Privacy Policy
Lexyno, Inc. · Last Updated: May 18, 2026
This Privacy Policy explains how Lexyno ("Lexyno," "we," "us," "our") collects, uses, discloses, and retains personal information when you visit our marketing website, create an account or use our application, request sample demands, subscribe to a plan, or otherwise interact with us (collectively, the "Services").
Quick Summary (Notice at Collection)
We collect the following categories of information:
- Account and contact information (e.g., name, work email, firm name, title/role).
- Billing and subscription information (handled through our payment processor; we receive limited billing metadata).
- Usage and device data (e.g., IP address, browser/device details, activity logs).
- Customer Content submitted in the app (e.g., case documents, case facts, medical chronology data) when our customers upload or enter information for a matter.
We use this information to:
- Provide, maintain, and secure the Services.
- Operate case workflows and deliver exports (including Google Docs export).
- Provide customer support and communicate with you.
- Improve reliability, performance, and product features.
- Send marketing communications where permitted (with opt-out controls).
We disclose information to service providers that help us run the Services (hosting, analytics, payment processing, security, customer support tooling, and AI infrastructure), and to authorities or others as required by law.
1) Important Role Distinction: Customer Data vs. Lexyno Website Data
A. When Lexyno processes Customer Content in the app
Lexyno is typically a processor/service provider and the law firm (our customer) is typically the controller/business for case-related personal information (including claimant medical information). We process Customer Content only to provide the Services and under our customer's instructions (for example: parsing, extracting medical events, enforcing Fact-Lock, generating demand letter sections, and exporting drafts to Google Docs).
To the extent Customer Content includes Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), Lexyno acts as a "business associate" of the law firm. Our handling of PHI is governed by a separate Business Associate Agreement ("BAA") entered into between Lexyno and the law firm, which controls over this Privacy Policy with respect to PHI. Where Lexyno has not yet executed a BAA with a customer, that customer is responsible for de-identifying PHI to the extent practicable, consistent with 45 C.F.R. § 164.514, before submitting it to the Services.
If you are a claimant/patient whose information was uploaded by a law firm using Lexyno, direct privacy requests to that law firm first, because they control the case file and the legal basis for processing.
B. When you use our marketing website
We act as the controller for information collected on our marketing website (e.g., "Request Sample Demands" submissions, newsletter signups, and website analytics).
2) Personal Information We Collect
2.1 Information you provide directly
- Marketing and account data: name, email, phone number (if provided), firm name, title/role, jurisdiction/state, and information you submit via forms.
- Support communications: messages and content you send to us (support requests, feedback, and correspondence).
- Subscription and billing-related data: subscription status, plan tier, invoice references, and limited payment metadata (payment processing is handled by our payment processor, such as Stripe).
- Customer Content (in-app): case documents and files uploaded for a matter (which may include medical records and other sensitive information), and structured case facts and medical events extracted and stored to support chronology and Fact-Lock workflows.
2.2 Information collected automatically
- Device and connection data: IP address, device type, OS, browser, and approximate location.
- Usage data: pages/screens viewed, feature usage, clicks, timestamps, and referrer URLs.
- Cookies and similar technologies:see "Cookies, Analytics, and Advertising" below.
2.3 Information from third parties
- Integrations: authentication and integration signals (e.g., Google OAuth) if you connect third-party services.
- Payments: payment and subscription signals from our payment processor (e.g., successful payment, failure, refunds/chargebacks if applicable).
- Analytics/advertising partners: information from vendors that help measure marketing performance (if enabled).
3) How We Use Personal Information
- Provide and operate the Services: create accounts, authenticate users, administer firm tenants, run case workflows, process uploaded files, extract case facts/medical events, and generate draft outputs.
- Security and fraud prevention: monitor for abuse, enforce access controls, maintain audit logs, and protect the integrity of the Services.
- Customer support and communications: respond to requests, provide service messages, and send product/administrative updates.
- Improve and develop the Services: debug, analyze performance, improve reliability, and build new features. We may create aggregated/de-identified data for analytics and product improvement.
- Marketing (where permitted): send newsletters and product updates. You can opt out at any time.
