LEGAL

Privacy Policy

Last reviewed: April 2026. For redlines against your template, contact [email protected].

1. Scope and Definitions

This Privacy Policy applies to all personal data processed by Xycora, Inc. ("Xycora", "we", "us") in connection with the Xycora platform and any related services. The following defined terms apply throughout this document:

  • Firm Data — all content, documents, and data uploaded by your firm to the platform, including matter files, evidence, correspondence, and any annotations or outputs generated during use.
  • Processor — Xycora, acting only on your documented instructions in relation to the processing of personal data contained in Firm Data.
  • Controller — your firm, as the entity that determines the purposes and means of processing personal data held within Firm Data.
  • Privileged Communication — any content within Firm Data that is subject to attorney-client privilege or legal professional privilege under applicable law.
  • Sub-processor — any third-party AI provider or infrastructure provider that processes Firm Data on our behalf in order to deliver the contracted service.

2. Data We Collect

We collect and process personal data across three categories:

  • Account data — name, email address, firm name, billing contact details, and role and permission settings assigned within the platform.
  • Matter data — documents uploaded to the platform, AI prompts and outputs generated during use, the full audit trail of platform activity, and any annotations or work product created within Xycora.
  • Technical data — SHA-256 hashed IP addresses, truncated user-agent strings, timestamps, and error logs collected automatically to support platform security and reliability.

3. Purpose of Processing

We process each category of data for the following purposes, under the lawful bases indicated:

  • Account data — to deliver and administer your subscription, including account management, billing, and support. Lawful basis: performance of a contract (GDPR Article 6(1)(b)).
  • Matter data — to provide the AI-assisted legal analysis, document processing, and drafting services described in your subscription. Lawful basis: performance of a contract (Article 6(1)(b)); legitimate interest for security monitoring and audit retention (Article 6(1)(f)).
  • Technical data — for platform security monitoring, incident investigation, and service improvement. Lawful basis: legitimate interest (Article 6(1)(f)).

4. Zero-Training Commitment

Firm Data is never used to train any foundation model or fine-tuned model, whether owned by Xycora or by any sub-processor. This is a contractual commitment reflected in our sub-processor agreements with Anthropic, OpenAI, and Google. No prompt, document, or output generated on the Xycora platform is used for model training purposes under any circumstances.

5. Sub-processors

We engage the following sub-processors to provide the platform. Each is bound by a data processing agreement that imposes obligations equivalent to those in this policy:

Sub-processor | Location | Data use | Privacy policy
Anthropic | United States | Zero-retention API inference | anthropic.com/legal/privacy
OpenAI | United States | Zero-retention API inference (Enterprise terms) | openai.com/policies/privacy-policy
Google (Gemini) | United States | No training on customer data under API terms | cloud.google.com/terms/data-processing-terms

We will provide 30 days' advance notice to account owners before adding any new sub-processor that processes Firm Data.

6. Data Retention

We apply the following default retention periods, subject to any overriding legal-hold obligations:

  • Matter data — 7 years from the date of last activity on the relevant matter.
  • AI prompt logs — 90 days, after which they are permanently deleted from all systems.
  • Audit events — 24 months.

Firm Data will be deleted in full within 30 days of a written deletion request, subject to any applicable legal-hold obligations communicated to Xycora in advance. Early deletion can be requested at any time by contacting [email protected].

7. Regional Processing

Xycora offers three processing regions. Data is processed within the region selected at the time of subscription, and does not leave that region except as required to provide the service:

  • US region — AWS us-east-1
  • EU region — AWS eu-west-1 (Ireland)
  • UK region — AWS eu-west-2 (London)

8. Encryption

All Firm Data is encrypted at rest using AES-256 and in transit using TLS 1.3 (minimum). Customers on the Firm subscription tier may use bring-your-own-key (BYO-key) encryption via AWS KMS or Azure Key Vault, so that Xycora holds no plaintext copy of stored documents.

9. Privileged Communications

Xycora does not access Privileged Communications except through customer-initiated AI calls made in the course of using the platform. No Xycora employee reviews the content of customer documents except (a) with the customer's prior written consent, or (b) under a valid court order or other binding legal obligation — in which case we will notify the customer as promptly as is legally permissible unless prohibited from doing so by law.

10. Your Rights

Subject to applicable law, you have the right to access, correct, delete, export, restrict the processing of, and object to the processing of your personal data. All requests should be directed to [email protected] and will be fulfilled within 30 days. Where you are located in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority.

11. Security Incident Response

In the event of an actual or reasonably suspected personal data breach affecting Firm Data, Xycora will provide initial notification to the affected customer within 24 hours of becoming aware, and a detailed follow-up report within 72 hours. Security incidents should be reported to [email protected].

12. International Transfers

Where Firm Data is transferred from the European Economic Area or the United Kingdom to countries that have not received an adequacy decision, the transfer is governed by the Standard Contractual Clauses approved by the European Commission under Decision 2021/914 (EU SCC 2021) and, where applicable, the UK International Data Transfer Addendum (IDTA) issued by the ICO, and the Swiss-US Data Privacy Framework. Executed copies of applicable SCCs are available on request.

13. Age Restriction

The Xycora platform is intended solely for use by professional legal practitioners and authorised firm personnel. The platform is not directed at and should not be used by any person under the age of 18.

14. Contact

For all privacy-related enquiries, please contact: [email protected].

Data Protection Officer: Legal Team, Xycora Inc., [registered address].

15. Updates to This Policy

We will provide at least 30 days' advance notice of any material changes to this Privacy Policy via email to account owners. Continued use of the platform following the effective date of a revised policy constitutes acceptance of those changes.
