1. Data Controller
The entity responsible for data collection and processing is:
LexLogik UG (haftungsbeschränkt)
Mahlgasse 4
88339 Bad Waldsee
Germany
Managing Director: Jonas Maximilian Regul
Email: info@lexlogik.com
Phone: +44 20 3885 1681 (International Support)
VAT ID (Germany): DE460852323
Please note: Our UK phone number connects you to our central support team in Germany. We do not maintain a physical office in the United Kingdom.
Article 27 UK GDPR (representative in the UK): LexLogik UG is established in Germany and does not maintain an establishment in the United Kingdom. Where our processing of personal data of individuals in the UK is in scope of Article 3(2) UK GDPR, a UK representative must be designated. We are currently completing this designation. Until the representative is published here, please address all UK data protection enquiries to the controller above at info@lexlogik.com; this does not affect your right to lodge a complaint with the ICO (see section 11).
2. Collection and Storage of Personal Data
When you visit our website, your browser automatically sends information to our server (log files).
- Data collected: IP address, date/time of access, file requested, referrer URL, browser type, and operating system.
- Purpose: Ensuring a smooth connection, system security, and administration.
- Legal Basis: Art. 6 (1) (f) UK GDPR (legitimate interest).
Retention: Log files are deleted automatically after 14 days unless a security-relevant incident requires extended retention.
Business outreach & onboarding emails
Where we send you informational or follow-up emails about LexLogik to a business email address (for example after a phone call, an introduction, or as part of a 12-day onboarding series for people who filled in the login form), we process your email address, optionally your name and firm, and the context of the outreach.
- Legal basis: legitimate interest in B2B business development with regulated professionals (Art. 6 (1) (f) UK GDPR / EU GDPR). Where a freely given consent is in place (for example, ticking a newsletter checkbox on the login form), the legal basis is consent (Art. 6 (1) (a) GDPR), which can be withdrawn at any time.
- Processors: email delivery via our processor Mailgun (Sinch); editorial outreach may also be sent from our ordinary business inboxes.
- Retention: until you object or the purpose lapses. If you opt out via the unsubscribe link, your address is moved to a suppression list.
Suppression list: we keep your unsubscribed email address together with the date of the opt-out for the sole purpose of reliably excluding it from future LexLogik mailings. This processing rests on our overriding interest in honouring your objection on a lasting basis (Art. 6 (1) (f) UK GDPR / EU GDPR, see Recital 47); deleting the suppression list would undermine that protection.
3. Cloudflare (Security & Performance)
We use services from Cloudflare, Inc. (USA/EU) to protect our infrastructure against DDoS attacks and optimise loading times.
- Important: Cloudflare is only used for the delivery of the web interface (frontend). Documents you upload for processing are transmitted directly to our servers in Germany and do not pass through Cloudflare's infrastructure.
- Legal Basis: Art. 6 (1) (f) UK GDPR (security of the IT infrastructure).
- International transfers: Cloudflare is certified under the EU - U.S. Data Privacy Framework (UK extension); transfers from the UK rely on the UK Addendum to the EU Standard Contractual Clauses or the International Data Transfer Agreement (IDTA) where applicable.
4. Stripe (Payment Processing)
For the billing of our "Counsel" and "Professional" plans, we use the payment service provider Stripe (Stripe Payments Europe Ltd., Ireland / Stripe Inc., USA).
- When you subscribe, your payment details are transmitted directly to Stripe. LexLogik does not store full credit card details.
- Legal Basis: Art. 6 (1) (b) UK GDPR (performance of contract).
- International transfers: Stripe is certified under the EU - U.S. Data Privacy Framework (UK extension); transfers from the UK rely on the UK Addendum to the EU Standard Contractual Clauses or the IDTA where applicable.
5. Self-hosted Analytics (Privacy-First)
We do not use Google Analytics or Meta Pixels. To statistically evaluate page views, we use a self-hosted analytics tool on our own servers in Germany.
- IP addresses are anonymised immediately.
- No data is shared with third parties.
