1. Introduction
This Privacy Policy explains how Lexonica Inc. ("Lexonica," "Company," "we," "us," or "our"), a corporation incorporated under the laws of Canada with its registered office in the Province of New Brunswick, collects, uses, discloses, stores, and protects personal information in connection with the LexFlag website, applications, and related services (collectively, the "Service").
This Privacy Policy applies to all users of the Service, including visitors, registered users, and subscribers. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
This Privacy Policy is incorporated into and forms part of our Terms of Service. Where the Service processes personal data on behalf of customers, the terms of our Data Processing Agreement (DPA) also apply. In the event of a conflict between this Privacy Policy and the Terms of Service, the Terms of Service shall prevail to the maximum extent permitted by applicable law.
You acknowledge that you do not rely on this Privacy Policy, or on any description of our data handling practices, as a guarantee of security, regulatory compliance, or risk-free processing. The Service is not intended to be relied upon as the sole basis for any legal, regulatory, compliance, or business decision regarding the processing of personal data. The disclaimers, limitations of liability, and indemnification provisions in our Terms of Service apply to all matters arising under this Privacy Policy.
Data Controller and Data Processor Roles
For the purposes of applicable data protection laws:
- Lexonica acts as a data controller with respect to personal information collected for its own purposes, including account registration data, billing information, usage analytics, customer support communications, and website visitor data
- Lexonica acts as a data processor with respect to personal data that users submit to the Service for screening, risk assessment, and due diligence purposes (e.g., names, addresses, and identifying information of third-party entities). In this capacity, the user is the data controller and is responsible for ensuring a lawful basis for processing such data
Where Lexonica acts as a data processor, our processing is governed by the Data Processing Agreement and the user's instructions. This Privacy Policy primarily describes Lexonica's practices as a data controller.
2. Scope and Applicable Laws
Lexonica is committed to complying with applicable privacy and data protection laws, including but not limited to:
- Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
- General Data Protection Regulation (GDPR) (European Economic Area)
- UK GDPR (United Kingdom)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Other applicable national, provincial, or state privacy laws
Where local law provides additional rights or protections, those rights apply to the extent required by law.
While Lexonica implements measures designed to comply with applicable data protection laws, we do not guarantee compliance in all jurisdictions or under all circumstances. Data protection laws vary by jurisdiction and are subject to change, differing regulatory interpretations, and evolving enforcement practices. To the extent permitted by applicable law, Lexonica disclaims liability for any non-compliance resulting from changes in law, conflicting regulatory requirements, or circumstances beyond our reasonable control.
3. Definitions
- "Personal Information" means any information that identifies or can reasonably be linked to an identifiable individual.
- "Sensitive Personal Information" has the meaning given under applicable privacy laws (e.g., precise location, government identifiers, financial data).
- "Processing" means any operation performed on personal information, including collection, use, storage, disclosure, or deletion.
4. Information We Collect
4.1 Information You Provide Directly
We may collect personal information that you voluntarily provide, including:
- Account information (name, email address, login credentials)
- Entity profiles and vendor/company data submitted for screening
- Screening reports, risk assessment results, and related notes
- Team membership and organizational information
- Communications with customer support
- Billing and subscription information (processed by third-party payment processors)
4.2 Information Collected Automatically
When you access the Service, we may automatically collect:
- IP address and general location (city, country)
- Device type, operating system, browser type
- Log data, usage data, and interaction data
- Cookies and similar technologies
4.3 Information from Third Parties
We may receive information from Third-Party Services integrated with the Service, including sanctions databases, adverse media sources, court record providers, company registries, and news aggregators. This information is used to generate screening results and risk assessments at your direction.
Personal information obtained from third-party sources may be inaccurate, incomplete, outdated, or contain errors. Lexonica does not independently verify the accuracy of data received from third-party providers and makes no representations or warranties regarding such data. You are responsible for independently verifying all information before making any decision based on it.
4.4 Your Responsibility for Third-Party Personal Data
When you submit personal data of third parties (such as names, addresses, dates of birth, national identifiers, or other identifying information of individuals or entities) to the Service for screening or due diligence purposes, you are the data controller for that data and bear sole responsibility for:
- Ensuring you have a lawful basis under applicable data protection laws (e.g., GDPR Article 6, PIPEDA Section 5) for submitting such data to the Service
- Providing any required privacy notices to, and obtaining any required consents from, the individuals whose data you submit
- Ensuring the accuracy and relevance of the data you submit
- Complying with any data subject requests (access, rectification, erasure) relating to data you have submitted
Lexonica processes this data solely as a data processor under your instructions and in accordance with our Data Processing Agreement. Lexonica disclaims all liability arising from your failure to comply with your obligations as data controller for third-party personal data submitted to the Service.
You assume all risks associated with submitting, processing, and storing personal data through the Service, including the risk that screening results based on such data may be inaccurate, incomplete, or outdated. Lexonica does not verify the lawfulness or accuracy of data you submit.
5. How We Use Personal Information
We use personal information for the following purposes:
- To provide, operate, maintain, and improve the Service
- To create and manage user accounts and team memberships
- To perform entity screenings, risk assessments, and due diligence analyses
- To process subscriptions and payments
- To communicate with you regarding the Service
- To provide customer support
- To ensure security, fraud prevention, and abuse detection
- To comply with legal obligations and enforce our Terms of Service
We do not sell personal information.
Aggregate and De-identified Data
Lexonica may create aggregate, anonymized, or de-identified data derived from personal information by removing or obscuring identifying characteristics so that the data can no longer reasonably be linked to an identifiable individual. Data in that form is not personal information under applicable data protection laws. Lexonica may use, disclose, and retain such aggregate or de-identified data for any lawful purpose, including service improvement, analytics, research, benchmarking, and statistical reporting, without restriction and without obligation to you.
Legal and Compliance Purposes
Lexonica may process and retain personal information where reasonably necessary to:
- Comply with legal obligations, court orders, subpoenas, or binding requests from regulatory or law enforcement authorities
- Establish, exercise, or defend legal claims or proceedings
- Investigate, prevent, or address fraud, security incidents, or violations of our Terms of Service
- Protect the rights, property, or safety of Lexonica, its users, or the public
- Fulfill regulatory reporting obligations, including anti-money laundering, sanctions, and tax compliance requirements
Personal information retained for these purposes will be processed only to the extent necessary and will be protected with appropriate safeguards.
6. Legal Bases for Processing (GDPR)
Where GDPR applies, Lexonica processes personal information based on one or more of the following legal bases:
- Contractual necessity — to provide the Service, manage your account, and fulfill our obligations under the Terms of Service
- Consent — where you have given explicit, informed, and freely given consent (e.g., for non-essential cookies or optional communications)
- Legitimate interests — to improve, secure, and operate the Service, including fraud prevention, analytics, and product development, where our interests are not overridden by your data protection rights
- Legal obligations — to comply with applicable laws, regulations, court orders, or binding requests from law enforcement or regulatory authorities
How We Obtain and Record Consent
Where consent is the legal basis for processing, Lexonica obtains consent through clear, affirmative actions, including:
- Checking a required consent checkbox during account registration to accept the Terms of Service and this Privacy Policy
- Checking a required age confirmation checkbox during account registration to confirm that you are at least 16 years old
- Responding to the cookie consent banner presented on first visit, where you may accept all cookies or limit to strictly necessary cookies only
Consent records — including the type of consent, timestamp, IP address, and method (e.g., checkbox, banner) — are stored in our database. These records are retained for the duration required to demonstrate compliance with applicable laws.
You may withdraw consent at any time by contacting us at tim@lexonica.com, by deleting your account through your account settings, or by changing your cookie choices through the "Cookie Preferences" link in the website footer or by clearing your browser cookies (either of which will re-trigger the consent banner). Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
7. Artificial Intelligence and Automated Processing
The Service includes AI-assisted features that analyze data from multiple sources to produce risk assessments and screening reports.
- Lexonica does not train proprietary AI models using your Personal Information
- AI outputs — including risk scores, entity analyses, and screening findings — are generated based on inputs you provide and data retrieved from third-party sources
- You remain responsible for reviewing and verifying all AI-generated content
Accuracy Disclaimer
AI-generated outputs may be inaccurate, incomplete, outdated, or misleading. Screening results may produce false positives (incorrectly flagging an entity) or false negatives (failing to identify a genuine risk indicator). AI outputs are provided on an "as is" basis and do not constitute legal, regulatory, compliance, or professional advice. You must independently verify all AI-generated content before making any decision. Lexonica disclaims all liability for decisions, actions, losses, or consequences arising from reliance on AI-generated outputs, to the maximum extent permitted by applicable law.
The limitations of liability, disclaimers, and indemnification provisions set out in our Terms of Service (Sections 16, 17, and 18) apply with full force to all data processing and AI-generated outputs described in this Privacy Policy.
Automated Decision-Making
Lexonica does not make automated decisions that produce legal or similarly significant effects solely through automated processing, within the meaning of applicable data protection laws. Risk scores and screening results are provided as informational tools to support human decision-making. No screening result generated by the Service should be treated as a final determination of risk or compliance status.
8. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
Cookies Set by the Service
- Session cookie — a strictly necessary cookie that identifies your browser session. It is required for core functionality, authentication, and CSRF protection. This cookie expires when you close your browser (or after the server-side session timeout)
- XSRF-TOKEN cookie — a strictly necessary cookie used by the application framework for cross-site request forgery (CSRF) protection
- Remember-me cookie — set only if you select the "Remember me" option during login. This persistent cookie allows you to remain authenticated across browser sessions
Third-Party Cookies
- Google reCAPTCHA — the Service uses Google reCAPTCHA v3 for bot detection and abuse prevention on forms. When reCAPTCHA loads, your browser may interact with Google's servers, and Google may set its own cookies on your device. Google's use of this data is governed by Google's Privacy Policy and Terms of Service. As part of reCAPTCHA verification, your IP address is transmitted to Google
The Service does not currently use analytics cookies, advertising cookies, or tracking pixels. If we introduce such technologies in the future, this Privacy Policy will be updated accordingly.
Cookie Consent Banner
On your first visit, a cookie consent banner is displayed at the bottom of the page, allowing you to choose between:
- "Accept All" — permits all cookies listed above, including third-party security cookies from Google reCAPTCHA
- "Necessary Only" — permits only strictly necessary cookies required for core functionality (session, CSRF protection)
Your preference is stored in a cookie (cookie_consent) for up to 12 months. You may reset your preference at any time through the "Cookie Preferences" link in the website footer or by clearing your browser cookies; either will re-trigger the consent banner on your next visit.
Note: Google reCAPTCHA is used for security and abuse prevention. Even if you select "Necessary Only," reCAPTCHA may still be loaded on form submissions to protect the Service from automated abuse, on the basis that it is strictly necessary to secure the Service, as permitted by the security exemption in applicable cookie rules. Any cookies Google sets in that case are governed by Google's policies, as described above.
Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no universally accepted standard for how to respond to DNT signals, the Service does not currently alter its data collection or processing practices in response to DNT signals. If a uniform standard is adopted in the future, we will update this Privacy Policy accordingly.
Additional Choices
You may also control cookies through your browser settings, including blocking or deleting cookies. However, disabling strictly necessary cookies may prevent you from using the Service. Third-party cookies set by Google reCAPTCHA can be controlled through your browser settings or Google's own privacy controls.
9. Data Sharing and Disclosure
We may share personal information only in the following circumstances:
- Service providers — third parties who perform services on our behalf, including cloud hosting, infrastructure management, analytics, customer support, and payment processing (e.g., Stripe). These providers are bound by Data Processing Agreements and may only process personal information for the specific purposes we authorize
- Third-party data providers — sanctions databases, adverse media sources, court record services, company registries, and news aggregators, used to perform screenings and risk assessments at your direction
- Legal and regulatory authorities — where disclosure is required to comply with a court order, subpoena, legal process, or binding request from a law enforcement or regulatory authority with jurisdiction; to respond to a lawful national security or emergency request; or to comply with applicable anti-money laundering, sanctions, tax, or other regulatory reporting obligations
- Business transactions — in connection with a merger, acquisition, corporate reorganization, financing, or sale of all or a portion of our assets, where personal information may be transferred as part of the transaction, subject to confidentiality obligations
- Protection of rights — where reasonably necessary to protect the rights, property, or safety of Lexonica, its users, or the public, including to enforce our Terms of Service and to investigate potential violations
All service providers and sub-processors are contractually required to protect personal information, use it only for authorized purposes, and implement security measures consistent with this Privacy Policy. Lexonica does not sell, rent, or lease personal information to third parties.
While Lexonica requires its service providers and sub-processors to maintain appropriate data protection standards, Lexonica is not responsible for the independent actions, omissions, security practices, or data breaches of third-party service providers (including Stripe, Google, SendGrid, and third-party data sources) that act beyond the scope of Lexonica's instructions. Lexonica's liability for third-party processing is limited to the extent set out in our Terms of Service (Section 17) and Data Processing Agreement.
10. International Data Transfers
Personal information may be processed and stored in Canada, the United States, or other jurisdictions where our service providers operate. These jurisdictions may have data protection laws that differ from those in your country of residence.
Safeguards for Cross-Border Transfers
When transferring personal information outside of your jurisdiction, Lexonica implements one or more of the following safeguards to ensure an adequate level of protection:
- Adequacy decisions — transferring data to jurisdictions recognized as providing an adequate level of data protection (e.g., the European Commission has recognized Canada as adequate for recipients subject to PIPEDA)
- Standard Contractual Clauses (SCCs) — relying on EU-approved Standard Contractual Clauses incorporated into our service providers' data processing terms for transfers to jurisdictions without an adequacy decision, as permitted under GDPR Article 46(2)(c)
- Data Processing Agreements (DPAs) — requiring all sub-processors and service providers to execute binding contractual commitments that include obligations regarding data protection, security, confidentiality, and breach notification. Our Data Processing Agreement details how we process data on behalf of our customers and lists our current sub-processors
- Supplementary measures — where necessary, implementing additional technical measures (such as encryption in transit via TLS) and organizational measures to supplement the protections provided by SCCs or other transfer mechanisms
You may request a copy of the safeguards used for specific transfers by contacting us at tim@lexonica.com.
11. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected. The following retention guidelines apply:
Retention Guidelines by Data Type
- Account information (name, email, credentials) — retained for the duration of your account. When you delete your account through your account settings, your account information is deleted from the primary database. Residual copies may persist in encrypted backups for a limited period consistent with our backup rotation schedule
- Screening data and reports (entity profiles, risk assessments, due diligence records) — retained for the duration of your account. Upon account deletion, associated screening data is deleted from the primary database. We aim to complete all associated deletions within a reasonable timeframe, unless longer retention is required by applicable law
- Billing and transaction records — retained for a minimum of 7 years after the last transaction, as required by tax, accounting, and financial reporting obligations. Billing data processed by Stripe is also subject to Stripe's own retention policies
- Server logs — retained in accordance with the logging configuration of our hosting infrastructure, typically for a limited period for security and debugging purposes
- Customer support communications — retained for as long as reasonably necessary to provide ongoing support and resolve disputes
- Cookies — session cookies expire when you close your browser; the optional remember-me cookie persists until you log out or it expires; third-party reCAPTCHA cookies are governed by Google's policies
Where personal information is retained to comply with legal obligations, resolve disputes, or enforce our agreements, it will be retained only for as long as required by the applicable obligation and then deleted.
Account Deletion
You may delete your account at any time through your account settings. Account deletion removes your profile information and associated data from the primary database. You may also request deletion by contacting us at tim@lexonica.com. We will respond to deletion requests within 30 days, subject to legal retention requirements.
12. Data Security
Lexonica implements reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, loss, misuse, or disclosure. These measures include, but are not limited to:
- Encryption in transit — all communications between your browser and the Service are encrypted using TLS (HTTPS). In production, the Service enforces HTTPS and sets HTTP Strict Transport Security (HSTS) headers
- Password security — user passwords are hashed using bcrypt, a salted, deliberately slow one-way hashing algorithm, and are never stored in plaintext
- CSRF and session protection — the Service implements cross-site request forgery (CSRF) tokens, secure session management, and HTTP security headers (including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy)
- Bot and abuse protection — public forms are protected by Google reCAPTCHA v3 and rate limiting to prevent automated abuse
- Access controls — access to personal information is restricted to authorized personnel. The Service implements role-based access controls, email verification, and team-based permission scoping
- Application logging — the Service maintains application logs for debugging, error tracking, and security review. These logs are accessible only to authorized administrators
No system is completely secure, and Lexonica cannot guarantee absolute security. Despite our commercially reasonable efforts, unauthorized access, data breaches, or security incidents may occur. Lexonica does not guarantee that the Service will be secure or free from unauthorized access, vulnerabilities, viruses, or other security threats. To the maximum extent permitted by applicable law, Lexonica shall not be liable for any unauthorized access to, or breach of, our security measures, except where such breach results directly from our gross negligence or willful misconduct. For the purposes of this Privacy Policy, "gross negligence" and "willful misconduct" shall be interpreted narrowly under the applicable governing law, consistent with the definitions in our Terms of Service (Section 17), and shall not include the inherent limitations of technology, third-party service failures, or security threats that could not reasonably have been prevented.
In the event of a data breach affecting your personal information, Lexonica will notify you and the relevant supervisory authorities without undue delay and in accordance with applicable breach notification laws, including PIPEDA, GDPR Articles 33 and 34, and applicable state breach notification laws.
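Whether a deployment actually applies the measures listed in this section can be checked from its HTTP response headers. The following is an added example written for this page, not code from Lexonica or the LexFlag service: it parses the headers a tool such as curl prints and reports which of the stated protections (HSTS, the four security headers, the session and CSRF cookies, the opt-in remember-me cookie) are absent or weakly configured, and also flags the Secure, HttpOnly and SameSite cookie attributes a practitioner would expect even though the policy does not list them. The cookie names "session" and "remember_me", the six-month HSTS threshold and both sample responses are assumptions constructed for the example; only "XSRF-TOKEN" is named by the policy.

```python
"""Offline checker for the transport and cookie protections a web service claims.
Added example, not Lexonica/LexFlag code. Feed it the headers printed by
`curl -sI https://<host>/login` as (name, value) pairs; samples are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Sanity floor for HSTS max-age: six months (an assumption matching the browser
# preload-list minimum, not a figure from the policy).
MIN_HSTS_MAX_AGE = 15_552_000

# Cookie names are assumptions; the policy names only "XSRF-TOKEN".
SESSION_COOKIE = "session"
REMEMBER_COOKIE = "remember_me"


def parse_set_cookie(line: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes with no value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def parse_hsts(value: str) -> Dict[str, object]:
    """Extract max-age and includeSubDomains from a Strict-Transport-Security value."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return {"max_age": int(m.group(1)) if m else None,
            "include_subdomains": "includesubdomains" in value.lower()}


def check_response(headers: List[Header], remember_me_requested: bool = False) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    by_name: Dict[str, List[str]] = {}
    for k, v in headers:
        by_name.setdefault(k.lower(), []).append(v)

    def first(name: str) -> Optional[str]:
        vals = by_name.get(name.lower())
        return vals[0] if vals else None

    # Encryption in transit: HSTS must be present with a meaningful max-age.
    hsts = first("Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            findings.append("HSTS max-age missing")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")

    # The four HTTP security headers the policy lists.
    xfo = first("X-Frame-Options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    xcto = first("X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    for name in ("Referrer-Policy", "Permissions-Policy"):
        if first(name) is None:
            findings.append(f"{name} missing")

    # Cookie hygiene: every cookie Secure + SameSite; session cookie HttpOnly and
    # browser-session scoped; remember-me persistent and only when opted in.
    # XSRF-TOKEN is deliberately script-readable (double-submit), so no HttpOnly check.
    cookies = {c["name"]: c for c in map(parse_set_cookie, by_name.get("set-cookie", []))}
    for name, cookie in cookies.items():
        attrs = cookie["attrs"]
        persistent = "max-age" in attrs or "expires" in attrs
        if attrs.get("secure") is not True:
            findings.append(f"cookie {name} lacks Secure")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} lacks SameSite")
        if name == SESSION_COOKIE:
            if attrs.get("httponly") is not True:
                findings.append("session cookie lacks HttpOnly")
            if persistent:
                findings.append("session cookie is persistent; expected browser-session scope")
        elif name == REMEMBER_COOKIE:
            if not persistent:
                findings.append("remember-me cookie is not persistent")
            if attrs.get("httponly") is not True:
                findings.append("remember-me cookie lacks HttpOnly")
            if not remember_me_requested:
                findings.append("remember-me cookie set without the option being selected")
    for required in (SESSION_COOKIE, "XSRF-TOKEN"):
        if required not in cookies:
            findings.append(f"no {required} cookie set")
    return findings


# Constructed sample responses (not captured from LexFlag).
GOOD_HEADERS: List[Header] = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "XSRF-TOKEN=tok456; Path=/; Secure; SameSite=Lax"),
    ("Set-Cookie", "remember_me=r789; Path=/; Max-Age=2592000; Secure; HttpOnly; SameSite=Lax"),
]
WEAK_HEADERS: List[Header] = [
    ("Strict-Transport-Security", "max-age=300"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "no-referrer"),
    ("Set-Cookie", "session=abc123; Path=/; Max-Age=3600; SameSite=Lax"),
    ("Set-Cookie", "XSRF-TOKEN=tok456; Path=/; SameSite=Lax"),
]
```

Against a live host, capture the response with curl, turn each header line into a (name, value) pair, and pass the list to check_response; an empty result means every stated protection was observed, while the WEAK_HEADERS sample yields six findings (short HSTS max-age, missing Permissions-Policy, a persistent session cookie without Secure or HttpOnly, and a CSRF cookie without Secure).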
13. Your Rights and Choices
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal information we hold about you
- Rectification — request correction of inaccurate or incomplete personal information
- Erasure — request deletion of your personal information, subject to legal retention requirements
- Restriction — request that we restrict processing of your personal information in certain circumstances
- Objection — object to processing based on legitimate interests or direct marketing
- Withdrawal of consent — withdraw consent at any time where consent is the legal basis for processing
- Data portability — receive a copy of your personal information in a structured, commonly used, and machine-readable format
- Lodge a complaint — file a complaint with a supervisory authority in your jurisdiction if you believe your data protection rights have been violated
Self-Service Data Access
Authenticated users can exercise certain rights directly through their account settings:
- Data export — use the "Download My Data" feature in your profile settings to receive a machine-readable JSON export of your account information, team memberships, entity profiles, screening results, and consent records
- Account deletion — use the "Delete Account" feature in your profile settings. Prior to deletion, a consent record and audit log entry are created to document that the erasure was user-initiated
- Cookie preferences — use the "Cookie Preferences" link in the website footer to reset and reconfigure your cookie consent choices at any time
How to Submit a Request
For requests that cannot be fulfilled through self-service features, you may email tim@lexonica.com with the subject line "Data Subject Request." We may verify your identity before processing your request to prevent unauthorized access.
Response Times
Lexonica will acknowledge receipt of your request within 5 business days and will respond substantively within 30 calendar days of receipt. If your request is complex or we receive a high volume of requests, we may extend the response period by up to two further months (approximately 60 days), in which case we will notify you of the extension and the reasons for it within the initial 30-day period, as permitted under GDPR Article 12(3).
There is no fee for exercising your data protection rights, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request, as permitted by applicable law.
14. California Privacy Rights (CCPA/CPRA)
This section applies to California residents and supplements the information in the rest of this Privacy Policy. Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the following rights:
- Right to know — request disclosure of the categories and specific pieces of personal information collected, the sources and purposes of collection, and the categories of third parties with whom information is shared
- Right to delete — request deletion of personal information, subject to legal exceptions
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale/sharing — opt out of the sale or sharing of personal information for cross-context behavioral advertising. Lexonica does not sell or share personal information as defined under California law
- Right to limit use of sensitive personal information — direct Lexonica to limit the use and disclosure of sensitive personal information to purposes necessary to provide the Service. Lexonica does not use sensitive personal information for purposes beyond what is necessary to provide the Service
- Right to non-discrimination — not be discriminated against for exercising any of these rights
Categories of Personal Information Collected
In the preceding 12 months, Lexonica has collected the following categories of personal information as defined by the CCPA: identifiers (name, email, IP address), commercial information (subscription and billing records), internet or electronic network activity (usage logs, browser type), and professional or employment-related information (job title, company name). Lexonica has not collected biometric data, precise geolocation data, or financial account numbers directly.
How to Exercise Your Rights
California residents may submit requests by emailing tim@lexonica.com with the subject line "California Privacy Request," or by using the self-service data export and account deletion features in your account settings. We will verify your identity before processing your request. Authorized agents may submit requests on your behalf with verifiable written authorization.
15. Children's Privacy
The Service is not directed to children. We do not knowingly collect personal information from children under the age of 13 (as defined by the U.S. Children's Online Privacy Protection Act, "COPPA") or under the age of 16 (as defined by the GDPR).
During account registration, users are required to confirm via a mandatory checkbox that they are at least 16 years old. If you are under 13, you may not use the Service under any circumstances. If you are 13 to 15 years old, you may use the Service only with verifiable parental or guardian consent, as required by applicable law.
If we become aware that we have collected personal information from a child without the required parental consent, we will take prompt steps to delete such information and terminate the associated account. If you believe that a child under 13 (or under 16 in the EEA/UK) has provided us with personal information, please contact us immediately at tim@lexonica.com.
16. Limitation of Liability and Indemnification
This Privacy Policy describes Lexonica's data handling practices but does not create obligations, warranties, or guarantees beyond those required by applicable law. The limitations of liability, disclaimers, indemnification provisions, and dispute resolution mechanisms set out in our Terms of Service apply with full force to all matters arising under or in connection with this Privacy Policy.
To the maximum extent permitted by applicable law, you agree to indemnify and hold Lexonica harmless from any claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from:
- Your failure to comply with applicable data protection laws in your capacity as data controller for third-party personal data submitted to the Service
- Your failure to obtain required consents, provide required notices, or establish a lawful basis for processing personal data through the Service
- Any data subject claims, regulatory investigations, or enforcement actions arising from personal data you submitted to or processed through the Service
This indemnification obligation is in addition to, and does not limit, the indemnification provisions in the Terms of Service (Section 18).
17. Changes to This Privacy Policy
Lexonica may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. For material changes, Lexonica will provide notice by email to registered users or by prominently posting notice within the Service at least fifteen (15) days before the changes take effect, unless an earlier effective date is required by law or is necessary to address an immediate security or fraud concern.
Continued use of the Service after the effective date of any modification constitutes your acceptance of the updated Privacy Policy. If you do not agree with a material change, you must stop using the Service before the change takes effect and, if applicable, delete your account.
We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this page indicates when this Privacy Policy was last revised.
18. Contact Information
For questions about this Privacy Policy or to exercise your data protection rights, please contact us:
Lexonica Inc.
New Brunswick, Canada
Email: tim@lexonica.com
Website: LexFlag
Supervisory Authorities
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the appropriate supervisory authority:
- Canada — Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
- European Economic Area — the data protection authority in the EU/EEA member state where you reside or where you believe the infringement occurred. A list of EU DPAs is available at edpb.europa.eu
- United Kingdom — Information Commissioner's Office (ICO): ico.org.uk
- California — California Privacy Protection Agency (CPPA): cppa.ca.gov
We encourage you to contact us first so that we may attempt to resolve your concern directly.
By using LexFlag, you acknowledge that you have read and understood this Privacy Policy.