Privacy Policy
Last updated: March 2026
LexSutra is a compliance infrastructure company. We hold ourselves to the same standards we help our clients meet. This policy is written in plain language — if something is unclear, email us at hello@send.lexsutra.com.
1. Who We Are
Data Controller: LexSutra, Netherlands.
Contact: hello@send.lexsutra.com · lexsutra.com
Supervisory Authority: Autoriteit Persoonsgegevens (AP), Netherlands — autoriteitpersoonsgegevens.nl
LexSutra provides EU AI Act compliance diagnostic services to businesses. We are not a law firm and do not provide legal advice. This privacy policy applies to our website (lexsutra.com), our client portal, and our diagnostic platform.
2. What Data We Collect
| Data | Purpose | Lawful Basis |
|---|---|---|
| Name, email, company name | Demo requests and enquiries from our website | Legitimate interest — responding to business enquiries |
| Company website URL | Automated public footprint scan as part of the diagnostic | Legitimate interest — service delivery |
| Google account details (name, email) | Authentication via Google SSO for portal access | Contract performance |
| Questionnaire responses | Core input to the EU AI Act compliance diagnostic | Contract performance |
| Uploaded documents | Evidence base for diagnostic findings (OTP-confirmed) | Contract performance |
| Activity logs (who did what, when) | Security, audit trail, and compliance record-keeping | Legitimate interest — security and legal obligation |
| IP address, browser type | Security and fraud prevention | Legitimate interest — security |
| Error logs | Platform reliability and debugging | Legitimate interest — service improvement |
We do not collect or process special category data (health, biometric, political, religious data) and we do not collect data about individuals under 18.
3. How We Use Your Data
We use your data only for the purposes listed above. Specifically:
- To deliver the compliance diagnostic service you have contracted with us
- To generate AI-assisted findings drafts (see Section 5 — AI Processing)
- To send you your diagnostic report and related communications
- To respond to demo requests and pre-sales enquiries
- To maintain security, prevent fraud, and keep an audit trail
- To comply with our own legal obligations
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in Section 4.
4. Data Processors & Third Parties
We share data with the following processors, all under written data processing agreements. These companies act only on our instructions and cannot use your data for their own purposes.
Supabase
EU region (Frankfurt, Germany)
Database, file storage, and authentication. All client data, documents, and questionnaire responses are stored here.
supabase.com/privacy

Anthropic
United States (EU transfer covered — see Section 5)
AI-assisted findings generation. Questionnaire responses are sent to Claude (Anthropic) to generate initial diagnostic drafts, reviewed by our team before delivery.
anthropic.com/legal/data-processing-addendum

Resend
United States
Transactional email — OTP codes, portal access links, diagnostic notifications.
resend.com/privacy

We will notify you if we add or change processors that handle your personal data.
5. AI-Assisted Processing
Transparency about AI use
LexSutra uses Claude, an AI model developed by Anthropic, to assist in generating initial diagnostic findings. This is disclosed here, in our Terms & Conditions, and on every report we deliver.
When you submit your questionnaire, your responses are transmitted to Anthropic's API to generate a first-draft assessment of your EU AI Act compliance position. This draft is then reviewed, edited, and approved by a LexSutra human expert before it is included in your report. No AI-generated finding is delivered to you without human review.
Legal basis for transfer to Anthropic (US): The transfer is covered under Standard Contractual Clauses (SCCs) incorporated into Anthropic's Data Processing Addendum, effective 24 February 2025. Anthropic processes data only as a data processor acting on our instructions.
Anthropic's DPA is available at: anthropic.com/legal/data-processing-addendum
6. International Data Transfers
Your data is stored in the EU (Supabase, Frankfurt). The only transfer outside the EU is to Anthropic (US) for AI-assisted analysis, covered by SCCs as described in Section 5. Resend (email) also processes data in the US — covered under their standard DPA and SCCs.
We do not transfer data to countries without adequate protection unless SCCs or equivalent safeguards are in place.
7. Data Retention
| Data | Retention Period | Lawful Basis |
|---|---|---|
| Client documents (uploaded) | 18 months minimum from upload date, then deleted unless actively used in an ongoing engagement | Legal obligation + contract |
| Diagnostic questionnaire responses | Duration of client relationship + 5 years for audit purposes | Legitimate interest — legal compliance |
| Diagnostic reports | Duration of client relationship + 5 years | Contract + legitimate interest |
| Demo request data | 2 years from enquiry date if no contract is formed | Legitimate interest |
| Activity & audit logs | 12 months rolling | Legitimate interest — security |
| Error logs | 90 days rolling | Legitimate interest — service reliability |
| Authentication data | Until account deletion is requested | Contract performance |
When retention periods expire, data is permanently deleted from all systems including backups. You can request early deletion — see Section 8.
8. Your Rights Under GDPR
You have the following rights. To exercise any of them, email hello@send.lexsutra.com. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl
10. Changes to This Policy
We will notify active clients by email of any material changes to this policy at least 14 days before they take effect. The “last updated” date at the top of this page always reflects the current version.
11. Contact
For any privacy-related questions, data requests, or complaints: