Privacy Policy

Last updated: January 28, 2026

Key Takeaways

  • We never sell your personal information
  • We never train AI models on your content
  • You own all your data and AI-generated insights
  • You can request a full export or deletion of your data at any time
  • We use enterprise-grade security (AES-256 encryption, TLS 1.3, row-level data isolation)
  • Architecture designed for GDPR, CCPA, and SOC 2 compliance

Overview

Lexic.io ("Lexic," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered knowledge management platform.

If you have any questions or concerns, please contact us at privacy@lexic.io.

Information We Collect

Account Information

  • Email address (required for account creation)
  • Full name
  • Password (encrypted and never stored in plain text)
  • Profile picture (optional)
  • Organization name (for business accounts)

User Content

  • Notes, documents, and knowledge base content you create
  • Connections and relationships between notes
  • Tags, categories, and organizational structures
  • Canvas and workspace configurations

Payment Information

  • Processed securely by Stripe (PCI-DSS compliant). We store only the last 4 digits of your card, card type, and billing address. Full credit card numbers are never stored on our servers.

Usage and Device Data

  • Features accessed and actions taken within the platform
  • Browser type, operating system, IP address, and device identifiers
  • Performance metrics and error logs

How We Use Your Information

  • Provide, maintain, and improve our services
  • Process your content through AI for entity extraction, knowledge graphs, and synthesis features
  • Process payments and manage subscriptions
  • Send service-related communications and notifications
  • Analyze aggregated usage patterns to optimize performance
  • Prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations and enforce our terms

AI and Machine Learning Transparency

Our Commitment: We Do NOT Train AI Models on Your Data

  • We do not use your content to train AI models
  • OpenAI does not retain or use API data for training (zero data retention policy)
  • Your notes and content remain your intellectual property
  • All AI-generated outputs belong to you

When you use AI features, we process your content to generate embeddings for semantic search, extract entities and key concepts, create summaries, build knowledge graphs, and synthesize insights. Content is sent to OpenAI in real time and is not stored by OpenAI after processing. Your data is isolated at the database level using row-level security, and no cross-tenant data access is possible.

Information Sharing and Disclosure

We do NOT sell, trade, or rent your personal information to third parties.

Service Providers

We share information with trusted third-party providers who assist in service delivery:

  • Stripe: Payment processing and subscription management (PCI-DSS compliant)
  • OpenAI: AI processing with zero data retention (see above)
  • Cloud infrastructure provider: Database hosting, authentication, and real-time features
  • Application hosting provider: Hosting and content delivery
  • Transactional email provider: Service-related email delivery

A complete list of our sub-processors, including company names and processing locations, is available upon request by contacting privacy@lexic.io.

Other Disclosures

  • Legal requirements: When required by court orders, subpoenas, or legal processes
  • Business transfers: In connection with a merger, acquisition, or sale of assets (with prior notice to you)
  • Aggregated data: Anonymized data that cannot identify you may be shared for research or analytics

Data Security

  • Encryption at rest: AES-256 encryption for all stored data
  • Encryption in transit: TLS 1.3 for all data transmission
  • Data isolation: Row-level security for multi-tenant isolation
  • Access controls: Role-based access control and authentication requirements
  • Audit logging: Tamper-proof audit trails for all data operations
  • Monitoring: Real-time security monitoring and intrusion detection

In the unlikely event of a data breach, we will notify affected users within 72 hours of discovery via email and report to relevant regulatory authorities as required by law.

Your Privacy Rights

Access and Portability

  • Access your personal information and user content
  • Request a complete copy of all data we hold about you, delivered in JSON or CSV format
  • Export your knowledge graph and note relationships

To request a data export, contact us at privacy@lexic.io. We will fulfill your request within 30 days and provide a secure, time-limited download link.