AI / Model Use of Customer Content
Lexyno may use third-party AI infrastructure to provide the Services (for example, extraction or drafting). We do not use Customer Content to train our own models without the customer's consent, and we do not permit third-party AI providers to use Customer Content to train or improve their models for the benefit of other customers. Where PHI is involved, these restrictions are reinforced by the applicable BAA.
4) How We Disclose Personal Information
- Service providers (subprocessors): hosting, database/storage, analytics, email delivery, customer support tooling, security vendors, payment processing, and AI infrastructure used to deliver the Services. Where these subprocessors process PHI, they do so under written agreements consistent with HIPAA and the applicable BAA.
- Customer-controlled recipients: when a customer exports or shares outputs (including exports to Google Docs/Drive environments the customer controls).
- Legal and compliance disclosures: to comply with law and protect rights, safety, and security.
- Business transfers: in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets.
5) Sensitive Information (Medical / Case Records)
Customer Content may include sensitive personal information, including medical information and PHI. Lexyno processes this data solely to provide the Services to law firms (for example, building a medical chronology and generating demand letter sections) and to support verification and Fact-Lock controls. Where Customer Content includes PHI, Lexyno's processing is governed by the BAA between Lexyno and the relevant law firm, and Lexyno maintains administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including encryption at rest and in transit, role-based access controls, firm-level data isolation, and audit logging.
6) Data Retention
We retain personal information for as long as reasonably necessary to provide the Services, meet contractual obligations, maintain security and audit logs, and comply with legal obligations. Customer Content is retained according to the customer contract and account settings/administration, and may persist for a limited period after account termination to allow retrieval, dispute resolution, and backup integrity (subject to contract and, for PHI, the BAA).
7) Cookies, Analytics, and Advertising
We may use cookies and similar technologies to keep you signed in (essential cookies), remember preferences (functional cookies), understand usage and improve performance (analytics cookies), and support marketing attribution and (if enabled) advertising (advertising cookies).
If your browser sends a Global Privacy Control (GPC) signal, we will treat it as a request to opt out of "sale"/"sharing" for cross-context behavioral advertising where applicable under certain laws.
8) Your Privacy Rights and Choices
8.1 Marketing opt-out
You can opt out of marketing emails by using the unsubscribe link in the email or by contacting us.
8.2 Access, correction, deletion, portability
Depending on where you live, you may have rights to request access to, correction of, deletion of, or a copy/portability of certain personal information.
8.3 "Do Not Sell or Share" (California-style rights)
Lexyno does not sell personal information for money. If we engage in cross-context behavioral advertising on the marketing site, disclosures to certain advertising partners may be considered "sharing" under California law, and you may opt out (including via GPC where applicable).
8.4 Requests involving Customer Content (claimants/patients)
If your personal information appears in a law firm's case file within Lexyno, the law firm controls that data. Submit requests to that law firm first. Lexyno will support lawful requests consistent with our contractual role as a processor/service provider and, where applicable, as a business associate under the BAA.
8.5 Limits on Your Privacy Rights and Choices
In some instances, your choices may be limited, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights. Where we process your personal information as a processor or service provider on behalf of a business customer (for example, Customer Content within a law firm's case file, including PHI governed by a BAA), the business customer is the controller of that information; if you have questions about our privacy practices or would like to exercise any rights with respect to that information, please contact the corresponding customer. We may also verify your identity before responding to a request, and you are entitled to exercise your rights free from discrimination. If you are not satisfied with how we address your request, you may submit a complaint by contacting us as provided in the "Contact Us" section below.
9) Security
We use administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is perfectly secure; risk cannot be eliminated.
10) International Data Transfers
Lexyno and its service providers may process information in the United States and other countries where they operate. Where required, we rely on appropriate transfer mechanisms and contractual safeguards.
11) Children
The Services are not directed to children, and we do not knowingly collect personal information from children.
12) Governing Law
This Privacy Policy and any dispute arising from or relating to it are governed by the laws of the State of Delaware, without regard to conflict-of-law principles, except where a mandatory data-protection law of the user's jurisdiction applies. This Section does not limit any non-waivable statutory privacy rights you may have under applicable law.
13) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will update the "Last Updated" date and post the updated version on our website.
14) Contact Us
For privacy questions or requests, contact us at privacy@getlexyno.com.