1. Information We Collect
We collect information when you create an account, use our platform, interact with our attorney directory, or contact us. The categories of information we collect depend on how you use Lexfora.
1.1 Account and Profile Information
- Attorneys and Firm Admins: Full name, email address, phone number, firm name, firm size, practice areas, bar number, bar state, law school, years of experience, office address, website URL, professional bio, and profile photo.
- Firm Staff: Name, email address, assigned role (e.g., paralegal, billing clerk), and permissions.
- Service Providers: Business name, provider type (e.g., court reporter, expert witness), description, website, and contact information.
- Clients (via Client Portal): Name, email address, phone number, and any information submitted through portal forms or shared with the attorney on the platform.
1.2 Practice Management Data
When attorneys and their teams use Lexfora to manage their practice, we store data they create on the platform, including:
- Matter and case records (matter name, status, practice area, billing type)
- Client records and contact information entered by attorneys
- Lead intake records
- Time entries and activity logs
- Tasks, deadlines, and calendar events
- Documents and files uploaded to the platform
- Notes, playbook templates, and communications
- Electronic signature records
- Statute of limitations and filing deadline tracking data
1.3 Billing and Payment Information
- Subscription plan, billing cycle, and payment history for Lexfora subscriptions.
- Invoice records, expense records, and payment records created within the platform for the attorney's own clients.
- Payment processing is handled by Stripe. We do not store raw credit card numbers; Stripe manages and encrypts all card data under PCI DSS standards.
- Trust account ledger entries and IOLTA transaction records.
1.4 AI Feature Data
- AI Time Capture: If you connect Google Calendar, we access the titles and dates of calendar events solely to suggest time entries. We do not access email content, calendar descriptions, attendee lists, or any other calendar data beyond event titles and times.
- AI Bio and Headline Tools: We process the text content you provide (draft bio, firm details) to generate suggestions. This content is not used to train AI models.
1.5 Usage and Technical Data
- Pages visited, features used, and time spent on the platform
- IP address, browser type, operating system, and device information
- Referring URLs and search terms used to find us
- Error logs and crash reports (processed by Sentry)
- Product analytics events (processed by PostHog, consent-gated for marketing/analytics cookies)
1.6 Communications
- Emails and messages you send to our support team or through our contact form
- Support ticket content and resolution history
- Waitlist and newsletter sign-up information (email address and preferences)
2. How We Use Your Information
We use the information we collect only to the extent necessary to provide and improve our services. Specifically:
2.1 Providing the Platform
- Creating and managing your account and firm workspace
- Storing and retrieving your matters, clients, time entries, and other practice data
- Processing subscription payments and managing billing through Stripe
- Generating invoices, expense reports, and billing statements
- Facilitating trust account ledger management
- Delivering video consultation sessions via Daily.co
- Powering the attorney directory and enabling potential clients to contact you
- Operating the service provider marketplace
- Providing the client portal and enabling document sharing between attorneys and clients
2.2 AI-Powered Features
- Analyzing connected calendar event titles to suggest billable time entries (AI Time Capture)
- Generating professional bio and headline suggestions for directory profiles (AI Bio and Headline tools)
- Providing a profile completeness score and guided improvement recommendations (AI Completeness Coach)
2.3 Communications
- Sending transactional emails (account confirmation, password reset, billing receipts)
- Delivering product updates, changelog notifications, and feature announcements
- Sending marketing communications where you have opted in (you may unsubscribe at any time)
- Responding to support requests and feedback
- Sending SOL deadline alerts and calendar reminders
2.4 Platform Improvement and Security
- Analyzing usage patterns to improve product features and UX
- Detecting and preventing fraud, abuse, and security threats
- Debugging errors and improving platform stability
- Conducting internal analytics and reporting
2.5 Legal and Compliance
- Complying with applicable laws and regulations
- Responding to lawful requests from courts, regulators, or law enforcement
- Enforcing our Terms of Service
- Maintaining audit logs for security and compliance purposes
3. Legal Basis for Processing
For users in the European Economic Area (EEA), the United Kingdom, or other jurisdictions requiring a lawful basis for processing personal data, we process your data on the following grounds:
- Performance of a Contract: Processing that is necessary to provide you with the services you have subscribed to, including account management, practice data storage, billing, and platform functionality.
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services, detecting fraud, maintaining security, and sending product update communications to existing customers — where these interests are not overridden by your rights.
- Consent: Processing that is based on your freely given, specific, and informed consent — including analytics cookies, marketing emails, and AI calendar access. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal Obligation: Processing necessary to comply with applicable laws, including financial record-keeping, tax reporting, and responding to lawful legal process.
