Pre-launch draft — Lexboard is not yet operating as a legal entity. These documents are drafts under legal review and are not yet in effect or binding.
Legal
Last updated: July 2, 2026. Plain-English summary first, formal terms below.
Lexboard is a software tool law firms use to manage their cases. The data your firm puts into Lexboard belongs to your firm. We process it on your behalf, we don't sell it, share it, or train AI models on it.
Your firm's admin controls who at the firm sees what. Lexboard employees only access firm data when (a) you explicitly ask us to for support, or (b) we're responding to a security incident, and every such access is logged.
We use third parties to run the platform, Supabase for the database, Vercel for hosting, Stripe for payments, Twilio for SMS, and AI providers (Anthropic for generative AI features, OpenAI for call transcription and document-search embeddings). A summary is below; the authoritative, current list lives at /legal/subprocessors.
1
Firm data. Cases, clients, documents, communications, ledger entries, and everything your firm enters or uploads. Stored in a Postgres database isolated by firm_id. Encrypted at rest and in transit.
Account data.Names, emails, roles, and last sign-in times of your firm's team members.
Communications data.When your firm connects phone/SMS (RingCentral, Twilio), we process call metadata, SMS and fax content, call recordings, voicemails, and AI-generated transcripts on the firm's behalf. Recording consent and wiretap-law compliance are the firm's responsibility.
Document recipients and portal visitors.When a firm shares a document or invites a client to the portal or LexSign, we collect the recipient's name, phone/email, verification inputs (PIN, date of birth, or SSN digits — used only to verify), IP address, device/browser identifiers, and view/sign events, on the firm's behalf and to secure the link. We also store the push-subscription endpoint of any browser that enables notifications.
Usage telemetry.Error reports and diagnostic logs (via Sentry, first-party proxied). We do not currently run product analytics; if we add it, it will be consent-gated and disclosed here first. Never sold. Never tied to specific firm data without your firm's consent.
Billing data. Stripe handles cards directly; we receive only the customer ID and subscription status.
2
(1) Firm Data. Case files, client identities, SSNs, medical records, communications, recordings, and signatures belong to the law firm that entered them. For Firm Data, Lexboard is a processor / service provideracting only on the firm's documented instructions; the firm is the controller / business. If you are a client of (or a party in a matter handled by) a firm that uses Lexboard, direct privacy requests to that firm. If you contact us instead, we will forward your request to the firm within 10 business days and assist it in responding.
(2) Account & Billing Data. Firm-user profiles, subscription records, support tickets, and telemetry, for which Lexboard is the controller / business and to which the rights sections below apply directly.
3
To deliver the product, support your firm, secure the platform, and handle billing. We do not use firm data to train AI models.
AI features. AI features (chronology, lien negotiator, demand drafter) send relevant context via API to our AI providers: Anthropic, PBC for generative features, and OpenAI for speech-to-text (Whisper) transcription of call recordings and voicemails and for text embeddings used in document search. Both operate under commercial API terms that prohibit training on customer content; providers may retain API data for a limited period (typically up to 30 days) for abuse monitoring, after which it is deleted. Firms using their own API key (BYOK) are governed by their own agreement with the provider.
No automatic redaction.Content you submit to an AI feature — including uploaded medical-record text — is transmitted to the provider as uploaded; Lexboard does not automatically redact identifiers before transmission. Do not invoke AI features on material your firm may not disclose to a third-party processor.
5
Lexboard's core inbox connects to a firm user's Gmail (via Google's Gmail API) or Microsoft 365 mailbox (via the Microsoft Graph API). This section spells out exactly what we access, why, how long we keep it, who we share it with, and how to revoke. It applies to both providers unless stated otherwise.
OAuth scopes we request. From Google, in a single consent grant when a firm connects Google Workspace: gmail.send, gmail.readonly, gmail.modify, userinfo.email, and userinfo.profile (the core inbox); calendar.events(two-way calendar sync of deadlines and appointments — in this per-user flow we cannot see, edit, or delete your other calendars); and drive.file (store and retrieve only the case documents Lexboard creates or that you explicitly pick — we cannot see your other Drive files). Separately, and only if you choose to connect a Google Sheet as a lead source, we ask for spreadsheets.readonly at that time (incremental consent). From Microsoft: the equivalent Mail.Read, Mail.ReadWrite, Mail.Send, and User.Read.
Recipient autocomplete (optional).If you use recipient autocomplete, we ask separately (incremental consent) for read-only access to your Google Contacts and “Other contacts” (contacts.readonly, contacts.other.readonly) solely to suggest addresses as you type; we never copy your contact list to our servers beyond the suggestion cache.
Workspace domain-wide installation (optional). Firms that install Lexboard domain-wide via Google Workspace grant, at the admin's election: full calendar access (auth/calendar, for two-way sync and change notifications) and read-only directory access (admin.directory.user.readonly) used solely to list mailboxes eligible for connection. We do not request any Google or Microsoft service beyond those listed here.
