Last updated: June 20, 2026

Privacy Policy

Your privacy matters to us. This policy explains what information we collect, how and why we use it, who we share it with, how long we keep it, and the rights and choices you have. It applies to the Lexax website, applications, AI agent, and related services (collectively, the "Service") operated by Lexax Inc. ("Lexax," "Company," "we," "us," or "our"). Capitalized terms not defined here have the meaning given in our Terms of Service.

1. Scope and Our Roles

This policy covers personal information we process as a controller — information about you as a user of the Service. When you use the Service to build, run, deploy, or operate your own applications, automations, or agent workflows, you act as the controller of any data those creations collect or process, and we act as a processor handling that data on your behalf and under your instructions. You are responsible for providing your own privacy notices to, and obtaining any required consents from, the end users and recipients of the applications, messages, and automations you create.

2. Information We Collect

We collect information you provide directly, information generated through your use of the Service, and information collected automatically. This includes:

  • Account and identity: Your name, email address, and (where available) profile picture, received from the third-party single sign-on or identity provider you choose to authenticate with. We request only the basic profile and email scope needed to create and secure your account; we do not receive your password for that provider.
  • Workspace and collaboration: Organization and workspace names, membership, roles, permissions, and invitations. When you invite someone, your name and email may appear in the invitation message they receive.
  • Prompts, conversations, and User Content: The prompts, instructions, and messages you submit; text, files, documents, and images you upload or paste; project names, descriptions, code, and assets; and the outputs generated for you. Your conversation and project history is stored so you can return to your work.
  • Connected-account data: When you connect a third-party account, we process the authorization needed to perform the actions you request and the specific data exchanged with that account at your direction and within the scope you authorize.
  • Communications and messaging data: Messages, requests, and content you send or receive when you interact with the Service through supported messaging channels, including phone numbers and message contents, and when you contact support.
  • Billing data: Plan, subscription status, credit balances, billing email, and transaction history. Payment-card details are entered with and handled by our third-party payment processor; we do not collect or store full card numbers. We retain records and copies of billing-related notifications we receive for accounting and fraud-prevention purposes.
  • Usage and diagnostic data: Credit consumption, feature usage, run and activity logs, model and token-usage metadata, and diagnostic information used to operate, secure, meter, and improve the Service.
  • Device, presence, and log data: IP address, browser and device type, operating system, language, approximate location derived from IP, per-session and per-tab presence identifiers, and access timestamps collected automatically.
  • Secrets you provide: API keys, credentials, or environment values you choose to supply so the Service can perform tasks for you. These are stored encrypted and are not exposed to the AI model in plain text.
  • Inbound trigger and webhook data: When you configure automations or integrations, we receive and may retain the event data that triggers them.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, secure, and improve the Service.
  • Process your prompts and instructions to generate code, content, and components, and to build, run, preview, and deploy your projects.
  • Execute the agent actions, integrations, automations, and scheduled or triggered tasks you configure, to the extent you authorize them.
  • Manage your account, workspaces, roles, invitations, and collaboration features.
  • Measure and display usage credits, process subscriptions, and handle billing.
  • Send transactional communications such as invitations, receipts, billing and credit notices, security alerts, and service messages.
  • Monitor, detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms.
  • Comply with legal obligations and enforce our agreements.

Depending on your jurisdiction, our legal bases include performance of our contract with you, your consent, our legitimate interests in operating and securing the Service, and compliance with legal obligations.

4. AI and Automated Processing

The Service uses artificial intelligence. When you use its AI features, your prompts and the relevant project context — which may include text, code, files, and images you provide — are transmitted to and processed by one or more third-party AI and machine-learning model providers acting as our sub-processors in order to generate the output you request. For performance, portions of your context may be cached by those providers for a limited time. We do not use your User Content to train our own foundation models, and we seek to use providers and configurations intended to prevent your inputs and outputs from being used to train their models; provider data handling is otherwise governed by the providers' applicable terms, and we will honor an opt-out where you set one. AI output is associated with your account and treated as User Content. AI output is generated automatically and may be inaccurate or incomplete; see our Terms of Service for the related disclaimers.

5. Autonomous Agent Actions and Tool Use

The Service includes an AI agent that, at your direction, can take actions to complete tasks — for example, reading and writing project files, running code and commands in an isolated environment, searching the web and retrieving web content, operating a browser, generating media and documents, deploying applications, and performing actions in third-party accounts you connect. To carry out these actions, the agent processes the related inputs and results and may transmit the data necessary to perform a requested action to the relevant sub-processor or destination. You are responsible for the actions you instruct the agent to take and their consequences; see our Terms of Service.

6. Code Execution and Isolated Environments

Building, previewing, and running your projects requires executing code in isolated, sandboxed environments provisioned for your workspace by a third-party code-execution provider. These environments are logically separated per project, hold the files and state needed to run your application, may have outbound internet access to perform tasks you request, and can serve live previews at temporary URLs that may be reachable by anyone who has the link. We apply access controls so that one workspace cannot reach the environments or data of another. Do not place secrets or sensitive data in code, prompts, or files unless necessary; use the dedicated secret feature so sensitive values are handled securely.

7. Connected Third-Party Accounts

You may connect external accounts so the agent can act on your behalf within them. The authorization for those connections is held by our integration sub-processor; we access third-party data only at your direction and for the scope you authorize. Depending on your workspace settings, a connection made by an administrator may be usable by other members of the same workspace. Data read from or written to connected accounts may be processed as part of your conversation context and transmitted to AI model providers to fulfill your request. Your use of connected services remains subject to those services' own terms and privacy policies.

