Privacy Policy

How LexBuddy collects, uses, and protects your personal data.

PRIVACY NOTICE — LEXBUDDY

Version 1.1 | Last updated: June 4, 2026

1. IDENTITY AND ADDRESS OF THE DATA CONTROLLER

LEX BUDDY, S.A.P.I. DE C.V. (hereinafter, “LexBuddy”), with its registered address at Av. Lázaro Cárdenas 2424, Piso 15 Oficina 3, Col. Residencial San Agustín, San Pedro Garza García, Nuevo León, México, C.P. 66260, is the data controller responsible for the processing of personal data collected through its artificial intelligence platform for legal support, accessible at lexbuddy.ai/legal .

2. PERSONAL DATA WE COLLECT

LexBuddy collects the following categories of personal data:

2.1 Identification and contact data

  • Full name.
  • Email address.
  • Telephone number (optional).
  • Where applicable, the legal name of the law firm or organization you represent.

2.2 Billing and payment data

  • Legal name and tax address (when an invoice is required).
  • RFC (Mexican tax ID).
  • Payment method information (processed through certified financial service providers).

2.3 Platform usage data

  • Conversations you hold with LexBuddy.
  • Documents you upload to the platform.
  • Documents generated by the platform from your inputs.
  • Information about clients, matters, and conversations you organize within the platform.
  • Usage metadata (date, time, type of functionality used).

2.4 Technical data

  • IP address.
  • Device and browser type.
  • Session identifiers.
  • Events during sessions
  • Cookies and similar technologies (see section 12).

2.5 Third-party personal data

Information that the user uploads to the platform may contain personal data of third parties — clients of the law firm, counterparties, persons mentioned in documents. The user represents that they have the necessary legal authorizations for the processing of such data. LexBuddy acts as a data processor with respect to this information.

2.6 Sensitive personal data

LexBuddy does not request the processing of sensitive personal data. To the extent that information the user uploads to the platform contains sensitive data relating to their clients (for example, in family law, labor law, or health contexts), the user is responsible for obtaining the necessary authorizations.

3. PURPOSES OF PROCESSING

3.1 Primary purposes with legitimate aims (necessary for the service)

LexBuddy processes personal data for the following primary purposes, which are indispensable for the provision of the service:

  1. To create, authenticate, and manage your user account.
  2. To provide the platform’s functionalities: document drafting, legal research, organization of matters and conversations, storage, integrations.
  3. To process your queries through artificial intelligence models.
  4. To charge the fees corresponding to the subscribed plan and issue tax receipts where applicable.
  5. To provide technical support and respond to user requests.
  6. To ensure platform security and investigate incidents.
  7. To comply with applicable legal obligations.
  8. To manage individual user accounts within a law firm or organization subscribed to LexBuddy.
  9. Platform usage analysis — exclusively on aggregated and anonymized data — to improve the service. This analysis never includes specific content from conversations or documents.

3.2 Secondary purposes (requiring your consent)

Additionally, LexBuddy may use your data for the following secondary purposes, which require your express consent:

  1. Communications about new features, platform improvements, or relevant commercial information.
  2. Satisfaction surveys and market research.

If you do not wish your data to be used for these secondary purposes, you may state so at any time in accordance with section 9 of this Notice, without affecting the provision of the service.

4. NO USE FOR ARTIFICIAL INTELLIGENCE TRAINING

LexBuddy does NOT use user information — conversations, documents, personal data, or any other content — to train, improve, or develop artificial intelligence models.

This restriction also applies to external artificial intelligence providers used by the platform. LexBuddy contractually requires its providers not to retain or use processed inputs and outputs for training purposes (Zero Data Retention).

5. DATA TRANSFERS

5.1 Data processors LexBuddy shares personal data with data processors that provide services necessary for the operation of the platform. These processors are contractually obligated to process data in accordance with this Privacy Notice and applicable legislation.

Categories of processors:

  1. Artificial intelligence provider — to process queries and generate responses. Such provider operates under Zero Data Retention conditions and without human access to processed data.
  2. Cloud infrastructure providers — for storage of user information.
  3. Financial service providers — for payment processing.
  4. Support and user communication service providers.

5.2 International transfers

Some data processors are located outside Mexico (primarily in the United States of America). These transfers are necessary for the provision of the service and are carried out under the legal mechanisms provided for in the LFPDPPP (Federal Law on Protection of Personal Data Held by Private Parties), including contractual clauses that guarantee an adequate level of protection of personal data.

By accepting this Privacy Notice, you acknowledge that you are informed of and agree to such international transfers.

5.3 Transfers to authorities

LexBuddy may transfer personal data to competent authorities when legally required, without disclosing user information beyond what is strictly required by law.

5.4 No sale of data

LexBuddy does NOT sell personal data to third parties under any circumstances.

5.5 Current list of subprocessors

LexBuddy maintains an up-to-date list of subprocessors involved in the processing of personal data, available at lexbuddy.ai/legal/suppliers . This list is updated when relevant subprocessors are added, modified, or removed.

6. CONFIDENTIALITY AND SECURITY

6.1 Security measures

LexBuddy implements reasonable administrative, technical, and physical measures to protect personal data against unauthorized access, loss, alteration, or disclosure. These measures include, among others:

  • Encryption of data in transit and at rest.
  • Role-based access control and robust authentication.
  • Audit logs for any internal access to user data.
  • Separation of production and development environments.
  • Periodic security audits.

