This policy is available in English. A Dutch version (Nederlandstalige versie) is available on request at privacy@lex-aero.eu.
1. Who we are
lex-aero is operated by Projectus B.V., registered in the Netherlands (KvK: 62234447), with registered office at Torenallee 101, 5617 BR Eindhoven. For questions about this privacy policy, contact us at privacy@lex-aero.eu.
2. What data we collect
2.1 Account data
When you create an account, we collect your email address, optionally your full name and organisation, and your hashed password (managed by Supabase Auth).
2.2 Usage data
We store the search queries you submit, the AI-generated answers returned, and the source documents cited. This is necessary to provide the service and to improve answer quality.
2.3 Waitlist data
If you submit a waitlist request, we store your email address and optionally your organisation name.
2.4 Technical data
We collect standard web server logs including IP addresses, browser type, and request timestamps. These are retained for a maximum of 90 days for security and debugging purposes.
3. Legal basis (AVG / GDPR)
We process your personal data on the following legal bases:
Performance of contract (Art. 6(1)(b) GDPR) — for account data and query history necessary to deliver the service.
Legitimate interests (Art. 6(1)(f) GDPR) — for technical logs used for security monitoring and abuse prevention.
Consent (Art. 6(1)(a) GDPR) — for marketing communications, which you can withdraw at any time.
4. How we use your data
To provide and improve the lex-aero service
To send transactional emails (account creation, password reset, invite links)
To detect and prevent fraudulent or abusive use
To comply with legal obligations
We do not sell your personal data to third parties. We do not use your queries to train AI models.
5. Data processors
We use the following sub-processors, all of whom process data under adequate data protection agreements:
Supabase Inc. — database and authentication (EU region: Frankfurt, Germany)
Vercel Inc. — frontend hosting (EU region available)
Anthropic PBC — AI answer generation (queries are sent to the Claude API; Anthropic does not use API data for training by default)
Voyage AI Inc. — query embedding generation
Resend Inc. — transactional email delivery
6. Data retention
Account data: retained for the duration of your account plus 30 days after deletion
Query history: retained for 12 months, then anonymised
Waitlist requests: retained until processed, then deleted or converted to an account
Technical logs: maximum 90 days
7. Your rights
Under the GDPR, you have the right to:
Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate data
Erasure — request deletion of your data ("right to be forgotten")
Portability — receive your data in a machine-readable format
Objection — object to processing based on legitimate interests
Restriction — request that we limit processing of your data
To exercise any right, email privacy@lex-aero.eu. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
8. Cookies
We use strictly necessary cookies for authentication sessions. See our Cookie Policy for details.
9. Changes to this policy
We may update this policy from time to time. We will notify registered users by email of material changes at least 14 days in advance.