Legal

Privacy Policy

Last updated: 1 March 2026

Who we are

LexiCo AS is a Norwegian company and the data controller for any personal data we collect when you use this service. If you have questions about how we handle your data, contact us at contact us.

What we collect and why

We collect the minimum data needed to operate the service:

  • Account data — your email address and a hashed (bcrypt) version of your password. Used to authenticate you and manage your account.
  • Usage metadata — token counts, request counts, latency, and cost per request. Used for billing, rate limiting, and service monitoring. We do not store the content of your AI conversations.
  • Billing data — Stripe customer ID and transaction history. Used to process payments and maintain your prepaid credit balance.
  • Security and audit data — login events, API key creation, and other security-relevant actions. Used to detect abuse and investigate incidents.

Your provider API keys

API keys for third-party providers (such as OpenAI or Anthropic) are passed through in-memory with each request and forwarded directly to your provider. They are never written to disk, logged, or stored in any database. You remain solely responsible for your provider account and any usage billed there.

Cookies and local storage

We use a single session cookie (lexi_session) to keep you signed in. It is HTTP-only and not accessible to JavaScript. We do not use advertising cookies or third-party tracking scripts.

Third-party services

  • Stripe — processes payments. Your card data is held by Stripe and subject to their privacy policy. We receive only a customer reference ID.
  • Resend — delivers transactional emails (password reset links). Your email address is shared with them for this purpose only.

We do not sell, rent, or share personal data with any other third parties.

Data retention

  • Account data — retained for the lifetime of your account. After a deletion request, removed within 30 days.
  • Usage records — retained for 12 months for billing and support.
  • Audit logs — retained for 12 months.
  • Context processing data — ephemeral. Not retained after each request completes.

Your rights under GDPR

As a person whose data we process, you have the right to:

  • Access — request a copy of the data we hold about you.
  • Rectification — have inaccurate data corrected.
  • Erasure — request deletion of your account and associated data.
  • Data portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Lodge a complaint — with the Norwegian Data Protection Authority (Datatilsynet) if you believe your rights have been violated.

To exercise any of these rights, contact us at contact us.

Changes to this policy

We may update this policy when we change how we handle data. Material changes will be communicated by email to registered accounts at least 14 days before taking effect.

Contact

LexiCo AS, Norway
contact us

An unhandled error has occurred. Reload X