Privacy Policy
1. Who we are
Outlex AI, Lda. ("Outlex", "we", "us") is a Portuguese limited liability company, with VAT no. 518861660 and registered address at Rua Gomes Freire 11, 1150-176 Lisbon, Portugal.
Outlex provides an AI legal workspace for business and professional users, including the AI legal agent "Lexi", document analysis, legal Q&A, workflow automation, lawyer handoff, subscriptions, credits and related services.
This Privacy Policy explains how we process personal data when you visit our website, create or use an Outlex account, interact with Lexi, upload documents, request human legal support, use integrations, contact us, or otherwise use our services.
For privacy questions, contact: privacy@outlex.ai.
Where Outlex has formally appointed a Data Protection Officer, the same contact address may be used to reach the DPO. Otherwise, this address acts as our data protection contact.
Our lead supervisory authority is expected to be the Portuguese Data Protection Authority: Comissão Nacional de Proteção de Dados — CNPD, Av. D. Carlos I, 134, 1.º, 1200-651 Lisbon, Portugal — geral@cnpd.pt.
2. Scope of this Policy
This Policy applies to personal data processed by Outlex in connection with:
This Policy does not replace our Data Processing Addendum ("DPA"). Where Outlex processes Customer Personal Data as a processor on behalf of a customer, the DPA governs that processing.
3. Our role under GDPR
Outlex may act in different roles depending on the context.
3.1 Outlex as controller. Outlex acts as an independent controller when we determine the purposes and means of processing, including for: website visits and cookie consent records; demo, sales and marketing communications; account creation and account administration; billing, subscription management and payment administration; security monitoring, abuse prevention and fraud prevention; service analytics, product telemetry and platform improvement, where performed for our own legitimate business purposes; legal compliance, claims, audit and corporate administration.
3.2 Outlex as processor. Outlex generally acts as a processor for Customer Data submitted to the platform by or on behalf of a customer, including: documents, contracts, policies, correspondence and matter files; prompts, chats, comments and instructions; AI outputs, drafts, summaries, redlines, clause analysis and risk flags; tasks, obligations, deadlines, counterparty information and workspace history; customer-selected integration content. In this context, the customer remains responsible for determining the lawful basis, notices, permissions and internal authorisations required to submit personal data to Outlex.
3.3 Human legal support and Professionals. Where a customer requests human legal support, Outlex may share the relevant matter context with the assigned lawyer, legal advisor, consultant or other professional ("Professional") as needed to provide the requested support. Depending on the matter, jurisdiction, engagement structure and applicable law, a Professional may act as an independent controller for their own professional legal services; a separate professional subject to professional secrecy, confidentiality and professional rules; or a service provider or subprocessor acting under Outlex's instructions. Outlex applies access controls, confidentiality commitments and access logging to lawyer handoff workflows. Only information reasonably relevant to the requested matter should be made available to the Professional.
4. Personal data we process
We may process the following categories of personal data.
4.1 Website and device data. IP address, browser type, device identifiers, operating system, referring pages, pages viewed, timestamps, cookie IDs, consent preferences and similar technical information.
4.2 Account and business contact data. Name, work email, company, role, job title, team, country, billing contacts, subscription tier, workspace membership, permissions and account settings.
4.3 Customer Data submitted to Outlex. Documents, contracts, contract clauses, emails or files imported by the customer, prompts, messages, comments, AI outputs, matter descriptions, counterparty names, signatures, business terms, obligations, deadlines, document metadata, tags, tasks and workspace history. Customer Data may include personal data about employees, founders, contractors, counterparties, investors, suppliers, customers or other third parties, depending on what the customer uploads or connects.
4.4 AI interaction data. Prompts, chat history, context retrieved from the customer workspace, AI-generated answers, drafts, summaries, redlines, confidence signals, source citations, feedback, escalation decisions and logs needed to operate, secure and improve Lexi.
4.5 Integration data. Where a customer enables integrations, we may process data from connected tools according to the permissions granted by the customer or user. This may include selected Slack messages, email content forwarded or imported into Outlex, selected files from Google Drive, OneDrive or SharePoint, calendar event details, Teams messages, metadata and related access tokens. Unless expressly stated otherwise in the product, Outlex does not automatically scan all connected third-party accounts. We process integration content only as enabled, selected, forwarded, authorised or configured by the customer or user.
4.6 Payment and billing data. Payments may be processed by third-party payment providers. Outlex does not store full card details. We may store billing contact details, invoices, payment status, tax information, transaction identifiers, payment tokens, card brand and last four digits where provided by the payment provider.
