LexlensLegal Intelligence

Privacy Policy

Last updated: 14 July 2026

At a glance:

Lexlens is a GDPR-compliant service operated from Portugal. We collect only what is necessary to run the platform, never sell your data, and do not use advertising or tracking tools. Push notifications and digest emails are always opt-in. You can request deletion of your account and all associated data at any time by emailing [email protected].

1. Data Controller

Lexlens is operated by Opiniões Diligentes, Consultoria Estratégica ("Lexstream", "we", "us", "our"), PT516025660, a company registered in Portugal. Lexstream is the data controller responsible for processing your personal data under the EU General Data Protection Regulation (GDPR) and the Portuguese data protection framework.

For all data protection enquiries: [email protected]

2. Personal Data We Collect

2.1 Account Information

When you create a Lexlens account we collect:

  • Email address
  • Display name and username
  • Avatar image (if provided)
  • Password — stored exclusively as a bcrypt hash (cost factor 12); your plain-text password is never stored or accessible to us
  • Preferred legal categories and jurisdiction

2.2 Usage Data

To personalise your feed and remember your preferences, we record:

  • Articles you save, mark as read, or flag as important
  • Custom keyword lenses you create (Pro subscribers)
  • Notification and digest email preferences
  • Last login timestamp

Search queries. When you search, the text you type is sent to our semantic search provider (Voyage AI, US) so that it can be matched against our article index. This includes the keywords of any Custom Lens you open, because opening a lens runs it as a search. No user identifier is attached to these requests — the provider receives the query text alone and cannot link it to you. We flag this explicitly because Custom Lenses are often used to track a named client or matter. If that is a concern for your organisation, contact us at [email protected] and we will discuss options.

Personalisation. Your reading behaviour is used to rank your feed. It is computed entirely inside our EU database and is never sent to any third party.

2.3 Device and Technical Data

  • Push notification tokens — device identifiers required to deliver notifications via Apple Push Notification service (APNs). These tokens do not identify you personally and are removed on logout or app uninstall.
  • Offline cache — the mobile app stores up to 200 recent articles of publicly-available information in your device's local database for offline reading. This data remains on your device and expires automatically after 24 hours.
  • Biometric credentials — if you enable Face ID or Touch ID, your authentication token is stored in the iOS Keychain (hardware-encrypted by Apple's Secure Enclave). We never access or store your biometric data itself.

2.4 Payment Data

Subscription payments are processed entirely by Stripe, a PCI DSS-certified payment processor. We store only your Stripe customer ID and subscription status. We have no access to your card number, bank account details, or other financial information.

2.5 Data We Do Not Collect

  • We do not use analytics or tracking services (no Google Analytics, no advertising trackers)
  • We do not profile users for advertising purposes
  • We do not sell, rent, or share your personal data with advertisers or data brokers
  • We do not store your IP address in our application logs or database. Your IP is processed transiently, in memory, to enforce rate limits and protect against abuse.

One honest caveat: some parts of our site load resources from third parties (web fonts, reCAPTCHA, and video embeds on our marketing pages). Because your browser connects to them directly, those providers receive your IP address. We do not send them any other data. They are all listed on our Subprocessors page.

3. Legal Basis for Processing (GDPR Art. 6)

The table below sets out the legal basis we rely on for each processing activity.

Processing ActivityLegal Basis
Account creation and authenticationContract performance (Art. 6(1)(b))
Delivering articles and personalised feedsContract performance (Art. 6(1)(b))
Semantic search (query text processed by Voyage AI)Contract performance (Art. 6(1)(b))
Push notifications and digest emailsConsent (Art. 6(1)(a)) — opt-in only
Subscription billing via StripeContract performance (Art. 6(1)(b))
Bot protection (reCAPTCHA v3) and rate limitingLegitimate interests (Art. 6(1)(f)) — platform security
Email verification and password resetContract performance (Art. 6(1)(b))

Where we rely on your consent (e.g. push notifications, digest emails), you may withdraw that consent at any time without affecting the lawfulness of prior processing. See Section 7 for how to exercise your rights.

