Privacy Policy
1. Who We Are
DraftLex, Inc. ("DraftLex," "we") operates the DraftLex platform at www.draftlex.online. We are the data controller for account and usage data. For data processed on behalf of law firm customers, we act as a data processor under our Data Processing Agreement (DPA).
2. Data We Collect
Account Data
Name, work email, firm name, bar number (optional), and payment information (processed by our PCI-DSS compliant payment provider — we never store raw card numbers).
Usage Data
Feature usage, template selections, session logs, and integration connections. This data is not linked to the content of your email drafts.
Email Draft Content
Prompts and outputs processed in your tenant-isolated environment. See Section 4 for our specific commitments.
Integration Data
When you connect Clio, MyCase, Gmail, or Outlook, we access only the matter and contact data required to populate email drafts. We do not read or store existing emails.
3. How We Use Your Data
- To provide and operate the DraftLex service
- To process payments and manage your subscription
- To send transactional emails (receipts, password resets)
- To send product updates (opt out at any time)
- To detect fraud and security threats
- To comply with legal obligations
We do not sell your personal data. We do not use your data for targeted advertising.
4. AI Processing & Your Client Data
- Your data never trains any AI model — ours or any provider's. Contractually guaranteed in our DPA.
- Email draft content is processed in a tenant-isolated environment and is never commingled with another firm's data.
- Draft content is not retained after delivery, except in your account's matter-level audit log (which you control and can delete).
- AI subprocessors are contractually prohibited from using your data for any purpose other than inference delivery.
5. Data Sharing
We share data only with: (a) listed subprocessors; (b) legal authorities when required by law; (c) a successor entity in an acquisition (with notice). All subprocessors sign DPAs. We never sell data.
6. Data Retention
Account data is retained for the duration of your subscription plus 30 days. You may request deletion at any time. Anonymised aggregate statistics may be retained indefinitely.
7. Your Rights
GDPR (EEA/UK)
Right to access, rectify, erase, restrict, and port your data. Email privacy@draftlex.online — we respond within 30 days.
CCPA (California)
Right to know, delete, and opt out of sale (note: we do not sell). Submit requests to privacy@draftlex.online.
8. Security
We protect data with AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, annual penetration testing, and SOC 2 Type II certification. See our Security page for full details.
9. Contact
Email: privacy@draftlex.online
Mail: DraftLex, Inc., Attn: Privacy, 548 Market Street Suite 29000, San Francisco CA 94104