4. Third-Party Services
We use the following third-party service providers. Each provider processes data on our behalf under their own privacy policies and, where applicable, data processing agreements:
Infrastructure
- Supabase: Database, authentication, and file storage. Data is encrypted at rest and in transit. Supabase Privacy Policy
- Vercel: Web hosting, edge network, and deployment. Vercel Privacy Policy
Payments
- Stripe: Payment processing for subscriptions and client invoice payments. Stripe is PCI DSS Level 1 certified. We do not store raw card data. Stripe Privacy Policy
Communications
- SendGrid (Twilio): Transactional and marketing email delivery. Twilio Privacy Policy
Analytics and Monitoring
- PostHog: Product analytics and feature flag management (consent-gated). PostHog Privacy Policy
- Google Analytics: Website traffic analytics (consent-gated). Google Privacy Policy
- Sentry: Application error monitoring and performance tracing. Error reports may contain technical metadata but are not used for advertising. Sentry Privacy Policy
Video
- Daily.co: Real-time video and audio for video consultation sessions. Media streams are end-to-end encrypted where supported. Daily.co Privacy Policy
Mapping
- Mapbox: Interactive maps for the attorney directory search and radius filtering. Mapbox Privacy Policy
Optional Integrations
You may optionally connect third-party practice management tools (Clio, MyCase, QuickBooks) or Google Calendar. When you authorize these integrations, data is exchanged between Lexfora and those services under the terms of your agreements with each provider.
6. Your Rights
Regardless of where you are located, you have the following rights with respect to your personal information:
- Right of Access: Request a copy of the personal information we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal information.
- Right to Erasure: Request deletion of your personal information, subject to legal retention obligations.
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another service.
- Right to Restriction: Request that we restrict the processing of your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests, including direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is consent-based, without affecting the lawfulness of prior processing.
- Right to Opt Out of Marketing: Unsubscribe from marketing emails via the unsubscribe link in any email or by contacting us directly.
To exercise any of these rights, please contact us through our privacy contact form or through our Contact form. We will respond within 30 days.
7. GDPR / EU and UK Rights
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal data. GradeCircle acts as a data controller for the personal data of its subscribers and as a data processor for the personal data of attorneys' clients that is stored on the platform at the attorney's direction.
In addition to the general rights described in Section 6, EEA and UK residents have the following additional rights:
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have processed your personal data in violation of the GDPR.
- Right to Object to Automated Decision-Making: If any decisions affecting you are made solely by automated means (with no human review), you have the right to request human intervention.
For GDPR-related inquiries, please contact us through our privacy contact form. If our processing activities require a formal Data Processing Agreement (DPA) for your organization, please contact us to request one.
8. CCPA / California Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
- Right to Know: The right to know what personal information we collect, use, disclose, and share about you.
- Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: The right to request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell your personal information to third parties and do not share personal information for cross-context behavioral advertising. There is nothing to opt out of under this right.
- Right to Limit Use of Sensitive Personal Information: Where we process sensitive personal information (such as government IDs like bar numbers), we use it only for the purposes of providing our services.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your California privacy rights, please contact us through our privacy contact form or through our Contact form. We will respond within 45 days as required by law.
9. Data Security
We implement multiple layers of security to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at Rest: Data stored in our database is encrypted at rest by Supabase.
- Row-Level Security (RLS): Our database enforces row-level security policies that ensure users can only access data belonging to their own organization.
- Authentication: Account authentication is handled by Supabase Auth with support for multi-factor authentication (MFA).
- Payment Security: All payment data is handled exclusively by Stripe, which maintains PCI DSS Level 1 compliance. We never store raw payment card numbers.
- Access Controls: Internal access to production data is restricted to authorized personnel on a need-to-know basis.
- Monitoring: We monitor our systems for anomalies, unauthorized access attempts, and security incidents using automated tooling and error tracking (Sentry).
No method of data transmission or storage is 100% secure. If you discover a security vulnerability, please report it promptly through our security contact form.
10. Data Retention
We retain your information for as long as necessary to provide our services and meet our legal obligations. Specific retention periods by data category:
- Account and Profile Data: Retained for the duration of your active subscription plus 12 months after account closure, to allow for reactivation or data export. After that period, account data is permanently deleted unless a longer period is required by law.
- Practice Management Data (matters, clients, time entries, documents): Retained as long as your account is active. Upon cancellation, data remains accessible for 30 days for export, after which it is scheduled for permanent deletion.
- Billing and Financial Records: Subscription billing records and invoice data are retained for 7 years to comply with IRS record-keeping requirements and applicable state financial regulations.
- Audit Logs: Security and access audit logs are retained for 3 years.
- Cookie Consent Records: Consent records are retained for 3 years from the date of consent to support compliance verification.
- Analytics Data: Product analytics data (PostHog) is retained according to our configured retention settings (12 months by default). Google Analytics data retention follows Google's applicable policies.
