Privacy Policy
How Lex handles your data and your clients' data
Last updated: 29 April 2026 · Effective: 29 April 2026
Lex is built for Nigerian lawyers who carry a duty of confidentiality to their clients under the Rules of Professional Conduct and the Nigeria Data Protection Act 2023. This policy explains what we collect, where it goes, and how you keep control of it.
1. Who we are
Lex is operated by Lex Technology, a Nigerian technology company building practice intelligence software for legal practitioners. References to "Lex", "we", "us", or "our" mean Lex Technology. References to "you" mean the lawyer, paralegal, or firm staff member who registers a Lex account, and where the context requires, your law firm.
You can reach us at hello@uselex.app. For data-protection enquiries specifically, write to privacy@uselex.app.
2. Scope and roles
Lex processes two distinct categories of personal data, and our role under the Nigeria Data Protection Act 2023 (NDPA) and equivalent foreign laws is different for each:
- Your personal data as a Lex user. When you sign up, log in, pay your subscription, or use the product, we are a data controller. This policy is our notice to you.
- Your clients' personal data and matter information. When you upload case documents, draft client communications, transcribe meetings, or run analyses, you remain the controller of that data. Lex acts as your data processor and processes it strictly on your instructions, in support of the legal services you provide.
This split matters: you continue to owe your own clients the duty of confidentiality and the disclosures required of a data controller. Lex is the tool you use; it does not replace your obligations to your clients.
3. Data we process
3.1 Account and identity data
- Your name, email address, phone number, professional bar number, and primary practice areas.
- Your law firm or chambers name, your role within it (partner, associate, staff), and your firm's settings.
- Authentication data — email, hashed password, session tokens, multi-factor authentication state. Hashing is performed by our authentication provider; we do not see plaintext passwords.
- Accessibility preferences (font size, contrast mode, text-to-speech enabled).
3.2 Practice and matter data
- Client records you create — names, contact details, referrer information, matter histories.
- Matter and case information — title, court, opposing parties, status, billing status, practice area, proceedings, obligations, deadlines.
- Documents you upload to a matter or to your firm's library — contracts, briefs, court filings, exhibits, screenshots, correspondence.
- Documents you draft inside Lex's editor, including version history and reviewer comments.
- Calendar events, tasks, task comments, and task attachments.
- Invoices and bills of charges you generate.
- Forms you create and forms your clients fill via shared links you control.
3.3 Communications data
- Audio you record through Lex's recorder, and the transcripts produced from it.
- Meeting recordings and transcripts produced by the meeting bot when you dispatch it to a Zoom, Google Meet, or Microsoft Teams call.
- Your chat history with the Lex assistant, including the queries you sent and the responses generated.
3.4 Billing data
- Subscription plan, billing status, trial state, renewal dates, coupon redemptions.
- Payment metadata returned by Paystack (transaction reference, masked card details, channel). We do not see or store full card numbers, CVV codes, or PINs.
3.5 Technical data
- Your IP address, browser, device type, and operating system, captured automatically when you load the application.
- Service-worker cache state and push notification subscription endpoints, where you've enabled notifications.
- Application diagnostic logs containing request paths, response codes, error traces, and the user identifier of the requester. We do not log document or chat content into diagnostic logs.
4. How we use it
- To run the service — show your matters, route documents, schedule reminders, send notifications you configure.
- To answer your AI requests — when you ask the Lex assistant a question, run a document analysis, transcribe audio, or proofread a draft, the relevant content is sent to the AI provider noted in section 6.
- To bill you — process subscription payments through Paystack and reconcile invoices.
- To support you — respond to email enquiries, investigate issues you report, and guide you through onboarding.
- To keep the service safe — detect abuse, prevent unauthorised access, monitor service health, comply with legal obligations.
- To improve Lex — analyse aggregated, non-content metrics (active users, feature engagement, error rates). We do not train AI models on your matter content; see section 7.
5. Lawful basis under the NDPA
Section 25 of the NDPA requires a lawful basis for each act of processing. We rely on:
- Performance of a contract — processing necessary to deliver the service you signed up for, including running AI features you invoke.
- Legitimate interest — for service-quality monitoring, fraud prevention, and security incident response, balanced against your reasonable expectations.
- Legal obligation — retention of billing records, response to lawful regulatory or court orders.
- Consent — for optional features such as marketing emails or SMS / WhatsApp notifications, which you can withdraw at any time.
6. Sub-processors we share data with
Lex relies on the following sub-processors. Each handles a defined slice of data, under a contractual obligation to process it only on our instructions and to protect it with reasonable security measures:
| Sub-processor | What they do | Data they receive | Location |
| --- | --- | --- | --- |
| Supabase | Database, authentication, file storage, edge runtime | All application data, hashed credentials, uploaded files | United States |
| Anthropic (Claude) | AI assistant, document analysis, proofreading, drafting, form-field detection, OCR for scanned PDFs | Your queries, document text and images, matter context, transcript snippets | United States |
| OpenAI | Vector embeddings for library search; text-to-speech for the "Listen" feature | Library document chunks; text you ask Lex to read aloud | United States |
| AssemblyAI | Audio transcription with speaker labels | Audio files you record in the recorder | United States |
| Recall.ai | Meeting bot that joins and records calls you dispatch it to | Meeting URL, audio and transcript of the call | United States |
| Paystack | Subscription and one-off payments | Name, email, phone, firm, practice area, payment instrument metadata | Nigeria |
| Resend | Transactional email (reminders, invites, alerts) | Recipient email and the body of the message | United States |
| Termii | SMS delivery for reminders and notifications | Recipient phone number and the message text | Nigeria |
| Twilio | WhatsApp delivery for reminders and notifications | Recipient WhatsApp number and the message text | United States |
| Cloudflare Pages | Static asset hosting and global content delivery | Public application files; visitor IPs at the edge | Global edge network |
| Google Fonts | Web typeface delivery | Visitor IPs only (no user content) | United States / Global |
We keep an up-to-date list and notify you of material changes through the application before they take effect.
