LEXI AI — PRIVACY POLICY
OpenLaw, Inc. · lexi.law · Version 2.0 · Effective: June 10, 2026
1. Overview and Scope
OpenLaw, Inc. (“Lexi,” “we,” “us,” or “our”) is committed to protecting the privacy of the legal professionals and firms that use our services. Lexi is a brand and product of OpenLaw, Inc. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with the Lexi AI platform, the websites at lexi.law and related subdomains, the Lexi web application, and the Lexi applications and agents available through Slack, Microsoft Teams, and other supported environments (collectively, the “Service”). This Policy is incorporated into and forms part of our Terms of Service.
This Policy covers the Lexi business product offered at lexi.law. The OpenLaw consumer marketplace at openlaw.com is governed by its own privacy policy. Capitalized terms not defined here have the meanings given in the Terms of Service.
2. Our Role: Controller vs. Service Provider
Because Lexi serves law firms and legal teams, we process two distinct kinds of information, and our role differs for each:
• Account and business data — Lexi as controller. For information about our customers and their personnel — such as account registration details, billing information, marketing interactions, support communications, and Site usage data — Lexi determines how and why the data is processed and acts as a “controller” (or “business” under U.S. state privacy laws). The rest of this Policy primarily describes this processing.
• Customer Content — Lexi as processor / service provider. Documents, messages, matter and case data, and other materials that a firm or its authorized users submit to the Service (“Customer Content”) often include personal information about the firm’s own clients and other third parties. Lexi processes Customer Content only on the firm’s behalf and at its direction, as a “processor” or “service provider,” under our Terms of Service, including the Data Processing Terms in Section 10 of the Terms. The firm — not Lexi — is responsible for its own privacy notices to, and its legal bases for processing data about, its clients. If you are a client of a law firm that uses Lexi and you have questions or requests about your information, please contact that firm directly; we will support the firm in responding as its service provider.
3. Information We Collect
3.1 Information you provide
• Account information: name, email address, phone number, firm name, and role when you create an account or are invited to join a firm.
• Payment information: billing details processed through our third-party payment processor (Stripe). We do not store full card numbers on our servers.
• Firm and case data (Customer Content): documents, workflows, matter information, and other data you provide through the Service in the course of using it.
• Connection credentials: OAuth tokens, access/refresh tokens, and credentials for integrations you enable (for example, Slack, Microsoft Teams, Clio, Google Workspace). Integrations may be workspace-shared; related credentials and tool settings may be available to authorized members of that workspace through the Service.
• Communications: support requests, feedback, testimonials, and correspondence you send to us.
3.2 Web application data
When you access Lexi through the web application at lexi.law, we collect the account and profile information you provide at sign-in or invitation (such as name, email, firm, and role); the documents, matter information, and other content you upload, create, or work with directly in the application (which is Customer Content); and in-application activity such as the features and pages you use, requests you submit to Lexi, and related timestamps and session information, which we use to authenticate you, operate and secure the application, and provide the Service. You do not need to use Slack or Microsoft Teams to use the web application.
3.3 Workspace and messaging data (Slack and Microsoft Teams)
When you install or use Lexi in Slack or Microsoft Teams, we may store workspace or tenant identifiers and limited metadata needed to operate the integration; administrator name and email for the installing user; user identifiers (such as platform user ID, display name, and email if provided by the platform); and platform-to-internal user mapping data to associate actions and permissions with users. When you interact with Lexi in these platforms, we access message content from channels where Lexi is invited, direct messages to the Lexi bot, and thread replies, which we use to process your requests, maintain conversation context, and provide the Service.
3.4 Information collected automatically
We collect usage data (pages visited, features used, timestamps, interaction patterns), device information (browser type, operating system, device identifiers, IP address), service logs (timestamps, error logs, request/response metadata, tasks executed), and information from cookies, local storage, and similar technologies used to maintain sessions, remember preferences, and analyze usage (see Section 12).
4. How We Use Information
We use information to: provide, operate, maintain, and secure the Service; authenticate users and workspaces and maintain integrations you enable; process transactions and manage accounts; communicate about accounts, support, and service updates; improve and personalize the Service; detect, prevent, and address fraud, abuse, and security issues; comply with legal obligations; and enforce our Terms.
4.1 AI processing
Relevant portions of Customer Content may be processed by AI systems to produce responses, reports, and other outputs at your direction. We do not use Customer Content for advertising, we do not sell Customer Content, and we do not train our own or any third party’s foundation models on Customer Content. Any learning or personalization is specific to your firm’s account and is not shared across customers.