- Support Communications: Support tickets and email correspondence are retained for 2 years.
- Trust Account Records: Trust account ledger data is retained for the period required by applicable state bar rules, which is typically 5–7 years. See Section 13 for more detail.
You may request early deletion of your personal data at any time, subject to our legal retention obligations. Deletion requests will be processed within 30 days.
11. Client Data and Attorney Obligations
When attorneys use Lexfora to manage their own clients' data (client records, matter files, communications, and similar information), the attorney's law firm acts as the data controller for that client data and GradeCircle acts as a data processor, processing data solely on the attorney's instructions.
Attorneys using Lexfora are responsible for:
- Complying with their own applicable privacy laws and bar ethics rules regarding client confidentiality (e.g., ABA Model Rules 1.6, 1.15, and applicable state equivalents)
- Obtaining any client consents required to store client data on cloud-based platforms
- Ensuring their use of the platform is consistent with applicable professional responsibility rules in their jurisdiction
- Promptly exporting or requesting deletion of client data upon termination of the attorney-client relationship as required by applicable rules
Law firms that require a formal Data Processing Agreement (DPA) to comply with GDPR, CCPA, or other data protection laws may contact us through our privacy contact form.
12. AI Features and Data
Lexfora includes AI-powered features designed to assist attorneys with time capture and profile presentation. We are committed to responsible AI use:
- AI Time Capture — Calendar Access: When you authorize connection to Google Calendar, Lexfora retrieves only event titles and times. We do not access email content, event descriptions, meeting notes, attendee information, or any other calendar or email data. Calendar access is used solely to suggest draft time entries for your review; all suggested entries require explicit approval before they are created. You may revoke calendar access at any time from your settings.
- AI Bio and Headline Suggestions: The text you provide is used only to generate suggestions in that session. It is not stored beyond the generation request, not used to profile you for advertising, and not used to train any AI model.
- No Training on Your Data: We do not use your practice management data, client data, or professional content to train AI models — including any underlying third-party AI model providers we may engage.
- Human Review Required: All AI-generated suggestions (time entries, bio text, headlines) require explicit human review and approval before taking effect. Attorneys retain full responsibility for the accuracy and bar-rule compliance of any content they publish.
13. Trust Account Data
Lexfora provides tools for tracking IOLTA and other trust account ledgers. Trust account records — including deposits, disbursements, and reconciliation data — are highly sensitive and are treated with the highest level of data protection on our platform:
- Trust account data is subject to the same encryption, RLS, and access controls described in Section 9.
- Trust account records are retained for the period required by applicable state bar rules for IOLTA record-keeping, which typically ranges from 5 to 7 years depending on the jurisdiction.
- Lexfora is a record-keeping and ledger tool. We are not a bank, escrow agent, or financial institution, and we do not hold, manage, or disburse client funds on the attorney's behalf.
- Attorneys are solely responsible for ensuring their trust accounting practices comply with the professional responsibility rules of their state bar, including three-way reconciliation requirements.
14. International Transfers
GradeCircle is based in the United States. Your information may be transferred to and processed in the United States or other countries where our service providers operate (see Section 4). These countries may have data protection laws that differ from those in your country.
For transfers of personal data from the EEA, UK, or Switzerland to the United States or other third countries, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): Where required, we enter into Standard Contractual Clauses approved by the European Commission with our data processors and sub-processors to ensure adequate protection for transfers to third countries.
- Adequacy Decisions: Where available, we rely on adequacy decisions issued by the European Commission for transfers to specific countries.
- Sub-Processor SCCs: Our key sub-processors (e.g., Supabase, Stripe, Vercel) have their own transfer mechanisms and commitments for international data transfers described in their respective privacy policies.
You may request a copy of the safeguards we have put in place for international transfers by contacting us through our privacy contact form.
15. Children's Privacy
Lexfora is a professional platform intended exclusively for licensed legal professionals, their staff, and adult clients. Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a minor, we will take steps to delete it promptly. If you believe a minor has provided us with personal information, please contact us through our privacy contact form.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, product features, or applicable law. We will indicate the effective date of the current version at the top of this page.
For material changes — those that significantly affect your rights or how we use your data — we will provide at least 30 days' advance notice via email (to the address associated with your account) and/or a prominent notice on our website. Your continued use of Lexfora after the effective date of a revised policy constitutes your acceptance of those changes.
17. Contact Us
For questions about this Privacy Policy, to exercise your data rights, or to request a Data Processing Agreement, please contact:
GradeCircle
Privacy Inquiries
123 Main St, Suite 100, Austin, TX 78701
Reach us through our privacy contact form. We aim to respond to all privacy inquiries within 30 days.

