Privacy Policy
Last Updated: November 27, 2025
Your privacy matters to us. This Privacy Policy explains how QueryLex collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
GDPR Compliance: QueryLex is fully committed to protecting your privacy rights under GDPR. All data is stored in the EU (Paris, France), and you have full control over your personal data including the right to access, export, and delete it at any time.
Table of Contents
- 1. Data Controller
- 2. Personal Data We Collect
- 3. Purposes of Processing
- 4. Legal Basis for Processing
- 5. Data Retention
- 6. Third-Party Service Providers
- 7. International Data Transfers
- 8. Your Rights Under GDPR
- 9. Security Measures
- 10. Cookies and Tracking
- 11. Children's Privacy
- 12. Changes to This Policy
- 13. Contact Information
1. Data Controller
The data controller responsible for your personal data is:
QueryLex
Email: andrius@querylex.com
Website: https://querylex.com
For any questions or concerns about your personal data, please contact us at the email address above.
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account Information
| Data Type | Description | Purpose |
|---|---|---|
| Email Address | Your registered email | Account authentication, communications |
| Username | Your chosen display name | Account identification |
| Full Name | Your legal name (optional) | Personalization, invoicing |
| Company | Your organization (optional) | Business context, invoicing |
| Job Title | Your role (optional) | Service customization |
| Password | Hashed, never stored in plain text | Account security |
2.2 Service Usage Data
| Data Type | Description | Retention |
|---|---|---|
| Chat Sessions | Your conversation history with AI | Until account deletion |
| Messages | Individual messages in chats | Until account deletion |
| Chat Folders | Organization of your chats | Until account deletion |
| Models | Your document collections | Until account deletion |
| Documents | Uploaded files (encrypted) | Until account deletion |
| Usage Logs | Query history, tokens used, timestamps | Until account deletion |
2.3 Financial Data
| Data Type | Description | Processed By |
|---|---|---|
| Credit Balance | Your available credits | QueryLex |
| Credit Transactions | Purchase and usage history | QueryLex |
| Payment Information | Card details, billing address | Stripe (we never see full card numbers) |
2.4 Feedback and Preferences
| Data Type | Description |
|---|---|
| App Feedback | Ratings and comments you provide about the service |
| Model Feedback | Feedback on specific models and AI responses |
| Questionnaire Responses | Answers to onboarding or survey questions |
| Email Preferences | Your notification and marketing email settings |
2.5 Consent Records
To comply with GDPR Article 7 (demonstrating consent), we maintain records when you accept our Terms of Service and Privacy Policy:
| Data Type | Description | Purpose |
|---|---|---|
| Consent Type | The action for which consent was given (e.g., model creation) | Audit trail of consent |
| Policy Versions | Version numbers of Terms and Privacy Policy accepted | Legal compliance - proving which version you agreed to |
| Timestamp | When consent was given | Demonstrating valid consent |
| IP Address | Your IP address at the time of consent | Fraud prevention and consent verification |
| User Agent | Browser/device information | Consent verification |
3. Purposes of Processing
We process your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve QueryLex services
- Account Management: To create and manage your user account
- Payment Processing: To process payments and manage subscriptions
- Communication: To send service updates, security alerts, and support messages
- Marketing: To send promotional communications (only with your consent)
- Security: To detect, prevent, and address fraud and security issues
- Legal Compliance: To comply with legal obligations (tax records, audit logs)
- Service Improvement: To analyze usage patterns and improve our AI models
4. Legal Basis for Processing
Under GDPR Article 6, we process your data based on the following legal grounds:
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and service delivery | Contract Performance (Art. 6(1)(b)) - necessary to fulfill our contract with you |
| Payment processing | Contract Performance (Art. 6(1)(b)) - necessary to process your purchases |
| Security and fraud prevention | Legitimate Interest (Art. 6(1)(f)) - protecting our service and users |
| Marketing communications | Consent (Art. 6(1)(a)) - only with your explicit opt-in |
| Tax and financial records | Legal Obligation (Art. 6(1)(c)) - required by tax laws |
| Service improvement analytics | Legitimate Interest (Art. 6(1)(f)) - improving our service |
| Consent records storage | Legal Obligation (Art. 6(1)(c)) - GDPR Art. 7(1) requires ability to demonstrate consent |
5. Data Retention
We retain your personal data only as long as necessary for the purposes described:
| Data Category | Retention Period |
|---|---|
| Account data (profile, preferences) | Until account deletion + 30 days |
| Chat history and messages | Until account deletion |
| Documents and models | Until deletion by user or account deletion |
| Usage logs | Until account deletion |
| Payment/transaction records | 10 years (legal requirement for tax purposes) |
| Security audit logs | 1 year |
| Encrypted backups | 90 days after deletion |
| Consent records | Until account deletion (deleted with account) |
Account Deletion: When you delete your account, all your personal data is permanently removed within 30 days, except for data we are legally required to retain (e.g., financial records for tax compliance).
