Privacy Policy
Last updated: February 8, 2026
Preamble
LEXTEUR (hereinafter "LEXTEUR") is committed to protecting the privacy and personal data of its users, in accordance with Regulation (EU) 2016/679 of April 27, 2016 (GDPR) and French Law No. 78-17 of January 6, 1978, as amended (Data Protection Act). This privacy policy describes the conditions under which your personal data is collected, processed, and protected when using the LEXTEUR service.
Data Controller
The data controller is LEXTEUR, represented by its director. For any questions regarding the protection of your data, you may contact our Data Protection Officer (DPO) at: dpo@lexteur.com.
Personal Data Collected
In providing the service, LEXTEUR collects the following categories of data, limited to what is strictly necessary (principle of data minimization, Article 5(1)(c) GDPR):
- Identification data: last name, first name, professional email address, provided during account creation
- Technical connection data: IP address, browser type and version, operating system, connection timestamps, automatically collected for service security
- Service usage data: number of analyses performed, case creation dates, aggregated usage statistics
- Billing data: processed exclusively by our provider Stripe Inc. — LEXTEUR does not collect, store, or have access to any credit card numbers or sensitive payment data
IMPORTANT: LEXTEUR does not collect, store, or have access to the content of your legal documents or your clients' personal data. All document processing (text extraction, character recognition, anonymization) is performed locally on your workstation via the desktop application. Only text previously anonymized through tokenization (replacement of identifying data with generic tokens such as [PERSON_1], [ADDRESS_1]) is transmitted to the analysis service. This mechanism is designed to preserve attorney-client privilege.
Purposes and Legal Bases
- Contract performance (Article 6(1)(b) GDPR): provision, management, and improvement of the LEXTEUR service, user account management
- Contract performance (Article 6(1)(b) GDPR): subscription management, billing, and payment processing
- Legitimate interest (Article 6(1)(f) GDPR): customer support, responding to inquiries, service-related communications
- Legitimate interest (Article 6(1)(f) GDPR): anonymized statistical analysis for service improvement, security, and abuse prevention
Legal Basis for Transfers Outside the EU
Some of our subprocessors are established outside the European Economic Area (EEA). Data transfers to these providers are governed by standard contractual clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR, or by adequacy decisions where applicable. You may obtain a copy of the safeguards in place by contacting dpo@lexteur.com.
Local Processing Architecture and Professional Privilege
LEXTEUR's architecture is designed to guarantee the protection of your clients' data and your case files through privacy by design (Article 25 GDPR). Document processing is performed entirely on your workstation: (1) text extraction via embedded optical recognition (local execution), (2) named entity detection via a proprietary NER engine (local execution), (3) tokenization of identifying data into pseudonymized tokens. Only the anonymized text is transmitted to the analysis API (Anthropic). This architecture ensures that no identifying data from your clients leaves your workstation, thus preserving attorney-client privilege.
Subprocessors (Article 28 GDPR)
- Supabase Inc. (user database hosting, authentication) — Data hosted in EU region (Frankfurt, Germany) — Transfers governed by SCCs
- Stripe Inc. (secure payment processing, PCI-DSS Level 1 certified) — Data transferred to the United States — Transfers governed by the EU-US Data Privacy Framework and SCCs
- Anthropic PBC (AI processing of anonymized text only, no identifying data transmitted) — United States — Transfers governed by SCCs — Anthropic does not retain data transmitted via the API and does not use it to train its models
LEXTEUR contractually ensures that each subprocessor provides sufficient guarantees regarding the implementation of appropriate technical and organizational measures, in compliance with GDPR requirements. The list of subprocessors may be updated; any material change will be notified to users.
Data Retention Periods
- Account data (identification, profile): retained for the duration of the contractual relationship, then 3 years after the last account activity (standard civil statute of limitations under French law)
- Billing data: retained for 10 years in accordance with accounting and tax obligations (Article L.123-22 of the French Commercial Code)
- Connection data (technical logs): retained for 12 months in accordance with Article L.34-1 of the French Postal and Electronic Communications Code
- Documents and analyses: no server-side retention; documents are processed locally and are never stored by LEXTEUR
You may request deletion of your data at any time (subject to legal retention obligations) by contacting dpo@lexteur.com.
Cookies and Trackers
The lexteur.com website uses only cookies strictly necessary for the operation of the service: authentication session cookie, theme preference cookie (light/dark), and language preference cookie (FR/EN). No advertising, profiling, or audience measurement cookies are placed. These essential cookies do not require your prior consent under the French Data Protection Act.
Your Rights (Articles 15 to 22 GDPR)
In accordance with the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of access (Article 15): obtain confirmation that your data is being processed and receive a complete copy
- Right to rectification (Article 16): have inaccurate or incomplete data corrected
- Right to erasure (Article 17): obtain the deletion of your data, subject to legal retention obligations
- Right to data portability (Article 20): receive your data in a structured, commonly used, and machine-readable format
- Right to object and restriction (Articles 18 and 21): object to the processing of your data or request its restriction in cases provided by the GDPR
To exercise any of these rights, send your request along with proof of identity to: dpo@lexteur.com. We commit to responding within one month (Article 12(3) GDPR). If you experience difficulty exercising your rights, you may lodge a complaint with the French Data Protection Authority (CNIL) — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr.
Technical and Organizational Security Measures
LEXTEUR implements state-of-the-art security measures (Article 32 GDPR): TLS 1.3 encryption in transit, AES-256 encryption at rest, password hashing (bcrypt), PKCE authentication, least-privilege access control, continuous monitoring, and regular auditing. For more details, see our Security page.
California-Specific Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA): the right to know the categories and purposes of data collected, the right to deletion, and the right to non-discrimination for exercising your rights. LEXTEUR does not "sell" or "share" your personal data as defined by CCPA/CPRA. LEXTEUR does not engage in behavioral profiling for advertising purposes.
International Provisions
LEXTEUR is committed to complying with data protection regulations in the jurisdictions where the service is available. For users in the European Economic Area (EEA) and the United Kingdom: data processing complies with the GDPR and UK GDPR. For users in the United Arab Emirates and Middle East: processing respects applicable local laws, including the DIFC Data Protection Law and ADGM Data Protection Regulations where applicable. For users in the United States: state-specific rights (California, Colorado, Connecticut, Virginia, Utah) are respected. International data transfers are governed by appropriate mechanisms (SCCs, adequacy decisions, or equivalent safeguards).
Protection of Minors
The LEXTEUR service is intended exclusively for legal professionals who are of legal age. We do not knowingly collect personal data from individuals under 18 years of age (or the age of majority in the applicable jurisdiction). If we learn that a minor has created an account, we will immediately delete the associated data. If you become aware that a minor is using the service, please contact us at dpo@lexteur.com.
Changes to This Privacy Policy
LEXTEUR reserves the right to modify this privacy policy to adapt to regulatory developments or service changes. Any material modification will be communicated to users by email or in-app notification at least 30 days before it takes effect. The date of the last update is indicated at the top of this page.