lexco.io — B2B SaaS Platform
Privacy Policy
This Privacy Policy describes how LexcoIO Inc. collects, uses, stores, and discloses information in connection with your use of the lexco.io platform. This policy applies to Customer organizations and their authorized Users. Individual consumers are not intended users of this Service.
1. Scope and Applicability
This Privacy Policy applies to all data processed through the lexco.io Service, including: (a) account and subscription data provided during onboarding; (b) Customer Data uploaded or generated through use of the Service; and (c) usage and technical data collected automatically. It does not govern data practices of third-party integrations or services that may link to or from lexco.io.
2. Information We Collect
2.1 Account and Contact Information
When a Customer registers, we collect organization name, billing address, business email addresses, payment information (processed via our payment processor), and account credentials.
2.2 Customer Data
We process Customer Data solely as directed by the Customer and as necessary to provide the Service. Customer Data may include:
- Professional case materials, documents, and files uploaded to the platform
- Attorney work product and privileged legal communications
- Protected health information (where a BAA is in place)
- Other sensitive business documents
LexcoIO Inc. acts as a data processor with respect to Customer Data; the Customer is the data controller.
2.3 Usage and Technical Data
We automatically collect technical information including: IP addresses, browser and device type, operating system, session identifiers, feature usage logs, and error/performance data. This data is used to operate, secure, and improve the Service.
2.4 Communications
If you contact us via email or our support channels, we retain records of that correspondence.
3. How We Use Information
3.1 Service Delivery
We use collected information primarily to: provide, operate, and maintain the Service; authenticate Users; process payments; and deliver technical support.
3.2 Security and Fraud Prevention
We use account and usage data to detect, investigate, and prevent security incidents, abuse, unauthorized access, and fraudulent activity.
3.3 Service Improvement
Aggregated and de-identified usage data may be analyzed to improve Service functionality, performance, and reliability. We do not use identifiable Customer Data for this purpose without consent.
3.4 Communications
We use contact information to send transactional messages (receipts, security alerts, service notices) and, where permitted, product updates. Customers may manage communication preferences through their account settings.
3.5 Legal Compliance
We may use and disclose information as required to comply with applicable law, regulation, or court order; to enforce our Terms of Service; or to protect the rights, property, or safety of LexcoIO Inc., our customers, or others.
3.6 AI, Automated Processing, and Service Improvement
The Service applies automated processing technologies, including AI-assisted analysis, to Customer Data to deliver Service features. LexcoIO Inc. uses data for service improvement under a tiered model:
- De-identified and aggregated data: We may freely use aggregated usage data and data that has been irreversibly de-identified (stripped of all personal, privileged, and Customer-identifiable attributes) to improve Service performance, accuracy, and underlying processing capabilities.
- Identifiable data and sensitive case material: We do not use data that remains identifiable, constitutes attorney work product or privileged communications, or constitutes protected health information for improvement, training, or any purpose beyond direct service delivery — unless Customer has provided prior express written consent. Customers may grant or withdraw this consent at any time by contacting yang@lexco.io.
4. Sensitive and Regulated Data
4.1 Attorney-Client Privilege and Work Product
We recognize that Customer Data may include attorney-client privileged communications or attorney work product. We treat such data as strictly confidential and subject to heightened access controls. LexcoIO Inc. personnel will not review such materials except as strictly necessary to resolve a technical support issue, and only with Customer authorization or as required by law.
4.2 Protected Health Information (PHI)
If Customer intends to process PHI through the Service, a Business Associate Agreement (BAA) must be executed prior to any such processing. Without an executed BAA, Customers are prohibited from uploading PHI. Where a BAA is in place, we handle PHI in accordance with HIPAA requirements applicable to business associates.
4.3 Minimization and Purpose Limitation
We apply data minimization principles to sensitive data, accessing or processing it only to the extent necessary for the stated purpose, and we implement purpose limitation controls to prevent use beyond what is disclosed in this policy.
5. Disclosure of Information
5.1 Service Providers
We may share information with vetted third-party service providers (subprocessors) who assist in delivering the Service, including cloud infrastructure, payment processing, and security monitoring providers. Subprocessors are bound by data processing agreements that require confidentiality and appropriate security.
5.2 Legal Requirements
We may disclose information if required by law, regulation, legal process, or governmental request. Where Customer Data is involved, we will provide prompt notice to the Customer to the extent legally permitted, so the Customer may seek a protective order.
5.3 Business Transfers
In connection with a merger, acquisition, or sale of assets, Customer Data may be transferred to the successor entity, subject to the same privacy protections. Customers will be notified of any such transfer.
5.4 No Sale of Data
We do not sell, rent, or trade Customer Data or personal information to third parties for their marketing or commercial purposes.
6. Data Retention
We retain Customer Data for the duration of the active subscription and for up to sixty (60) days following termination or expiration, during which time Customer may request an export. After that period, Customer Data is securely deleted or de-identified. Aggregated, de-identified usage data may be retained longer for operational and analytical purposes. We retain account records and billing information as required by law or for legitimate business purposes, typically up to seven (7) years.
7. Security
LexcoIO Inc. implements and maintains commercially reasonable technical, organizational, and administrative safeguards to protect data against unauthorized access, disclosure, alteration, and destruction. Measures include encryption of data in transit (TLS) and at rest, role-based access controls, regular penetration testing and vulnerability assessments, and incident response procedures. In the event of a security breach affecting Customer Data, we will notify affected Customers without undue delay and in accordance with applicable breach notification requirements.
8. California Privacy Rights (CCPA/CPRA)
Because our Service is directed to business customers and their employees acting in a professional capacity, most data we collect is exempt from the California Consumer Privacy Act as B2B or employee data. To the extent any personal information of California residents that is not exempt is processed, those individuals have the right to: know what personal information is collected; request deletion; correct inaccurate information; and opt out of the sale or sharing of personal information (we do not sell personal information). To exercise these rights, contact yang@lexco.io.
9. International Data Transfers
The Service is operated in the United States. If Customer or its Users are located outside the United States, Customer Data may be transferred to and processed in the United States. For transfers from the European Economic Area or United Kingdom, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses where applicable. Please contact us if you require additional information or documentation regarding cross-border transfers.
10. Third-Party Links and Integrations
The Service may include links to or integrations with third-party services. This Privacy Policy does not govern the privacy practices of those third parties. We encourage Customers to review the privacy policies of any third-party services they connect to lexco.io.
11. Changes to This Policy
We may update this Privacy Policy periodically. For material changes, we will provide at least thirty (30) days' notice via email to the Customer's account contact or through a prominent notice within the Service. Your continued use of the Service following the effective date of the updated policy constitutes acceptance.
12. Contact
For questions, requests, or concerns regarding this Privacy Policy or our data practices:
LexcoIO Inc.
Privacy Officer
Redwood City, California
yang@lexco.io