
Privacy Policy

Last updated: May 17, 2026

Information We Collect

We collect the following categories of personal data:

  • Account information: name, email address, phone number, and profile details when you create an account
  • Lawyer credentials (lawyer accounts only): Emirates ID number, bar licence or DIFC/ADGM registration number, and uploaded verification documents (licence scans, ID copies)
  • AI interaction data: queries submitted to our AI tools, documents uploaded for analysis, and chat history
  • Lawyer subscription records (lawyer accounts only): subscription plan, billing status, and transaction references handled by our secure payment provider — we do not store credit card numbers, CVVs, or full card details on our servers
  • Usage analytics: pages visited, features used, session duration, and interaction patterns to improve the platform (collected only with your consent via the cookie banner)

Lawful Basis for Processing

We process your personal data on the following lawful bases under the UAE Personal Data Protection Law (PDPL):

  • Contract performance: to provide the LEXAI advertising directory service to you (Art. 5(1)(b))
  • Consent: for analytics and preference cookies, marketing communications, and any optional features you opt into (Art. 4)
  • Legal obligation: to comply with UAE regulatory, anti-money-laundering, and record-keeping requirements (Art. 5(1)(c))
  • Legitimate interests: to operate, secure, and improve the platform — balanced against your rights and freedoms (Art. 5(1)(f))

How We Use Your Data

Your data is used to:

  • Provide and maintain the LEXAI advertising directory
  • Help clients discover verified lawyers by practice area, location, and language
  • Power AI features including legal research and document analysis
  • Send transactional emails (account confirmations, notifications, reminders) via our email-delivery provider
  • Enable lawyer subscription billing for our paid tiers (lawyer accounts only)
  • Comply with UAE legal and regulatory requirements

Third-Party Service Providers (Sub-processors)

We share data with the following service providers, strictly for platform functionality and under signed Data Processing Agreements:

  • Database, authentication, and storage provider — hosts user accounts, profile data, and uploaded documents
  • Application hosting and AI Gateway provider — serves the website and routes AI requests
  • AI model provider — processes AI queries via Vercel AI Gateway with Zero Data Retention enabled
  • Embeddings provider — generates vector embeddings for legal-research search
  • Transactional email provider — delivers account, notification, and reminder emails
  • Real-time messaging provider — powers lawyer-client chat
  • Secure payment provider (lawyer accounts only) — processes lawyer subscription billing; card data is handled entirely by the provider and never touches our servers
  • Error-monitoring provider — captures anonymised crash and performance telemetry
  • Product analytics provider (EU-region) — used only with your consent for usage analytics
  • Session-replay & behavioural analytics provider (United States) — used only with your consent for usage analytics

For a complete and continuously updated list of every sub-processor (provider name, role, data category, residency, and DPA URL), see our Sub-processors page at https://lexaidxb.com/legal/sub-processors.

We never sell your personal data to advertisers or any third party.

International Transfers

Some of our sub-processors are based outside the United Arab Emirates. Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, Articles 22–26), we are permitted to transfer your personal data to such jurisdictions when (a) you have provided informed consent by accepting this Privacy Policy, (b) the receiving processor maintains adequate technical and organisational safeguards through a binding Data Processing Agreement, and (c) we apply data minimisation — transferring only the personal data strictly necessary for the stated purpose.

The relevant transfers and their safeguards are:

  • United States — AI model provider (inference), embeddings provider, transactional email provider, error-monitoring provider, and session-replay / behavioural analytics provider. These providers are bound by signed DPAs published on their public legal pages and listed on our Sub-processors page.
  • Multi-region — application hosting + AI Gateway, real-time messaging provider, secure payment provider (lawyer subscription billing only). Routing is configured to keep data within the closest available region where commercially feasible.
  • European Union — product analytics provider (EU endpoint, no personal identifiers attached to events).

For AI processing specifically, queries are routed through Vercel AI Gateway with Zero Data Retention (ZDR) enabled to Anthropic Claude. Anthropic is contractually bound under ZDR to (a) not retain your queries after the response is returned, (b) not use your data to train AI models, and (c) not share your data with any third party. The Vercel AI Gateway acts purely as a transit layer and does not persist message content. This combination — explicit DPAs + ZDR + data minimisation (we send only the user's question and the retrieved legislation snippets, never email, name, phone, or account ID) — is how LEXAI satisfies PDPL Art. 22–26 for AI processing.

For the full list of every sub-processor, the data residency, and the DPA URL, see https://lexaidxb.com/legal/sub-processors.

AI Data Handling

AI queries are processed via Vercel AI Gateway using Anthropic Claude models. The AI provider does not retain your data after processing each request — there is zero data retention at the AI provider level.

We do not use your data to train AI models.

AI chat history is stored on our platform for your convenience so you can review past conversations. Each conversation is automatically deleted 12 months after your last activity in it. You can pin up to 25 conversations to keep them indefinitely. Deleting your account purges all chat data immediately.

Data Retention

  • Account data: retained while your account is active. When you delete your account, your profile and personal identifiers are permanently and irreversibly removed. Some records are retained afterwards only where required by law or for legitimate operational needs — specifically lawyer–client consultation/case records, subscription billing records, and security/audit logs (each described below).
  • Lawyer–client consultations & messages: retained for the life of the account; case records linked to a consultation may be retained after deletion where required for legal record-keeping or dispute resolution.
  • AI chat sessions: 12 months from your last activity in each conversation, then automatically purged. Pin a conversation (up to 25 per account) to keep it indefinitely. Account deletion purges all chat data immediately.
  • Lawyer subscription billing records (lawyer accounts only): retained per UAE financial-record-keeping requirements (up to 7 years) and the data-retention policies of our payment provider.
  • Deleted account records: a minimal record (reason for deletion, account type, deletion date) is kept in our deleted_accounts table for admin reference and returning-user detection.

Your Rights Under UAE PDPL

Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), you have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion of your data
  • Export your data in a portable format
  • Withdraw consent for data processing at any time
  • Object to automated decision-making
  • Lodge a complaint with the UAE Data Office (the supervisory authority under PDPL Art. 13)

You can exercise most of these rights directly from the Data & Privacy page in your account settings. Account deletion requires password confirmation and typing "DELETE" to proceed — deletion is immediate and cannot be reversed.

Cookies

LEXAI uses both essential and optional cookies. Essential cookies (session, authentication, language preference) are required for the platform to function and cannot be disabled. Optional cookies (analytics, additional preferences) are set only after you grant consent through our cookie banner; you can change or withdraw your consent at any time.

We do not use advertising or cross-site tracking cookies. For full details of each cookie, its purpose, and how to control it, see our Cookie Policy at https://lexaidxb.com/cookies.

Data Breach Response

We maintain technical and organisational safeguards designed to prevent unauthorised access, loss, alteration, or disclosure of your personal data — including encryption in transit, role-based access controls, and audit logging.

In the event of a personal data breach affecting your data, we will:

  • Notify the UAE Data Office within 72 hours of becoming aware of the breach, as required by UAE PDPL Art. 9.
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by UAE PDPL Art. 10.
  • Document the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken to address it.

Contact

For data privacy inquiries or to exercise your PDPL rights, contact us:

Email: info@lexaidxb.com

Location: Dubai, United Arab Emirates

We will respond to all data requests within 30 days as required by UAE PDPL.

Questions?

If you have questions about this policy, contact us at info@lexaidxb.com