Privacy Policy

Last updated: February 18, 2026

Key Takeaways

  • We never sell your personal information
  • We never train AI models on your content
  • You own all your data and AI-generated insights in your account
  • De-identified platform patterns may be derived from workflow learnings to improve the service -- you can opt out at any time
  • You can request a full export or deletion of your data at any time
  • We use enterprise-grade security (AES-256 encryption, TLS 1.3, row-level data isolation)
  • Architecture designed for GDPR, CCPA, and SOC 2 compliance

Overview

Lexic.io ("Lexic," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered knowledge management platform.

If you have any questions or concerns, please contact us at privacy@lexic.io.

Information We Collect

Account Information

  • Email address (required for account creation)
  • Full name
  • Password (encrypted and never stored in plain text)
  • Profile picture (optional)
  • Organization name (for business accounts)

User Content

  • Notes, documents, and knowledge base content you create
  • Connections and relationships between notes
  • Tags, categories, and organizational structures
  • Canvas and workspace configurations

Payment Information

  • Processed securely by Stripe (PCI-DSS compliant). We store only the last 4 digits of your card, card type, and billing address. Full credit card numbers are never stored on our servers.

Usage and Device Data

  • Features accessed and actions taken within the platform
  • Browser type, operating system, IP address, and device identifiers
  • Performance metrics and error logs

How We Use Your Information

  • Provide, maintain, and improve our services
  • Process your content through AI for entity extraction, knowledge graphs, and synthesis features
  • Process payments and manage subscriptions
  • Send service-related communications and notifications
  • Analyze aggregated usage patterns to optimize performance
  • Derive de-identified patterns from workflow learnings to improve platform capabilities (see Platform Intelligence)
  • Prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations and enforce our terms

AI and Machine Learning Transparency

Our Commitment: We Do NOT Train AI Models on Your Data

  • We do not use your content to train AI models
  • OpenAI does not retain or use API data for training (zero data retention policy)
  • Your notes and content remain your intellectual property
  • All AI-generated outputs belong to you

When you use AI features, we process your content to generate embeddings for semantic search, extract entities and key concepts, create summaries, build knowledge graphs, and synthesize insights. Content is sent to OpenAI in real time and is not stored by OpenAI after processing. Your data is isolated at the database level using row-level security, and no cross-tenant data access is possible.

Platform Intelligence

Key Principle: Your Content Stays Yours

  • Full contextual learnings remain in your account under your control
  • Only de-identified, generalized patterns are used for platform improvement
  • You can opt out of Platform Intelligence at any time in your settings
  • Opting out does not affect any other features or service quality

What We Collect

When you use Lexic Loops (autonomous task execution), the system generates task learnings -- technical observations about patterns, tools, and approaches discovered during execution. These learnings are stored in your lexicon and belong to you.

With your consent, we may process these learnings to derive de-identified, generalized patterns. The de-identification process removes proper nouns, specific file paths, project names, code snippets, and any other information that could identify you, your organization, or your projects.

How We Use De-Identified Patterns

  • Improve context assembly quality for all users (e.g., learning that certain types of tasks benefit from specific context)
  • Identify common workflow patterns that help the platform serve tasks more effectively
  • Optimize task decomposition and execution strategies

De-identified patterns are stored separately from user data with no association to your account, lexicon, or organization. They cannot be traced back to any individual user.

For the avoidance of doubt, deriving de-identified workflow patterns is distinct from training AI models. Your notes, documents, and content are never used to train any AI model.

De-Identification Process

Our de-identification process strips the following from learnings before any pattern is stored:

  • User names, email addresses, and account identifiers
  • Organization and project names
  • Specific file paths and code snippets
  • Domain names and URLs
  • Any other personally identifiable information

We use the term "de-identified" rather than "anonymized" because we retain the original learnings in your account. While the derived patterns themselves contain no identifying information, we maintain this transparency about our process. If you delete your account, we verify that no residual identification is possible in any previously derived patterns.