What we access. Email content (subject, body, attachments, headers) for every message the connected mailbox can see; label, folder, and category information; read/unread, starred, archived, and trashed state; drafts (full content, both directions); and the account profile (verified email address, display name, profile photo); your Google Calendar events (to sync deadlines and appointments two-way); the Google Drive files Lexboard creates or that you explicitly select; the contents of any Google Sheet you connect as a lead source; and, only if you grant the optional autocomplete consent above, read-only contact names and addresses to suggest recipients. We do not access: your other Drive files, passwords, or any Google or Microsoft service beyond the grants described above.
Why we access it.
How long we retain it.While the mailbox is connected, synced data is retained according to the firm's configured retention policy (default: 7 years, the standard PI legal-hold window). When the mailbox is disconnected — by the user, a firm admin, or a Lexboard platform admin — every synced email, label, draft, and token is hard-deleted from the primary database within 30 seconds via cascade delete on the mailbox foreign key. Encrypted point-in-time-recovery backups containing the data age out automatically within 7 days (14 days where extended retention is enabled) and are not individually restorable.
Who we share it with. No third party without explicit firm-admin opt-in. Specifically:
Encryption. TLS 1.2+ in transit. AES-256 at rest in the Supabase database. OAuth refresh tokens are encrypted at rest with AES-256-GCM under a versioned platform key registry that supports key rotation without forcing users to reconnect. Tokens are never stored in plaintext and never leave the server.
Data residency. Primary storage is in US-East (AWS via Supabase). Enterprise tiers can request EU or Canada residency at contract time — email legal@lexboard.net.
How to revoke access.Any of these independently revokes Lexboard's Gmail / Microsoft 365 access and triggers a cascade delete of the synced data:
/admin/platform/integrations in response to an escalation or security event.Every revocation, whoever initiates it, is logged in our immutable platform_audit_log with actor, IP, and timestamp.
Compliance.
Data export and deletion requests.Firm admins can export all firm data, including synced mail, from the Admin area (Admin → Data export). For deletion or for individual-user export under GDPR / CCPA, email privacy@lexboard.net with subject “GDPR export” or “GDPR delete.” We respond within 30 days; exports are delivered within 60 days.
Updates to this section. Material changes to how Lexboard handles Gmail or Microsoft 365 data are emailed to firm admins at least 30 days before the change takes effect and surfaced as an in-app banner. The current policy version is tracked in platform_config.tos_version.
6
While your firm is a customer: data retained for as long as your firm wants it. Per-firm retention policies (medical records, intake leads, closed-case files) configurable from /admin.
On cancellation, firm administrators retain export access for 30 days. Customer Data is deleted from primary systems within 90 days of cancellation, except as required by law. Encrypted point-in-time-recovery backups age out automatically within 7 days of primary deletion (14 days where extended retention is enabled).
Right to delete on request: a firm admin can email privacy@lexboard.net and we'll delete sooner.
7
Export. Full firm export available to firm admins from the Admin console as JSON + CSV. Includes documents, audit log, and ledger.
Correction.Edit anything you've entered, anytime.
Deletion. Delete cases, clients, documents from the app. Hard-delete on the audit log requires written request toprivacy@lexboard.net.
Access. Email privacy@lexboard.net for a copy of any personal information we hold about you. Response within 30 days.
Opt-out preference signals. Because we do not sell or share personal information, there is nothing for an opt-out preference signal to opt you out of; we nonetheless treat the Global Privacy Control (GPC) as a valid opt-out of any future sale or sharing.
8
In the preceding 12 months we collected these categories of personal information:
Sources: you, your firm, connected services you authorize (Gmail, Microsoft 365, RingCentral, QuickBooks), and our service providers. Purposes: providing and securing the service, billing, support, and legal compliance.
We do not sell personal information and do notshare it for cross-context behavioral advertising, and we have not done so in the preceding 12 months. We use sensitive personal information only to provide the services requested and as permitted by Cal. Civ. Code §1798.121(a).
You may exercise rights to know, access, correct, delete, and data portability by emailing privacy@lexboard.net; we verify requests via your account email and respond within 45 days. You may use an authorized agent with signed permission. We never discriminate against you for exercising your rights.
9
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, and significant-decision profiling. We do not sell personal data, engage in targeted advertising, or profile for significant decisions.
Submit requests to privacy@lexboard.net. If we decline a request, you may appeal within 30 days by replying “Appeal”; we respond within 45 days, and if the appeal is denied we provide your state Attorney General's contact information.
10
Lexboard is a professional tool; we do not offer it to, or knowingly collect personal information directly from, children under 13. Law firms may store information about minors in their case files; we process it solely as the firm's service provider.
11
We will notify firm admins by email and in-app notice at least 30 days before material changes to this policy take effect; the “Last updated” date above is updated with every revision.
12
Privacy questions: privacy@lexboard.net
Security incidents: security@lexboard.net
Anything else: hello@lexboard.net