LexFlo
Draft — pending legal review.This document is a draft prepared by LexFlo's software vendor. It has not been reviewed by licensed counsel as of April 22, 2026. Do not rely on it until the "Draft" label is removed in a future version.

Privacy Policy

Last updated: April 22, 2026 · Version 1.0

1. Introduction

LexFlo, Inc. ("LexFlo," "we," "our") operates lexflo.ai, a software platform that law firms use to automate client intake, call handling, and paralegal tasks. This Privacy Policy explains how we collect, use, store, and share information for two groups of people:

  • Firms (our customers). Attorneys and authorized firm staff who hold a LexFlo account.
  • End clients of firms.People who fill out a firm's intake form on a LexFlo-powered URL, or who call a phone number handled by the LexFlo AI receptionist.

2. Information we collect

From firms (our customers)

  • Account information. Attorney name, work email, firm name, practice area, role.
  • Billing information. Billing is processed by Stripe. We store a Stripe customer identifier and a subscription identifier; we do not store full credit card numbers or CVV codes on our systems.
  • Integration credentials. OAuth tokens for Clio (when a firm connects a Clio account), Twilio phone number assignments, and Vapi assistant identifiers.
  • Account configuration. Intake form branding and fields, notification preferences, receptionist greeting, voice, and business-hours settings.
  • Usage data. Login timestamps, feature usage, error logs, and performance metrics.

From end clients of firms

When a firm uses LexFlo to run its intake, the people who interact with that firm through a LexFlo URL or phone number are interacting with the firm's use of LexFlo. We process the following on the firm's behalf:

  • Intake-form submissions. Name, email, phone number, the matter type the end client selected, the free-text description of their situation, how they heard about the firm, and any custom fields the firm has configured.
  • Call data. Audio recordings, written transcripts, structured extractions (caller name, matter type, urgency, action items), and call metadata (start time, end time, duration, caller phone number, number dialed).
  • Technical data. IP address and user agent of form submitters, for rate-limiting and abuse prevention.

3. How we use it

We use the information we collect to:

  • Provide the LexFlo service — route calls, qualify leads, send notifications to attorneys, draft follow-up emails.
  • Process subscription payments.
  • Debug issues and keep the service running reliably.
  • Send service-related announcements (outages, material changes to this Policy, security updates).

We do not use firm data or end-client data to train AI models. Per our contracts with our AI vendors, customer content submitted through LexFlo is not used by those vendors to train their general-purpose models either. (See §5 for the vendors involved.)

4. AI processing disclosure

LexFlo uses the following third-party AI services to deliver the product:

  • Anthropic Claude — lead qualification, call transcript analysis, legal-research drafting, deadline hint parsing.
  • Vapi — orchestration of the AI receptionist (routing audio between caller, transcriber, language model, and voice synthesizer).
  • ElevenLabs— text-to-speech for the AI receptionist's voice.
  • Deepgram — real-time speech-to-text transcription of phone calls.

Per our vendor contracts, content processed by these services in the course of providing the LexFlo service is not used to train their general-purpose models.

5. Sub-processors

LexFlo uses the following sub-processors. Each processes only the minimum data needed to perform its function.

VendorPurposeLocation
SupabasePostgres database and authenticationUS (AWS us-east)
VercelHosting and CDNUS
StripePayment processingUS
AnthropicClaude AI (qualification, drafting, analysis)US
VapiAI voice orchestrationUS
ElevenLabsText-to-speech for the AI receptionistUS
DeepgramSpeech-to-text transcriptionUS
TwilioTelephony (phone numbers, SMS, call routing)US
ResendTransactional email deliveryUS
ClioCRM integration (customer's own account)US / Canada

6. Data storage and security

All LexFlo data is stored in US regions. Data in transit is encrypted with TLS. Data at rest is encrypted using our providers' standard server-side encryption. Each firm's data is isolated at the database layer using row-level security policies, enforced on every query.

7. Retention

  • Call recordings. 90 days, then deleted.
  • Call transcripts and structured extractions. Retained with the associated lead record.
  • Lead records. Retained until the firm deletes them or closes the account.
  • Account data. Retained for 30 days after account cancellation, then permanently deleted.

8. Your rights

Firms can access, correct, and export their data from the LexFlo dashboard. For deletion requests, data-portability requests, or any other question about information we hold, contact support@lexflo.ai. We respond within 30 days.

9. End clients of firms

If you filled out an intake form on a URL like lexflo.ai/intake/<firm>, or called a phone number handled by a firm's LexFlo AI receptionist, you were interacting with a law firm that uses LexFlo as its software vendor. In that interaction:

  • The firm is the data controller — they decide what information to collect, how long to keep it, and what to do with it.
  • LexFlo is the data processor— we process the information on the firm's behalf to deliver the service.

For access, correction, or deletion requests related to your interaction with a specific firm, please contact that firm directly. They are the point of contact for your data.

10. Changes to this policy

We will notify firms by email when we make material changes to this Policy. The "Last updated" date at the top of this page always reflects the latest version.

11. Contact

Questions or requests about this Privacy Policy: support@lexflo.ai.