Privacy policy
Last updated: 29/04/2026
1. Data controller
The controller of your personal data is LexAsta (hereinafter "Controller" or "LexAsta"), with registered office at [full registered address to be defined]. For any request relating to the processing of personal data and to exercise the rights under Regulation (EU) 2016/679 ("GDPR"), including appointment of a Data Protection Officer (DPO), you may contact the Controller at the dedicated email address: privacy@lexasta.it.
2. Categories of data processed
Depending on the features you use, LexAsta may process, including through appointed technical processors, the following categories of data:
- Identification and contact data such as name, surname, email address, telephone number or other contact details provided when registering or afterwards.
- Tax and professional data including tax identification number, VAT number, billing data and certified email (PEC) where required for professional verification or administrative obligations.
- Content relating to legal matters, including case descriptions, wizard responses, uploaded documents and messages exchanged on the platform, including where they reveal special categories of personal data within the meaning of Articles 9 and 10 GDPR.
- Payment data: transaction and card details are not stored on LexAsta servers; processing is carried out by the payment service provider Stripe. Please refer to Stripe's privacy notice on its official website for details on payment data processing.
- Browsing and technical data such as IP address, session identifiers, security logs and device information, necessary to deliver the service and ensure IT security.
3. Purposes and legal bases
Data are processed for the purposes below on the corresponding legal bases:
- Provision of the LexAsta service (anonymous publication of cases, management of offers, contacts after acceptance, user account): Article 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
- Accounting, tax and legal compliance, including document retention and complaint handling: Article 6(1)(c) GDPR (legal obligation) and, where applicable, (b).
- Platform security, fraud and abuse prevention: Article 6(1)(f) GDPR (legitimate interests of the Controller), balanced with data subjects' rights.
- Communications strictly necessary for the service (operational notices, essential account updates): Article 6(1)(b) GDPR.
- Non-essential analytics cookies, used only with explicit consent via the cookie banner or equivalent settings: Article 6(1)(a) GDPR.
- For special-category data that may appear in case descriptions or uploaded documents, processing relies where required on explicit consent (Article 9(2)(a) GDPR) and/or voluntary manifest disclosure in the context of the service, and in any case on contract performance where permitted by law.
4. Brief anonymisation and visibility
LexAsta is designed to protect client confidentiality: information that allows direct identification of the client is not shown to professionals before the client has accepted an offer and any contractual and payment steps required by the platform have been completed. Briefs and feed content are processed and presented to reduce unjustified exposure of personal data; technical details of anonymisation may evolve while respecting this principle.
After acceptance of the chosen offer, contact details necessary to continue the professional relationship may be made available to the parties as set out in the Terms and Conditions.
5. Retention
Data are kept for as long as necessary for the purposes for which they were collected and in any case within legal limits. Criteria include:
- Duration of the contractual relationship and the account;
- Accounting and tax retention obligations;
- Need to defend legal claims or manage disputes;
- Deletion or anonymisation policies once the purpose ceases, unless another lawful basis allows retention (e.g. legal obligation).
After applicable periods, data will be erased, anonymised or rendered non-identifiable unless further retention is required by law.
6. Data subject rights
Regarding your personal data you may exercise the rights under Articles 15–22 GDPR, including access, rectification, erasure ("right to be forgotten", Article 17), restriction of processing, portability (where applicable), objection to processing based on legitimate interests and, where processing is based on consent, withdrawal of consent without affecting the lawfulness of earlier processing.
To exercise these rights you may write to privacy@lexasta.it. You also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
8. Transfers outside the EEA
Some LexAsta suppliers may process data outside the European Economic Area. In such cases the Controller implements safeguards under the GDPR, including European Commission Standard Contractual Clauses where applicable.
Relevant suppliers include, by way of example:
- Vercel Inc. (hosting and edge infrastructure): processing may occur in the United States with supplementary measures compliant with applicable law.
- Railway Corp. (database and related infrastructure): non-EU location where applicable, with appropriate contractual clauses.
- OpenAI (language processing for platform features): processing may occur outside the EEA; contractual instructions and security measures are applied in line with LexAsta privacy-by-design rules (including limiting unnecessary identifiable data in prompts).
- Stripe (payments): processing as described in Stripe's privacy notice and its agreement with the Controller.
The list of processors may be updated periodically; for up-to-date information contact privacy@lexasta.it.