Privacy Policy
LexMoat — AI-Powered GDPR Compliance Platform
Effective Date: March 11, 2026
1. Introduction
LexMoat ("we," "our," or "us") operates the website lexmoat.ai and the LexMoat platform (collectively, the "Service"). We are committed to protecting your personal data and complying with applicable data-protection legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and relevant US state privacy laws.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have. By accessing or using the Service you acknowledge that you have read and understood this policy.
2. Data Controller
The data controller responsible for your personal data is:
LexMoat (Spain)
Email: [email protected]
Website: lexmoat.ai
If you have any questions about how we process your data or wish to exercise your rights, please contact us at the address above.
3. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Data You Provide Directly
- Account registration information: name, email address, company name, job title, and billing details.
- Information submitted via contact forms, support tickets, or in-app questionnaires (e.g., data-mapping surveys for GDPR document generation).
- Business data you upload or provide for GDPR compliance purposes (e.g., descriptions of processing activities, data-flow details, vendor lists).
- Payment and billing data processed through our third-party payment provider.
3.2 Data We Collect Automatically
- Technical identifiers: IP address, device type, browser type and version, operating system, screen resolution, and language preference.
- Usage data: pages visited, features used, session duration, click paths, and referral URLs.
- Log data: server access logs containing timestamps, HTTP request/response codes, and URLs accessed.
3.3 Data We Receive from Third Parties
- Single sign-on (SSO) providers (e.g., Google Workspace) if you choose to authenticate via a third-party identity provider.
- Integration partners (e.g., Jira, Linear, GitHub) when you connect your development tools for continuous-compliance workflows.
4. Purposes and Legal Bases for Processing
We process your personal data only where we have a lawful basis under the GDPR. The table below summarises our processing activities:
| Purpose | Categories of Data | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Providing and operating the Service | Account data, business data, usage data | Performance of a contract (Art. 6(1)(b)) |
| AI-assisted GDPR document generation and compliance audits | Business data you provide, usage data | Performance of a contract (Art. 6(1)(b)) |
| Expert review of generated documents (human-in-the-loop) | Business data provided for review | Performance of a contract (Art. 6(1)(b)) |
| Billing and payment processing | Billing details, transaction data | Performance of a contract (Art. 6(1)(b)) |
| Website analytics and performance monitoring | Technical identifiers, usage data | Legitimate interest (Art. 6(1)(f)) |
| Customer support and responding to enquiries | Contact-form data, correspondence | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (where consented) | Email address, name | Consent (Art. 6(1)(a)) |
| Security, fraud prevention, and abuse detection | Technical identifiers, log data | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Any relevant data | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted balancing tests to ensure that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting [email protected].
5. Recipients and Third-Party Processors
We share your personal data with the following categories of recipients, each acting as a data processor or independent controller as indicated:
| Recipient | Purpose | Country | Privacy Information |
|---|---|---|---|
| Cloudflare, Inc. | Web analytics (Cloudflare Web Analytics), CDN, security | United States | cloudflare.com/privacypolicy |
| Google LLC | Email delivery (Gmail / Google Workspace) | United States | policies.google.com/privacy |
| Payment processor (to be disclosed upon selection) | Subscription billing and payment processing | EEA / United States | Will be disclosed prior to processing |
| Cloud infrastructure provider | Hosting and data storage | EEA | Will be disclosed prior to processing |
| Integration partners (Jira, Linear, GitHub) | Continuous-compliance dev-tool integrations (only when enabled by client) | United States | Respective provider privacy policies |
We do not sell your personal data to any third party. We may also disclose data to law-enforcement or regulatory authorities where required by applicable law.
6. International Data Transfers
Your data may be transferred to, and processed in, countries outside the European Economic Area (EEA), the United Kingdom, or Switzerland — in particular the United States, where some of our processors are located.
Where such transfers occur, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
- An adequacy decision by the European Commission, where applicable.
- The EU–US Data Privacy Framework, for certified US recipients.
