Privacy Policy

Last updated: 2026-04-19

This Privacy Policy explains how LexiPanel collects, uses, and protects personal data when you use the Service. It is written to comply with the EU General Data Protection Regulation (GDPR) and the Ukrainian Law on Personal Data Protection.

1. Data controller

The data controller for personal data processed via LexiPanel is Yaroslav Baienko (Ukraine), a practicing Senior Associate and sole operator of the Service.

Contact for privacy matters: zerhug@gmail.com. A written request will be answered within thirty (30) days.

There is no designated Data Protection Officer. Given the scale and nature of processing, this is not mandatory under Art. 37 GDPR; this will be reviewed as the business grows.

2. What data we collect

Account data — email address, display name, firm name, role, hashed password. Provided by you on registration.

Usage data — login timestamps, session duration, feature-use counts. Collected automatically for security and product quality.

Matter content — the legal matters, time entries, clients, notes you upload into the Service. You are the controller of this content; we are the processor. See the Data Processing Addendum (available on request for Enterprise).

Payment data — handled entirely by Stripe. We store only your Stripe customer ID and subscription status. We never see card numbers.

Technical data — IP address (used briefly for rate limiting and abuse detection), user-agent string.

Cookies — strictly necessary only: `NEXT_LOCALE` (language preference), theme preference (`localStorage`), encrypted authentication session. No analytics cookies, no advertising cookies, no cross-site tracking.

4. Sub-processors

Stripe Payments Europe, Ltd. — payment processing. Certified GDPR compliant; Standard Contractual Clauses in place for any transfers.

Hetzner Online GmbH (Germany) — cloud hosting. All primary data storage occurs on servers physically located in Germany (EU).

Supabase / PostgreSQL (self-hosted) — database. Operated by us on the Hetzner infrastructure above; no data leaves the EU under normal operation.

Google Fonts — web font delivery (Montserrat, JetBrains Mono). Request headers are seen by Google LLC but contain no personal data.

This list is current as of the Last updated date. Any material change will be announced with 30 days' notice.

5. International transfers

Your personal data is stored and processed within the European Union (Germany). We do not routinely transfer personal data outside the EU/EEA.

Limited exceptions: request headers reaching Stripe (Ireland) and Google Fonts (Ireland/USA via Google LLC with SCCs) during normal page loads. No matter content, account data, or usage logs are transmitted outside the EU.

6. Retention

Account data — retained while your subscription is active and for 30 days after cancellation. On written request we will delete earlier, subject to legal retention requirements (tax records: 7 years).

Matter content — retained for the lifetime of your subscription. Exportable at any time. On cancellation, deleted within 30 days unless you instruct otherwise.

Usage logs — 90 days.

Backups — encrypted, 90-day rolling window. Backups are part of our business-continuity posture; deletions propagate through backup rotation.

7. Your rights

Under the GDPR and Ukrainian law you have the right to:

— access your personal data and receive a copy;

— rectify inaccurate data;

— erase your data (right to be forgotten), subject to legal retention;

— restrict processing while a complaint is investigated;

— port your data to another provider in a machine-readable format (CSV + JSON);

— object to processing based on legitimate interests;

— withdraw consent at any time where processing relies on consent;

— lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (the national supervisory authority) or with any EU Data Protection Authority.

To exercise any of these rights, email zerhug@gmail.com. Identity verification may be requested for security. We respond within 30 days, free of charge (unless requests are manifestly unfounded or excessive).

8. Security

The Service has 616 automated tests in continuous integration, including 32 live integration tests against the production database.

Multi-tenant data isolation is enforced server-side, not by the client.

All traffic is encrypted in transit (TLS 1.3). Data at rest is encrypted at the storage-volume level.

Eight iterations of a self-imposed security gate are documented internally; a summary report is available to Enterprise prospects under NDA.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and affected users without undue delay, per Art. 33–34 GDPR.

9. Cookies

LexiPanel uses only strictly necessary cookies and local-storage entries:

— `NEXT_LOCALE` — your language choice (EN / UK), 1-year expiry;

— theme preference — light/dark/system, stored in browser `localStorage`;

— authentication session — encrypted cookie, set only after login, `SameSite=Strict`, `Secure`.

No analytics, no advertising, no cross-site trackers, no third-party tags. Because all cookies are strictly necessary under the ePrivacy Directive exception, no consent banner is shown on the site itself.

10. Children

LexiPanel is a B2B legal SaaS intended for licensed lawyers and law firms. It is not directed at, and should not be used by, individuals under the age of 18. We do not knowingly collect data from minors.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email to active account holders with at least 30 days' notice before they take effect. The Last updated date above reflects the most recent revision.

12. Contact

Questions, requests, or complaints about privacy practices: zerhug@gmail.com.

If you are unhappy with our response, you may lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua) or with your local EU Data Protection Authority.