rights.
California residents: we do not "sell" or "share" personal information for cross-context behavioural advertising. EU/UK users may lodge a complaint with their supervisory authority.
8. Cookies & Tracking
We use strictly necessary cookies for authentication/session management and, subject to consent where required, analytics cookies (PostHog). You can control cookies via your browser.
9. Security
We use industry-standard measures including encryption in transit (TLS) and at rest (S3 server-side encryption), access controls, scoped credentials, audit logging for administrative actions, and rate limiting. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
10. Children
The Service is not directed to children under 18 and we do not knowingly collect their data.
11. Changes
We may update this Policy; material changes will be notified via the Service or email. The "Last updated" date reflects the latest version.
12. Contact
Data controller: Devmint Technologies, Chandigarh, Punjab, India.
Privacy contact / DPO: privacy@lexlyai.com.
