Privacy Policy
Last Updated: May 19, 2026 · Effective: May 19, 2026
1. Introduction & Scope
LexGuard AI ("we," "us," "our") is an AI-powered compliance auditing platform that analyzes privacy policies and legal documents against India's Digital Personal Data Protection (DPDP) Act, 2023. This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our landing page, dashboard, API, or any related services.
This policy applies to all users — including visitors to our landing page who use the free audit widget, registered dashboard users, and enterprise API consumers. By using LexGuard AI, you acknowledge and agree to the practices described herein.
2. Data We Collect
We collect the minimum data necessary to deliver our services:
2.1 Account Information
When you create an account via Supabase Auth (email/password or Google OAuth), we store your email address, authentication tokens, and account metadata (e.g., credit balance, premium status). This data is managed by Supabase and stored in their infrastructure.
2.2 Documents Submitted for Audit
Policy text pasted into the landing-page widget or uploaded via the dashboard is transmitted to our backend for AI analysis. This content is processed ephemerally and is never stored permanently. See Section 3 for details.
2.3 Audit Results & Metadata
Compliance scores, flagged clauses, and audit metadata (timestamps, analysis IDs) are stored in our MongoDB database to enable report retrieval and credit tracking. Raw document text is not stored alongside results.
2.4 Lead Information
When you unlock a full report via the landing page widget, we collect your email (and optionally name/company) to facilitate delivery and communicate service updates.
2.5 Technical & Usage Data
We collect IP addresses (hashed for anonymous users), request timestamps, and anonymized usage metrics for rate limiting, security monitoring, and service improvement. We do not use third-party analytics trackers.
3. Ephemeral Processing & Data Minimization
LexGuard AI is engineered as a non-custodial auditing platform:
- Documents submitted for audit are held in memory only for the duration of inference processing.
- Session-scoped RAG vector indices (ChromaDB) are purged upon session termination.
- Raw policy text is never written to persistent storage, logs, or backup systems.
- IP addresses for anonymous users are SHA-256 hashed before any processing or storage.
4. No Model Training
Critical Commitment: We never use your uploaded documents, legal clauses, audit results, or any user-submitted content to train, fine-tune, or improve any AI/ML models — including our own systems or any third-party models (Google Gemini, Groq Llama). Your proprietary legal data remains entirely yours.
5. Third-Party Data Processors
We use the following third-party services to deliver LexGuard AI:
| Provider | Purpose | Data Retention |
|---|---|---|
| Google Gemini | Primary LLM inference | Ephemeral (not retained) |
| Groq (Llama 3) | Fallback LLM inference | Ephemeral (not retained) |
| Supabase | Authentication & user management | Per Supabase policy |
| MongoDB Atlas | Audit metadata & credits | Active account duration |
| Vercel | Frontend hosting & serverless proxy | Standard CDN logs |
| AWS EC2 | Backend compute | No persistent user data |
6. Cookies & Local Storage
LexGuard AI uses browser local storage to persist Supabase authentication sessions. We do not deploy third-party tracking cookies, advertising pixels, or fingerprinting technologies. The Feedi feedback widget may set its own minimal cookies — please refer to Feedi's privacy policy for details.
7. Security Measures
- All data in transit is encrypted via TLS 1.3.
- API endpoints are protected by per-IP rate limiting (SlowAPI).
- Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options) are enforced on all responses.
- Suspicious request patterns (e.g., .env/.git probing) are logged and monitored.
- License keys are stored as SHA-256 hashes — raw keys are never persisted.
8. Your Rights under DPDP 2023
As a Data Principal under the DPDP Act 2023, you have the right to:
- Access — Request a summary of personal data we hold about you.
- Correction — Request rectification of inaccurate personal data.
- Erasure — Request deletion of your account and associated data.
- Grievance Redressal — Lodge a complaint with our Data Protection Officer.
- Nomination — Nominate a representative to exercise rights on your behalf.
Since we do not retain your uploaded documents, data access/erasure rights primarily apply to account information and lead data.
9. Data Retention
Account data is retained for the duration of your active account. Lead capture data is retained for up to 24 months for business communication purposes. Audit metadata (scores, timestamps) is retained to support your dashboard history. You may request deletion at any time by contacting us.
10. Children's Privacy
LexGuard AI is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users or through a prominent notice on our landing page. Continued use of LexGuard AI after changes constitutes acceptance of the updated policy.
12. Contact & Data Protection Officer
For any privacy-related inquiries, data access requests, or to exercise your DPDP 2023 rights, please contact:
Sujal Meena — Data Protection Officer
Email: meenasujal60@gmail.com
We aim to respond to all data protection requests within 72 hours.