Privacy Policy
Loxmetis is built specifically for personal injury attorneys. We understand that case documents contain your clients' most sensitive information — medical records, financial details, and litigation strategy. This policy explains exactly how we handle that data.
1. What We Collect
When you use Loxmetis, we collect the following categories of data:
- Case documents — PDFs, images, and other files you upload (medical bills, police reports, depositions, etc.)
- Chat conversations — Messages between you and Loxmetis's AI personas within each case
- Usage metadata — Timestamps, page views, feature usage, and error logs for platform improvement and debugging
- Account information — Your email address, name, and firm name provided at registration
- Financial inputs — Medical specials, wages, and settlement figures you enter into calculators (stored per-case, per-organization)
Your Loxmetis account itself does not require sensitive identifiers such as Social Security numbers, and we never store credit-card numbers — payments are processed by our billing provider (Stripe), which collects card details directly. The case documents you upload, however, may contain sensitive personal information about your clients (for example, a Social Security number printed on a medical bill). When our document processor detects identifiers like these, it replaces them with reversible tokens and keeps the mapping in a short-lived, access-controlled cache, so the underlying values are shown only to authorized members of that case. We collect no personal data beyond what is necessary to provide the service.
2. How We Use Your Data
Your data is used exclusively to provide the Loxmetis service to you and your organization:
- Document retrieval and analysis within your active cases (RAG pipeline)
- Generating AI-assisted chat responses using your uploaded case documents as context
- Running settlement calculations and financial projections
- Storing your case history for reference and continuity
We do not train AI models on your clients' confidential information, and we never let a third party train its models on your data. Your case documents, chat conversations, and client data are attorney-client privileged materials, and we never use one organization's data in a way that could expose it to another.
We use your data to deliver the service to you and your organization, which can include learning from your feedback and corrections to improve answers within your own cases. When we use customer data to improve Loxmetis more broadly — including to develop our own models, retrieval, or analytics — we do so only with data that has been de-identified (stripped of client- and matter-identifying details) and/or aggregated, never in a way that reveals one organization's information to another. We will not use your identifiable client documents to train shared models.
3. Organization Isolation
Loxmetis uses a strict multi-tenant architecture. Each law firm's data is completely isolated from every other firm's data at the database level.
- Every database query is filtered by
organization_id— there is no query that can return data across organizations - Your cases, documents, chat conversations, and financial data are never visible to users from other firms
- Requests that attempt cross-organization access are rejected with HTTP 403 Forbidden
- No Loxmetis administrative interface or query exposes one firm's case content to another firm — cross-organization access is rejected at the application layer before any database query runs
This isolation is enforced at the application layer and verified through automated testing. As with any hosted service, a small number of operations staff can access the underlying infrastructure when strictly necessary to run, debug, or support the platform; such access is limited, logged, and covered by confidentiality obligations — it is not used to browse client case content.
4. AI Provider & Subprocessors
Loxmetis uses Google Gemini for AI processing:
- Chat and analysis — Google Gemini 2.5 Flash processes your prompts and case context to generate responses
- Document search — Google Gemini embedding-001 converts document text into search vectors stored in your organization's database
When you send a message or upload a document, the relevant text is sent to Google's API for processing. Per Google's API Terms of Service, data sent via API calls is not used to train or improve Google's AI models. Google processes your data as a data processor on our behalf, subject to their data processing agreement.
Google Gemini is our large-language-model provider; we do not send your data to consumer AI products, and we do not share it with any AI vendor for model training. To operate the service, Loxmetis also relies on a small set of infrastructure and service providers — for hosting, document storage, email, and billing. We list every one of them, and exactly what data each receives, on our Subprocessors page.
5. Data Retention
- Active cases — Retained for the duration of your subscription
- Closed cases — Auto-archived 90 days after you mark a case as closed
- Archived data — Restricted from access; currently slated for manual hard deletion within 30 days of archiving while our automated data-destruction pipeline is finalized
- Account data — Retained until you request deletion or your account is terminated
- Data deletion — You can request deletion of your data at any time by contacting privacy@loxmetis.com
6. Encryption
- Data in transit — All connections use TLS 1.2 or higher. There is no unencrypted HTTP access to your data.