- Legal Basis: Art. 6 (1) (f) UK GDPR (audience measurement without personal reference).
7. Disclosure of Data
Your content data (documents) will not be disclosed to third parties unless there is a legal obligation to do so. Only the necessary master data is transmitted to Stripe for payment processing.
8. Uploaded documents (Zero-Retention architecture)
Documents that you upload for processing (PDFs, images, scans, attachments) are handled under a strict zero-retention paradigm. We use a least-data approach designed for the confidentiality requirements of UK solicitors and the duty of confidentiality under the SRA Code of Conduct.
- Processing in volatile environments: document content is processed in volatile RAM instances or temporarily encrypted session partitions on dedicated hardware in Germany.
- Automatic deletion: source files and processed results are deleted immediately after the workflow ends (download or session close); we do not create backups of client document content.
- No AI training: document content is never used to train, fine-tune or evaluate machine learning models - neither ours nor any third party's.
- No third-party AI APIs: OCR and analysis run on our own infrastructure; document content is not sent to OpenAI, Google, Anthropic or other external AI providers.
- Legal basis: Art. 6 (1) (b) UK GDPR (performance of contract) for processing requested by you, combined with technical and organisational measures under Art. 32 UK GDPR.
9. Data Security
We use strong encryption (TLS 1.3 in transit, AES-256 at rest where data is stored at all). Production systems are hosted in Germany with Hetzner Online GmbH in ISO 27001-certified data centres; we maintain strict access controls, multi-factor authentication for administrative access and audit logging for our systems and operations. Further detail is available in our Technical and Organisational Measures (TOMs) and the data sheet linked from the security whitepaper.
10. Sub-processors
We engage a small set of vetted sub-processors strictly for operating the service. Engagement is governed by data processing agreements compliant with Art. 28 UK GDPR.
- Hetzner Online GmbH (Germany) - hosting of dedicated servers and ISO 27001-certified data centres for document processing infrastructure.
- Cloudflare, Inc. (USA/EU) - DDoS mitigation and frontend delivery for the marketing website. Document content is not routed through Cloudflare (see section 3).
- Stripe Payments Europe Ltd. / Stripe, Inc. (Ireland / USA) - payment processing for paid plans (see section 4).
- Email and transactional infrastructure for account, billing and support communications.
We will inform customers of any changes to this list in line with our DPA. A current sub-processor list is available on request at info@lexlogik.com.
11. Your Rights (Data Subject Rights)
Under the UK GDPR, you have the right to:
- Access (Art. 15), Rectification (Art. 16), and Erasure (Art. 17).
- Restriction of processing (Art. 18) and Data portability (Art. 20).
- Object to processing (Art. 21) and withdraw consent (Art. 7 (3)) at any time.
- Complaint: You have the right to lodge a complaint with the UK supervisory authority - the Information Commissioner's Office (ICO).
We typically respond to data subject requests within one month (Art. 12 (3) UK GDPR). To exercise your rights, please email info@lexlogik.com.
Right to object to direct marketing (anytime, free of charge, no formalities)
You have the right to object at any time to processing of your email address for direct-marketing purposes (sales follow-ups, onboarding tips, future campaigns) under Art. 21 (2) UK GDPR. After such an objection, we will no longer use your address for these purposes.
In practice: every marketing email we send ends with an unsubscribe link. A single click is sufficient; no confirmation reply or sign-in is required. The unsubscribed address is added to our suppression list and excluded from all LexLogik outbound channels (sales follow-ups, onboarding, future campaigns).
Alternatively, a plain email to info@lexlogik.com is enough; we will remove the address from our distribution list manually.
12. Automated decision-making and profiling
We do not carry out automated decision-making within the meaning of Art. 22 UK GDPR (decisions producing legal or similarly significant effects on individuals without human involvement) and we do not engage in profiling on this service.
13. Personal data breaches
In the event of a personal data breach, we notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach in line with Art. 33 UK GDPR. Where the breach is likely to result in a high risk to data subjects' rights and freedoms, we will notify affected individuals without undue delay in line with Art. 34 UK GDPR.
As of: June 2026