Privacy Policy
Last updated: January 2026
1. Introduction
YR Legal Services Ltd (trading as Lexona.AI) ("we", "our", "us") is committed to protecting your privacy and ensuring the security of your personal data. This comprehensive Privacy Policy explains how we collect, process, store, and safeguard your information when you visit our website (lexona.ai), use our AI-powered legal software platform, or interact with our services.
As a provider of legal technology services, we adhere to stringent data protection standards, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable global privacy frameworks. YR Legal Services Ltd is a company registered in England and Wales under company number 16885532, acting as the Data Controller for personal data concerning our own customers, and as a Data Processor for personal data uploaded by legal practices (including sole practitioners and law firms) utilizing our platform.
2. Information We Collect
We collect several categories of information to provide and improve our services:
2.1 Information You Provide to Us
- Account Information: Name, professional email address, phone number, legal practice name, job title, and authentication credentials.
- Financial Information: Billing address, payment details (processed securely via our payment gateways, e.g., Stripe), and subscription history.
- Communications Data: Information you provide when contacting customer support, submitting feedback, or participating in webinars and surveys.
2.2 Information Automatically Collected
- Device and Usage Data: IP addresses, browser types, operating systems, referring URLs, pages viewed, API calls, and interaction metrics.
- Cookies and Tracking Technologies: Information gathered via cookies, web beacons, and similar tracking technologies to analyze trends and administer the platform (see Section 11 regarding Cookies).
- Security Logs: Authentication attempts, access logs, and anomaly detection data to ensure platform security.
2.3 Client and Matter Data (Processor Role)
In the context of providing our core AI services to legal practices (including sole practitioners and law firms), we process highly sensitive information, including case files, client identities (KYC/AML documents), financial records, and legal correspondence. For this data, Lexona acts solely as a Data Processor acting on the strict, documented instructions of the relevant legal practice (the Data Controller). We do not use this data for our own purposes, nor do we use it to train underlying foundational AI models without explicit, opt-in consent from that legal practice.
3. How We Use Your Information (Legal Bases)
We process your personal data under the following lawful bases established by the UK GDPR:
| Purpose/Activity | Data Categories | Lawful Basis |
|---|---|---|
| Registering a new account | Account Info | Performance of a contract |
| Processing payments and billing | Financial, Account | Performance of a contract; Legal obligation |
| Providing core application features | Account, Usage, Client Data | Performance of a contract |
| Managing security, fraud prevention | Usage, Security Logs | Legitimate interests; Legal obligation |
| Improving platform via analytics | Usage Data | Legitimate interests |
| Marketing communications | Account, Usage | Consent or Legitimate interests |
4. Data Sharing and Disclosure
We strictly limit the sharing of your personal data. We do not sell, rent, or trade your personal information. We may share data under the following circumstances:
- Service Providers (Sub-processors): We engage trusted third-party vendors to assist with hosting (e.g., AWS, Vercel), database infrastructure (e.g., Supabase, Qdrant), payment processing (Stripe), and email communications. A full list of our authorized sub-processors is available upon request.
- AI Model Providers: To deliver specialized legal AI functions, data may be processed through API-based Large Language Models (LLMs) such as OpenAI or Anthropic. Importantly, our enterprise agreements dictate zero data retention by these providers, meaning your data is never used to train their base models.
- Legal Compliance and Protection: We may disclose information if required to comply with a legal obligation, court order, or regulatory request (e.g., ICO, SRA requirements), or to protect our legal rights against fraud or security threats.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred subject to confidentiality agreements and notification to users.
5. Data Security and Confidentiality
We deploy enterprise-grade security controls aligned with SOC 2 Type II principles and ISO 27001 standards:
- Encryption: All data is encrypted at rest using AES-256 and in transit utilizing TLS 1.3 over HTTPS.
- Access Controls: We implement strict Role-Based Access Control (RBAC), multi-tenant isolation, and the principle of least privilege. Internal access to production data is severely restricted and audited.