4.7 Support and communications data. Support tickets, emails, chat messages, call notes, recordings where consent is obtained, diagnostic information, issue severity, attachments and related correspondence.
4.8 Marketing data. Marketing preferences, event registrations, waitlist forms, newsletter interactions, campaign engagement, lead source and opt-out status.
4.9 Special categories and criminal offence data. Outlex does not request special category personal data or criminal offence data as controller. However, Customer Data may contain sensitive information, including health data, trade union data, political opinions, employment records, immigration data, criminal offence data or other regulated information, if submitted by the customer. In those cases, Outlex processes such data as processor on the customer's documented instructions and applies appropriate safeguards. Customers should not submit special category data, criminal offence data or highly confidential information unless it is necessary, lawful and appropriate for the relevant use case and plan.
5. Why we process personal data and our legal bases
We process personal data for the following purposes.
5.1 To provide and operate the service. Creating accounts, authenticating users, operating workspaces, processing documents, generating AI outputs, enabling collaboration, managing tasks, supporting lawyer handoff, providing integrations and delivering the contracted service. Legal basis where Outlex is controller: contract performance or legitimate interests. Where Outlex is processor: customer's documented instructions under the DPA.
5.2 To provide Lexi and AI-enabled features. Processing prompts, documents, workspace context, legal sources, templates, playbooks and user instructions to generate AI outputs, summaries, redlines, risk flags, drafts, tasks and suggested next actions. Legal basis where Outlex is controller: contract performance and legitimate interests. Where Outlex is processor: customer's documented instructions under the DPA.
5.3 To enable human legal support. Routing requests to Professionals, sharing relevant matter context, managing lawyer credits, supporting quality checks, maintaining audit logs and facilitating communication between the customer and the Professional. Legal basis where Outlex is controller: contract performance, legitimate interests and, where applicable, legal obligations. Where Outlex is processor: customer's documented instructions under the DPA.
5.4 To secure the service and prevent abuse. Access controls, authentication, audit logs, vulnerability management, incident detection, rate limiting, misuse prevention, fraud prevention and enforcement of our Terms. Legal basis: legitimate interests and legal obligations.
5.5 To provide support and respond to requests. Troubleshooting, responding to user questions, investigating issues and improving support quality. Legal basis: contract performance and legitimate interests.
5.6 To improve and develop Outlex. Analysing usage, performance, reliability, feature adoption and aggregated trends to improve the service, provided that Customer Data is not used to train third-party foundation models by default. Legal basis: legitimate interests, where permitted. Where required, we rely on customer settings, contractual permission, consent or separate written agreement.
5.7 To communicate with customers and prospects. Service notices, onboarding, product updates, security notices, renewal reminders, legal updates and administrative communications. Legal basis: contract performance, legitimate interests and legal obligations.
5.8 Marketing. For B2B marketing, we may contact business contacts about Outlex products and services where permitted by law and where recipients can opt out at any time. For B2C electronic marketing, or where required by law, we rely on prior consent. Legal basis: consent or legitimate interests, depending on the context.
5.9 Compliance and legal claims. Tax, accounting, regulatory compliance, dispute resolution, enforcement of agreements, corporate transactions and responding to lawful requests. Legal basis: legal obligations and legitimate interests.
6. AI, training and automated decision-making
Outlex uses AI systems to support legal, compliance and business workflows. Lexi may generate drafts, summaries, recommendations, checklists, redlines, risk flags, document analysis, task suggestions and other outputs.
AI outputs are probabilistic and may be inaccurate, incomplete or unsuitable for a particular situation. They are not legal advice or legal opinions unless and until reviewed, approved or provided by an appropriately qualified Professional as part of human legal support.
Outlex does not use Customer Data to train third-party foundation models by default. We configure model providers to disable provider-side training or retention where available. Any optional use of Customer Data for training, fine-tuning or product improvement will require appropriate contractual permission, product settings, consent or separate written agreement where required.
Outlex may use aggregated, anonymised or de-identified data to understand service performance, improve reliability, develop features and maintain security, provided that such data does not identify a customer or individual.
Outlex does not make decisions based solely on automated processing that produce legal or similarly significant effects for individuals. Customers are responsible for reviewing AI outputs before relying on them and for deciding when human legal support is required.
Outlex is designed to inform users when they interact with AI. Customers must not use Outlex for prohibited AI practices, high-risk AI use cases or regulated decision-making unless expressly agreed in writing with Outlex and supported by appropriate contractual, technical and compliance measures.
7. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy.
Strictly necessary cookies are used to provide the website and service. Analytics, marketing and other non-essential cookies are used only where legally permitted and, where required, with prior consent.
