1. Introduction
Lex Protocol, developed by Avci Technologies (ABN: 69688146581), is committed to protecting your privacy and maintaining the confidentiality of your legal information. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application and related services.
This Privacy Policy applies to all users and complies with:
- Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth)
- General Data Protection Regulation (GDPR) for European Union users
- Applicable app store requirements (Apple App Store, Google Play Store)
2. Information We Collect
Account Information
- Name and email address
- Professional credentials and firm information
- Password (stored in encrypted form)
Legal Content
- Voice recordings (processed and then deleted)
- Legal file notes and documents
- Matter organization and categorization
Usage Information
- App usage patterns and feature utilization
- Error logs and performance data
- Subscription and billing information
3. How We Use Your Information
Service Delivery
- Process voice recordings into legal file notes
- Organize and categorize your legal matters
- Synchronize data across your devices
- Generate PDF and Word document exports
Communication
- Send service-related notifications
- Provide customer support
- Send subscription and billing updates
4. Data Security and Protection
Technical Safeguards
- TLS encryption for all data in transit
- AES-256-GCM encryption for stored note content
- Secure cloud infrastructure with Google Firebase
- Regular security audits and monitoring
Professional Protections
- Attorney-client privilege considerations
- Confidential information handling protocols
- Staff confidentiality agreements
- Limited access controls and logging
5. Information Sharing
We DO NOT sell your personal information.
Service providers and subprocessors
- Google Firebase — authentication, database hosting, cloud functions, and file storage
- Deepgram (US-based) — receives voice recordings to convert speech to text. Audio is deleted from our servers immediately after the transcript is returned
- OpenAI (US-based) — receives transcribed text and, where you use the Ask Lexi assistant, the relevant matter context to generate structured file notes and chat responses
- Apple App Store, Google Play Store, Stripe, RevenueCat — payment and subscription processing
- Sentry — application error tracking and service reliability (receives anonymised user identifiers and error data, not legal content)
- Professional service providers (legal advisors, auditors, consultants) when required
- Clio Manage (user-initiated) — if you connect your Clio account, file note content, task names, and time entries are synced to your Clio matters. OAuth tokens are stored AES-256-GCM encrypted. Data synced to Clio is governed by Clio's privacy policy. You can disconnect at any time, which revokes access and deletes stored tokens
What our AI providers do and don't do with your content
Under the standard API terms we rely on with OpenAI and Deepgram, content you submit through their APIs is not used to train their models. Both providers may retain submitted content for a limited period (typically up to 30 days) for abuse monitoring and service reliability, after which it is deleted. We do not have visibility into those retention systems.
We do not sell your data, we do not use your content to train our own models, and we do not share your content with any third party other than the service providers listed above for the specific purposes of operating Lex Protocol.
If you handle content that is subject to legal professional privilege, you should consider whether transmission to a third-party AI provider under these terms is acceptable for your specific matter before using the voice recording and Ask Lexi features.
Legal disclosure: We may disclose information when required by law or to protect our legal rights, but we will notify you unless legally prohibited.
6. Consent for Recording and Third-Party Content
If you use the voice recording or transcription features while a client, witness, or other third party is present, you are responsible for obtaining their informed consent before recording where required by the law of your jurisdiction. Recording-consent laws vary significantly by state, territory, and country — you remain solely responsible for compliance.
You are also responsible for ensuring that any client information you enter into the App (including matter names, client details, and content uploaded to Ask Lexi) is handled consistently with your professional conduct obligations and any confidentiality undertakings you have given.
7. Your Privacy Rights
Australian Privacy Law Rights
- Access your personal information
- Correct inaccurate information
- File complaints about privacy practices
GDPR Rights (EU Users)
- Right of access and data portability
- Right to rectification and erasure
- Right to object to processing
- Right to withdraw consent
California Residents (CCPA / CPRA Rights)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). See Section 8 for the full disclosure and how to exercise those rights.
Non-discrimination: we will not deny services, charge different prices, or provide a different level of quality because you exercised any of the rights described in this section.
To exercise these rights, contact us at supportteam@lexprotocol.co or use our privacy rights request form.