8. Automated and Scheduled Tasks

The Service can run tasks automatically on a schedule or in response to an external event, including when you are not present. When you create such an automation, we store its configuration (including the saved instructions, schedule, and selected options) and process the inbound event data that triggers it. Automated runs consume usage credits and may generate content and perform actions in connected accounts or messaging channels you have authorized. You can disable, edit, or set an expiration for automations at any time.

9. Messaging Channels

Where enabled, you can interact with the Service over supported messaging channels through a third-party messaging provider. In that case we process phone numbers, message contents, delivery metadata, and opt-in/opt-out status. Messaging is limited to enrolled numbers, and standard opt-out keywords (such as STOP) stop further messages. You are responsible for ensuring that anyone you message through the Service has consented to receive those messages. Message-and-data rates may apply through your carrier.

10. Sub-Processors and Service Providers

We rely on a limited set of vetted third-party sub-processors to run the Service. Each is bound by contractual obligations to protect your information, to process it only on our instructions, and to maintain appropriate security. For security and competitive reasons we do not name individual providers in this public policy; instead, we disclose the categories of sub-processors we use:

  • Cloud hosting and computing infrastructure.
  • Authentication and identity management.
  • Database, storage, content delivery, and secret management.
  • Isolated code-execution and sandbox environments.
  • AI and machine-learning model processing.
  • AI media generation (image, video, and voice).
  • Web search and web-content retrieval.
  • Browser-automation infrastructure.
  • Third-party integration and connectivity services.
  • Application hosting and deployment for your published apps.
  • Source-code hosting (when you connect a repository).
  • Messaging delivery.
  • Payment and subscription processing.
  • Email and notification delivery.

A more specific list of sub-processors is available to enterprise customers under a confidentiality obligation on request. We remain responsible for the handling of personal information by our sub-processors.

11. How We Share Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only in these limited circumstances:

  • Workspace members: Your name, email, role, activity, and the content you contribute are visible to other members of workspaces you belong to.
  • Sub-processors: The service providers described in Section 10 process information on our behalf and under contract.
  • At your direction: When you connect an external account, deploy an application, push code to a repository, send a message, or instruct the agent to use an external service, we transmit the data necessary to perform that action. Those external destinations are governed by their own terms and privacy practices.
  • Legal and safety: We may disclose information when required by law, legal process, or governmental request, or where we believe disclosure is necessary to protect the rights, property, or safety of Lexax, our users, or the public, or to investigate fraud or security issues.
  • Business transfers: In connection with a merger, acquisition, financing, or sale of assets, information may be transferred as part of the transaction, subject to this policy.

12. Cookies and Sessions

We use strictly necessary cookies and similar technologies for authentication, session management, security, and preserving your preferences, including a short-lived token used to deliver real-time updates within your workspace. These are essential for the Service to function and cannot be switched off through the Service. We do not use advertising cookies, and we do not sell information collected through cookies. Session cookies are encrypted and expire according to your session and authentication settings.

13. Data Storage and Security

We implement administrative, technical, and organizational safeguards designed to protect your information, including encryption in transit, encryption of stored secrets in a managed vault, scoped access controls, tenant-isolation rules that restrict each user and workspace to their own data, signature verification on inbound webhooks, secrets management, and monitoring. Access to production systems is limited to authorized personnel on a need-to-know basis. Tenant isolation is enforced at the application and database layers. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities as required by applicable law.

14. Data Retention and Deletion

We retain information for as long as needed to provide the Service and for the purposes described in this policy:

  • Account information and User Content (including your conversation and project history) are retained while your account or the relevant project is active. Deleting a project removes its record and initiates release of its associated execution environment.
  • Execution-environment storage may persist while a project exists so your work can resume, and is released when the project is deleted or otherwise reclaimed.
  • Certain records are retained even after a project is deleted where we have a legal, accounting, security, or audit reason to keep them — for example, billing and usage ledgers and records of third-party notifications we receive — and are kept for the period required.
  • Backups and operational logs are retained for a limited period and then expire on a rolling basis.

When you ask us to delete your account, we delete or anonymize your personal information within thirty (30) days, except where longer retention is required by law or for the legitimate business purposes described above.

15. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your personal information.
  • Object to or restrict certain processing activities.
  • Receive a copy of your data in a portable format.
  • Withdraw consent where processing is based on consent, without affecting prior processing.
  • Lodge a complaint with your local data-protection authority.

To exercise these rights, contact us at privacy@lexax.dev. We will verify your request and respond within the time required by applicable law, and we will not discriminate against you for exercising your rights. For data processed on behalf of another user (for example, content within a workspace you do not own, or data handled by an application another user built), we may direct your request to the responsible controller.

16. Children's Privacy

The Service is not directed to, and is not intended for, anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If you believe someone under 18 has provided us with personal information, contact us and we will take steps to delete it promptly.

17. International Data Transfers

We and our sub-processors may process your information in countries other than your country of residence, including countries that may not provide the same level of data protection as your own. Where required, we put appropriate safeguards in place for such transfers, such as standard contractual clauses or reliance on applicable adequacy decisions.

18. Third-Party Services and Your Applications

The Service lets you connect external accounts and deploy applications to destinations you choose. Those third-party services, and the applications you build, deploy, and operate, are governed by their own terms and privacy policies, over which we have no control. You are the controller of any data your applications and automations process, are responsible for their lawfulness and privacy practices, and must provide your own notices and obtain any required consents from their end users and message recipients.

19. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email at least thirty (30) days before they take effect. The "Last updated" date above reflects the most recent revision. Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

20. Contact

For questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at privacy@lexax.dev.