Overview
Lenavix Inc. (“Lenavix”, “we”) operates the Lenavix platform (the “Service”), an AI-powered regulatory legal due diligence workspace for corporate counsel, venture capital and private equity legal teams, and law firms. This policy describes how we collect, use, store, and protect data when you use the Service or visit lenavix.com.
What we collect
- Account data — name, work email, company, and role.
- Workspace inputs — documents, vendor questionnaires, portfolio metadata, and other materials customers upload for regulatory review.
- Output data — findings, citations, jurisdictional analyses, and audit trails the Service generates from those inputs.
- Usage telemetry — pages visited, features used, error events. Used to operate, secure, and improve the Service.
How we use customer data
- To deliver the contracted Service: run vendor reviews, portfolio reviews, and ongoing regulatory monitoring on customer-uploaded data.
- To support customers: respond to requests, troubleshoot, and improve the accuracy of findings.
- To improve the Service: in aggregate, de-identified form only. Customer documents and workspace contents are not used to train third-party foundation models, and are not used to train Lenavix’s own models without an explicit, written opt-in from the customer.
- Access, collection, and processing are limited to what is needed for these legitimate business purposes.
Retention and deletion
Customer data is retained for the duration of the contract and for the period required by contractual, operational, and legal obligations. On termination or written request, customer workspace contents are securely deleted or anonymized, subject to records we are legally required to retain (for example, audit logs and billing records).
Sub-processors and service providers
We rely on a small number of vetted infrastructure and AI providers (hosting, model inference, observability, email). All sub-processors operate under contractual confidentiality and security obligations consistent with this policy. A current list is available under NDA on request.
Data security
- Data in transit is protected with TLS 1.2 or higher.
- Data at rest is encrypted with industry-standard controls.
- Customer workspaces are logically segregated; access is enforced at the tenant boundary.
- System and data access is restricted to authorized Lenavix personnel with a legitimate business need.
- Role-based access controls and multi-factor authentication are required for privileged access.
- Access to critical systems is logged, monitored, and periodically reviewed.
- Personnel receive recurring security and privacy awareness training.
Certifications and compliance
Lenavix’s SOC 2 Type I/II audit is in progress; ISO 27001 and GDPR readiness work are also underway. Current documentation is available under NDA on request. See the security roadmap in the site footer for status.
Incident response
We maintain procedures to identify, escalate, contain, and remediate security events. If an incident affects customer data, we will notify affected customers in accordance with our contractual and legal obligations.
Your choices
You can request access to, correction of, or deletion of personal data we hold about you by emailing the contact below. We honor applicable rights under PIPEDA, the GDPR, and other privacy laws that apply to you.
Changes to this policy
We may update this policy from time to time. The “Effective” date at the top reflects the most recent revision. Material changes will be communicated to active customers via email or in-product notice.
Contact
Questions about this policy or your data? Email michael@lenavix.com.