
Privacy Policy

OpenLaw AI, Inc. (“OpenLaw AI,” “we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Lexi AI platform and related services.

Effective Date: March 27, 2026
Last Updated: March 27, 2026

1. Information We Collect

We collect only the information necessary to provide, maintain, and secure the Lexi AI platform.

1.1 Information You Provide

  • Account Information: Name, email address, phone number, firm name, and role when you create an account or are invited to join a firm.
  • Payment Information: Billing details processed through our third-party payment processor (Stripe). We do not store full credit card numbers on our servers.
  • Firm and Case Data: Documents, workflows, passwords, integrations, and other data you provide through the Lexi AI platform in the course of using our services.
  • Connection Credentials: OAuth tokens, access/refresh tokens, and credentials for third-party integrations you enable (e.g., Slack, Clio, Google Workspace). Integrations in Lexi AI may be workspace-shared; related credentials and tool settings may be available for use by authorized members of that workspace through Lexi AI.
  • Communications: Support requests, feedback, and correspondence you send to us.

1.2 Slack Workspace and User Information

When you install or use Lexi AI in Slack, we may store:

  • Slack workspace identifiers (e.g., workspace/team ID) and limited workspace metadata needed to operate the integration.
  • Administrator information for the person who installs Lexi AI (name and email address as provided by Slack).
  • User identifiers for users who interact with Lexi AI (e.g., Slack user ID, display name, and email address if provided by Slack).
  • Slack-to-internal user mapping data to associate actions and permissions with users.

1.3 Slack Message Content

When you interact with Lexi AI in Slack, we access message content from channels where Lexi AI is invited, direct messages to the bot, and thread replies. This data is used to process your requests, maintain conversation context, and provide the service.

1.4 Information Collected Automatically

  • Usage Data: Pages visited, features used, timestamps, and interaction patterns.
  • Device Information: Browser type, operating system, device identifiers, and IP address.
  • Service Logs: Timestamps, error logs, request/response metadata, tasks executed, and feature usage signals needed to operate and improve reliability.
  • Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain sessions, remember preferences, and analyze usage.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Lexi AI platform
  • Authenticate users and workspaces and maintain integrations you enable
  • Process transactions and manage your account
  • Communicate with you about your account, support requests, and service updates
  • Improve and personalize the platform experience
  • Ensure the security and integrity of our services
  • Comply with legal obligations and enforce our terms

2.1 AI Processing

Relevant portions of Customer Data may be processed by AI systems to produce responses, reports, and other outputs at your direction. We do not use Customer Data for advertising. We do not train our own or third-party foundation models on Customer Data.

3. How We Share Your Information

We do not sell your personal information. We may share information with:

  • Your Firm: If you are part of an enterprise firm on Lexi AI, certain information (such as shared passwords, workflows, and activity) may be visible to other firm members and firm owners as described in our platform features.
  • Legal Requirements: When required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights or the safety of others.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

3.1 Sub-Processors

We use the following sub-processors to host, operate, and support the Lexi AI platform. These providers may process Customer Data on our behalf solely to provide, secure, and support the service.

| Sub-Processor | Service / Purpose | Data Potentially Processed |
|---|---|---|
| Slack | Core platform integration (OAuth, messaging, app functionality) | Slack messages and metadata in channels/DMs where Lexi AI is used |
| Google Cloud / Firebase | Hosting, authentication, database, storage, Cloud Functions | Service data, user accounts, stored firm data, logs |
| Vercel | Web hosting, frontend infrastructure, edge network | Request metadata, logs, and content required to serve the application |
| Stripe | Payments and billing | Billing contact info, transaction metadata (payment details handled by Stripe) |
| OpenAI | AI/LLM provider for natural language processing | Prompts and context necessary to generate AI responses |
| Anthropic | AI/LLM provider for natural language processing | Prompts and context necessary to generate AI responses |
| Google (Gmail / Drive / Calendar) | Integrations (if enabled by customer) | Data accessed via integration scopes authorized by customer |
| Microsoft (Outlook / OneDrive) | Integrations (if enabled by customer) | Data accessed via integration scopes authorized by customer |
| Clio | Legal practice management integration (if enabled by customer) | Case, contact, and matter data authorized by customer |
| DocuSign | Document signing integration (if enabled by customer) | Document and signing data authorized by customer |
| QuickBooks | Finance/accounting integration (if enabled by customer) | Accounting records authorized by customer |
| Dropbox | Cloud storage integration (if enabled by customer) | Files and metadata authorized by customer |
| Pipedream | Integration orchestration and workflow automation | Integration metadata and API requests |

3.2 AI Technology Partners (LLM Providers)

When you invoke AI features, relevant portions of data (e.g., the prompt and context needed to generate an output) may be sent to third-party AI providers. We require these providers to use your data only to provide the requested service and not for advertising or training their general models.

