Privacy Policy
Privacy policy for this website and the LexA platform
Version 2.0
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation ("GDPR") for this website and the processing described in this privacy policy is:
SDN IT-Services GmbH
Monetweg 8
60438 Frankfurt am Main
Germany
Phone: +49 69 90750132
Email: info@lexatech.de
Managing Director: Dragisa Dragisic
Commercial Register: HRB 85609, Amtsgericht Frankfurt am Main
VAT ID: DE 265592063
2. Contact for Data Protection Inquiries
For data protection questions or to exercise your rights, please contact us at:
Email: datenschutz@lexatech.de
Postal address: SDN IT-Services GmbH, Monetweg 8, 60438 Frankfurt am Main, Germany
Where legally required, we will provide additional information on data-protection responsibilities upon request.
3. General Information on Data Processing
(1) We process personal data exclusively in accordance with applicable data protection legislation.
(2) This privacy policy addresses:
- visitors to our website,
- prospects and contact persons at potential business customers,
- customers and users of the LexA platform,
- other persons contacting us.
(3) Where we process personal data within the LexA platform on behalf of our customers, we do so as a processor within the meaning of Art. 28 GDPR. In such cases the respective customer remains the controller for its own mandate or firm data processing.
(4) Where we process data for our own purposes — website operation, contract initiation, contract performance, security and communication — we act as the controller.
4. Processing When Visiting Our Website
(1) When you visit our website, we process the technically necessary information that your browser transmits to our server, in particular:
- IP address,
- date and time of access,
- pages and resources requested,
- browser type and version,
- operating system,
- referrer URL, where transmitted,
- technical connection and protocol data.
(2) This processing serves to provide the website, ensure stability and security, and support error analysis.
(3) The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and technically functional provision of our web presence.
(4) To protect our trial signup form from automated abuse, we use Cloudflare Turnstile (Cloudflare, Inc.). This processes technical connection data (in particular IP address, browser characteristics and interaction signals from the specific request) to detect bots. Cloudflare Turnstile does not set tracking cookies and does not use the data for advertising or profiling purposes. The legal basis is Art. 6(1)(f) GDPR; our legitimate interest is in defending against automated signup attempts.
5. Contact, Demo Requests and Contract Initiation
(1) If you contact us — by email, contact form, demo request, waitlist, or any other channel — we process the data you provide to handle your inquiry.
(2) This may include:
- name,
- contact details,
- firm or company reference,
- content of your message,
- desired service scope,
- contract and communication data.
(3) Processing is based on
- pre-contractual measures or contract performance pursuant to Art. 6(1)(b) GDPR, to the extent your inquiry relates to a contract,
- otherwise on our legitimate interest in appropriate communication and business initiation pursuant to Art. 6(1)(f) GDPR.
(4) Where you contact us in your professional capacity, our legitimate interest consists in the handling of business inquiries and the building and maintenance of business relationships.
6. Use of the LexA Platform
(1) If you or your organization use the LexA platform, we process personal data to provide the platform and the booked functions.
(2) This may include:
- setup and management of user accounts,
- authentication and role management,
- processing of case, contact, party, document and communication data,
- technical provision of search, management, collaboration and analysis functions,
- support, error analysis, backup and recovery,
- billing and contract administration.
(3) Where we process personal data on behalf of the customer, the processing is governed by the Data Processing Agreement concluded with that customer pursuant to Art. 28 GDPR.
(4) Where we process data for our own purposes — contract administration, IT security, record-keeping, abuse prevention, or support governance — the legal basis is Art. 6(1)(b) and (f) GDPR.
(5) Administrative or support-related access to customer data takes place only as needed and under internal processes, restricted to authorized personnel, and exclusively for support, security or error-analysis purposes.
7. AI-Supported Functions
(1) Depending on the booked service scope, LexA may provide AI-supported functions, in particular for the pre-structuring of content, extraction of information from documents, generation of summaries, and support for search, research, and question-answering over customer-provided content.
(2) The use of such functions takes place within the contractual framework and customer-controlled use of the platform.
(3) Where AI functions are used, this processing may cover content that the customer or authorized users enter, upload or retrieve within the platform.
(4) SDN does not train its own AI models on customer content processed within the platform.
(5) Where third-party services are used for individual AI functions, this is done exclusively within corresponding contractual and data-protection arrangements. Under the contractual terms of the services used, customer content is not used to train or improve the models, unless the contract documentation states otherwise.
