Legal

When you use the platform, the following categories of personal data within the meaning of Art. 4 No. 1 GDPR are processed:

• Account data: name, email address, password hash (bcrypt)
• Content data: the cases and legal analyses (Gutachten) you submit and the resulting analysis output
• Usage data: analysis history, quiz results, learning progress, feedback
• Billing and payment data for paid plans (handled by the payment service provider)
• Metadata: IP address, user agent, timestamps and request logs required to run the service

Processing takes place on the following legal bases under Art. 6 (1) GDPR; the assigned purposes are exhaustive:

• Art. 6 (1) lit. b GDPR — Performance of the user contract: providing the account, running the analysis of your Gutachten, generating practice questions.
• Art. 6 (1) lit. a GDPR — Consent: transmission of your content to the AI model used (Amazon Bedrock / Anthropic Claude). Consent can be withdrawn at any time with effect for the future (Art. 7 (3) GDPR).
• Art. 6 (1) lit. f GDPR — Legitimate interests: IT security, abuse prevention, reliable operation (logging, rate limiting). Our interest prevails because the data is stored only briefly and is not used for profiling.
• Art. 6 (1) lit. c GDPR — Compliance with legal obligations: retention and record-keeping duties, in particular under §§ 147 AO (German Fiscal Code) and 257 HGB (German Commercial Code).

For the technical operation of the platform we use the following data processors. Data processing agreements under Art. 28 GDPR are in place with every provider listed:

Authentication runs exclusively on our own infrastructure. Credentials are not transmitted to any external identity provider.

Third-country transfer: Neon, Inc. and the AWS parent company are based in the USA. Actual data processing, however, takes place exclusively within the EU. The transfer mechanism relied on is the EU Standard Contractual Clauses (Implementing Decision 2021/914) under Art. 46 (2) lit. c GDPR, supplemented by the additional safeguards documented in the respective DPA.

Only strictly necessary session cookies from our own authentication system are set. The legal basis is § 25 (2) No. 2 TDDDG (German Telecommunications Digital Services Data Protection Act). No third-party tracking, marketing or analytics cookies are used; consent under § 25 (1) TDDDG is therefore not required.

Personal data is stored only for as long as required for the purposes stated above or as mandated by statutory retention periods:

• Account and content data: until you delete your account; deletion then takes place within 30 days unless retention obligations apply.
• Invoices and payment records: 10 years (§ 147 (3) AO, § 257 (4) HGB).
• Server and security logs: at most 30 days, then automatically deleted or anonymized.

The AI-assisted analysis of Gutachten is purely a learning aid. There is no automated decision-making that produces legal effects or similarly significantly affects the data subject within the meaning of Art. 22 (1) GDPR. The results serve only your own self-assessment; no profiling or evaluation towards third parties (e.g. examination offices) takes place.

You have the following rights vis-à-vis the controller:

• Right of access to the data processed (Art. 15 GDPR)
• Right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability in a structured, commonly used format (Art. 20 GDPR)
• Right to object to processing based on legitimate interests (Art. 21 GDPR)
• Right to withdraw consent with effect for the future (Art. 7 (3) GDPR)

An informal message to support@lexduvia.de is sufficient to exercise these rights. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is the State Commissioner for Data Protection of Lower Saxony.