Users can manage cookie preferences through our cookie banner or browser settings.
8. How we share personal data
We may share personal data with the following categories of recipients.
8.1 Service providers and subprocessors. We use third-party providers for hosting, cloud infrastructure, AI model access, monitoring, analytics, email, customer support, payments, security, productivity tools and related services. Where these providers process Customer Personal Data on behalf of Outlex, they act as subprocessors under appropriate contractual safeguards.
8.2 AI model providers. Some features rely on third-party AI model providers. We send only the information needed to provide the requested feature, subject to contractual, technical and organisational safeguards. Customer Data is not used to train third-party foundation models by default.
8.3 Professionals. Where the customer requests human legal support, we share relevant matter information with the assigned Professional as needed to provide the requested support. Professionals are subject to confidentiality obligations, and where applicable, professional secrecy, professional rules and separate engagement obligations.
8.4 Customer administrators and workspace users. Customer administrators may access information about users, workspace activity, documents, chats, permissions, usage and settings, depending on their role and configuration.
8.5 Integration providers. Where a customer enables integrations, relevant data may be exchanged with the connected third-party service according to the customer's configuration and the permissions granted.
8.6 Authorities and legal process. We may disclose personal data where required by law, court order, regulator request, law enforcement request or to protect rights, safety, security and legal interests.
8.7 Corporate transactions. If Outlex is involved in a merger, acquisition, financing, restructuring or sale of assets, personal data may be disclosed or transferred as part of that transaction, subject to appropriate safeguards and notice where required.
8.8 No sale of personal data. We do not sell personal data.
9. International transfers
Outlex is designed with EU data protection requirements in mind. Hosting and primary processing are intended to take place in the EEA where reasonably available. Some providers may process data outside the EEA, UK or Switzerland. Where this happens, we rely on appropriate transfer mechanisms, such as:
10. Security
We apply technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These measures may include:
No online service can be guaranteed to be completely secure. Customers are responsible for configuring users, permissions, devices, integrations, exports and internal access policies appropriately.
11. Personal data breaches
Where Outlex becomes aware of a personal data breach affecting personal data for which Outlex is controller, we will assess and notify the competent supervisory authority and affected individuals where required by GDPR.
Where Outlex becomes aware of a personal data breach affecting Customer Personal Data processed as processor, we will notify the customer without undue delay in accordance with the DPA, so the customer can meet its own legal obligations.
12. Retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required by law, contract or legitimate business needs. Typical retention periods are:
Account and business contact data: Duration of the customer relationship, then as needed for legal, tax, audit and dispute purposes.
Billing and invoice data: Generally 7 to 10 years, depending on applicable accounting and tax law.
Customer Data: During the subscription term, then deleted or returned according to the DPA, product settings and termination process.
Post-termination Customer Data: Generally available for export for 30 days where technically available, then deleted or retained only as required by law or legitimate interests.
Logs and security records: Usually 12 to 24 months, unless needed for security, audit, legal claims or compliance.
Support records: For as long as needed to provide support, maintain records and improve service quality.
Marketing data: Until opt-out, withdrawal of consent or inactivity-based deletion.
Cookie consent records: As described in the Cookie Policy or consent management platform.
Backups may persist for a limited period after deletion before being overwritten according to our backup cycles.
13. Your GDPR rights
Depending on the context and applicable law, individuals may have the right to:
To exercise rights in relation to data for which Outlex is controller, contact privacy@outlex.ai.
Where Outlex processes Customer Personal Data as processor, we may need to refer the request to the relevant customer, who is responsible for responding as controller.
We may ask for information needed to verify identity and process the request. We aim to respond within one month, unless a longer period is permitted by law.
14. Customer responsibilities
Customers are responsible for:
15. Children
Outlex is intended for business and professional use only. It is not directed to children and should not be used by minors.
16. Third-party services and integrations
Outlex may interoperate with third-party services such as Slack, email providers, Google Drive, OneDrive, SharePoint, Microsoft Teams, calendar tools, payment processors and AI model providers.
Use of those services may be subject to their own terms and privacy notices. Customers should review the permissions granted to integrations and disconnect integrations that are no longer required.
17. Changes to this Policy
We may update this Policy from time to time. If changes are material, we will provide reasonable notice, such as by email, in-product notice or website notice.
The "Last Updated" date shows when this Policy was last revised.
18. Contact
Privacy & data protection: privacy@outlex.ai
General inquiries: hello@outlex.ai
Registered address: Outlex AI, Lda. — Rua Gomes Freire 11, 1150-176 Lisbon, Portugal.