🔒 Privacy

Privacy Policy

Version 1.0 Last updated: April 2026 LexCap.io

DIFC DPL GDPR eIDAS

1. Who We Are

Privacy enquiries: privacy@lexcap.io

This policy reflects our commitment to data privacy across the jurisdictions we operate in, including GDPR where applicable.

2. What We Collect

Account data: Full name, email address, password (salted hash — we never see plain text), organisation name, primary jurisdiction.
Platform usage data: Layla.ai conversation history, documents you upload or generate, Playbook content, compliance policies, template content, signing envelope data, credit transactions.
Billing data: Subscription plan, billing history, Stripe customer ID. We do not store card details.
Booking and session data: Consultant bookings, session notes, action items from meeting transcripts.
Technical data: IP address, browser type, OS, log data, cookie data.
Consent records: Timestamp and IP address of disclaimer acceptance, and version of Terms and Privacy Policy accepted.

3. AI Processing — Important Disclosure

Layla.ai is powered by Anthropic's Claude API. When you submit a message or upload a document, that content is transmitted to Anthropic's servers for processing.

Anthropic acts as a data processor under a Data Processing Agreement with LexCap
Anthropic does not use API inputs to train its models
Anthropic's infrastructure is in the United States — we have implemented standard contractual clauses for international data transfers
LexCap does not use your documents, Playbook, or conversations to train any AI model
If you include third-party personal data in documents or conversations, you are responsible for having a legal basis for that processing

4. How We Use Your Data

Legal basis	Purposes
Performance of contract	Account management, Layla.ai processing, document storage, payments, consultant bookings, signing envelopes
Legitimate interests	Security monitoring, fraud detection, platform analytics, error monitoring
Legal obligations	Record-keeping required by applicable law, responses to lawful requests
Consent	Marketing emails (withdraw anytime), non-essential cookies

5. Data Sharing & Processors

We share your data only with these processors, only as necessary:

Processor	Purpose	Location	DPA
Anthropic	Claude API — Layla.ai processing	USA	Yes
Supabase	Database & file storage	EU West (Ireland)	Yes
Stripe	Payment processing	USA / EU	Yes
Resend	Transactional email	EU	Yes
PostHog	Product analytics	EU	Yes
Sentry	Error monitoring	USA	Yes

We do not sell your personal data. We do not share your data with advertisers.

6. Data Retention

Data type	Retention	Notes
Account data	Until deletion + 90 days	Grace period for export
Conversation history	90 days rolling	You can delete any time
Documents	Until you delete them	You control deletion
Billing records	7 years	Applicable commercial law
Disclaimer acceptance	7 years	Legal compliance
Signing envelopes	7 years	Legal enforceability
Security logs	12 months	Fraud prevention

7. Your Rights

Depending on your jurisdiction, you may have rights to: access your data, correct inaccuracies, request erasure, restrict processing, receive your data in portable format, object to processing, and withdraw consent.

Most data management is self-service via Settings → Data & Privacy in your account. To exercise any right, email privacy@lexcap.io. We will respond within 30 days.

8. Security

AES-256 encryption at rest for all stored documents and personal data
TLS 1.3 encryption in transit
Row-level security in Supabase — your data is logically isolated from other users
Bcrypt password hashing — we never store or see plain-text passwords
API keys stored as server-side environment variables only
Staff access restricted on a need-to-know basis

To report a security issue: security@lexcap.io

9. International Transfers

Your data may be transferred to the United States in connection with our processors (Anthropic, Stripe, Sentry). All transfers are subject to appropriate safeguards including standard contractual clauses. If you are in the UK, Canada, Australia, or another jurisdiction with specific transfer requirements, we apply equivalent safeguards. Contact privacy@lexcap.io for jurisdiction-specific information.

10. Cookies

Category	Consent required	Examples
Essential	No	Session auth, CSRF tokens, load balancing
Analytics	Yes	PostHog — anonymised feature usage
Preference	Yes	Theme, UI preferences

We do not use advertising cookies. We do not allow third-party advertising on the Platform.

11. Children

The Platform is not directed at anyone under 18. Contact privacy@lexcap.io if you believe we have inadvertently collected data from a minor.

12. Changes to This Policy

We will notify you of material changes by email at least 14 days before they take effect.

13. Complaints

If you believe we have not handled your data appropriately, you can complain to:

DIFC: DIFC Commissioner of Data Protection — dataprivacy.difc.ae
EU residents: Your local supervisory authority
UK residents: Information Commissioner's Office — ico.org.uk
Canadian residents: Office of the Privacy Commissioner — priv.gc.ca

We would always prefer to resolve concerns directly — contact privacy@lexcap.io first.

Contact

Privacy matters: privacy@lexcap.io

Security issues: security@lexcap.io