- Data at rest — Case documents are stored in object storage encrypted with AES-256 (encryption keys are managed by the storage provider, not customer-managed). Database contents are encrypted at rest by our infrastructure provider.
- Authentication tokens — Session tokens are stored in httpOnly cookies, not accessible to JavaScript, reducing XSS risk.
7. ABA Rule 1.6 Compliance
Loxmetis is designed specifically to meet the "reasonable efforts" standard under ABA Model Rule 1.6(c), which requires attorneys to make reasonable efforts to prevent unauthorized disclosure of client information.
Our implemented safeguards include:
- Encryption — TLS 1.2+ in transit, AES-256 at rest
- Organization isolation — Strict data silo enforcement at the database and application layers
- Access controls — Role-based permissions within your firm (owner, member roles on each case)
- Audit logging — All user actions are logged with timestamps, user identity, and affected resources
- Authentication hardening — Account lockout after failed login attempts, httpOnly session cookies
- Vendor security — Google's API data processing agreement and Cloudflare's security infrastructure
We recommend that you consult your state bar's ethics guidance on cloud-based client data storage when evaluating any practice management software, including Loxmetis. Most state bars have issued guidance consistent with ABA Formal Opinion 477R (2017), which permits cloud storage when reasonable security measures are in place.
8. Where Your Data Is Stored
Loxmetis is operated from cloud infrastructure located in the United States. Your case documents, database records, and backups are stored in US data centers. If you access Loxmetis from outside the US, your data is transferred to and processed in the US.
9. Cookies, Analytics & Email
Loxmetis uses strictly necessary cookies to keep you signed in (an httpOnly session cookie and a refresh cookie) and to protect public forms from abuse. We do not use advertising cookies and we do not sell tracking data. If product analytics is enabled for your environment, it records non-identifying usage events (which features are used, errors encountered) and is configured to exclude personal information.
If you join our waitlist or opt in to product updates, we store your email address with our email provider to send those messages; every marketing email includes an unsubscribe link. The services involved are listed on our Subprocessors page.
10. Selling, Sharing & Disclosure
We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are used under the California Consumer Privacy Act (CCPA/CPRA) and similar US state privacy laws. We use your data only to provide the service, as described above. Depending on your state of residence, you may have the right to know what personal information we hold, to request its deletion, and to not be discriminated against for exercising these rights. To make a request, contact privacy@loxmetis.com.
We may, however, disclose your information in limited circumstances: to the service providers listed on our Subprocessors page who help us operate Loxmetis; when required by law or valid legal process (such as a subpoena or court order); to protect the rights, safety, or property of Loxmetis, our users, or others; or in connection with a merger, acquisition, or sale of assets (in which case we will provide notice). We do not otherwise share your case data with third parties without your consent.
11. Children's Privacy
Loxmetis is a professional tool for attorneys and is not directed to children. We do not knowingly collect personal information from anyone under 18 as an account holder. Case documents may, of course, contain information about minors who are parties to a matter; that information is handled the same way as any other sensitive case data described above.
12. Your Rights
You have the following rights with respect to your data:
- Access — Request a copy of data we hold about your account and organization
- Export — Export your case documents and conversation history at any time
- Correction — Update incorrect account information
- Deletion — Request deletion of your data. On account deletion, access is removed immediately and your data is permanently purged after a 30-day recovery grace period.
To exercise any of these rights, contact privacy@loxmetis.com.
13. Changes to This Policy
If we make material changes to this privacy policy, we will notify all registered users by email at least 14 days before the changes take effect. Non-material changes (such as clarifications that do not reduce your rights) may be made without notice. The "Last updated" date at the top of this page reflects the most recent version.
Continued use of Loxmetis after the effective date of a revised policy constitutes acceptance of the updated terms.
Questions? Contact us at privacy@loxmetis.com.