5. How We Share Information
We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising (as those terms are defined under U.S. state privacy laws). We disclose information only as follows:
• Within your firm: if you are part of a firm account, certain information (such as shared workflows, integrations, and activity) may be visible to other firm members and firm administrators as part of the Service’s features.
• Sub-processors and service providers: vendors that host, operate, support, and secure the Service, listed in Section 6, bound by contracts limiting their use of data to providing services to us.
• Marketing identification: as described in Section 13 of the Terms of Service, we may identify customer firms by name and logo, and publish testimonials submitted or approved by firm personnel with attribution. Firms may opt out of future uses through our support page at lexi.law/support.
• Legal requirements: when required by law, subpoena, court order, or governmental request, or where we believe disclosure is necessary to protect our rights, the safety of any person, or the security and integrity of the Service.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Policy or provide notice of material changes.
6. Sub-Processors
We use the following sub-processors to host, operate, and support the Service. These providers may process Customer Content on our behalf solely to provide, secure, and support the Service. We will update this list as our providers change; firms may request notice of sub-processor additions by emailing [email protected].
Sub-Processor | Service / Purpose | Data Potentially Processed
Slack | Core platform integration (OAuth, messaging, app functionality) | Messages and metadata in channels/DMs where Lexi is used
Microsoft (Teams / Outlook / OneDrive) | Platform integration and customer-enabled integrations | Messages and data within scopes authorized by customer
Google Cloud / Firebase | Hosting, authentication, database, storage, functions | Service data, user accounts, stored firm data, logs
Vercel | Web hosting, frontend infrastructure, edge network | Request metadata, logs, content required to serve the app
Stripe | Payments and billing | Billing contact info, transaction metadata
OpenAI | AI/LLM provider | Prompts and context necessary to generate outputs
Anthropic | AI/LLM provider | Prompts and context necessary to generate outputs
Google (Gmail / Drive / Calendar) | Customer-enabled integrations | Data within integration scopes authorized by customer
Clio | Practice management integration (if enabled) | Case, contact, and matter data authorized by customer
DocuSign | Document signing integration (if enabled) | Document and signing data authorized by customer
QuickBooks | Finance/accounting integration (if enabled) | Accounting records authorized by customer
Dropbox | Cloud storage integration (if enabled) | Files and metadata authorized by customer
Pipedream | Integration orchestration and workflow automation | Integration metadata and API requests
7. AI Technology Partners (LLM Providers)
When you invoke AI features, relevant portions of data (the prompt and context needed to generate an output) may be sent to third-party AI providers. We contractually require these providers to use your data only to provide the requested service, and not for advertising or for training their general models.
• Models used: models from OpenAI and Anthropic (model selection depends on the request and may change as we optimize for quality and performance).
• Data tenancy: Customer Content is processed in isolated API requests scoped to the individual user or firm context, and is not shared with or visible to other customers.
• Data residency: AI providers process data in the United States or other regions used by those providers under their enterprise/API terms. Lexi’s primary infrastructure is hosted in the United States.
• Provider retention: under our enterprise API agreements, providers may temporarily retain API data for abuse and safety monitoring only (for example, up to 30 days), after which it is deleted. Customer Content is not used to train any provider’s foundation models; we use API-tier access with zero-data-retention or abuse-only-retention agreements.
8. Data Storage and Security
Location. Customer Content is stored with reputable cloud providers in United States regions.
Safeguards. We maintain commercially reasonable, industry-standard safeguards, including encryption in transit (TLS 1.2+/1.3) and at rest (AES-256 with cloud-provider key management), role-based access controls with multi-factor authentication and least-privilege access, audit logging and monitoring, regular security assessments, and incident-response processes that include notifying affected customers and/or authorities where required by applicable law. Our security program is built on controls aligned with the SOC 2 Trust Services Criteria. Upon request, we will make available our then-current third-party assessment reports, if and when issued, subject to a non-disclosure agreement.
Shared responsibility. You are responsible for security within your own environments — for example, managing who has access to your account and the web application, limiting Slack or Teams channel access, managing administrator permissions, safeguarding credentials, and configuring integration scopes — as described in the Terms of Service. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
9. Data Retention
• Active systems: we retain personal information for as long as the account is active or as needed to provide the Service. When an account is closed or we receive a validated deletion request, we delete Customer Content from active production systems within 30 days, except as retention is required for legal, regulatory, billing, or dispute-resolution purposes.