Your Choices

Platform Intelligence requires your explicit consent and is not enabled by default. You will be asked to opt in when the feature becomes available. You can change your choice at any time:

  • Opt in: Enable Platform Intelligence in your account settings to contribute de-identified patterns
  • Opt out: Disable Platform Intelligence at any time. We will stop processing new learnings for pattern derivation. Previously derived patterns that have already been de-identified are retained, as they contain no identifying information.
  • No service impact: Your choice does not affect the quality or availability of any Lexic features, including Loops

Legal Basis (GDPR)

The legal basis for processing learnings into de-identified patterns is your explicit consent under GDPR Article 6(1)(a). You may withdraw consent at any time by disabling Platform Intelligence in your settings. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.

De-identified patterns that meet the threshold of true anonymization (where re-identification is not reasonably possible by any means) fall outside the scope of GDPR per Recital 26 as a factual matter.

Your Rights Regarding Platform Intelligence

  • Right of access: Request a copy of any learnings that have been processed for pattern derivation
  • Right to erasure: Request deletion of your source learnings. De-identified patterns that cannot be traced to you are retained.
  • Right to restriction: Request that we stop processing your learnings while you consider your options
  • Right to withdraw consent: Disable Platform Intelligence at any time in your settings
  • Right to object: Object to specific processing activities by contacting privacy@lexic.io

Data Protection Impact Assessment

We are conducting a Data Protection Impact Assessment (DPIA) for Platform Intelligence as required by GDPR Article 35 for new processing activities involving profiling or large-scale data processing. The DPIA evaluates the necessity and proportionality of the processing, risks to data subjects, and safeguards in place. A summary of the DPIA findings will be available upon request by contacting dpo@lexic.io.

Information Sharing and Disclosure

We do NOT sell, trade, or rent your personal information to third parties.

Service Providers

We share information with trusted third-party providers who assist in service delivery:

  • Stripe: Payment processing and subscription management (PCI-DSS compliant)
  • OpenAI: AI processing with zero data retention (see above)
  • Cloud infrastructure provider: Database hosting, authentication, and real-time features
  • Application hosting provider: Hosting and content delivery
  • Transactional email provider: Service-related email delivery

A complete list of our sub-processors, including company names and processing locations, is available upon request by contacting privacy@lexic.io.

Other Disclosures

  • Legal requirements: When required by court orders, subpoenas, or legal processes
  • Business transfers: In connection with a merger, acquisition, or sale of assets (with prior notice to you)
  • Aggregated data: De-identified, aggregated data that cannot identify you may be shared for research or analytics

Data Security

  • Encryption at rest: AES-256 encryption for all stored data
  • Encryption in transit: TLS 1.3 for all data transmission
  • Data isolation: Row-level security for multi-tenant isolation
  • Access controls: Role-based access control and authentication requirements
  • Audit logging: Tamper-proof audit trails for all data operations
  • Monitoring: Real-time security monitoring and intrusion detection

In the unlikely event of a data breach, we will notify affected users within 72 hours of discovery via email and report to relevant regulatory authorities as required by law.

Your Privacy Rights

Access and Portability

  • Access your personal information and user content
  • Request a complete copy of all data we hold about you, delivered in JSON or CSV format
  • Export your knowledge graph and note relationships

To request a data export, contact us at privacy@lexic.io. We will fulfill your request within 30 days and provide a secure, time-limited download link.

Correction and Deletion

  • Update or correct your personal information directly in your account settings
  • Delete individual notes or content from within the application
  • Remove AI-generated insights and embeddings
  • Request complete deletion of your account and all associated data

To request account deletion, contact us at privacy@lexic.io. Account deletion includes a 30-day grace period during which you can cancel. After the grace period, all personal data is permanently deleted and records required for legal compliance (such as billing history and audit logs) are anonymized.

