Privacy Policy
Last updated: 10 March 2026
At a glance:
Lexlens is a GDPR-compliant service operated from Portugal. We collect only what is necessary to run the platform, never sell your data, and do not use advertising or tracking tools. Push notifications and digest emails are always opt-in. You can request deletion of your account and all associated data at any time by emailing privacy@lexlens.io.
1. Data Controller
Lexlens is operated by Opiniões Diligentes, Consultoria Estratégica ("Lexstream", "we", "us", "our"), PT516025660, a company registered in Portugal. Lexstream is the data controller responsible for processing your personal data under the EU General Data Protection Regulation (GDPR) and the Portuguese data protection framework.
For all data protection enquiries: privacy@lexlens.io
2. Personal Data We Collect
2.1 Account Information
When you create a Lexlens account we collect:
- Email address
- Display name and username
- Avatar image (if provided)
- Password — stored exclusively as a bcrypt hash (cost factor 12); your plain-text password is never stored or accessible to us
- Preferred legal categories and jurisdiction
2.2 Usage Data
To personalise your feed and remember your preferences, we record:
- Articles you save, mark as read, or flag as important
- Custom keyword lenses you create (Pro subscribers)
- Notification and digest email preferences
- Last login timestamp
2.3 Device and Technical Data
- Push notification tokens — device identifiers required to deliver notifications via Apple Push Notification service (APNs). These tokens do not identify you personally and are removed on logout or app uninstall.
- Offline cache — the mobile app stores up to 200 recent articles of publicly-available information in your device's local database for offline reading. This data remains on your device and expires automatically after 24 hours.
- Biometric credentials — if you enable Face ID or Touch ID, your authentication token is stored in the iOS Keychain (hardware-encrypted by Apple's Secure Enclave). We never access or store your biometric data itself.
2.4 Payment Data
Subscription payments are processed entirely by Stripe, a PCI DSS-certified payment processor. We store only your Stripe customer ID and subscription status. We have no access to your card number, bank account details, or other financial information.
2.5 Data We Do Not Collect
- We do not use analytics or tracking services (no Google Analytics, no advertising trackers)
- We do not log IP addresses
- We do not profile users for advertising purposes
- We do not sell, rent, or share your personal data with advertisers or data brokers
3. Legal Basis for Processing (GDPR Art. 6)
The table below sets out the legal basis we rely on for each processing activity.
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Delivering articles and personalised feeds | Contract performance (Art. 6(1)(b)) |
| Push notifications and digest emails | Consent (Art. 6(1)(a)) — opt-in only |
| Subscription billing via Stripe | Contract performance (Art. 6(1)(b)) |
| Bot protection (reCAPTCHA v3) | Legitimate interests (Art. 6(1)(f)) — platform security |
| Email verification and password reset | Contract performance (Art. 6(1)(b)) |
Where we rely on your consent (e.g. push notifications, digest emails), you may withdraw that consent at any time without affecting the lawfulness of prior processing. See Section 7 for how to exercise your rights.
4. Third-Party Services and International Data Transfers
We use a limited number of carefully selected third-party processors to operate Lexlens. Each processor is bound by a Data Processing Agreement (DPA) and, where data is transferred outside the European Economic Area, by EU Standard Contractual Clauses (SCCs) or an equivalent adequacy mechanism.
| Service | Purpose | Data Shared | Location | Transfer Basis |
|---|---|---|---|---|
| Heroku (Salesforce) | Backend hosting & database | Account and usage data | EU (Ireland) | Adequacy |
| Vercel | Frontend hosting (CDN) | Static assets only — no user data | Global CDN | Adequacy / SCCs |
| Stripe | Payment processing | Email, display name, customer ID | US | EU SCCs |
| Firebase (Google) | Push notification delivery | Device tokens, notification content | US | EU SCCs |
| Resend | Transactional & digest emails | Email address, email content | US | EU SCCs |
| Google reCAPTCHA v3 | Bot protection | Browser interaction signals — no personal data | US | EU SCCs |
| LearnWorlds | Single sign-on (optional) | Email, name, profile data (via OAuth) | EU | Adequacy |
| Anthropic (Claude AI) | Article classification & summaries | Article text only — no user data | US | EU SCCs |
We do not transfer personal data to countries without adequate protection or appropriate safeguards. If you would like a copy of the relevant SCCs or DPAs, contact us at privacy@lexlens.io.
5. Cookies and Local Storage
Lexlens uses minimal cookies and local storage, strictly limited to what is necessary to provide the service. We do not use advertising cookies, social media cookies, or third-party tracking cookies.
- Session cookie (session) — a secure, HTTP-only cookie containing your encrypted authentication token. Expires after 7 days. Strictly necessary for the service to function.
- Local storage token — a copy of your session token stored in your browser for API requests. Cleared automatically on logout.
- IndexedDB offline cache — articles cached for offline reading (24-hour expiry, device-only, never transmitted to our servers).
6. Data Retention
We retain your data only for as long as necessary to provide the service or comply with legal obligations.
- Account data — retained while your account is active; deleted within 30 days of an account deletion request.
- Usage data (saved, read, and important articles) — retained while your account is active; deleted with your account.
- Email verification tokens — expire automatically after 24 hours.
- Password reset tokens — expire automatically after 1 hour.
- Offline cache — expires automatically after 24 hours on your device.
- Push notification tokens — removed when you log out or uninstall the app.
- Digest email logs — retained for service monitoring purposes and anonymised after 90 days.
7. Your Rights Under the GDPR
As a data subject in the European Economic Area you have the following rights. To exercise any of them, contact us at privacy@lexlens.io. We will respond within 30 days.
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — ask us to correct inaccurate personal data.
- Right to erasure (Art. 17) — request deletion of your account and all associated personal data.
- Right to restriction (Art. 18) — ask us to restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — withdraw consent for push notifications or digest emails at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD — www.cnpd.pt) or the supervisory authority in your EU Member State.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Key measures include:
- All connections encrypted with TLS/HTTPS
- Passwords hashed using bcrypt (cost factor 12)
- Authentication tokens are HTTP-only, secure-flagged, and time-limited
- Biometric credentials stored exclusively in the iOS Keychain (hardware-encrypted by Apple's Secure Enclave)
- Database access restricted to authorised services and encrypted at rest
- Payment data handled exclusively by PCI DSS-compliant Stripe
- Bot protection via Google reCAPTCHA v3
No method of transmission over the internet is 100% secure. If you become aware of a security concern relating to your account, please contact us immediately at privacy@lexlens.io.
9. Children's Privacy
Lexlens is a professional legal intelligence service and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@lexlens.io and we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or through the Lexlens platform at least 14 days before the changes take effect. The "last updated" date at the top of this page indicates when this policy was last revised. Continued use of the service after changes take effect constitutes acceptance of the revised policy.
11. Contact Us
For any questions about this privacy policy or our data practices, please get in touch:
Email: privacy@lexlens.io
Website: lexlens.io
We aim to respond to all enquiries within 5 business days.