Privacy Policy

Lawvek AI, Inc. ("Lawvek", "we", "us" or "our") respects privacy and is committed to protecting personal information. This Privacy Policy explains how we collect, use, disclose, retain, transfer and protect personal information when individuals visit our website, communicate with us, request a demo, use our AI-powered obligation management platform, or otherwise interact with our services.

Lawvek is designed for business and enterprise use. Our platform helps customers manage contracts, policies, obligations, workflows, integrations, evidence, audit trails and related legal or compliance tasks. Because our services may process contracts, legal documents, communications, metadata and workflow records, this Privacy Policy distinguishes between information that Lawvek controls for its own business purposes and information that Lawvek processes on behalf of its customers.

This Privacy Policy should be read together with any applicable agreement between Lawvek and the relevant customer, including any order form, master services agreement, data processing addendum, security addendum or other written terms. If there is a conflict between this Privacy Policy and a customer agreement regarding Customer Content, the customer agreement will govern to the extent of that conflict.

1. Scope of this Privacy Policy

This Privacy Policy applies to personal information processed in connection with:

• the Lawvek website, including lawvek.ai and related pages controlled by Lawvek;
• demo requests, sales enquiries, marketing communications, events and business communications;
• customer account administration, onboarding, billing, support and relationship management;
• use of the Lawvek platform, including uploads, contract repositories, obligation extraction, workflow automation, integrations, audit logs and AI-assisted processing; and
• support, troubleshooting, security, service monitoring and product operations.

This Privacy Policy does not apply to third-party websites, applications, integrations, services or platforms that are not controlled by Lawvek, even if they are linked to or integrated with the Lawvek platform. Those third parties are responsible for their own privacy practices.

2. Key Terms Used in this Policy

• "Personal Information" or "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual, as understood under applicable privacy laws.
• "Customer Content" means contracts, legal documents, policies, correspondence, records, data, text, files, metadata, workflow inputs, integration data and other materials uploaded, submitted, connected, transmitted or otherwise made available to Lawvek by or on behalf of a customer through the services.
• "Customer Personal Information" means Personal Information contained in or derived from Customer Content, including Personal Information relating to a customer's employees, contractors, users, vendors, counterparties, customers, signatories or other third parties.
• "Usage Data" means technical, operational, diagnostic, analytics, log and activity data generated through use of the website or services.
• "AI Services" means AI-enabled functionality within the Lawvek platform, including document analysis, obligation extraction, clause identification, workflow suggestions, structured outputs, deadline mapping, risk tagging, summarisation and related features.
• "Subprocessor" means a third-party service provider engaged by Lawvek to process Personal Information in connection with providing the services.

3. Our Role: Controller, Processor, Business and Service Provider

Lawvek may act in different roles depending on the context.

For website visitors, prospects, demo requesters, customer administrative contacts, billing contacts, support contacts and marketing contacts, Lawvek generally acts as an independent controller or business for the relevant Personal Information, because Lawvek determines the purposes and means of processing that information.

For Customer Content and Customer Personal Information processed through the Lawvek platform, Lawvek generally acts as a processor, service provider or contractor on behalf of the relevant customer, except where applicable law or the customer agreement provides otherwise. The customer is responsible for determining what Customer Content is submitted to Lawvek, ensuring that it has a lawful basis or authority to submit such Customer Content, and providing any notices or consents required from individuals whose Personal Information is included in the Customer Content.

Where the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 apply, Lawvek may act as a Data Fiduciary for Personal Data that it determines and controls for its own business purposes, and as a Data Processor for Personal Data processed on behalf of a customer. Where the EU or UK GDPR applies, Lawvek may act as a controller for account and business contact data and as a processor for Customer Content. Where the CCPA/CPRA applies, Lawvek may act as a business for its own data and as a service provider or contractor for Customer Content.

4. Personal Information We Collect

4.1 Information provided directly to us

We may collect information that individuals or customers provide directly, including:

• name, job title, employer name, department and business role;
• business email address, business phone number, office address and other contact details;
• account registration information, login credentials, authentication factors and user profile information;
• demo request information, company size, use-case details, procurement information and sales communications;
• billing, invoicing, tax and payment-related administrative information;
• support tickets, troubleshooting information, feedback, product requests and correspondence;
• marketing preferences, event registrations, webinar participation and survey responses; and
• any other information provided voluntarily to Lawvek.