You may request copies of the relevant transfer mechanism by emailing [email protected].
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Our retention criteria are:
- Account and service data: retained for the duration of your active subscription and for 12 months after account deletion to allow for reactivation or dispute resolution, unless a longer period is required by law.
- Billing data: retained for the period required by applicable tax and accounting regulations (minimum 5 years under Spanish law).
- Analytics and log data: retained for a maximum of 26 months from collection, then aggregated or deleted.
- Contact-form enquiries: retained for 12 months after the last interaction, then deleted.
- Marketing consent records: retained for as long as consent is active, plus 3 years for proof-of-consent purposes.
When retention periods expire, data is securely deleted or irreversibly anonymised.
8. Website Analytics
We use Cloudflare Web Analytics to collect anonymised, aggregate usage statistics (page views, referral sources, country of origin). This service does not use cookies, does not collect personal data, does not track individual users, and is fully privacy-preserving. No consent is required under the ePrivacy Directive.
9. Your Rights as a Data Subject
Under the GDPR and applicable local laws, you have the following rights in relation to your personal data:
- Right of access (Art. 15 GDPR): obtain confirmation of whether we process your data and request a copy.
- Right to rectification (Art. 16 GDPR): correct inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): request deletion of your data where there is no compelling reason for continued processing.
- Right to restriction of processing (Art. 18 GDPR): restrict processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): object to processing based on legitimate interest, including profiling.
- Right to withdraw consent: where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority. In Spain, the competent authority is the Agencia Española de Protección de Datos (AEPD) at aepd.es. You may also contact the supervisory authority in your country of residence.
To exercise any of these rights, please email [email protected]. We will respond within one month, extendable by two further months for complex requests.
10. Opt-Out Mechanisms
Account deletion: request deletion of your account and associated data by emailing [email protected].
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Access controls and role-based permissions with the principle of least privilege.
- Regular security assessments, vulnerability scanning, and penetration testing.
- Incident-response procedures in accordance with Art. 33/34 GDPR.
- Staff training on data-protection and information-security best practices.
No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
12. Children's Privacy
The Service is not directed at individuals under the age of 16 (or 13 in jurisdictions where that threshold applies). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without verified parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact [email protected].
13. Use of Artificial Intelligence
LexMoat uses artificial intelligence (AI) to generate GDPR compliance documentation and perform compliance audits. Important points regarding AI and your data:
- Client data is not used for AI model training. We do not use the business data you provide to train, fine-tune, or improve general-purpose AI models without your explicit, separate consent.
- AI-generated outputs undergo expert review (human-in-the-loop) on applicable subscription tiers to ensure accuracy and legal validity.
- Self-service tier outputs include a disclaimer that they have not been reviewed by a legal professional.
For more details on how AI is used within the Service, please refer to our Terms of Use.
14. Region-Specific Disclosures
14.1 European Economic Area (EEA) and United Kingdom
If you are located in the EEA or UK, the GDPR (or UK GDPR) applies to our processing of your personal data. Your rights as described in Section 9 apply in full. Our lead supervisory authority is the Agencia Española de Protección de Datos (AEPD), Spain.
14.2 United States
If you are a resident of a US state with comprehensive privacy legislation (including but not limited to the California Consumer Privacy Act as amended by the CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and similar laws), you may have additional rights, including:
- The right to know what personal data we have collected and how it is used.
- The right to request deletion of your personal data.
- The right to opt out of the sale or sharing of personal data. We do not sell personal data.
- The right to non-discrimination for exercising your privacy rights.
To exercise these rights, please email [email protected]. We may verify your identity before processing your request. You may also designate an authorised agent to make a request on your behalf.
Do Not Track: Our website does not currently respond to "Do Not Track" browser signals.
15. Changes to This Privacy Policy
We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The "Effective Date" at the top of this policy indicates when it was last revised.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data-processing practices, please contact us at:
LexMoat
Email: [email protected]
Website: lexmoat.ai
We aim to respond to all enquiries within 30 days.