- Monitoring: 24/7 security monitoring, automated vulnerability scanning, and routine penetration testing are conducted on our infrastructure.
- Incident Response: We maintain a comprehensive Incident Response Plan to swiftly detect, mitigate, and notify users of any potential data breaches within statutory timelines (within 72 hours for ICO requirements).
6. Data Retention Policies
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- Account Data: Kept for the duration of the active subscription, plus a standard archiving period (usually 6-12 months) to facilitate account recovery or handle billing disputes.
- Client and Matter Data: Retained during the term of the agreement. Upon termination or specific request by the relevant legal practice, all associated matter data is securely deleted or anonymized within 30 days, unless longer retention is mandated by law (e.g., anti-money laundering regulations).
- Logs and Analytics: Security and audit logs are typically retained for 12 months for compliance purposes before being purged.
7. International Data Transfers
Our primary data infrastructure is hosted entirely within the United Kingdom and/or the European Economic Area (EEA), ensuring compliance with strict data sovereignty requirements preferred by the legal sector.
In circumstances where engaging a sub-processor necessitates transferring data outside the UK/EEA (e.g., to the United States), we ensure that such transfers are safeguarded by legal mechanisms, primarily the UK International Data Transfer Agreement (IDTA) or the European Commission's Standard Contractual Clauses (SCCs), supplemented by the UK Addendum.
8. Your Data Subject Rights
Depending on your location (such as if you reside in the UK, EU, or California), you possess significant rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data under certain conditions.
- Right to Restrict Processing: Request suspension of data processing in specific scenarios.
- Right to Data Portability: Receive your data in a structured, machine-readable format to transfer to another provider.
- Right to Object: Object to processing based on legitimate interests or direct marketing purposes.
- Automated Decision Making: The right not to be subject to a decision based solely on automated processing that produces legal effects. Lexona ensures human oversight (Human-in-the-Loop) is maintained for critical legal actions.
To exercise these rights, please contact our Data Protection Officer at privacy@lexona.ai. We will respond within 30 days. Legal practice clients handling data subject requests from their own end-clients can utilize platform administration tools to satisfy these requests.
9. Additional Notice for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act provides specific rights regarding your personal information. We do not "sell" or "share" your personal information for cross-context behavioral advertising. You have the right to request access to the specific pieces of personal information we have collected, request deletion, and not face discrimination for exercising these rights. We act as a "Service Provider" when processing data on behalf of our business clients.
10. Children's Privacy
Our services are designed exclusively for business professionals and legal practices, including sole practitioners and law firms. We do not knowingly collect personal data directly from children under the age of 18. If a parent or guardian becomes aware that a minor has provided us with personal information, they should contact us immediately.
11. Cookies and Tracking
Our website utilizes cookies to distinguish you from other users, providing a personalized and secure experience.
- Strictly Necessary Cookies: Essential for authentication, security, and session management.
- Performance and Analytics Cookies: Used to aggregate anonymous metrics on site usage to improve functionality.
- Functional Cookies: Remember your preferences (e.g., theme, language).
You can manage your cookie preferences at any time via your browser settings or our website's cookie consent banner. Please note that disabling necessary cookies may impede platform functionality.
12. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy periodically to reflect technological changes, new features, or evolving legal frameworks. We will notify you of material changes by posting the updated policy on our website and, where appropriate, sending an email notification to registered administrators. Continued use of the platform after updates signifies acceptance of the revised terms.
13. Contact Information and Complaints
If you have inquiries, concerns, or complaints regarding this Privacy Policy or our data handling practices, please contact our Data Protection Officer:
YR Legal Services Ltd
Email: privacy@lexona.ai
Company Registration: 16885532 (England and Wales)
DPO Contact: dpo@lexona.ai
You retain the right to lodge a formal complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), at https://ico.org.uk/, or with your local data protection authority.