Privacy Policy
🔒 LexAra is committed to protecting your privacy under the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and applicable Ontario privacy law. Contract documents you submit for analysis are never stored, retained, or used for training AI models.
1. Who We Are
LexAra Inc. ("LexAra", "we", "us", or "our") operates the AI contract analysis platform at lexara.tech. We are the data controller responsible for personal information collected through the Platform.
Privacy Officer: privacy@lexara.tech
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Name and email address
- Password (stored as a one-way cryptographic hash — never in plaintext)
- Organization name (optional)
- Billing information (processed by Stripe; we do not store card numbers)
2.2 Usage Data
We collect anonymized platform usage data including:
- Number of analyses performed, analysis types requested
- API usage metrics (request count, response times)
- Browser type, operating system, and IP address (for security and fraud prevention)
- Pages visited and features used
2.3 Contract Text — Critical Notice
Contract documents and text submitted for analysis are processed in memory only and are NOT stored, logged, or retained in any form. We do not read your contracts, share them with third parties, or use them to train AI models. Processing occurs in an isolated environment and the data is permanently discarded upon completion of the analysis request.
3. How We Use Your Information
| Purpose | Legal Basis (PIPEDA) | Retention |
|---|---|---|
| Providing and improving the Services | Contractual necessity / consent | Duration of account |
| Billing and payment processing | Contractual necessity | 7 years (tax law) |
| Security and fraud prevention | Legitimate interest | 12 months |
| Service communications (transactional) | Contractual necessity | Duration of account |
| Marketing emails (opt-in only) | Consent | Until withdrawal of consent |
| Analytics (aggregated, anonymized) | Legitimate interest | 24 months |
4. Disclosure of Personal Information
We do not sell, rent, or trade your personal information. We may share information with:
- Service Providers: Stripe (payment processing), AI infrastructure providers (analysis processing — contract text only, not personal data), cloud infrastructure providers — all bound by data processing agreements
- Legal Requirements: If required by law, court order, or regulatory authority in Canada
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users
All third-party service providers are contractually required to protect your information and use it only for the specified purpose.
5. AI Processing Technology
LexAra's analysis engine is powered by third-party large language model (LLM) technology provided by our AI infrastructure partners. Contract text submitted for analysis is transmitted securely via encrypted API to our AI processing infrastructure. Our agreements with AI service providers prohibit use of API inputs for model training or any purpose beyond fulfilling the immediate request. We do not send personal identifying information (name, email, account data) alongside contract text. Each analysis request is stateless and independent, with no data retained by our AI partners after the response is returned.
The specific AI models and providers used by LexAra may change over time as we improve our Services. Material changes to our AI processing infrastructure will be reflected in an updated version of this Policy.
6. Data Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit
- Encrypted storage for personal data at rest (AES-256)
- Role-based access controls limiting employee access to personal data
- Regular security audits and vulnerability assessments
- Breach notification procedures compliant with PIPEDA's mandatory breach reporting requirements (reporting to the Office of the Privacy Commissioner within 72 hours of discovery)
7. Your Rights Under PIPEDA
You have the following rights regarding your personal information:
- Access: Request a copy of personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Withdrawal of Consent: Withdraw consent for non-essential processing at any time (this may limit your ability to use certain features)
- Deletion: Request deletion of your account and associated personal data (subject to legal retention requirements)
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe your rights have been violated
To exercise these rights, contact our Privacy Officer at privacy@lexara.tech. We will respond within 30 days.
8. Cookies and Tracking
We use minimal, necessary cookies for:
- Session authentication (strictly necessary — cannot be disabled)
- User preferences (functional)
- Aggregate analytics via privacy-respecting tools (no cross-site tracking)
We do not use advertising cookies, third-party tracking pixels, or behavioral profiling technologies. You can control cookies through your browser settings.
9. Data Retention
We retain personal information only as long as necessary for the stated purpose or as required by law. Upon account deletion, personal data is purged within 30 days (except where retention is legally required, e.g., financial records for 7 years under the Income Tax Act).
10. Children's Privacy
The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us personal information, contact us at privacy@lexara.tech and we will promptly delete it.
11. AODA Accessibility
Our privacy processes are designed to be accessible to persons with disabilities in accordance with the AODA. If you require an accessible format of this Privacy Policy or assistance exercising your privacy rights, contact accessibility@lexara.tech.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via email at least 14 days in advance. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact Our Privacy Officer
For any privacy-related questions, requests, or concerns:
Privacy Officer, LexAra Inc.
Email: privacy@lexara.tech
Response time: Within 30 days of receipt
You also have the right to escalate concerns to the Office of the Privacy Commissioner of Canada:
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376 | priv.gc.ca