Privacy Policy
How we handle your data, code, and personal information. Transparency first.
Last updated: February 27, 2026
What We Collect
We collect account information (name, email, organization), usage data (feature usage, session metadata), and operational data (agent logs, tool invocations, audit events). We do not train AI models on your code, conversations, or outputs.
How We Use Your Data
Your data is used to operate and improve the Service: authenticating users, enforcing policies, routing model requests, generating audit logs, and computing cost analytics. Usage patterns inform product improvements in aggregate - never at the individual or organization level.
Code & Conversation Data
Code you write, prompts you send, and agent outputs are processed transiently to fulfill requests. They are not stored beyond your configured retention period. When using BYOK (Bring Your Own Key), model requests go directly to providers - we only see metadata for governance.
Third-Party Model Providers
Lex routes requests to AI model providers (Anthropic, OpenAI, Google, etc.) based on your organization's routing rules. Each provider has its own privacy policy. With BYOK, your API keys are encrypted at rest using AES-256 and are never exposed in logs.
Audit Logs
Audit logs record agent actions, policy evaluations, cost data, and user approvals. Log retention is configurable per organization (30 days to unlimited). Logs are encrypted in transit and at rest. Enterprise customers can export logs to their own SIEM systems.
Data Storage & Security
Data is stored in encrypted databases with access controls. We use TLS 1.3 for all data in transit. Infrastructure runs on SOC 2 Type II certified cloud providers. Access to production systems requires multi-factor authentication and is logged.
Data Sharing
We do not sell your data. We share data only with: (a) AI model providers to fulfill requests, (b) infrastructure providers to operate the Service, and (c) as required by law. All sub-processors are bound by data processing agreements.
Your Rights
You can access, export, correct, or delete your data at any time through the control plane dashboard or by contacting us. Organization administrators can manage data retention policies. Upon account deletion, all data is purged within 30 days.
Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies or third-party analytics on the marketing site. The dashboard uses functional cookies to remember preferences.
International Transfers
Data may be processed in the UK, EU, and US. Where transfers occur, we use Standard Contractual Clauses and ensure adequate protections per GDPR. Enterprise customers can specify data residency requirements.
Children's Privacy
The Service is intended for professional use by organizations. We do not knowingly collect data from anyone under 16. If we learn that we have, we will delete it promptly.
Changes to This Policy
We will notify you of material changes via email and in-product notification at least 30 days before they take effect. Minor clarifications may be made without notice.
Contact
For privacy inquiries, data requests, or to reach our Data Protection Officer, email privacy@project-lex.co.uk or hello@project-lex.co.uk.