4.2 Customer Content and platform data

When customers use the Lawvek platform, they may upload, connect or transmit Customer Content. Customer Content may include contracts, legal documents, policies, emails, obligations, deadlines, task assignments, approval records, audit evidence, comments, annotations, negotiation history, counterparty details and related metadata. Customer Content may contain Personal Information, confidential information, business-sensitive information, legal information and information relating to employees, signatories, vendors, counterparties or other third parties.

Depending on how a customer configures the services, Customer Content may also include data from integrated tools such as document repositories, email systems, collaboration tools, customer relationship management systems, ticketing tools, electronic signature platforms, identity providers, project management tools and other enterprise systems.

4.3 Information collected automatically

We may automatically collect certain technical and usage information when individuals visit our website or use the services, including:

• IP address, device identifiers, browser type, operating system, referring URLs and general location information derived from IP address;
• pages viewed, links clicked, session information, date and time stamps, feature usage and navigation patterns;
• log files, authentication events, access records, administrative actions, system events and security events;
• performance, diagnostic, crash, error, latency, availability and service telemetry data; and
• cookie identifiers and similar tracking or storage technologies, as described below.

4.4 Information from third parties and integrations

We may receive information from third parties where permitted by law, including information from customers, authorised users, business partners, professional networking platforms, public sources, lead providers, analytics providers and integrated enterprise systems. Where a customer authorises an integration, Lawvek may receive information through that integration based on the permissions, scopes and configuration selected by the customer or its administrator.

5. How We Use Personal Information

We use Personal Information for the purposes described below, subject to applicable law and the relevant customer agreement.

Purpose	Examples
Provide and operate the services	Create and administer accounts; host Customer Content; run AI Services; extract obligations; create workflows; support integrations; generate outputs; maintain audit logs.
Administer customer relationships	Manage contracts, billing, invoices, onboarding, support, renewals, service notices and account administration.
Secure the services	Authenticate users; enforce access controls; monitor suspicious activity; investigate incidents; maintain logs; prevent fraud, misuse, unauthorised access and abuse.
Improve and maintain the services	Debug, test, analyse performance, enhance reliability, understand usage patterns and develop product improvements, subject to the Customer Content limitations in this policy.
Communicate with users and customers	Respond to requests; provide support; send service notices, administrative messages, security alerts, policy updates and product information.
Sales and marketing	Respond to demo requests; provide information about Lawvek; send marketing communications where permitted by law; manage preferences and opt-outs.
Legal and compliance purposes	Comply with law, court orders, legal process, regulatory requests, audits, contractual obligations and internal governance requirements; enforce rights; resolve disputes.

6. Customer Content, Contract Data and AI Processing

Lawvek provides AI-assisted features that analyse Customer Content to identify obligations, deadlines, key terms, ownership, action items, conditional logic, evidence requirements and related workflow information. These features may generate structured outputs, summaries, suggested actions, classifications, risk tags or other machine-generated results.

Customer Content remains subject to the customer agreement. As a default position:

• Customer instruction: Lawvek processes Customer Content only to provide, secure, support, maintain and improve the contracted services, or as otherwise instructed by the customer.
• No sale of Customer Content: Lawvek does not sell Customer Content.
• No advertising use: Lawvek does not use Customer Content for behavioural advertising or cross-context advertising.
• No AI model training without opt-in: Lawvek does not use Customer Content to train Lawvek AI models or third-party AI models unless the customer provides express written opt-in consent in a separate agreement or setting.
• Confidentiality: Lawvek treats Customer Content as confidential information and restricts access to personnel and subprocessors who require access for authorised purposes.
• Customer responsibility: The customer is responsible for reviewing AI-generated outputs before relying on them, including for legal, compliance, operational, financial or contractual decisions.

Lawvek may use aggregated or de-identified information derived from the operation of the services to understand service performance, improve functionality, maintain security and develop aggregated usage insights, provided that such information does not identify the customer or any individual and is not reasonably capable of being re-identified.

7. Third-Party AI Services and Subprocessors

Lawvek may engage Subprocessors, including AI model providers, cloud infrastructure providers, logging and monitoring providers, analytics providers, support providers, email providers, identity and security providers, and other technology vendors needed to provide the services.