7. How we use AI providers
Lex's AI features are not magic — they are calls to large-language-model providers operated by third parties. We treat that as a meaningful disclosure obligation, not a footnote.
- What is sent. When you invoke an AI feature, the data needed for that specific feature — for example, the document you ask Lex to summarise, the question you ask the assistant, the audio you ask the recorder to transcribe — is sent to the provider listed in section 6.
- What is not sent. We do not send your matters, documents, or chat history to AI providers in the background. AI processing happens only when you take an action that requires it.
- No training on your data. We have contractually arranged with our AI providers that your inputs and the model's outputs are not used to train their foundation models. This is a standard zero-data-retention or no-training arrangement on the relevant tiers; we do not opt your firm into any free tier that would change this.
- Provider retention. Providers may retain inputs and outputs briefly to operate the service (for example, to detect abuse). Retention windows differ by provider and tier and may change; the figures we are aware of are documented internally and available on request.
- Output is not legal advice. AI-generated summaries, drafts, citations, or recommendations are starting points for your own professional judgement, not substitutes for it. You remain the lawyer of record.
8. Cross-border transfers
As section 6 makes clear, several of our sub-processors are located outside Nigeria, principally in the United States. Section 41 of the NDPA permits transfers of personal data outside Nigeria where the recipient is subject to a law, binding corporate rule, contract, or other instrument that provides an adequate level of protection.
For each US sub-processor, we rely on contractual data-processing terms that bind them to security and confidentiality obligations comparable to the NDPA. Where you are based in a jurisdiction (such as the EU/UK) that imposes additional transfer requirements, we apply standard contractual clauses or equivalent mechanisms with the same providers.
By signing up to Lex, you authorise these cross-border transfers as necessary to deliver the service you have requested.
9. How long we keep data
- Documents and folders you delete — held in soft-delete for seven days, then permanently purged from the database. Underlying storage objects are removed on the same schedule.
- Account, matter, client, and chat data — retained for as long as your account is active. We treat this as part of your firm's working file; we do not auto-delete it.
- Recordings and transcripts — retained until you delete them, in line with the working-file principle above.
- Billing records — retained for at least seven years after the last transaction to satisfy tax and accounting requirements.
- Diagnostic logs — retained for up to ninety days, then rotated.
- Deleted accounts — when you close your account, we delete account and matter data within thirty days, except where we are obliged to retain specific records (billing, regulatory). On request we will issue written confirmation of deletion.
10. Security
- All traffic between your browser and Lex is encrypted in transit using TLS 1.2 or higher.
- Data at rest is stored in encrypted database and storage volumes managed by our infrastructure providers.
- Access between firms is enforced at the database layer through row-level security policies — staff in one firm cannot read another firm's records, even with a valid login.
- Administrative access to production systems is restricted to a small number of named engineers, authenticated with strong credentials.
- We log authentication events and material configuration changes.
- We do not claim to be impregnable. No system is. We commit to applying current good practice and to telling you promptly if we get something wrong (see section 13).
11. Your rights as a data subject
Under the NDPA you have the rights to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure of your data, subject to retention obligations described in section 9.
- Restrict or object to certain processing.
- Portability — receive your data in a structured, commonly used format.
- Withdraw consent at any time where consent is the lawful basis (section 5).
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng.
To exercise any of these rights, email privacy@uselex.app. We will respond within thirty days. We may ask you to verify your identity before we act on a request.
12. Your clients' personal data
Important. When you put a client's name, contact, document, recording, or case fact into Lex, you remain the controller of that data. Lex is your processor. Your duties to the client under the Legal Practitioners Act, the Rules of Professional Conduct, and the NDPA continue to apply.
This means:
- You should be confident that uploading client material into Lex is consistent with the privilege and confidentiality undertakings you have given the client. In most engagement letters this is uncontroversial; if yours is silent, consider whether to update it.
- You should obtain whatever consent the NDPA requires from your client to allow you to use cloud-hosted tools, AI-assisted analysis, and US-based sub-processors as part of how you serve them.
- Requests from your clients to access, correct, or delete their personal data go to you first, not to Lex. We will support you in fulfilling those requests, but we cannot honour them directly without your instruction.
13. Breach notification
If we become aware of a personal-data breach affecting your account or your firm's data, we will notify you without undue delay and, where the breach is likely to result in a high risk to you or your clients, within seventy-two hours of becoming aware. Our notice will describe what happened, what data was affected, what we are doing about it, and what you should do.
We will also notify the NDPC where the law requires us to do so. Where you are the controller of affected client data, we will give you the information you need to discharge your own notification duties.
14. Cookies, local storage, and the service worker
- Lex sets a small number of essential cookies to keep you signed in. We do not use third-party advertising or tracking cookies.
- The application uses your browser's local storage to cache things like your most recent chat with the assistant and your editor draft state, so that they survive a refresh. This data stays on your device.
- The Lex service worker caches static assets so the app loads quickly and works on intermittent connections. It does not cache document content.
15. Changes to this policy
If we change how Lex handles data in a material way, we will update this page, change the "Last updated" date at the top, and notify active users by email or in-product banner before the change takes effect. Minor clarifications and link updates may be made without notice.
For privacy questions, complaints, or to exercise any of the rights described above:
If you remain unsatisfied after contacting us, you may lodge a complaint with the Nigeria Data Protection Commission at ndpc.gov.ng.