Privacy Policy

1. Who We Are

LexMT (“we”, “our”, “us”) is an AI-powered legal research platform built for Maltese law, operated from Malta by Thomas Kemp. We provide access to legislation, court judgments, and AI-assisted legal research tools via lex.mt.

For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), LexMT acts as the data controller in respect of personal data processed through this platform.

2. What Data We Collect

We collect only what is necessary to provide the service:

• Account data: Email address and, where provided, organisation name.
• Query history (subscribers): Legal questions you submit and the AI responses generated are stored in your personal query history on our servers for the duration of your subscription. You may review past research via the Query History page. You can delete your history at any time via My Account or by contacting us at privacy@lex.mt. Query data is never used to train AI models.
• Saved cases (subscribers): Judgments you bookmark are stored against your account, including the case reference, parties, court, date, and summary snippet. No full judgment text is stored. You can remove individual bookmarks or delete all saved cases by deleting your account.
• Shared answers: When you use the “Share” feature, the question, AI answer, and source list are stored with a unique public link ID. Shared answers are accessible to anyone with the link and are not password-protected. Do not share answers containing sensitive or confidential client information. You may request deletion of a shared answer by emailing privacy@lex.mt with the link ID.
• Uploaded documents: Documents you upload for in-session analysis are processed in working memory only and permanently deleted immediately after your request is processed. Uploaded documents are never written to disk, never stored in our database, and never used for training. See Section 9 (Acceptable Use) for important restrictions on what may be uploaded.
• Consent records: Timestamps and IP address recorded at the point you accepted our Terms and Conditions, as required for legal compliance.
• Usage data: Aggregated, anonymised analytics to improve the platform. No individual tracking or advertising cookies.
• Billing data: Payment information is processed entirely by Stripe and is never stored on LexMT servers.

3. Legal Basis for Processing

• Contract performance (Art. 6(1)(b)): To provide the subscription service.
• Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service improvement, where these do not override your rights.
• Consent (Art. 6(1)(a)): For optional communications such as newsletters, which you may withdraw at any time.
• Legal obligation (Art. 6(1)(c)): Where processing is required by Maltese or EU law.

4. How We Use AI (EU AI Act Compliance)

• AI classification: LexMT is classified as a Limited Risk AI systemunder the EU AI Act. It does not make legally binding decisions, replace qualified legal advice, or operate in a high-risk domain as defined by Annex III.
• Transparency: Every AI-generated response is explicitly labelled as such. The disclaimer is rendered in English or Maltese based on the detected language of your query.
• Human oversight: All responses include source citations you can independently verify.
• No automated decision-making: LexMT does not make automated decisions producing legal effects (Article 22 GDPR). All output requires human review.
• Training data: LexMT is not trained on user queries or uploaded documents.
• Limitations: AI-generated research may contain errors. Always verify citations and consult a qualified lawyer.

5. Data Retention

• Account data is retained for the duration of your subscription plus 12 months thereafter, or until you request deletion.
• Query history is retained on our servers for as long as your account is active. You may delete your query history at any time via My Account → Delete Account or by emailing privacy@lex.mt. Deletion is permanent and immediate.
• Uploaded documents are deleted immediately after your request is processed (typically within seconds). Nothing is written to permanent storage.
• Consent records are retained for 5 years for legal compliance purposes.
• Billing records are retained for 7 years as required by Maltese tax law.

6. Data Sharing

We do not sell your data. We share data only with:

• AI model providers (Anthropic): Queries are transmitted to generate responses, under a data processing agreement that prohibits training on your data.
• Infrastructure providers (Hetzner Online GmbH): Hosting within the EU (Helsinki, Finland) under standard contractual clauses. Hetzner is an EU-based provider subject to GDPR.
• Payment processors (Stripe): For billing only. No query or legal content data is shared.
• Legal obligation: We may disclose data if required by Maltese or EU law, court order, or competent authority.

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data, including query history (“right to be forgotten”) (Art. 17)
• Restrict processing (Art. 18)
• Data portability: receive your query history in a structured format (Art. 20)
• Object to processing based on legitimate interests (Art. 21)
• Withdraw consent at any time where consent is the legal basis

Contact us at privacy@lex.mt. We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC) of Malta.

8. Cookies

We use only essential cookies required for authentication and session management (a single HttpOnly session cookie: lexmt_session). We do not use advertising, tracking, or third-party analytics cookies. Your language preference is stored in browser localStorage only and is not transmitted to our servers.

9. Acceptable Use of Document Upload

The document upload feature is provided for legitimate legal research purposes only. By uploading a document, you represent and warrant that:

• You have the legal right to upload and process the document.
• The document does not contain content that is unlawful, defamatory, obscene, or harmful.
• You are not uploading material that infringes third-party intellectual property rights.
• If the document contains personal data of third parties, you have a lawful basis for processing that data.
• You are not uploading content in breach of legal professional privilege without appropriate authorisation.

Prohibited uploads include: child exploitation material (which will be reported to competent authorities immediately), material used to facilitate criminal activity, documents uploaded with intent to extract or circumvent legal process, and any content that would constitute an offence under Maltese or EU law.

LexMT does not review uploaded content prior to processing and does not retain it after processing. However, we reserve the right to terminate access and report to relevant authorities where we have reasonable grounds to believe illegal content has been uploaded.

Limitation of liability: You are solely responsible for the content you upload. LexMT accepts no liability for any consequences arising from the upload of inappropriate, sensitive, or unlawful material.

10. Security

We implement technical and organisational measures to protect your data including encryption in transit (TLS), access controls, and regular security reviews. Query history, saved cases, and shared answers are stored in an access-controlled database on EU infrastructure (Hetzner, Helsinki, Finland). Uploaded documents never leave working memory and are never written to disk.

11. Changes to This Policy

We may update this policy as our services evolve or as required by law. Material changes will be notified by email at least 14 days in advance. Continued use after changes constitutes acceptance. The current version is always available at lex.mt/privacy.

12. Contact