Lex
Sign inSign up
Legal

Privacy Policy

Last updated · 2026-06-26

This Privacy Policy explains what personal data Lex collects, why we collect it, how we use it, and what rights you have under the EU General Data Protection Regulation (GDPR). Lex is a language-learning toolkit operated from Nuremberg, Germany.

1. Data controller (Verantwortlicher)

The data controller (Verantwortlicher i.S.d. Art. 4 Nr. 7 DSGVO) responsible for processing your personal data is:

Akif Mursalov
Stephanstr. 37
Nuremberg, Germany
Email: thelabmarketplace@hotmail.com

2. What data we collect

Account data

When you create an account, we store your email address and a hashed password (managed by Supabase Auth). We also store your account creation date, trial start date, and subscription status.

Learning data

We store the content you create and save inside Lex: vocabulary entries, essays you write, reading texts you paste or save, and exercise progress. This data is tied to your account and is what makes Lex useful to you across devices.

AI feature inputs

When you use an AI-powered feature — essay feedback, AI text generation, AI translation, prompt generation — the relevant text (your essay, your prompt, the word being translated) is sent to OpenAI for processing. We do not allow OpenAI to use this data to train their models (OpenAI's API does not train on submitted content by default). We log a row in our own database recording that an AI call happened, against which feature, whether it succeeded, and when — but not the content of the call.

Free check (anonymous)

The free essay check on our landing page does not require an account. To prevent abuse we store a hashed cookie token and a hashed IP address (SHA-256 with a server-side secret — we never store the raw IP). We also store the language, the estimated CEFR level the AI returned, and the essay length in characters. We do not store the essay text itself.

Billing data

When you subscribe, our payment processor (Stripe) stores your billing details, including name, address, and payment method. We receive a customer ID, subscription status, and billing metadata from Stripe but never see your card number or full payment details.

Product analytics

We use PostHog to understand how Lex is used. PostHog sets a first-party cookie on your browser containing an anonymous identifier. We have disabled session recording and disabled automatic click tracking — only events we explicitly name (e.g. signup completed, first word saved, subscription started) are captured. PostHog does not track you across other websites.

We also use Vercel Web Analytics, a cookieless service that records aggregate page views and basic request metadata (country, referrer, browser type) without setting cookies and without identifying you personally.

What we don't collect

No advertising cookies, no behavioral tracking across other sites, no cross-site profiles. We do not sell your data.

3. Legal basis for processing

  • Contract performance (Art. 6(1)(b) GDPR) — for account creation, subscription management, AI processing of content you submit, and providing the service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR) — for fraud prevention (anonymous-check rate limiting), security, basic server logs, and product analytics aimed at improving Lex.
  • Legal obligation (Art. 6(1)(c) GDPR) — for retaining invoices and tax records as required by German law.
  • Consent (Art. 6(1)(a) GDPR) — for any optional processing where we ask you separately.

4. Subprocessors

We use the following service providers to operate Lex. Each is bound by a Data Processing Agreement (DPA) and processes data on our behalf:

5. Cookies

Lex sets a small number of first-party cookies:

  • lex_session — your signed-in session token (strictly necessary, HTTP-only, expires after 7 days).
  • lex_anon_check — set on visitors who use the free essay check on the landing page, to enforce the one-free-check limit (strictly necessary, HTTP-only, expires after 1 year).
  • ph_…_posthog — set by PostHog for product analytics (functional). Contains an anonymous identifier; expires after 1 year.

We do not set any advertising cookies. PostHog's functional cookie is disclosed in this policy; if you wish to disable it, your browser's privacy controls (Do Not Track, content-blocking extensions) will block it.

6. Data retention

Account data and your learning content are retained while your account is active. If you delete your account, we delete or anonymize your data within 30 days, except where we are required by law to retain it longer (e.g. tax-relevant invoices for 10 years per § 147 AO). Anonymous-check records are auto-pruned once they fall outside the 24-hour rate-limit window. Subscription cancellation does not automatically delete your account.

7. Your rights under the GDPR

You have the right to:

  • Request access to your personal data (Art. 15 GDPR)
  • Request rectification of inaccurate data (Art. 16 GDPR)
  • Request deletion of your data (Art. 17 GDPR)
  • Request restriction of processing (Art. 18 GDPR)
  • Request data portability (Art. 20 GDPR)
  • Object to processing based on legitimate interest (Art. 21 GDPR)
  • Withdraw consent at any time, where consent is the basis
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR) — for Germany, the relevant authority is the data protection commissioner of your federal state, or for Bavaria the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

To exercise any of these rights, email thelabmarketplace@hotmail.com. We respond within 30 days.

8. International transfers

Some of our subprocessors (Stripe, OpenAI, PostHog, Vercel) may process data outside the EU/EEA. These transfers are protected by EU Standard Contractual Clauses or comparable safeguards.

9. Changes

We may update this Privacy Policy. Material changes will be communicated by email or via a prominent notice on this site.