6. Third-Party Service Providers
We share your data with the following third-party processors who help us deliver our services:
6.1 Infrastructure and Storage
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, storage | EU (Paris, France - eu-west-3) |
6.2 AI and Processing
| Provider | Purpose | Data Shared | When Used |
|---|---|---|---|
| OpenRouter | AI language model API (default) | Query text and document excerpts for generating responses | Default for most AI models |
| OpenAI | AI language model API (optional) | Query text and document excerpts for generating responses | When you select OpenAI models (GPT-4o, o1, o3, etc.) |
| DeepSeek | AI language model API (optional) | Query text and document excerpts for generating responses | When you select DeepSeek models (deepseek-chat, deepseek-reasoner) |
| HuggingFace | Embedding model (BAAI/bge-large-en-v1.5) | Document text for creating searchable embeddings | All document processing |
Note: OpenAI is based in the USA. DeepSeek is based in China. When you select models from these providers, your query data is processed according to their respective privacy policies. You can choose which AI provider to use for each conversation.
6.3 Payments
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, name, billing address, payment method |
All third-party providers are contractually obligated to protect your data and process it only according to our instructions.
Note on Authentication Emails: Password reset emails, email confirmations, and other authentication-related communications are sent directly by Supabase using their email infrastructure.
7. International Data Transfers
EU Data Residency: Your data is stored exclusively in the European Union (Paris, France - AWS eu-west-3 region) through our Supabase infrastructure.
When data must be transferred outside the EU (e.g., to AI providers), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Approved by the European Commission
- Data Processing Agreements: With all third-party processors
- Encryption: All data is encrypted in transit using TLS/SSL
8. Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
Right of Access (Article 15)
You can request a copy of all personal data we hold about you. Use the "Download My Data" button in your Profile settings to export your data instantly as PDF or JSON. This includes all account data, chat history, models, usage logs, feedback, and consent records.
Right to Rectification (Article 16)
You can update your personal information at any time through your Profile settings, or contact us to correct inaccurate data.
Right to Erasure / "Right to be Forgotten" (Article 17)
You can delete your account and all associated data using the "Delete Account" button in your Profile settings. This permanently removes:
- Profile information
- All chat sessions and messages
- All models and documents
- Usage logs and credit transactions
- All feedback and questionnaire responses
- All consent records
Right to Data Portability (Article 20)
You can export your data in machine-readable format (JSON) at any time using the data export feature in your Profile settings.
Right to Restrict Processing (Article 18)
You can request that we limit how we process your data. Contact us to exercise this right.
Right to Object (Article 21)
You can object to processing based on legitimate interests. You can also opt out of marketing communications at any time through your Profile settings or by clicking "unsubscribe" in any email.
Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw it at any time through your Profile settings or by contacting us.
Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with your local data protection authority. For France, this is the CNIL (www.cnil.fr).
To exercise any of these rights, you can either use the self-service options in your Profile settings or contact us at andrius@querylex.com. We will respond within 30 days.
