Privacy Policy

This Privacy Policy explains how Lextractcollects, uses, shares, and protects personal data when you use our commercial lease abstraction service (the “Service”). Please read it alongside our Terms of Service.

1. Who we are and our role

The Service is operated by Ventora Labs, a Wyoming corporation (“we”, “us”, “our”), Sheridan, Wyoming. For personal data relating to your account and your use of the Service, we act as a data controller.

When you upload a lease document, that document may contain personal data about third parties (for example, individuals named in a lease). In many cases you act as the controller of that document data and we act as your processor, processing it on your instructions to produce your extraction results. You are responsible for ensuring you have the authority and lawful basis to upload any document you submit.

For data-protection questions, contact us at angel.campa@lextract.io.

2. What we collect

Account and contact data

• Email address, and (if you provide them) your full name, company, and professional role (for example: tenant representative, broker, attorney, landlord, investor).
• Authentication data managed by our authentication provider (Neon Auth), including session credentials.
• Payment records - we store your Stripe customer identifier, payment type, amount, currency, and payment status. Card details are collected and processed directly by Stripe; we do not store full card numbers.
• Your credit balance and an immutable record of credit transactions.

Uploaded documents and extraction data

• The lease PDF you upload (stored in private cloud object storage), its filename, and page count.
• The structured data extracted from the document (up to 126 fields), per-field confidence scores, detected “red flags”, and any edits you make to extracted values (kept as an edit history).
• For diagnostic and audit purposes, raw responses from the AI models for each extraction pass may be stored in object storage.

Anonymous (upload-first) sessions

You can begin an extraction before creating an account using a temporary anonymous session, identified by a session token with a limited lifetime. If you later create an account, the session can be linked to it.

Marketing and lead data

If you download a resource or submit a form on our marketing site, we collect your email and any details you provide (such as name and company), the source of the lead, and related marketing events. This data is stored in our marketing data store (Cloudflare D1) and may be associated with an Apollo contact identifier for outreach.

Technical and analytics data

We may collect standard technical data (such as IP address and request metadata) for security, rate limiting, and error monitoring. If enabled, we use PostHog for product analytics and Sentry for error tracking.

3. How and why we use your data (GDPR legal bases)

Where the EU or UK GDPR applies, we rely on the following legal bases under Article 6(1):

• Performance of a contract (Art. 6(1)(b)) - to create and manage your account, process your uploads, run the extraction pipeline, deliver results and exports, and process payments and credits.
• Legitimate interests (Art. 6(1)(f)) - to secure and improve the Service, prevent abuse and fraud, monitor errors, and (where permitted) carry out limited product analytics and marketing. We balance these interests against your rights.
• Consent (Art. 6(1)(a)) - for optional analytics or marketing communications where consent is required. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)) - to keep records we are required to retain (for example, certain financial records).

4. AI processing transparency

Extraction is performed by large-language models. To produce your results, we transmit the full uploaded PDF to OpenRouter, which routes the request to one or more third-party model providers (for example, Google’s Gemini models and OpenAI models) across multiple validation passes. Our configuration restricts routing to a defined set of inference providers.

Each AI provider processes your document under its own terms and privacy policy. We do not use your documents or extraction results to train our own models. We do not currently have an independently verified contractual or technical guarantee that the downstream model providers do not retain or use submitted content for their own purposes (including training). Because uploaded documents may contain confidential or sensitive information, you should not upload material you are not authorized to disclose to third-party AI processors.

5. Sub-processors and third parties

We share data with the following service providers strictly to operate the Service. We do not sell your personal data.

• Neon - managed PostgreSQL database and authentication (Neon Auth).
• Cloudflare R2 - object storage for uploaded documents, exports, and diagnostic artifacts.
• Cloudflare (Workers / D1) - marketing data capture and storage.
• OpenRouter - AI request routing for the extraction pipeline, and the downstream model providers it routes to (such as Google and OpenAI).
• Stripe - payment processing.
• Resend - transactional email (e.g. receipts, notifications), where enabled.
• Sentry - error and performance monitoring, where enabled.
• PostHog - product analytics, where enabled.
• Apollo - marketing contact management for leads captured on our marketing site.

6. International data transfers

Some of our service providers are located in, or process data in, the United States and other countries outside the EEA and the UK. Where we transfer personal data internationally and the law requires it, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, or another lawful transfer mechanism.

7. Data retention

We keep your uploaded documents, extraction results, and account data for as long as your account is active and as needed to provide the Service. You can delete individual extractions from your dashboard at any time, which removes the stored document and related files from object storage and hides the record. When you ask us to close your account, we will delete or de-identify your associated personal data, except where we are required to retain certain records (for example, financial records) to comply with legal obligations. Deletion of backups and copies held by sub-processors occurs in line with their own retention cycles.

8. Security

We use technical and organizational measures designed to protect your data. Uploaded documents are kept in private object storage that is not publicly listable and is accessed only through short-lived, signed URLs or an authenticated proxy. Access to extractions is scoped to the owning account or anonymous session, and database access is governed by row-level security policies. Data is transmitted over encrypted (HTTPS/TLS) connections. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Your rights

EEA / UK (GDPR)

Subject to applicable law, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data; the right to data portability; and the right to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.

California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to request deletion and correction; and the right to opt out of the “sale” or “sharing” of personal information. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We will not discriminate against you for exercising your rights.

To exercise any of these rights, contact us at angel.campa@lextract.io. We will verify your request as required by law before acting on it.

10. Children

The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.

11. Cookies and analytics

We use cookies and similar technologies that are necessary for authentication and the secure operation of the Service. Where enabled, we also use product analytics (PostHog) and error monitoring (Sentry). You can control cookies through your browser settings.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the effective date above and, for material changes, take reasonable steps to notify you (for example, by email to registered users).

13. Contact

Questions or requests about this policy or your personal data? Email angel.campa@lextract.io, or write to us at Ventora Labs, a Wyoming corporation, Sheridan, Wyoming.