1. Introduction
Lex Protocol, developed by Avci Technologies (ABN: 69688146581), is committed to protecting your privacy and maintaining the confidentiality of your legal information. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application and related services.
This Privacy Policy applies to all users and complies with:
- Applicable privacy law
- Applicable app store requirements (Apple App Store, Google Play Store)
For European Union and United Kingdom users, our practices are aligned with the General Data Protection Regulation (GDPR). Our processor commitments, including Standard Contractual Clauses for international transfers, are set out in our Data Processing Agreement.
2. Information We Collect
Account Information
- Name and email address
- Professional credentials and firm information
We use passwordless login (a one-time code emailed to you), so we do not collect or store account passwords.
Legal Content
- Voice recordings (processed and then deleted)
- Legal memos to file and documents
- Matter organization and categorization
Usage Information
- App usage patterns and feature utilization
- Error logs and performance data
- Subscription and billing information
Technical and Security Information
- IP address — captured when you sign in, request an account deletion or restoration, or perform other security-sensitive actions. We log it to our audit collections (accountDeletionAuditLogs, accountRestorationAuditLogs) so we can investigate unauthorised access and meet our incident-response obligations.
- Device and browser information — user agent string, operating system, screen size and timezone, used for compatibility, error diagnostics and rate-limit enforcement.
- Authentication events — timestamps of sign-in, two-factor enrollment, account deletion and restoration, written to a per-user audit log subcollection for transparency and security forensics.
Analytics and Cookies (marketing site only)
Our marketing site at lex-protocol.com uses Google Analytics 4 to understand which pages visitors find useful. GA4 sets cookies named _ga and _ga_* with a default 2-year retention, processes IP-derived approximate location (city / region), and aggregates events such as page views and link clicks. We have configured GA4 to anonymise IP addresses and have disabled Google Signals (no cross-device profiling, no advertising features). Visitors from the European Union, the United Kingdom and the EEA see a cookie consent banner and GA4 only runs after consent. Our applications (desktop and mobile) do not use Google Analytics; analytics there is limited to anonymised crash and error reports via Sentry (see § 5).
3. How We Use Your Information
Service Delivery
- Process voice recordings into legal memos to file
- Organize and categorize your legal matters
- Synchronize data across your devices
- Generate PDF and Word document exports
Communication
- Send service-related notifications
- Provide customer support
- Send subscription and billing updates
Legal Bases for Processing (EU / UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art 6(1)(b)) — creating your account and providing the core service: recording, transcription, AI-assisted memos to file, storage, sync and export.
- Legitimate interests (Art 6(1)(f)) — security, fraud and abuse prevention, audit logging, rate limiting, and service reliability, balanced against your rights and freedoms.
- Consent (Art 6(1)(a)) — marketing-site analytics cookies (EU/UK visitors only), which run only after you accept the cookie banner and can be withdrawn at any time.
- Legal obligation (Art 6(1)(c)) — retaining billing records and responding to lawful requests.
Where you input personal data about your own clients (including any special-category data), your firm is the controller of that data and we act as your processor under our Data Processing Agreement; you remain responsible for the lawful basis and any Article 9 / Article 10 condition for that content.
4. Data Security and Protection
Technical Safeguards
- TLS encryption for all data in transit
- AES-256-GCM encryption for stored note content
- Secure cloud infrastructure with Google Firebase
- Regular security audits and monitoring
Professional Protections
- Attorney-client privilege considerations
- Confidential information handling protocols
- Staff confidentiality agreements
- Limited access controls and logging
5. Information Sharing
We DO NOT sell your personal information.