6.2 Restricted internal access

Access by the LexBuddy team to user information is restricted to strictly necessary cases — such as resolution of security incidents or technical support authorized by the user — and is recorded in audit logs.

6.3 Incident notification

In the event of a security incident that significantly affects the user’s personal data, LexBuddy will notify the data subject in accordance with applicable legislation.

7. DATA RETENTION

7.1 During the life of the account LexBuddy retains the user’s personal data while they maintain an active account, in accordance with the purposes described in this Notice.

7.2 After cancellation Within 30 days after account cancellation, LexBuddy will delete user information, except:

  1. Information that LexBuddy is legally required to retain (tax information, authority requests).
  2. Information that the user has expressly authorized to be retained.
  3. Information necessary to fulfill pending obligations (collections, defense against claims).

7.3 Export before cancellation Before canceling your account, you may export your conversation history and documents in the available formats.

8. ARCO RIGHTS

As the data subject, you have the right to:

8.1 Access your personal data in our possession and know the characteristics of the processing.

8.2 Rectify your personal data when they are inaccurate or incomplete.

8.3 Cancel your personal data when you consider that they are not required for any legitimate purpose, are no longer necessary, or you believe that their processing does not comply with applicable legislation.

8.4 Object to the processing of your personal data for specific purposes.

Additionally, you have the right to:

8.5 Revoke the consent you have granted for the processing of your personal data for secondary purposes.

8.6 Limit the use or disclosure of your personal data.

8.7 Request the portability of your personal data in a structured format.

9. PROCEDURE TO EXERCISE ARCO RIGHTS

9.1 Means of exercise To exercise your ARCO rights or any other right relating to your personal data, you may send a request to the following email address: privacidad@lexbuddy.ai

9.2 Information your request must include

  1. Full name of the data subject and an address or means to receive a response.
  2. Document proving your identity or, where applicable, the authority of your representative.
  3. Clear and precise description of the right you wish to exercise and the data to which your request relates.
  4. Any other element that facilitates locating your personal data.

9.3 Response period LexBuddy will respond to your request within 20 business days following receipt, in accordance with Article 32 of the LFPDPPP. The resolution may be implemented within the 15 business days following the date on which the response is communicated.

9.4 Cost The exercise of ARCO rights is free of charge. LexBuddy may charge only justified shipping or reproduction expenses where applicable.

10. PERSONAL DATA CONTACT

LexBuddy SAPI de C.V. is the data controller and handles ARCO rights requests.

Contact details:

  • Email: privacidad@lexbuddy.ai
  • Address: Av. Lázaro Cárdenas 2424, Piso 15 Oficina 3, Col. Residencial San Agustín, San Pedro Garza García, Nuevo León, México, C.P. 66260

11. MINORS

LexBuddy is not directed at persons under 18 years of age. The platform does not intentionally collect personal data from minors. If you are aware that a minor has provided personal data to LexBuddy, please contact us at the email indicated above and we will proceed to delete such information.

12. COOKIES AND SIMILAR TECHNOLOGIES

LexBuddy uses cookies and similar technologies to:

  1. Keep you logged in to the platform.
  2. Remember your usage preferences.
  3. Analyze aggregated and anonymized use of the platform to improve the service.
  4. Ensure platform security.

You may manage cookies through your browser settings. Disabling some cookies may limit platform functionality.

13. DATA PROTECTION AUTHORITY

If you consider that your right to the protection of personal data has been violated, you may file a complaint with the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI):

14. USER RESPONSIBILITY REGARDING THIRD-PARTY DATA

If you are a lawyer or professional who uploads to LexBuddy information containing personal data of your clients, counterparties, or other third parties, you represent that:

  1. You have the necessary legal authorizations for the processing of such personal data.
  2. You comply with your own transparency obligations toward the data subjects whose personal data you process through the platform.
  3. You maintain confidentiality with respect to sensitive or privileged information in accordance with your professional duty.

LexBuddy acts as a data processor with respect to third-party information that the user uploads to the platform, and undertakes to process it only in accordance with the user’s instructions and this Privacy Notice.

15. CHANGES TO THE PRIVACY NOTICE

LexBuddy may modify this Privacy Notice at any time. Modifications will be published on the platform and, when they constitute material changes, users will be notified with reasonable advance notice.

Continued use of the platform after the modifications take effect implies acceptance of the updated Notice. LexBuddy will not modify its obligations regarding confidentiality, non-training, or handling of user data in a manner that adversely affects the user without their express consent.

16. ACCEPTANCE

By using the LexBuddy platform, you accept this Privacy Notice and consent to the processing of your personal data in accordance with the primary purposes described.

For secondary purposes, you may express your consent or refusal at registration or at any later time, in accordance with the procedure described in section 9.

17. CONTACT

For any questions, comments, or requests relating to this Privacy Notice, you may contact us at:

- Email: privacidad@lexbuddy.ai

- Address: Av. Lázaro Cárdenas 2424, Piso 15 Oficina 3, Col. Residencial San Agustín, San Pedro Garza García, Nuevo León, México, C.P. 66260