Where Customer Content is transmitted to AI Subprocessors, Lawvek will use commercially reasonable and legally appropriate measures designed to ensure that:

• only the information reasonably necessary for the requested processing is transmitted;
• the transmission is protected using encryption in transit;
• the AI Subprocessor is contractually restricted from using Customer Content to train its models or for its own independent purposes;
• the AI Subprocessor is required to maintain appropriate confidentiality, security and data protection obligations;
• Customer Content is not retained by the AI Subprocessor longer than necessary to provide the relevant processing or as otherwise permitted under the customer agreement; and
• Lawvek conducts reasonable diligence and oversight appropriate to the nature of the processing and risk.

A current list of Lawvek Subprocessors, including AI Subprocessors where applicable, is available at [insert subprocessor URL] or on request at privacy@lawvek.ai. Customer notice and objection rights for new Subprocessors, if any, will be governed by the applicable customer agreement or data processing addendum.

8. Integrations and Connected Services

Customers may choose to connect Lawvek with third-party services, including collaboration tools, document repositories, CRM systems, ticketing tools, electronic signature platforms, project management tools, identity providers and other enterprise applications. When an integration is enabled, Lawvek may access, process, store, transmit or update data from the connected service as authorised by the customer or its administrator.

Customers are responsible for reviewing integration permissions, approving scopes, managing user access, configuring least-privilege access and ensuring that they have the authority to connect third-party services to Lawvek. Lawvek is not responsible for the privacy or security practices of third-party services outside Lawvek's control.

9. Cookies and Similar Technologies

We may use cookies, pixels, local storage, software development kits, log technologies and similar tools to operate the website and services, maintain sessions, remember preferences, secure accounts, understand site traffic, analyse usage and improve functionality.

Cookies and similar technologies may include:

• Strictly necessary cookies: used for authentication, security, session management, load balancing and core functionality.
• Functional cookies: used to remember preferences and improve user experience.
• Analytics cookies: used to understand how visitors and users interact with the website and services.
• Marketing cookies: used only where deployed and legally permitted to measure campaigns or provide relevant communications. If Lawvek uses such technologies, users will be provided legally required choices.

Users may control cookies through browser settings and, where available, through Lawvek's cookie preference tool. Blocking certain cookies may affect website or platform functionality.

Some browsers transmit "Do Not Track" or similar signals. Because there is not yet a uniform industry standard for responding to such signals, Lawvek will respond to legally recognised opt-out preference signals where required by applicable law.

10. How We Disclose Personal Information

We do not sell Personal Information. We may disclose Personal Information in the circumstances described below:

• Customers and authorised users: Customer Content and platform information may be made available to the relevant customer, its authorised users, administrators and other persons configured by the customer.
• Subprocessors and service providers: We may disclose information to vendors and Subprocessors who provide hosting, infrastructure, AI processing, security, analytics, support, email, CRM, payment, logging, monitoring and other services for Lawvek.
• Integrations selected by customers: We may transmit information to third-party services integrated with Lawvek as authorised by the customer.
• Professional advisers: We may disclose information to lawyers, auditors, insurers, bankers and other professional advisers where necessary for legitimate business, legal, accounting or risk-management purposes.
• Legal, regulatory and safety purposes: We may disclose information to comply with law, regulation, court order, subpoena, lawful request, legal process or governmental request; protect rights, safety and security; prevent fraud or abuse; or enforce agreements.
• Business transactions: We may disclose information in connection with a merger, acquisition, financing, reorganisation, sale of assets, bankruptcy or similar corporate transaction, subject to appropriate confidentiality and data protection safeguards.
• With consent or instruction: We may disclose information where the relevant individual, customer or authorised administrator instructs or consents to the disclosure.

For California residents, Lawvek does not sell Personal Information or share Personal Information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA, unless specifically disclosed and accompanied by legally required opt-out rights.

11. International Data Transfers

Lawvek is headquartered in the United States, and Personal Information may be processed in the United States and in other countries where Lawvek, its affiliates, service providers or Subprocessors operate. These countries may have data protection laws that differ from the laws of the country where an individual is located.

Where required by applicable law, Lawvek uses appropriate safeguards for international transfers of Personal Information. These may include Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum or International Data Transfer Agreement, contractual data protection commitments, technical and organisational measures, encryption, access controls and other safeguards appropriate to the processing.