  • LLM models used: OpenAI GPT-4o, OpenAI o1, Anthropic Claude (Sonnet & Opus families). The specific model used depends on the nature of the request and may change as we optimize for quality and performance.
  • Data tenancy: Customer Data is processed in isolated API requests and is not shared with or visible to other customers. Each request is stateless and scoped to the individual user or firm context.
  • Data residency: AI providers process data in the United States or other regions used by those providers in accordance with their enterprise/API terms. OpenLaw AI's primary infrastructure is hosted in the United States.
  • Data retention by AI providers: AI providers may temporarily retain data in accordance with their API retention policies for security and abuse monitoring. Under our enterprise API agreements, OpenAI retains API data for up to 30 days for abuse monitoring purposes only, and Anthropic applies similar short-term retention policies. Data is not used for model training.
  • No training: Customer Data is not used to train or improve any AI provider's foundation models. We use API-tier access with zero-data-retention or abuse-only-retention agreements with all LLM providers.

4. Data Storage and Security

4.1 Data Center Location

United States. Customer Data is stored with reputable cloud service providers in U.S. regions.

4.2 Security Measures

We maintain industry-standard safeguards, including:

  • Encryption in transit (TLS 1.2+ / 1.3)
  • Encryption at rest (AES-256 with cloud-provider key management)
  • Access controls (role-based access, multi-factor authentication, least-privilege access)
  • Audit logging and monitoring
  • Incident response processes, including notification to affected customers and/or authorities where required by applicable law

You are responsible for maintaining appropriate security in your connected workspaces (e.g., limiting Slack channel access, managing admin permissions). For more details, see our Security & Compliance page.

5. Data Retention

5.1 Active Systems

We retain your personal information for as long as your account is active or as needed to provide services. When an account is closed or we receive a validated deletion request, we delete Customer Data from active production systems within 30 days.

5.2 Backups

Encrypted backups are used only for business continuity. Remaining copies are removed as encrypted backups age out on their normal rotation (approximately 35 days), after which they are automatically overwritten or purged.

5.3 LLM Retention

Lexi AI is configured to minimize data retention by LLM providers. Under our enterprise API agreements, OpenAI may retain API input/output data for up to 30 days for abuse and safety monitoring only. Anthropic applies similar short-term retention under their API data usage policies. Neither provider retains Customer Data for model training, and data is deleted after the applicable monitoring period.

5.4 Derived Data

Derived or transformed data (such as indexes, embeddings, or other internal representations) will be deleted or disassociated from Customer Data when the underlying Customer Data is deleted, subject to backup retention and legal obligations.

5.5 Exports

Where legally permitted, customers may request an export of their data prior to deletion.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access and Correction: Request a copy of the personal data we hold about you, and request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, including workspace files, conversation threads, and related records. For workspace-level Customer Data, we may require the request to come from an authorized workspace administrator or account owner.
  • Portability: Where required by law, request your data in a structured, machine-readable format.
  • Opt-Out: Opt out of non-essential cookies and marketing communications.
  • Authorized Agents: If permitted by law, you may designate an authorized agent to submit requests on your behalf.

To exercise any of these rights, contact us at privacy@openlaw.com or through our support page. We will respond within the timeframe required by applicable law (typically within 45 days).

7. GDPR Compliance

If you are located in the European Economic Area (EEA) or UK, we process your personal data under lawful bases including consent, contractual necessity, and legitimate interests. You have the right to object to certain processing, request restriction of processing, and lodge a complaint with your local data protection authority.

8. CCPA / CPRA Compliance

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. Residents of certain U.S. states may have additional rights to access, correct, and opt out of certain data uses. To make a request, contact privacy@openlaw.com. We will not discriminate against you for exercising applicable privacy rights.

9. Children's Privacy

Lexi AI is not intended for use by individuals under the age of 18 (or the age of majority in their jurisdiction, if higher). We do not knowingly collect personal information from minors. If we learn that we have collected data from a minor, we will delete it promptly.

10. Third-Party Integrations

Lexi AI may integrate with third-party services (e.g., Slack, Microsoft Teams, Google Workspace, Clio). When you connect a third-party service, that service's privacy policy governs its use of your data. We encourage you to review the privacy policies of any third-party services you connect.

11. Slack Marketplace Compliance

Lexi AI accesses the following Slack data:

| Data Type | Purpose |
|---|---|
| Messages in channels where Lexi AI is invited | Process requests and provide AI assistance |
| Direct messages to the bot | Respond to direct interactions |
| Thread replies | Maintain context for requested actions |
| User profile information | Identify users and personalize responses |
| Channel information | Understand context and permissions |
| File metadata and files (if you request) | Process attachments and uploads/downloads |

Our Commitments

  • We use Slack data only to provide and operate the Lexi AI service.
  • We do not sell Slack data.
  • We do not use Slack data for advertising.
  • We affirm that Slack APIs are not used to develop, improve, or train generalized AI and/or ML models.
  • We do not train our own or third-party foundation models on Customer Data.

Revoking Access

You can uninstall Lexi AI or revoke access at any time in Slack App Management. After revocation, we stop collecting new Slack data immediately. Uninstalling or revoking access does not by itself delete previously stored data. If your account is deleted or closed, or we receive a verifiable deletion request, we delete previously stored data in accordance with Section 5 (Data Retention).

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by appropriate means (e.g., notifying workspace administrators and/or emailing the address associated with the account). We will post the updated policy on this page and update the “Last Updated” date. Your continued use of Lexi AI after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:
