Privacy

Personal data: Information relating to an identified or identifiable natural person

Processing: Operations carried out on personal data (collection, organization, use, transmission, etc.)

Data Controller: Entity that determines purposes and means of processing personal data (Outlex for account/billing)

Data Processor: Entity that processes personal data on behalf of the controller (Outlex for Customer Data)

Account & Business Data: Name, work email, company, role, billing contacts, subscription tier

Usage/Technical Data: Device/OS info, IP, timestamps, event logs, telemetry, cookie IDs

Customer Data: Documents, contract text, comments, AI prompts/outputs, tags, metadata

Support Data: Tickets, severity, recordings (with consent)

Payment Data: Handled by PSP; we store tokens/last4 only

Marketing & Communication Data: Preferences, campaign interactions, waitlist forms, event sign-ups

Special categories: As Controller, we do NOT seek special category data. As Processor, categories are determined by you; we apply heightened safeguards.

Provide and secure the Service

Contract/legitimate interests for fraud/security

Improve and develop features/AI quality

Legitimate interests. Customer Data not used for foundation model training by default

Support & incident response

Contract/legitimate interests

Compliance & protection of rights

Legal obligations/legitimate interests

Marketing Communications

You may withdraw consent or opt out at any time.

Sub-processors: Cloud, monitoring, analytics, email, payments, LLM providers under DPAs. Live list at outlex.ai/subprocessors with 30-day notice

Human legal reviewers/partners: Expressly engaged by you, bound by confidentiality and access logging

Others: Affiliates (internal operations), Authorities (when legally required), Successors (business transfer with notice)

We do NOT sell personal data

EU-US Data Privacy Framework (DPF) for certified US providers for certified US providers

EU Standard Contractual Clauses (SCCs 2021/914) with supplementary measures with supplementary measures

For UK transfers: UK IDTA or UK Addendum to EU SCCs

Customer Data is NOT used to train foundation models by default. You can allow limited anonymised/aggregated learning signals via an org-level toggle (disable anytime).

Human review is opt-in and bound by strict access logging and NDAs.

We track EU AI Act milestones with staged obligations through 2025-2027.

We do NOT make decisions based solely on automated processing that produce legal or similarly significant effects.