Privacy Policy
How LexiCo AS collects, processes, and protects your data.
Last updated: 17 February 2026
1. Data Controller
The data controller for LEXI Cloud is LexiCo AS, a company registered in Norway.
LEXI Cloud is an AI API proxy service operated at api.lexisaas.com. It processes customer API requests to compress context before forwarding them to upstream large language model (LLM) providers.
For privacy-related enquiries, contact us at privacy@lexisaas.com.
2. Data We Process
2.1 Message content (transient)
When you send an API request through LEXI Cloud, we process the message content in memory only for the purpose of applying STONE compression. No conversation content is stored beyond the active session. Sessions are ephemeral — once the request/response cycle completes or the session expires, the content is discarded from memory.
2.2 Account information (stored)
| Data | Purpose | Basis |
|---|---|---|
| Email address, name | Account creation, authentication, communication | Contract performance |
| API key hashes | Request authentication. We store only cryptographic hashes — never the plaintext API key. | Contract performance |
| Usage records | Token counts, request counts, timestamps. Used for billing, rate limiting, and analytics. We do not store message content in usage records. | Contract performance, legitimate interest |
| Credit balance and billing information | Payment processing via Stripe. We do not store full card numbers — Stripe handles PCI compliance. | Contract performance |
2.3 Your LLM API keys
LEXI Cloud operates on a bring-your-own-key (BYOK) model. Your LLM provider API keys (e.g., OpenAI, Anthropic) are passed through to the upstream provider in real time. LEXI does not store your LLM API keys. They are held in memory only for the duration of the request and are never written to disk or logged.
3. How Data Flows
LEXI Cloud acts as a proxy between your application and upstream AI providers. The data flow is:
- Your application sends an API request containing messages and your upstream LLM API key.
- LEXI Cloud (hosted on LexiCo's servers in Norway) receives the request, applies STONE compression to the message context in memory, and forwards the compressed request to the upstream provider.
- The upstream AI provider (e.g., OpenAI, Anthropic, or other provider of your choice) processes the request and returns a response.
- LEXI Cloud passes the response back to your application. No conversation content is stored on disk at any point.
LEXI stores only account information, usage metrics, and credit balance. Conversation content is processed in memory and never persisted.
4. Cookies
LEXI Cloud uses session cookies only for dashboard authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| lexi_session | Authenticates your dashboard session | Session (expires on browser close or after 24 hours) |
5. Third-Party Processors
We share data with the following third-party services, each acting as a data processor under GDPR:
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing and billing | Email, billing details, transaction amounts |
| Upstream LLM providers | Processing your API requests (customer's choice of provider) | Compressed message content, your LLM API key (pass-through) |
Note on PocketBase: LEXI Cloud uses PocketBase for user data storage and authentication. PocketBase is self-hosted on LexiCo's own servers in Norway — it is not a third-party service or external data processor. All data stored in PocketBase remains on LexiCo infrastructure within the EEA.
Your choice of upstream LLM provider (e.g., OpenAI, Anthropic) is governed by that provider's own privacy policy and terms of service. LEXI acts as a proxy — the compressed content is sent to the provider you specify.
6. Data Location and Security
LEXI Cloud infrastructure is hosted on Microsoft Azure, North Europe region (Norway). All stored data (account information, usage records, billing data) resides within the European Economic Area (EEA).
We implement appropriate technical and organisational security measures, including:
- Encryption in transit (TLS 1.2+) for all API and dashboard traffic
- Encryption at rest (AES-256-GCM) for stored data
- API key hashing (never stored in plaintext)
- Role-based access control for internal systems
- Audit logging for administrative actions
When your API requests are forwarded to upstream LLM providers, the data is transmitted to wherever that provider processes requests. This is determined by your choice of provider and their infrastructure, not by LEXI.
7. Data Retention
| Data type | Retention period |
|---|---|
| Message content (in-memory) | Duration of the active session only. Not persisted to disk. |
| Account information | Until account deletion, plus 30 days for backup recovery. |
| Usage records | 24 months for billing and analytics purposes, then anonymised or deleted. |
| Billing records | As required by Norwegian accounting law (currently 5 years). |
| LLM API keys | Not retained. In-memory only for the duration of each request. |
8. Your Rights Under GDPR
As LEXI Cloud is operated by a Norwegian company, the EU General Data Protection Regulation (GDPR) applies, as implemented by the Norwegian Personal Data Act (personopplysningsloven). You have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate personal data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten"). Upon account deletion, all personal data is removed within 30 days, except where retention is required by law.
- Right to data portability — Receive your personal data in a structured, machine-readable format.
- Right to restriction — Request that we restrict processing of your personal data in certain circumstances.
- Right to object — Object to processing based on legitimate interest.
To exercise any of these rights, contact us at privacy@lexisaas.com. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.
9. Data Processing Agreement
Customers who require a formal Data Processing Agreement (DPA) under GDPR Article 28 can request one by contacting privacy@lexisaas.com. We provide DPAs at no additional cost for high-volume users and upon request for any customer.
10. Children's Privacy
LEXI Cloud is a business-to-business API service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered account holders and posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact
For any questions about this privacy policy or your personal data: