Privacy Policy
Last updated: February 24, 2026
This policy describes the rules for processing personal data within the Lexense website, web application, mobile application (iOS/Android), Lexense browser extension for Google Docs, and the handling of contact, support, and waitlist services.
1. Data Controller
The controller of personal data is: Consulting Wojciech Bajer, sole proprietorship, registered address: Kokota 23, 41-400 Mysłowice, Silesian Voivodeship, Poland, NIP (Tax ID): 2220919309, REGON: 388306534, authorized representative: Wojciech Bajer, contact email: support@lexense.ai. For data protection matters, please contact: support@lexense.ai. The Controller has not appointed a Data Protection Officer. For all matters related to personal data processing, please contact the Controller directly at the address indicated above.
2. Scope of the Policy
This Policy covers data processing within:
- the Lexense website,
- the Lexense web application,
- the Lexense mobile application (iOS/Android),
- the Lexense browser extension for Google Docs,
- contact, support, and waitlist handling.
3. What Data We Process
Depending on how you use the Services, we process:
1. Account data: email address, first name, last name, username, social account identifiers (e.g., Google/Apple subject).
2. Profile and settings data: language, app preferences, privacy settings, optionally profile data for document templates (e.g., company, tax ID, REGON, address, phone).
3. Content data: uploaded documents and their metadata, OCR text, chat and query content, case management data, information about generated documents.
4. Technical and operational data: system and diagnostic logs, device/app identifiers, push notification tokens (FCM, including device data).
5. Payment and subscription data: customer and subscription identifiers (e.g., Stripe customer/subscription ID), subscription status and billing period. Payment card data is handled by payment operators and app stores — the Controller does not store payment card data.
6. Contact and marketing data: contact form data (name, email, message), email address subscribed to the waitlist.
7. Analytics data: product and telemetry events (e.g., mobile analytics), data from analytics tools deployed in the service/app (e.g., Microsoft Clarity), if active and if the User has consented.
4. Purposes and Legal Bases for Processing
We process data based on Articles 6 and 9 of the GDPR (where applicable), in particular:
1. Performance of a contract for the provision of services (Art. 6(1)(b) GDPR): registration and login, account management, documents, chats, AI features, subscription and limit management.
2. Compliance with legal obligations (Art. 6(1)(c) GDPR): accounting, taxes, pursuing/defending claims, exercising data subject rights.
3. Legitimate interests of the Controller (Art. 6(1)(f) GDPR): system security and abuse prevention, developing and improving services, support and complaint handling.
4. Consent (Art. 6(1)(a) GDPR), where required: selected analytics/marketing features, communications requiring consent under applicable law.
5. Data Recipients and Processors
Data may be disclosed to entities supporting the provision of Services, in particular:
- hosting and cloud infrastructure providers (e.g., Google Cloud Platform),
- AI/LLM model and OCR providers (e.g., OpenAI, Anthropic) — to the extent necessary for analyzing content submitted by the User,
- file storage providers (e.g., Google Cloud Storage),
- push notification and email service providers (e.g., Firebase Cloud Messaging),
- analytics and diagnostic tool providers (e.g., Microsoft Clarity — only with User consent),
- payment operators and app stores (e.g., Stripe, Apple App Store, Google Play),
- entities providing legal, accounting, and audit services.

The Controller engages processors based on appropriate data processing agreements (Art. 28 GDPR).

Important: As part of providing the Services, content of documents submitted by the User may be transmitted to external AI model providers for analysis. Analysis results are automated and are not used by AI providers to train their models, unless a separate agreement with the provider states otherwise.
6. Data Transfers Outside the EEA
When using global providers, data may be transferred outside the European Economic Area. Such transfers are carried out with appropriate legal safeguards, in particular:
- standard contractual clauses approved by the European Commission (Art. 46(2)(c) GDPR),
- European Commission adequacy decisions (Art. 45 GDPR),
- or other mechanisms provided for in Chapter V of the GDPR.
7. What Data Is Processed by AI (GPT-5.2)
As part of AI features (GPT-5.2), the following categories of data may be processed in particular:
1. Content of documents submitted by the User for analysis, including relevant excerpts and context.
2. Content of questions and messages provided in AI chat or forms.
3. Selected technical metadata required to perform the analysis and ensure service security.
4. Special categories of personal data (Art. 9 GDPR) and data relating to criminal convictions and offences (Art. 10 GDPR), if included by the User in document or query content.

The Controller does not require Users to provide special-category data, but such data may appear in materials submitted by the User.
8. Data Transfer to OpenAI and Server Location
To provide AI features, selected document content and user queries may be transferred to OpenAI acting as a processor. Processing by OpenAI may take place on infrastructure located in the European Economic Area, the United States, or other jurisdictions indicated by the provider, depending on service configuration and infrastructure availability. Where a transfer takes place outside the EEA, mechanisms compliant with Chapter V GDPR are applied, including standard contractual clauses or adequacy decisions.
9. Data Processing Agreement (DPA) with OpenAI
The Controller has entered into a Data Processing Agreement (DPA) with OpenAI that defines, among other things, the scope and purpose of processing, confidentiality obligations, security measures, and support for data subject rights. Where required by law, transfers of data to third countries are based on appropriate legal mechanisms, including standard contractual clauses.
10. Private Mode (On-Device) as a No-Transfer Alternative
The Lexense mobile application provides a private mode (on-device). In this mode, analysis is performed locally on the User's device, and document content is not transferred to an external AI provider. Availability of on-device mode and its feature scope may depend on the subscription plan, device type, and selected functionality.
11. Data Retention Period
1. Account and operational data — for the duration of Service use and the period necessary for settlements and defense of claims.
2. Subscription and billing data — for the period required by tax and accounting regulations (generally 5 years from the end of the tax year).
3. Waitlist and contact data — until the purpose is fulfilled, consent is withdrawn, or a successful objection is made.
4. Data after account deletion: active data is deleted promptly; selected information may be archived for up to 7 years after account deletion, to the extent required by law or justified by compliance requirements (e.g., tax settlements, defense of claims). After the archival period, data is permanently deleted.
5. Data export links and temporary files — for the technically necessary period (e.g., expiring temporary links).
12. Data Subject Rights
You have the right to:
- access your data (Art. 15 GDPR),
- rectify your data (Art. 16 GDPR),
- erase your data (Art. 17 GDPR),
- restrict processing (Art. 18 GDPR),
- data portability (Art. 20 GDPR),
- object to processing based on legitimate interest (Art. 21 GDPR),
- withdraw consent (where processing is based on consent) — withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal,
- lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland) or another competent supervisory authority.

To exercise the above rights, write to: support@lexense.ai.
13. Automated Processing and Profiling
Lexense uses automated content analysis tools (AI). AI results support the User but do not constitute decisions producing legal effects within the meaning of Art. 22 GDPR. The User is not subject to decisions based solely on automated processing, including profiling, that would produce legal effects or similarly significantly affect them.
14. Data Security
We apply technical and organizational measures appropriate to the risk, including access controls, transmission encryption (TLS), encryption of data at rest, and security monitoring mechanisms.
15. Children's Data
The Services are not directed at persons under 16 years of age. A person under 16 may use the Services only with the consent of a parent or legal guardian, in accordance with Art. 8 GDPR and national regulations. If unauthorized processing of a child's data is detected, the data will be promptly deleted.
16. Chrome Extension — Additional Information
When using the browser extension for Google Docs, the following data may additionally be processed:
- content of the Google Docs document selected for analysis,
- identifiers associated with the Google account and OAuth authorization,
- session tokens and technical data necessary for the extension to function.

The scope of extension permissions results from the manifest configuration and is limited to functions necessary for providing the service. Google Docs document content is transmitted to the Lexense server solely for the purpose of performing analysis and is subsequently processed in accordance with this Policy.
17. Contact
For privacy matters, write to: support@lexense.ai.
18. Changes to the Privacy Policy
1. This Policy may be updated in response to legal changes and product development.
2. We will notify you of significant changes at least 14 days in advance via the app, website, or email.
3. The current version of the Policy is published with the date and version number.