Service providers and subprocessors
- Google Firebase — authentication, database hosting, cloud functions, and file storage
- Deepgram (US-based) — receives voice recordings to convert speech to text. Audio is deleted from our servers immediately after the transcript is returned
- OpenAI (US-based) — receives transcribed text and, where you use the Ask Lexi assistant, the relevant matter context to generate structured memos to file and chat responses. Our OpenAI traffic is covered by a Zero Data Retention amendment (attachments excepted, see below)
- Apple App Store, Google Play Store, Stripe, RevenueCat — payment and subscription processing
- Resend (US-based, with email processing in Japan) — transactional email delivery (login codes and account notifications); receives your email address and the content of service emails
- Sentry — application error tracking and service reliability (receives anonymised user identifiers and error data, not legal content)
- Discord (US-based) — internal operational and error monitoring. Our backend posts service alerts (such as sign-ups, subscription changes, and backend errors, together with limited account identifiers like a user ID or email) to a private team channel so we can respond quickly. No memos to file, recordings, transcripts, or matter content are ever sent
- Professional service providers (legal advisors, auditors, consultants) when required
What our AI providers do and don't do with your content
Under the API terms we rely on, content you submit is not used to train either provider's models. We opt out of Deepgram's Model Improvement Program on every request; under Deepgram's published terms, opted-out request data is retained only for the duration necessary to process the request. Our OpenAI traffic is covered by a Zero Data Retention amendment: the text we submit (transcripts, notes and chat messages) is not retained by OpenAI and is not logged for abuse monitoring. The exception is attachments shared with the Ask Lexi assistant (images and scanned documents), which fall outside Zero Data Retention and may be retained by OpenAI for up to 30 days for safety screening before deletion. Scanned documents we upload for processing are removed from OpenAI immediately after each response. We do not have visibility into those providers' internal systems.
We do not sell your data, we do not use your content to train our own models, and we do not share your content with any third party other than the service providers listed above for the specific purposes of operating Lex Protocol.
If you handle content that is subject to legal professional privilege, you should consider whether transmission to a third-party AI provider under these terms is acceptable for your specific matter before using the voice recording and Ask Lexi features.
Legal disclosure: We may disclose information when required by law or to protect our legal rights, but we will notify you unless legally prohibited.
6. Consent for Recording and Third-Party Content
If you use the voice recording or transcription features while a client, witness, or other third party is present, you are responsible for obtaining their informed consent before recording where required by the law of your jurisdiction. Recording-consent laws vary significantly by state, territory, and country — you remain solely responsible for compliance.
You are also responsible for ensuring that any client information you enter into the App (including matter names, client details, and content uploaded to Ask Lexi) is handled consistently with your professional conduct obligations and any confidentiality undertakings you have given.
7. Your Privacy Rights
Privacy Rights Under Applicable Law
- Access your personal information
- Correct inaccurate information
- File complaints about privacy practices
GDPR Rights (EU Users)
- Right of access and data portability
- Right to rectification and erasure
- Right to object to processing
- Right to withdraw consent
California Residents (CCPA / CPRA Rights)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). See Section 8 for the full disclosure and how to exercise those rights. You can also visit our Your Privacy Choices page.
Exercising these rights in the app
Most of the rights above can be self-served directly inside Lex Protocol, without needing to contact support:
- Access / portability (GDPR 15 + 20, APP 12, CCPA right to know): Settings → Account & Data → Download your data. We generate a JSON archive of your account, memos to file, matter data, tasks and chat history on demand (up to 3 exports per day).
- Rectification (GDPR 16, APP 13, CCPA right to correct): Settings → Profile — edit your name, email, firm and professional details directly.
- Erasure / deletion (GDPR 17, APP, CCPA right to delete): Settings → Account & Data → Delete account. Soft-deleted accounts can be restored within 30 days; after that the data is permanently purged.
- Withdraw consent (GDPR Art 7(3)): account deletion is the effective withdrawal of all consents given to us. We recommend running Download your data first so you keep a local copy of anything you may need to retain (for example, to satisfy your professional file-retention obligations).
Non-discrimination: we will not deny services, charge different prices, or provide a different level of quality because you exercised any of the rights described in this section.
If you need help, or you would like to exercise a right that is not yet self-served in the app, contact us at privacy@lex-protocol.com or use our privacy rights request form. We acknowledge requests within 10 business days and complete them within 45 days (longer only where the law allows for complex cases, with notice).
8. California Residents
This section applies to California residents and is provided to comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). It supplements, and does not replace, the disclosures elsewhere in this Privacy Policy.
Categories of Personal Information We Collect
In the preceding 12 months we have collected the following categories of personal information about California residents:
- Identifiers — name, email address, account ID
- Commercial information — subscription status and billing records (collected via Stripe and RevenueCat)
- Internet or other electronic network activity — app usage patterns, error logs, performance data
- Audio, electronic, or similar information — voice recordings, which are sent to our transcription provider and deleted from our servers immediately after the transcript is returned
- Professional or employment-related information — firm name and professional credentials you provide
We do not collect: precise geolocation, biometric identifiers, government-issued identifiers, financial-account credentials, characteristics of protected classifications, or inferences drawn from the above to create a consumer profile.