(6) Transparency notice pursuant to Art. 50 Regulation (EU) 2024/1689: where users interact with AI-supported functions within the platform, a corresponding indication is provided in the usage context.
(7) LexA does not make automated decisions with legal effect or similarly significant impact within the meaning of Art. 22 GDPR. AI outputs serve exclusively as support and require professional review by the user.
8. Communication and Integrations
(1) Depending on booked scope, the platform may provide functions to integrate or process communication data, e.g. in connection with email communication or comparable integrations.
(2) Where customers connect their own Microsoft 365 or Google Workspace mailboxes, the processing occurs within the use initiated by the customer. The customer remains responsible for the lawfulness of such use within their organizational and mandate context.
(3) Where we provide such integrations technically, this is done within contract performance and — where personal data is processed for the customer — within the processor relationship.
9. Recipients and Categories of Recipients
(1) Within our company, only those units that need personal data to fulfil their duties receive access.
(2) Beyond that, data may be transmitted to external recipients or categories of recipients, where necessary for service provision, contract performance, IT security, or communication. This may include:
- hosting and infrastructure providers,
- providers of storage, network, authentication and security services,
- providers of AI and analysis functions within the platform,
- communication and collaboration providers,
- payment, billing or support providers,
- advisors, auditors, or other recipients where legally permitted.
(3) The categories of providers used by us may include services from Amazon Web Services, Hetzner, Microsoft, Google, and further infrastructure and technology providers as the case may be.
(4) A current overview of material sub-processors and any third-country links is made available to our customers within the contractual documentation or on request to an appropriate extent.
10. Third-Country Transfers
(1) The main productive processing of customer data takes place within the European Union.
(2) Isolated third-country links may arise in particular where
- affiliated providers outside the EU are involved,
- support or incident processes are organized internationally,
- customers themselves use integrations with third-party services such as Microsoft 365 or Google Workspace,
- test or transitional environments are still operated at providers with potential third-country links.
(3) Where personal data is transferred to a third country or a third-country access cannot be fully ruled out, this is done only in accordance with Art. 44 et seq. GDPR.
(4) Where required, we base such transfers on suitable safeguards, in particular standard contractual clauses or other permissible transfer mechanisms.
12. Retention and Deletion
(1) We store personal data only as long as necessary for the respective processing purposes or for as long as statutory retention obligations exist.
(2) Relevant criteria for the retention period include in particular:
- the duration of the contractual relationship,
- statutory retention periods,
- completion of the processing of an inquiry,
- legitimate interests in record-keeping, IT security or legal defense.
(3) Data arising from platform use is generally processed and deleted in accordance with the contractual arrangements, the DPA and the customer's instructions.
(4) Where individual documents or content are deleted, technically derived representations — in particular vector data or index entries generated for search or AI functions — may persist until the next regular clean-up or until manual post-processing. Corresponding deletions are carried out within existing processes.
13. Security Measures
(1) We take appropriate technical and organizational measures to protect personal data against loss, unauthorized access, unauthorized alteration, or other unlawful processing.
(2) These include measures for access restriction, tenant separation, transport and storage security, data backup, permission management, monitoring, and recoverability.
(3) Our security measures are reviewed and further developed on a risk-oriented basis.
14. Your Rights
(1) Subject to the statutory requirements, you have the right:
- of access under Art. 15 GDPR,
- to rectification under Art. 16 GDPR,
- to erasure under Art. 17 GDPR,
- to restriction of processing under Art. 18 GDPR,
- to data portability under Art. 20 GDPR,
- to object under Art. 21 GDPR.
(2) Where processing is based on your consent, you may withdraw it at any time with prospective effect.
(3) If you believe that the processing of your personal data infringes data protection law, you have the right to lodge a complaint with a supervisory authority.
(4) The competent supervisory authority for our company is, in particular, the Hessian Commissioner for Data Protection and Freedom of Information, without prejudice to your right to contact a different supervisory authority.
(5) Where we process personal data exclusively on behalf of a customer, the respective customer is generally your primary point of contact for substantive data subject requests. We support our customers within the statutory and contractual requirements in handling such requests.
15. No Automated Individual Decisions
Automated decision-making including profiling within the meaning of Art. 22 GDPR — which has legal effect on you or similarly significantly affects you — does not take place on this website or on the LexA platform.
16. Changes to this Privacy Policy
We reserve the right to update this privacy policy with prospective effect where required due to changed legal, technical, or organizational conditions.
The version published on our website at the relevant time shall apply.