• Backups: encrypted backups are used only for business continuity and age out on their normal rotation (approximately 35 days), after which they are overwritten or purged.
• LLM retention: as described in Section 7, provider-side API retention is limited to short-term abuse and safety monitoring, after which data is deleted.
• Derived data: indexes, embeddings, and other internal representations are deleted or disassociated when the underlying Customer Content is deleted, subject to backup rotation and legal obligations.
• Exports: where legally permitted, customers may request an export of their data before deletion, as provided in the Terms of Service.
10. Your Rights and Choices
Depending on your jurisdiction, you may have rights to access, correct, delete, or receive a portable copy of your personal information, to opt out of certain processing, and to designate an authorized agent to act for you. To exercise rights, contact [email protected]; we will verify your request (for workspace-level Customer Content, we may require the request to come from an authorized firm administrator) and respond within the time required by applicable law (typically within 45 days). If your personal information was submitted to Lexi by a law firm as part of its Customer Content, we will refer your request to that firm and assist it as its service provider, consistent with Section 2. You may opt out of marketing emails via the unsubscribe link in any message; we may still send transactional and service communications.
11. United States State Privacy Rights
This section applies to residents of California and other U.S. states with comprehensive privacy laws (including Colorado, Connecticut, Texas, Virginia, and Utah) and supplements the rest of this Policy.
Categories collected. In the preceding 12 months we have collected the categories of personal information described in Section 3, which correspond to the following statutory categories, from the sources and for the purposes described in Sections 3–5:
Category | Examples | Disclosed To
Identifiers | Name, email, phone, IP address, account IDs | Service providers / sub-processors (Section 6)
Commercial information | Subscription history, billing records | Payment processor, service providers
Internet / network activity | Usage data, device data, logs, cookies | Hosting and analytics service providers
Professional information | Firm name, role, work contact details | Service providers; marketing as described in Section 5
Communications content | Messages with the Lexi bot, support requests, Customer Content | Sub-processors solely to provide the Service
Sensitive personal information | May appear within Customer Content (e.g., in legal matters); log-in credentials | Processed only to provide the Service at the firm’s direction
Your rights. Subject to verification and applicable exceptions, you may request: to know/access the personal information we hold about you; correction; deletion; portability; and to limit the use of sensitive personal information (we use sensitive personal information only to provide the Service and for the purposes permitted by Cal. Civ. Code § 1798.121(a) and similar laws). We do not sell personal information and do not share it for cross-context behavioral advertising, and we have no actual knowledge of selling or sharing the personal information of minors. We will not discriminate against you for exercising your rights. We honor opt-out preference signals such as Global Privacy Control for any applicable cookie-based processing. California residents may also request the notice described in Civil Code § 1798.83 (“Shine the Light”). Submit requests to [email protected] or via our support page; authorized agents may submit requests with proof of authorization.
12. Cookies and Similar Technologies
We use strictly necessary cookies (authentication, security, session state), preference cookies, and analytics cookies/local storage to understand usage and improve the Service. You can control cookies through your browser settings and, where offered, our cookie preferences tool; disabling necessary cookies may impair the Service. We respond to Global Privacy Control signals as described in Section 11.
13. GDPR and UK Data Protection
If you are in the European Economic Area, the United Kingdom, or Switzerland: for processing where Lexi is a controller (Section 2), our legal bases are performance of a contract (providing the Service), legitimate interests (securing and improving the Service, business communications with firm personnel), consent (where required, e.g., certain cookies or marketing), and compliance with legal obligations. You have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to withdraw consent and to lodge a complaint with your supervisory authority. Where Customer Content is transferred to the United States or other countries, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses, which we will execute with customers upon request. Article 28 processor terms are set out in the Data Processing Terms (Section 10) of our Terms of Service, and our sub-processor list appears in Section 6 of this Policy. Contact for EU/UK inquiries: [email protected].
14. Children’s Privacy
The Service is a business product and is not intended for, or directed to, individuals under 18 (or the age of majority in their jurisdiction, if higher). We do not knowingly collect personal information from minors; if we learn that we have, we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by appropriate means — for example, by notifying workspace administrators, emailing the address associated with the account, or presenting an in-product notice — before the changes take effect, and will post the updated Policy with a new “Last Updated” date. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
16. Contact Us
Questions, requests, or complaints regarding this Policy or our data practices may be directed to:
OpenLaw, Inc. — Attn: Privacy
7900 NW 155th St. #105, Miami Lakes, FL 33016
Email: [email protected] · Support: [email protected]