Privacy Policy

How LegisDex collects, uses, stores, and shares personal data when you use the website, apps, APIs, and related services.

Last updated: April 29, 2026

1. Overview

This Privacy Policy explains how LegisDex collects, uses, stores, and shares personal data when you use our website, apps, APIs, and related services (the "Service").

2. Information We Collect

  • Account and authentication data: name, email address, hashed password, account role, authentication identifiers, provider account identifiers, email verification status, OAuth provider tokens when needed for sign-in flows, and two-factor authentication settings.
  • Profile, onboarding, and preference data: profile image, locale, time zone, company name, job title, industry, team size, primary use case, saved AI model preference, sharing defaults, retention settings, and tracker notification preferences.
  • Service content: prompts, chat history, message parts, message ratings, file attachments, shared chat metadata, compliance playbooks and rules, uploaded compliance contracts and analysis runs, and tracker records such as projects, contracts, financial fields, legal terms, claims, milestones, and areas of concern that you create or submit.
  • Billing data: Stripe customer/subscription identifiers, plan and billing status (we do not store full card numbers).
  • Technical and usage data: IP address, request metadata, cookies/session tokens, device/browser details, analytics, and rate-limit/security logs.

3. How We Use Information

  • Provide, operate, and maintain chat, compliance, tracker, account, and sharing features.
  • Authenticate users, support sign-in methods you choose, and protect account security.
  • Personalize the product using saved profile, onboarding, model, time-zone, and notification settings.
  • Process payments, subscriptions, and plan-based feature access.
  • Send transactional emails such as verification and password reset messages, and tracker digest emails if you enable them.
  • Generate shared chat links, provide data exports, and apply retention or sharing settings that you configure.
  • Improve product quality, reliability, and performance.
  • Detect abuse, rate-limit usage, enforce policies, and comply with law.

4. Legal Bases (Where Applicable)

Depending on your location, we process personal data based on: performance of a contract, legitimate interests (such as security and service improvement), consent where required, and compliance with legal obligations.

5. Sharing and Account Controls

The Service includes controls that let you manage how certain data is used or exposed:

  • You can create read-only shared chat links. Anyone with the tokenized link may view that shared page until you revoke it or it expires. New shared-link tokens are stored as keyed hashes rather than reusable plaintext token values.
  • You can disable creation of new shared links and set default expiry periods in account settings.
  • You can configure tracker alert preferences, muted projects or categories, and email digest cadence.
  • You can export account-related data from settings. Export payloads currently include account, chat, tracker, and compliance records associated with your account.
  • You can request deletion of your account from settings, subject to any records we must retain for legal, security, or billing purposes.

6. Third-Party Service Providers

We use third-party service providers to run the platform, including:

  • Authentication and identity services (including NextAuth and Google OAuth when selected by you).
  • Payment processing and subscription billing (Stripe).
  • Email delivery (Resend).
  • Scheduled delivery tooling for tracker digests when enabled by you (Upstash QStash).
  • Hosting, performance, and analytics tooling (Vercel services).
  • Database, cache, and rate-limiting infrastructure.
  • AI model providers used to generate responses.

We do not sell your personal information for money.

7. Cookies and Similar Technologies

We use cookies and similar mechanisms for authentication, session management, security, and analytics. You can control cookies through browser settings, but disabling certain cookies may limit Service functionality.

8. Data Retention

  • Account, billing, tracker, and compliance records are retained for as long as needed to provide the Service, maintain operational records, resolve disputes, and meet legal obligations.
  • Chat retention can be configured in account settings. If you set a chat retention period, older chats may be pruned based on that setting.
  • Shared chats may include an expiry date. Expired shared chats can be removed automatically, and you can revoke active shared links from your settings.
  • Account data exports are available from settings and are currently rate limited to once every 24 hours.

9. Security

We apply technical and organizational security measures designed to protect personal data. These include account authentication, session controls, optional two-factor authentication for eligible password-based accounts, and abuse-prevention controls such as rate limiting. No system is perfectly secure, so we cannot guarantee absolute security.

  • Passwords are stored as password hashes rather than plaintext passwords.
  • Selected sensitive stored fields are encrypted at rest using AES-256-GCM, including persisted chat content, uploaded compliance contract data, compliance analysis source/evaluation data, two-factor authentication secrets, and OAuth provider tokens.
  • New email verification, password reset, and shared-chat link tokens are stored as keyed hashes. During migration, older plaintext token records may still be accepted until replaced, used, revoked, or expired.

10. Your Rights and Choices

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, object to processing, or export your personal data, and to withdraw consent where processing relies on consent.

Within the product, you can currently update account profile and onboarding information, change model preferences, manage tracker alert and digest settings, control chat sharing defaults and retention, export account data, revoke shared links, and submit an account deletion request.

To exercise these rights, contact info@legisdex.com. We may need to verify your identity before processing requests.

11. International Data Transfers

Your data may be processed in countries other than your own. Where required, we use safeguards designed to protect transferred personal data in accordance with applicable law.

12. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided personal data, contact us so we can investigate and take appropriate action.

13. Policy Updates

We may update this Privacy Policy periodically. We will update the "Last updated" date and provide additional notice when changes are material.

14. Contact

For privacy-related questions or requests, contact info@legisdex.com.