Consent Management

You can manage your preferences directly in the application:

  • Manage cookie preferences using our cookie consent banner
  • Disable AI processing features in your AI Preferences settings
  • Control notification preferences in your profile settings
  • Withdraw consent for marketing communications at any time

Restriction and Objection

  • Restrict processing of your personal data
  • Object to certain uses of your information
  • Request human review of automated decisions
  • Lodge complaints with supervisory authorities

How to Exercise Your Rights

Self-service: Update your profile, manage cookie preferences, configure AI processing, and control notifications directly in your account settings.

Requests requiring assistance: For data export, account deletion, or other privacy requests, email us at privacy@lexic.io or contact our DPO at dpo@lexic.io. We will respond within 30 days.

Cookies and Tracking Technologies

When you first visit Lexic.io, we display a cookie consent banner that lets you choose which categories of cookies to accept. You can change your preferences at any time.

Essential Cookies (Always Active)

These cookies are necessary for the website to function and cannot be disabled:

  • Authentication tokens and session management
  • Security cookies for CSRF protection
  • Load balancing and routing
  • Cookie consent preferences

Functional Cookies (Optional)

Enable enhanced functionality such as saving your preferences:

  • User preferences and display settings
  • Language selection
  • UI theme persistence (light/dark mode)

Analytics Cookies (Optional, Requires Consent)

Help us understand how visitors interact with our platform. All analytics data is collected anonymously:

  • Aggregated usage statistics and interaction patterns
  • Performance monitoring and error tracking
  • Feature adoption metrics

Marketing Cookies (Optional, Requires Consent)

Used to measure the effectiveness of our communications. We do not sell data to advertisers:

  • Campaign measurement and attribution
  • Communication preference tracking

Managing Your Cookie Preferences

  • Our cookie consent banner: Displayed on first visit with options to Accept All, choose Essential Only, or Customize individual categories
  • Your browser settings: Most browsers allow you to block or delete cookies
  • Third-party opt-out tools: Such as the Network Advertising Initiative opt-out page

If you are logged in, your cookie preferences are saved to your account. If you are not logged in, preferences are stored locally in your browser.

Data Retention

We retain your data for as long as your account is active or as needed to provide services. When your account is deleted:

  • Personal data: Permanently deleted within 30 days (after grace period)
  • Backup copies: Purged within 90 days
  • Billing records: Anonymized and retained for 7 years (tax compliance)
  • Audit logs: Anonymized and retained for 7 years (security compliance)
  • AI processing data: Embeddings and summaries are deleted with their source notes
  • Platform Intelligence patterns: De-identified patterns are retained indefinitely as they contain no personal data. Source learnings in your account are deleted when you delete your account or the associated content.

European Privacy Rights (GDPR)

If you are a resident of the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).

Legal Basis for Processing

  • Consent: When you sign up or enable optional features
  • Contract performance: To provide the service you requested
  • Legal obligations: To comply with applicable laws
  • Legitimate interests: For fraud prevention, security, and service improvement

Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at dpo@lexic.io.

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities can be found at edpb.europa.eu.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

  • Right to Know: What personal information is collected, used, shared, or sold
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices
  • Right to Correct: Request correction of inaccurate information

We do NOT sell personal information to third parties, nor do we share personal information for cross-context behavioral advertising.

To submit a CCPA request, email privacy@lexic.io. We will respond within 45 days. You may designate an authorized agent to make requests on your behalf.

International Data Transfers

Your information may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and data processing agreements with all third-party providers.

Children's Privacy

Lexic is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us at privacy@lexic.io.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, sending email notifications, and displaying in-app notifications. Your continued use of the Service after any changes indicates your acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy, please contact us:

Privacy Inquiries

privacy@lexic.io

Data Protection Officer

dpo@lexic.io

Customer Support

support@lexic.io

We aim to respond to all privacy-related inquiries within 30 days.