Correction and Deletion

  • Update or correct your personal information directly in your account settings
  • Delete individual notes or content from within the application
  • Remove AI-generated insights and embeddings
  • Request complete deletion of your account and all associated data

To request account deletion, contact us at privacy@lexic.io. Account deletion includes a 30-day grace period during which you can cancel. After the grace period, all personal data is permanently deleted and records required for legal compliance (such as billing history and audit logs) are anonymized.

Consent Management

You can manage your preferences directly in the application:

  • Manage cookie preferences using our cookie consent banner
  • Disable AI processing features in your AI Preferences settings
  • Control notification preferences in your profile settings
  • Withdraw consent for marketing communications at any time

Restriction and Objection

  • Restrict processing of your personal data
  • Object to certain uses of your information
  • Request human review of automated decisions
  • Lodge complaints with supervisory authorities

How to Exercise Your Rights

Self-service: Update your profile, manage cookie preferences, configure AI processing, and control notifications directly in your account settings.

Requests requiring assistance: For data export, account deletion, or other privacy requests, email us at privacy@lexic.io or contact our DPO at dpo@lexic.io. We will respond within 30 days.

Cookies and Tracking Technologies

When you first visit Lexic.io, we display a cookie consent banner that lets you choose which categories of cookies to accept. You can change your preferences at any time.

Essential Cookies (Always Active)

These cookies are necessary for the website to function and cannot be disabled:

  • Authentication tokens and session management
  • Security cookies for CSRF protection
  • Load balancing and routing
  • Cookie consent preferences

Functional Cookies (Optional)

Enable enhanced functionality such as saving your preferences:

  • User preferences and display settings
  • Language selection
  • UI theme persistence (light/dark mode)

Analytics Cookies (Optional, Requires Consent)

Help us understand how visitors interact with our platform. All analytics data is collected anonymously:

  • Aggregated usage statistics and interaction patterns
  • Performance monitoring and error tracking
  • Feature adoption metrics

Marketing Cookies (Optional, Requires Consent)

Used to measure the effectiveness of our communications. We do not sell data to advertisers:

  • Campaign measurement and attribution
  • Communication preference tracking

Managing Your Cookie Preferences

  • Our cookie consent banner: Displayed on first visit with options to Accept All, choose Essential Only, or Customize individual categories
  • Your browser settings: Most browsers allow you to block or delete cookies
  • Third-party opt-out tools: Such as the Network Advertising Initiative opt-out page

If you are logged in, your cookie preferences are saved to your account. If you are not logged in, preferences are stored locally in your browser.

Data Retention

We retain your data for as long as your account is active or as needed to provide services. When your account is deleted:

  • Personal data: Permanently deleted within 30 days (after grace period)
  • Backup copies: Purged within 90 days
  • Billing records: Anonymized and retained for 7 years (tax compliance)
  • Audit logs: Anonymized and retained for 7 years (security compliance)
  • AI processing data: Embeddings and summaries are deleted with their source notes

European Privacy Rights (GDPR)

If you are a resident of the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).

Legal Basis for Processing

  • Consent: When you sign up or enable optional features
  • Contract performance: To provide the service you requested
  • Legal obligations: To comply with applicable laws
  • Legitimate interests: For fraud prevention, security, and service improvement

Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at dpo@lexic.io.

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities can be found at edpb.europa.eu.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

  • Right to Know: What personal information is collected, used, shared, or sold
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices
  • Right to Correct: Request correction of inaccurate information

We do NOT sell personal information to third parties, nor do we share personal information for cross-context behavioral advertising.

To submit a CCPA request, email privacy@lexic.io. We will respond within 45 days. You may designate an authorized agent to make requests on your behalf.

International Data Transfers

Your information may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and data processing agreements with all third-party providers.

Children's Privacy

Lexic is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us at privacy@lexic.io.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, sending email notifications, and displaying in-app notifications. Your continued use of the Service after any changes indicates your acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy, please contact us:

Privacy Inquiries

privacy@lexic.io

Data Protection Officer

dpo@lexic.io

Customer Support

support@lexic.io

We aim to respond to all privacy-related inquiries within 30 days.