Sources of Personal Information
- Directly from you when you sign up, sign in, or use the app
- From payment processors (Stripe, RevenueCat) for transaction confirmations
- From the Apple App Store and Google Play Store for purchase signals
Business and Commercial Purposes for Collection
- Providing and maintaining the Lex Protocol service
- Processing payments and managing subscriptions
- Security, abuse prevention, and service reliability
- Customer support
- Compliance with legal obligations
Categories of Third Parties We Disclose To
We disclose the categories of personal information described above to the service providers listed in Section 5 (Information Sharing) for the limited purposes described there. We do not disclose personal information to any other third parties except as required by law.
Sale or Sharing of Personal Information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
Because we do not sell or share personal information as those terms are defined under the CCPA, we are not technically required to provide a "Do Not Sell or Share My Personal Information" link. Nevertheless, in the interests of transparency and to make it easy for Californians to exercise their rights, we publish a dedicated Your Privacy Choices page and link to it from every page of our website. We have not engaged in any sale or sharing in the preceding 12 months and do not intend to do so.
Your California Privacy Rights
- Right to Know — request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties to whom we have disclosed it (covering the preceding 12 months)
- Right to Delete — request that we delete personal information we have collected from you, subject to statutory exceptions
- Right to Correct — request that we correct inaccurate personal information we hold about you
- Right to Opt Out of Sale or Sharing — applicable if a business sells or shares personal information; we do not, but you may still submit a request to confirm
- Right to Limit Use of Sensitive Personal Information — applicable to businesses that use sensitive PI for inferences or beyond providing the requested service; we do not collect sensitive PI categories under the CCPA, so this right is satisfied by our practices
- Right to Non-Discrimination — we will not deny services, charge different prices, or provide a different level of quality because you exercised any of these rights
How to Submit a Request
You may submit a verifiable consumer request through either of the following methods:
- Email: privacy@lex-protocol.com
- Webform: lex-protocol.com/privacy-request
Verification of Requests
To protect your data we will verify your identity before fulfilling a request. For account holders, being signed in to the app is sufficient verification. Otherwise, we may ask you to confirm information that matches what we already hold.
Response Time
We will confirm receipt of your request within 10 business days and substantively respond within 45 days. If we need more time, we will inform you of the reason and the extension (up to 90 days total).
Authorized Agents
You may designate an authorized agent to submit a request on your behalf. We will require written authorization signed by you and may verify your identity directly before acting on the request.
Right to Appeal or Complain
If you believe we have not adequately responded to your request, you may contact the California Attorney General's office at oag.ca.gov/contact/consumer-complaint-against-business-or-company.
9. Data Retention
- Account data: Retained while your account is active
- Legal notes: Retained per your document management needs
- Voice recordings: Deleted from our servers immediately after the transcript is returned. Our transcription provider (Deepgram) may briefly retain audio under its standard API terms; see section 5
- AI chat conversations (Ask Lexi): Automatically deleted after 90 days of inactivity. Conversations with no new messages for 90 days are permanently removed from our systems
- Deleted accounts: Data removed within 30 days
10. Children
Lex Protocol is a professional tool intended only for admitted legal practitioners, supervised law-firm staff and law students undertaking supervised practice — in all cases, aged 18 or over. Eligibility is set out in § 2 of our Usage Policy.
We do not knowingly collect personal information from children under 18, and Lex Protocol is not directed at children. If you become aware that we have collected personal information from a child under 18, please contact us at privacy@lex-protocol.com and we will delete the information promptly. This commitment satisfies our obligations under the Australian Privacy Principles, Article 8 of the General Data Protection Regulation (which sets the age threshold for child consent at 16 in most EU Member States) and the United States Children's Online Privacy Protection Act (COPPA), which addresses children under 13.
11. Contact Information
Complaints
- Australia: Office of the Australian Information Commissioner (OAIC)
- EU: Your local Data Protection Authority
12. Updates to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and in-app notifications. Your continued use of the service after changes constitutes acceptance of the updated policy.
By using Lex Protocol, you acknowledge that you have read, understood, and agree to this Privacy Policy.