For individuals in India, Lawvek will process and transfer digital personal data in accordance with the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025, including any restrictions, conditions or notifications issued by the Central Government or applicable sectoral regulators. This Privacy Policy does not override stricter data localisation or sector-specific data storage requirements that may apply to particular customers or datasets.

12. Legal Bases for Processing

Where the EU GDPR, UK GDPR or similar laws require a legal basis for processing, Lawvek relies on one or more of the following legal bases:

• Contract: to provide the services, administer accounts, manage customer relationships and perform agreements.
• Legitimate interests: to operate, secure, improve and market the services; prevent fraud and abuse; respond to enquiries; maintain business records; and manage legal or operational risk, where those interests are not overridden by individual rights.
• Consent: where required for marketing communications, certain cookies, optional features or other processing based on consent.
• Legal obligation: to comply with applicable laws, legal process, tax obligations, accounting requirements, regulatory requirements and lawful requests.
• Vital interests or public interest: where necessary to protect safety or comply with obligations in exceptional circumstances recognised by law.

For Customer Content, the customer is generally responsible for identifying the applicable legal basis, notice, consent or other lawful authority for submitting Customer Content to Lawvek.

13. Data Retention and Deletion

We retain Personal Information for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law, contract, dispute-resolution needs, security requirements or legitimate business purposes.

Subject to the applicable customer agreement:

• Customer Content: retained for the duration of the customer account or subscription unless deleted earlier by the customer or as otherwise agreed. Upon termination or expiry of the relevant customer agreement, Lawvek will delete or return Customer Content within the period specified in the customer agreement or, if no period is specified, within 90 days, unless retention is legally required or necessary for dispute resolution, security, backup, audit or compliance purposes.
• Account and business contact data: retained for the duration of the business relationship and for a limited period thereafter, generally not longer than 3 years after the relationship ends unless a longer period is required for legal, tax, accounting, contractual, dispute or compliance purposes.
• Usage logs and security logs: retained for operational, security and audit purposes, generally for up to 12 months unless a longer period is required for security investigations, legal compliance, customer agreement obligations or legitimate business needs.
• Backups: deleted or overwritten in accordance with Lawvek's ordinary backup and disaster recovery cycles, subject to technical and legal constraints.

Deletion requests will be handled in accordance with applicable law and the relevant customer agreement. Where Lawvek processes Personal Information on behalf of a customer, individuals may need to direct requests to the relevant customer, and Lawvek will assist the customer as required by the customer agreement and applicable law.

14. Security

Lawvek uses reasonable and appropriate administrative, technical and organisational safeguards designed to protect Personal Information against unauthorised access, loss, misuse, alteration, disclosure or destruction. These safeguards may include, as applicable:

• encryption in transit and, where applicable, encryption at rest;
• role-based access controls and least-privilege access practices;
• multi-factor authentication for administrative access and sensitive systems;
• logging, monitoring and audit trails for relevant access and system events;
• segregation of customer environments or logical access controls, as applicable;
• secure development, vulnerability management and security review practices;
• subprocessor diligence and contractual security obligations;
• incident response procedures and breach escalation processes; and
• periodic review of security controls appropriate to the nature of the services.

No system can be guaranteed to be completely secure. Customers and users are responsible for maintaining the confidentiality of credentials, configuring appropriate permissions, using secure devices and networks, and promptly notifying Lawvek of suspected unauthorised access or misuse.

15. Security Incidents and Personal Data Breaches

If Lawvek becomes aware of a security incident that results in unauthorised access to or disclosure, alteration, loss or destruction of Personal Information, Lawvek will investigate and take steps reasonably appropriate to the nature and risk of the incident. Where required by law or the applicable customer agreement, Lawvek will notify affected customers, individuals, regulators or other required recipients within the applicable timeframe.

Where Lawvek processes Customer Content as a processor or service provider, Lawvek will notify the relevant customer in accordance with the customer agreement or data processing addendum, so that the customer can assess and satisfy any notification obligations it may have.

