Privacy Policy
This Privacy Policy explains how LexiPanel collects, uses, and protects personal data when you use the Service. It is written to comply with the EU General Data Protection Regulation (GDPR) and the Ukrainian Law on Personal Data Protection.
1. Data controller
The data controller for personal data processed via LexiPanel is Yaroslav Baienko (Ukraine), a practicing Senior Associate and sole operator of the Service.
Contact for privacy matters: zerhug@gmail.com. A written request will be answered within thirty (30) days.
There is no designated Data Protection Officer. Given the scale and nature of processing this is not mandatory under Art. 37 GDPR; this will be reviewed as the business grows.
2. What data we collect
Account data — email address, display name, firm name, role, hashed password. Provided by you on registration.
Usage data — login timestamps, session duration, feature-use counts. Collected automatically for security and product quality.
Matter content — the legal matters, time entries, clients, notes you upload into the Service. You are the controller of this content; we are the processor. See the Data Processing Addendum (available on request for Enterprise).
Payment data — handled entirely by Stripe. We store only your Stripe customer ID and subscription status. We never see card numbers.
Technical data — IP address (used briefly for rate limiting and abuse detection), user-agent string.
Cookies — strictly necessary only: `NEXT_LOCALE` (language preference), theme preference (`localStorage`), encrypted authentication session. No analytics cookies, no advertising cookies, no cross-site tracking.
3. Purposes and legal basis
Service delivery — performance of contract (Art. 6(1)(b) GDPR).
Billing and tax compliance — contract + legal obligation (Art. 6(1)(b) and (c)).
Security monitoring, rate limiting, abuse detection — our legitimate interests in keeping the Service safe (Art. 6(1)(f)).
Responding to your requests (support, data-subject rights) — contract + legal obligation.
Product improvement — based on aggregated, non-identifying usage metrics only; our legitimate interest (Art. 6(1)(f)). You may object at any time.
We do not use your data for marketing, profiling, or automated decision-making that produces legal effects.
4. Sub-processors
Stripe Payments Europe, Ltd. — payment processing. Certified GDPR compliant; Standard Contractual Clauses in place for any transfers.
Hetzner Online GmbH (Germany) — cloud hosting. All primary data storage occurs on servers physically located in Germany (EU).
Supabase / PostgreSQL (self-hosted) — database. Operated by us on the Hetzner infrastructure above; no data leaves the EU under normal operation.
Google Fonts — web font delivery (Montserrat, JetBrains Mono). Request headers are seen by Google LLC but contain no personal data.
This list is current as of the Last updated date. Any material change will be announced with 30 days' notice.
5. International transfers
Your personal data is stored and processed within the European Union (Germany). We do not routinely transfer personal data outside the EU/EEA.
Limited exceptions: request headers reaching Stripe (Ireland) and Google Fonts (Ireland/USA via Google LLC with SCCs) during normal page loads. No matter content, account data, or usage logs are transmitted outside the EU.
6. Retention
Account data — retained while your subscription is active and for 30 days after cancellation. On written request we will delete earlier, subject to legal retention requirements (tax records: 7 years).
Matter content — retained for the lifetime of your subscription. Exportable at any time. On cancellation, deleted within 30 days unless you instruct otherwise.
Usage logs — 90 days.
Backups — encrypted, 90-day rolling window. Backups are part of our business-continuity posture; deletions propagate through backup rotation.
7. Your rights
Under the GDPR and Ukrainian law you have the right to:
— access your personal data and receive a copy;
— rectify inaccurate data;
— erase your data (right to be forgotten), subject to legal retention;
— restrict processing while a complaint is investigated;
— port your data to another provider in a machine-readable format (CSV + JSON);
— object to processing based on legitimate interests;
— withdraw consent at any time where processing relies on consent;
— lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (the national supervisory authority) or with any EU Data Protection Authority.
To exercise any of these rights, email zerhug@gmail.com. Identity verification may be requested for security. We respond within 30 days, free of charge (unless requests are manifestly unfounded or excessive).
8. Security
The Service has 616 automated tests in continuous integration, including 32 live integration tests against the production database.
Multi-tenant data isolation is enforced server-side, not by the client.
All traffic is encrypted in transit (TLS 1.3). Data at rest is encrypted at the storage-volume level.
Eight iterations of a self-imposed security gate are documented internally; a summary report is available to Enterprise prospects under NDA.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and affected users without undue delay, per Art. 33–34 GDPR.
10. Children
LexiPanel is a B2B legal SaaS intended for licensed lawyers and law firms. It is not directed at, and should not be used by, individuals under the age of 18. We do not knowingly collect data from minors.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by email to active account holders with at least 30 days' notice before they take effect. The Last updated date above reflects the most recent revision.
12. Contact
Questions, requests, or complaints about privacy practices: zerhug@gmail.com.
If you are unhappy with our response, you may lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua) or with your local EU Data Protection Authority.