9. Security Measures
We implement comprehensive security measures to protect your personal data:
9.1 Technical Measures
- Encryption at Rest: All documents encrypted using Fernet symmetric encryption
- Encryption in Transit: All connections secured with TLS/SSL (HTTPS)
- Row-Level Security (RLS): Database access restricted to your own data only
- Password Hashing: Passwords hashed using bcrypt (never stored in plain text)
- Session Security: Secure, HTTP-only session cookies with expiration
- Rate Limiting: Protection against brute-force attacks
9.2 Organizational Measures
- Access Control: Limited access to personal data on a need-to-know basis
- Audit Logging: All data access and operations are logged
- Regular Backups: Encrypted backups with secure retention policies
- Incident Response: Procedures in place for data breach notification
10. Cookies and Tracking
QueryLex uses cookies for service operation and analytics:
10.1 Essential Cookies
These cookies are necessary for the website to function and cannot be disabled:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session Cookie | Maintains your login session | Session (expires on browser close or after 1 hour inactivity) |
| Authentication Token | Secure user authentication | 1 hour |
| Theme Preference | Remembers your dark/light mode choice | Persistent (localStorage) |
10.2 Analytics Cookies (Google Analytics 4)
We use Google Analytics 4 to understand how visitors interact with our website. This helps us improve our service. Google Analytics uses cookies to collect anonymous usage data:
| Cookie Name | Purpose | Duration |
|---|---|---|
| _ga | Distinguishes unique users by assigning a randomly generated number | 2 years |
| _ga_* | Used by Google Analytics to persist session state | 2 years |
| _gid | Distinguishes unique users | 24 hours |
What we track: Page views, user interactions, feature usage, and performance metrics to improve QueryLex.
What we do NOT track: The content of your documents, your queries, or any personal data within your legal work.
Data processing: Google processes this data on our behalf. For more information, see Google's Privacy Policy.
10.3 What We Do NOT Use
We do not use:
- Advertising cookies or ad tracking
- Social media tracking pixels (Facebook, Twitter, LinkedIn, etc.)
- Cross-site tracking for advertising purposes
- Retargeting or remarketing cookies
10.4 Managing Your Cookie Preferences
If You Have an Account:
Your cookie consent preference is stored and can be managed through your Profile settings. When you delete your account, all associated data is removed.
If You Don't Have an Account (Anonymous Visitors):
Analytics data collected via Google Analytics is linked to a randomly generated identifier in your browser cookies, not to your personal identity. Here's how you can manage this data:
Options for Anonymous Visitors:
- Decline cookies: When you first visit, click "Decline" on the cookie banner. No analytics cookies will be set.
- Clear existing cookies: Delete cookies from your browser settings. This removes the link between your browser and any previously collected data.
- Use browser privacy mode: Private/Incognito browsing prevents analytics tracking.
- Install opt-out tools: Use the Google Analytics Opt-out Browser Add-on.
- Manage Google data: If you were signed into a Google account while browsing, you can manage your data at myactivity.google.com.
Important Note: Because anonymous analytics data is not linked to your identity, we cannot identify or delete specific visitor data in Google Analytics. However, clearing your browser cookies effectively breaks any connection between you and the historical data, and Google Analytics automatically deletes user-level data after our retention period (14 months).
If you have questions about analytics data or wish to make a data request, please contact us at privacy@querylex.ai.
11. Children's Privacy
QueryLex is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top of this page
- We will notify you via email for significant changes
- We may display an in-app notification
Your continued use of QueryLex after changes constitutes acceptance of the updated policy.
13. Contact Information
For any questions about this Privacy Policy or your personal data, please contact us:
QueryLex - Data Protection
Email: andrius@querylex.com
Website: https://querylex.com
Data Subject Requests:
For access, deletion, or other GDPR requests, email us at andrius@querylex.com or use the self-service tools in your Profile settings.
Supervisory Authority:
If you are not satisfied with our response, you may lodge a complaint with your local data protection authority. For France: CNIL - www.cnil.fr