Privacy Policy

Download PDF

Last updated: April 10, 2026

Overview

Lex Redactus is built on a zero-knowledge architecture. We cannot see, access, or store your documents. This Privacy Policy explains what limited data we do collect and why.

What We Do NOT Collect

We never collect, transmit, or store:

  • Document content (PDFs, DOCX files, or any text you process)
  • Redacted output or annotated documents
  • Entity maps (the mapping between real names and anonymized tokens)
  • Any personally identifiable information from your documents

All document processing happens entirely on your local device. The Software does not make any network requests when processing documents.

What We Collect

We collect the minimum data necessary to operate the licensing and billing system:

Account Information

  • Email address (provided at purchase)
  • Stripe customer and subscription identifiers
  • Payment status (active, trialing, past due, canceled)

License Validation

  • License key
  • Device identifier (a hash unique to your machine — not reversible to hardware details)
  • Device name (e.g., "Tom's MacBook Pro")
  • App version
  • Timestamp of activation and periodic check-ins

Website Analytics

Our website may use privacy-respecting analytics (no cookies, no cross-site tracking). This includes page views, referrer, country, and browser type in aggregate form only. No individual user tracking is performed.

How We Use Your Data

  • To verify your subscription is active and authorize the Software
  • To enforce the device limit (2 devices per license)
  • To send transactional emails (purchase confirmation, payment issues)
  • To provide customer support when you contact us

We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not engage in cross-context behavioral advertising.

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data are:

  • Contract performance: Processing account and license data is necessary to provide the Software and fulfill our contractual obligations to you.
  • Legitimate interest: Processing device identifiers and check-in timestamps is necessary for license enforcement and fraud prevention.
  • Consent: Where required by law, we obtain your consent before processing. You may withdraw consent at any time.

Third-Party Services

We use the following third-party services, each of which processes limited data on our behalf:

  • Stripe (San Francisco, CA) — Payment processing. Stripe handles all credit card data directly. We never see or store your full card number. See Stripe's Privacy Policy.
  • Fly.io (Chicago, IL) — API hosting. Our license validation server runs on Fly.io infrastructure in the United States.

We do not share your data with any other third parties.

Data Retention

  • Active subscriptions: Account and license data is retained while your subscription is active.
  • After cancellation: Data is retained for 90 days to support reactivation, then permanently deleted.
  • Payment records: Transaction records may be retained for up to 7 years as required by tax and financial reporting laws.
  • Support correspondence: Retained for 2 years after the last interaction, then deleted.

Data Security

  • License validation uses RSA-signed JWT tokens transmitted over encrypted HTTPS connections
  • API requests include replay protection (timestamps, nonces)
  • Rate limiting on all endpoints to prevent abuse
  • Request validation and structured audit logging
  • Database encryption at rest (managed PostgreSQL)
  • No document content is ever transmitted or stored on our infrastructure

International Data Transfers

Our servers are located in the United States. If you access the Software from outside the United States, your license validation data (license key, device identifier, timestamps) will be transferred to and processed in the United States. By using the Software, you consent to this transfer. For EEA/UK users, transfers are conducted pursuant to Standard Contractual Clauses where required.

Your Rights

All Users

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have additional rights:

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to opt out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact privacy@lexredactus.com. We will respond within 45 days as required by CCPA.

EEA/UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you also have the right to:

  • Restrict processing of your personal data in certain circumstances
  • Object to processing based on legitimate interests
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your local data protection authority

To exercise these rights, contact privacy@lexredactus.com. We will respond within 30 days as required by GDPR.

Children

Lex Redactus is not intended for use by individuals under 18. We do not knowingly collect data from minors. If we learn we have collected data from a person under 18, we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or on our website at least thirty (30) days before taking effect. The "Last updated" date at the top indicates the most recent revision.

Contact

Questions about privacy? Contact us at:

Redactus Legal Inc
Email: privacy@lexredactus.com

For GDPR inquiries, you may also contact your local data protection authority.