16. Individual Privacy Rights

Depending on location and applicable law, individuals may have rights regarding their Personal Information. These rights may include the right to:

• request confirmation of whether we process Personal Information about them;
• request access to Personal Information;
• request correction or completion of inaccurate or incomplete information;
• request deletion or erasure of Personal Information;
• object to or restrict certain processing;
• request portability of Personal Information where applicable;
• withdraw consent where processing is based on consent;
• opt out of marketing communications;
• opt out of sale or sharing where applicable under California law;
• limit use or disclosure of sensitive Personal Information where applicable under California law;
• appeal or complain regarding the handling of a request where applicable; and
• nominate another individual to exercise rights after death or incapacity where applicable under India's DPDP Act.

Requests may be submitted to privacy@lawvek.ai. We may need to verify the identity and authority of the requester before acting on a request. If Personal Information is processed by Lawvek on behalf of a customer, we may refer the request to the relevant customer or act on the customer's instruction, depending on the circumstances and applicable law.

We will respond within the timeframe required by applicable law. We will not discriminate against individuals for exercising privacy rights.

17. Additional Information for India Users

Where the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 apply, individuals may have rights as Data Principals, including the right to access information about processing, the right to correction and erasure, the right to grievance redressal and the right to nominate another person to exercise rights in the event of death or incapacity.

For Personal Data processed by Lawvek as a Data Fiduciary, requests and grievances may be sent to:

• Email: privacy@lawvek.ai
• Grievance Officer: sudip@lawvek.ai

For Personal Data contained in Customer Content, the relevant customer may be the Data Fiduciary. In such cases, Lawvek may direct the requester to the relevant customer or assist the customer in responding, as required by the applicable customer agreement and law.

18. Additional Information for EEA, UK and Swiss Users

Where applicable, individuals in the European Economic Area, United Kingdom or Switzerland may exercise rights under applicable data protection laws, including access, rectification, erasure, restriction, objection, portability and withdrawal of consent. Individuals also have the right to lodge a complaint with their local supervisory authority.

19. Additional Information for California Residents

This section provides additional information for California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

Category of Personal Information	Sources	Business or Commercial Purposes	Categories of Recipients
Identifiers	Individuals, customers, integrations, devices	Account administration, communications, security, support, marketing	Service providers, customers, integrations, advisers, legal recipients
Commercial information	Customers, billing systems, communications	Billing, procurement, customer management, renewals	Service providers, advisers, legal recipients
Internet or electronic network activity	Website, platform, logs, cookies	Security, analytics, service operation, troubleshooting	Hosting, analytics, security and monitoring providers
Professional or employment-related information	Individuals, employers, customers, public/professional sources	Sales, support, account management, customer use of services	Service providers, customers, CRM and support providers
Sensitive personal information	Only if submitted in Customer Content or required for security/authentication	Provide services, secure accounts, comply with law	Service providers, subprocessors, customers as configured
Inferences	Usage data, Customer Content processing, analytics	Product functionality, obligation extraction, workflow suggestions, service improvement	Service providers and customers as configured

Lawvek does not sell Personal Information and does not share Personal Information for cross-context behavioural advertising unless specifically disclosed. California residents may exercise rights by contacting privacy@lawvek.ai. Authorised agents may submit requests where permitted by law, subject to verification.

20. Marketing Communications

We may send marketing communications to business contacts where permitted by law. Recipients may opt out of marketing emails by using the unsubscribe mechanism in the email or by contacting privacy@lawvek.ai. We may continue to send non-marketing communications, including service, security, transactional, administrative and legal notices.

21. Children's Privacy

Lawvek's services are intended for business and enterprise use and are not directed to children. We do not knowingly collect Personal Information from children under 18. If we become aware that we have collected Personal Information from a child without appropriate authority, we will take steps to delete it as required by law.

22. Automated Processing and AI Outputs

Lawvek's AI Services may assist customers by extracting, classifying, summarising and operationalising contractual and compliance information. These outputs are generated from Customer Content and customer-configured workflows. Lawvek does not use AI outputs to make employment, credit, insurance, housing, healthcare or similarly significant decisions about individuals for Lawvek's own purposes.

Customers are responsible for determining how AI outputs are used in their business processes and for applying appropriate human review, validation and governance before taking legal, compliance, operational or financial action based on such outputs.

23. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, technology, security practices or business operations. When we update the Privacy Policy, we will revise the "Last updated" date above. For material changes, we will provide additional notice where required by law or the applicable customer agreement, such as by email, in-platform notice or website notice.

24. Contact Us