8. California Residents
This section applies to California residents and is provided to comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). It supplements, and does not replace, the disclosures elsewhere in this Privacy Policy.
Categories of Personal Information We Collect
In the preceding 12 months we have collected the following categories of personal information about California residents:
- Identifiers — name, email address, account ID
- Commercial information — subscription status and billing records (collected via Stripe and RevenueCat)
- Internet or other electronic network activity — app usage patterns, error logs, performance data
- Audio, electronic, or similar information — voice recordings, which are sent to our transcription provider and deleted from our servers immediately after the transcript is returned
- Professional or employment-related information — firm name and professional credentials you provide
We do not collect: precise geolocation, biometric identifiers, government-issued identifiers, financial-account credentials, characteristics of protected classifications, or inferences drawn from the above to create a consumer profile.
Sources of Personal Information
- Directly from you when you sign up, sign in, or use the app
- From payment processors (Stripe, RevenueCat) for transaction confirmations
- From the Apple App Store and Google Play Store for purchase signals
Business and Commercial Purposes for Collection
- Providing and maintaining the Lex Protocol service
- Processing payments and managing subscriptions
- Security, abuse prevention, and service reliability
- Customer support
- Compliance with legal obligations
Categories of Third Parties We Disclose To
We disclose the categories of personal information described above to the service providers listed in Section 5 (Information Sharing) for the limited purposes described there. We do not disclose personal information to any other third parties except as required by law.
Sale or Sharing of Personal Information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
Because we do not sell or share personal information as those terms are defined under the CCPA, we are not required to provide a "Do Not Sell or Share My Personal Information" link. We have not engaged in any such sale or sharing in the preceding 12 months and do not intend to do so.
Your California Privacy Rights
- Right to Know — request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties to whom we have disclosed it (covering the preceding 12 months)
- Right to Delete — request that we delete personal information we have collected from you, subject to statutory exceptions
- Right to Correct — request that we correct inaccurate personal information we hold about you
- Right to Opt Out of Sale or Sharing — applicable if a business sells or shares personal information; we do not, but you may still submit a request to confirm
- Right to Limit Use of Sensitive Personal Information — applicable to businesses that use sensitive PI for inferences or beyond providing the requested service; we do not collect sensitive PI categories under the CCPA, so this right is satisfied by our practices
- Right to Non-Discrimination — we will not deny services, charge different prices, or provide a different level of quality because you exercised any of these rights
How to Submit a Request
You may submit a verifiable consumer request through either of the following methods:
- Email: supportteam@lexprotocol.co
- Webform: lex-protocol.com/privacy-request
Verification of Requests
To protect your data we will verify your identity before fulfilling a request. For account holders, being signed in to the app is sufficient verification. Otherwise, we may ask you to confirm information that matches what we already hold.
Response Time
We will confirm receipt of your request within 10 business days and substantively respond within 45 days. If we need more time, we will inform you of the reason and the extension (up to 90 days total).
Authorized Agents
You may designate an authorized agent to submit a request on your behalf. We will require written authorization signed by you and may verify your identity directly before acting on the request.
Right to Appeal or Complain
If you believe we have not adequately responded to your request, you may contact the California Attorney General's office at oag.ca.gov/contact/consumer-complaint-against-business-or-company.
9. Data Retention
- Account data: Retained while your account is active
- Legal notes: Retained per your document management needs
- Voice recordings: Deleted from our servers immediately after the transcript is returned. Our transcription provider (Deepgram) may briefly retain audio under its standard API terms; see Section 5
- AI chat conversations (Ask Lexi): Automatically deleted after 90 days of inactivity. Conversations with no new messages for 90 days are permanently removed from our systems
- Deleted accounts: Data removed within 30 days
10. Contact Information
Complaints
- Australia: Office of the Australian Information Commissioner (OAIC)
- EU: Your local Data Protection Authority
11. Updates to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and in-app notifications. Your continued use of the service after changes constitutes acceptance of the updated policy.
By using Lex Protocol, you acknowledge that you have read, understood, and agree to this Privacy Policy.