Privacy Policy.
DPDP Act compliant.

How LexVio.ai collects, uses, stores, and protects your personal data — under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable law.

Last updated: 23 May 2026 · Effective: 1 June 2026

1. Who we are

LexVio.ai is a product of Global Synapse Technologies, a private limited company registered in Delhi, India (the “Data Fiduciary”, “we”, “us”). Registered address: Delhi, India. GSTIN: 07AOVPR7411P1ZY. Contact: info@globalsynapsetech.com.

When you use LexVio.ai, you (the “Data Principal”) interact with us as a data subject under the DPDP Act 2023. This policy explains the personal data we process, why we process it, and the rights you can exercise.

2. What personal data we collect

We collect the following categories of personal data:

  • Account data — name, work email, mobile number, organisation, role.
  • Authentication data — encrypted password hashes, OAuth tokens (Google), SAML assertions (enterprise SSO), session identifiers, two-factor codes.
  • Billing data — invoicing name, GSTIN, billing address, payment method tokens (we do not store full card numbers — these are handled by Razorpay/Stripe).
  • Document content — contracts, agreements, and other legal documents you upload, paste, or generate within LexVio for analysis, review, or storage in your vault.
  • Usage data — pages visited, features used, search queries, clicks, IP address, user agent, device identifiers, referral URL, timestamps.
  • Communications — messages you send via our contact form, support tickets, WhatsApp, or email; testimonials you submit.
  • Cookies and similar technologies — see our Cookies Policy.

3. Why we process your data (purposes)

  • To provide the service — analyse contracts, run compliance checks, deliver tax intelligence, store documents in your vault, manage your account.
  • To bill you and issue tax invoices — process payments, raise GST-compliant invoices, recover dues.
  • To support you — respond to queries, troubleshoot issues, send transactional emails (password resets, billing receipts, deadline alerts).
  • To improve LexVio — analyse aggregated, de-identified usage patterns to fix bugs and prioritise features. We do not train AI models on your document content without your explicit consent.
  • To comply with law — respond to government requests, court orders, regulatory directions, and tax / accounting obligations under Indian law.
  • To detect abuse — prevent fraud, account takeover, spam, denial-of-service, and other malicious activity.

4. Legal basis for processing

Under the DPDP Act, we process your personal data based on (a) your consent (for marketing communications, AI model improvement opt-in, and similar opt-in features); (b) legitimate uses under Section 7 (provision of subscribed service, employment-related processing, performance of any law, response to medical/disaster emergencies); and (c) compliance with law (tax, accounting, court orders).

5. How long we keep your data

  • Account data — for the duration of your subscription plus 30 days after cancellation (to permit reinstatement). Then deleted, unless retention is required by law.
  • Document content — stored as long as you keep the document in your vault. Deleted within 30 days of vault deletion. Backups are purged within 90 days.
  • Billing data — retained for 8 years from the end of the relevant financial year (Companies Act 2013 §128, Income Tax Act §44AA).
  • Usage logs — retained for 12 months for security and audit, then aggregated and anonymised.
  • Audit / Compliance logs — retained for the period mandated by SOC 2, ISO 27001, or applicable regulation (typically 12–36 months).

6. Where your data is stored (data localisation)

Your personal data is stored on infrastructure located in India (AWS ap-south-1 region, Mumbai). Encrypted backups are replicated to a secondary AWS region in India.

We may use sub-processors located outside India for narrow purposes (model inference, email delivery, error monitoring). The current list is available on request via info@globalsynapsetech.com. Each sub-processor is bound by data processing terms equivalent to this policy. Transfers outside India are permitted under DPDP Act §16 for jurisdictions not restricted by the Central Government.

7. Who we share your data with

  • Service providers — cloud hosting (AWS), payment processors (Razorpay, Stripe), error monitoring (Sentry), product analytics (PostHog), AI inference (Anthropic). Each is a data processor under our control.
  • Authorised users in your organisation — anyone you add to your LexVio workspace as a team member, administrator, or guest.
  • Compelled disclosure — to government authorities, courts, or regulators if required by Indian law, after notifying you where legally permissible.
  • Business transfer — in connection with a merger, acquisition, or sale of all/part of our business, after binding the recipient to terms equivalent to this policy.

We do not sell your personal data. We do not share document content with third parties for marketing or advertising.

8. Your rights as a Data Principal

Under DPDP Act §11–§14 you have the following rights:

  • Right to access — request a summary of the personal data we hold about you, the categories of processing, and the entities with whom it has been shared.
  • Right to correction and erasure — request correction of inaccurate data, completion of incomplete data, or erasure of data no longer necessary for processing.
  • Right of grievance redressal — escalate complaints to our Grievance Officer; see Grievance.
  • Right to nominate — nominate another individual to exercise your rights in the event of death or incapacity.
  • Right to withdraw consent — withdraw consent for processing you previously authorised. Withdrawal does not affect lawful processing before withdrawal.

To exercise any of these rights, email support@globalsynapsetech.com. We will respond within 30 days, as required by the DPDP Act.

9. Children

LexVio is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it.

10. Security

We protect your data with AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, multi-factor authentication on administrative access, encrypted backups, and regular vulnerability scanning. We are pursuing SOC 2 Type II and ISO 27001 certification. Read more on our Security page.

Despite these measures, no system is 100% secure. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals within the timelines required by DPDP Act §8(6).

11. Changes to this policy

We may update this policy. Material changes will be communicated by email and posted here at least 14 days before they take effect. The “Last updated” date at the top tells you when this policy was last revised.

12. Contact

Questions about this policy or your data: info@globalsynapsetech.com
Grievance Officer: see /legal/grievance
Postal: Global Synapse Technologies, Delhi, India.

Notice: This document is provided in good faith and reflects our current practices. It is not legal advice. For interpretation under your specific circumstances, consult an advocate.