4. Third-Party Services and International Data Transfers

We use a limited number of carefully selected third-party processors to operate Lexlens. Where a processor is located outside the European Economic Area, we rely on the safeguards set out in that provider's data processing terms.

The complete, current list of every subprocessor — what each one receives, where it is located, and the transfer mechanism we rely on — is published at lexlens.io/subprocessors. We maintain it as a single authoritative list rather than duplicating it here, so that it cannot fall out of date.

4.1 Where your data is stored

Lexlens runs in the European Union (Ireland). Your account, saved articles, notes, team feeds and preferences are stored in the EU and are not replicated outside it. The US-based providers on our subprocessor list receive only the specific, limited data described against each of them.

4.2 Artificial intelligence

Because this is the question customers ask most often, we answer it precisely:

  • Article classification and summarisation is performed by Anthropic (Claude). We send it the text of published source articles only. No user data and no user identifier is sent to Anthropic.
  • Semantic search is performed by Voyage AI. The search text you type — including the keywords of a Custom Lens when you open it — is sent to Voyage so it can be matched against our index. No user identifier accompanies it.
  • Your reading behaviour, private notes and team feeds are never sent to any AI provider. Feed personalisation is computed entirely inside our EU database.
  • Anthropic does not use data submitted through its commercial API to train its models.

For details of the safeguards that apply to any individual processor, contact us at [email protected].

5. Cookies and Local Storage

Lexlens uses minimal cookies and local storage, strictly limited to what is necessary to provide the service. We do not use advertising cookies, social media cookies, or third-party tracking cookies.

  • Session cookie (session) — a secure, HTTP-only cookie containing a signed authentication token, set when you sign in with an email address and password. Expires after 7 days. Strictly necessary for the service to function.
  • Local storage token — the web app also keeps a signed authentication token in your browser's local storage, which it sends with each API request. If you sign in with Google, Apple or your organisation's SSO, this is the only token used and no session cookie is set. It is removed from your browser when you log out.
  • IndexedDB offline cache — articles cached for offline reading (24-hour expiry, device-only, never transmitted to our servers).

6. Data Retention

We retain your data only for as long as necessary to provide the service or comply with legal obligations.

  • Account data — retained while your account is active; deleted within 30 days of an account deletion request.
  • Usage data (saved, read, and important articles) — retained while your account is active; deleted with your account.
  • Email verification tokens — expire automatically after 24 hours.
  • Password reset tokens — expire automatically after 1 hour.
  • Offline cache — expires automatically after 24 hours on your device.
  • Push notification tokens — removed when you log out or uninstall the app.
  • Digest email logs — retained for service monitoring purposes and anonymised after 90 days.

7. Your Rights Under the GDPR

As a data subject in the European Economic Area you have the following rights. To exercise any of them, contact us at [email protected]. We will respond within 30 days.

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate personal data.
  • Right to erasure (Art. 17) — request deletion of your account and all associated personal data.
  • Right to restriction (Art. 18) — ask us to restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — withdraw consent for push notifications or digest emails at any time without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD — www.cnpd.pt) or the supervisory authority in your EU Member State.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Key measures include:

  • All connections encrypted with TLS/HTTPS
  • Passwords hashed using bcrypt (cost factor 12)
  • Authentication tokens are cryptographically signed, time-limited, and transmitted only over TLS
  • Rate limiting and account lockout on authentication endpoints
  • Biometric credentials stored exclusively in the iOS Keychain (hardware-encrypted by Apple's Secure Enclave)
  • Database access restricted to authorised services and encrypted at rest
  • Payment data handled exclusively by PCI DSS-compliant Stripe
  • Bot protection via Google reCAPTCHA v3

No method of transmission over the internet is 100% secure. If you become aware of a security concern relating to your account, please contact us immediately at [email protected].

9. Children's Privacy

Lexlens is a professional legal intelligence service and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

10. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or through the Lexlens platform at least 14 days before the changes take effect. The "last updated" date at the top of this page indicates when this policy was last revised. Continued use of the service after changes take effect constitutes acceptance of the revised policy.

11. Contact Us

For any questions about this privacy policy or our data practices, please get in touch:

We aim to respond to all enquiries within 5 business days.