Privacy policy.
Effective: 2026-05-09
This Privacy Policy explains how Costa Consulting Group, LLC (DBA Lexora Labs) (“we,” “us,” or “our”) collects, uses, shares, and protects personal information in connection with undergroundcommerce.com and related services (the “Site”). It also describes the rights and choices available to individuals based on where they live.
1. Data controller & legal entity
The Site is operated by Costa Consulting Group, LLC (DBA Lexora Labs), located in San Mateo, California. For privacy questions or to exercise rights, contact [email protected].
2. Scope & applicability
This Policy applies to visitors of the Site, registered users, paid subscribers, and individuals who otherwise communicate with us. It does not apply to websites or services operated by others, even where we link to them. Our handling of cookies is described in Section 7.
3. Personal information we collect
3.1 Information you provide
- name, email address, and any company or title information you supply;
- account credentials and authentication identifiers;
- billing information processed by our payment provider (we do not store full card details);
- messages, support requests, and other content you send us;
- inputs or content you provide that may be processed by AI systems (see Section 6).
3.2 Automatically collected / technical data
- IP address, device, operating system, and browser data;
- page views, session duration, referrer, and other usage analytics;
- cookies and similar tracking identifiers;
- language and other preferences, and basic performance metrics.
3.3 From third parties & integrations
We may receive data from service providers we use to run the Site, including authentication, hosting, analytics, AI/model providers, mailing systems, and payment processors. If you sign in with a third-party identity provider (such as Google), we receive the basic profile information that provider shares with us.
3.4 Categories under California law
Under the CCPA/CPRA, the personal information described above falls within the following statutory categories: identifiers; customer-records information (e.g., name, email, billing); commercial information (e.g., subscription status); internet or network activity (e.g., usage and browsing data); geolocation (general, IP-based); audio/electronic information (support messages); and inferences drawn from the above.
4. How we use personal information
We process personal information to:
- operate, maintain, and improve the Site and our services;
- provision and bill paid subscriptions;
- authenticate users and protect against abuse, fraud, or unauthorized access;
- send service communications and, with consent where required, marketing;
- analyze usage and performance and personalize the experience;
- generate, evaluate, and improve scores, rationales, and reports;
- comply with legal obligations and enforce our Terms.
Where the GDPR or UK GDPR applies, our legal bases are: performance of a contract (account, subscription, billing), legitimate interests (running, securing, and improving the Site, and preventing abuse — balanced against your rights), consent (non-essential cookies and marketing, where required), and compliance with legal obligations.
5. How we share personal information
5.1 Service providers
We share personal information with vendors that process data on our behalf under written agreements that limit use to providing services to us. Categories and representative providers include:
- Authentication & database: Supabase (and, if you choose Google sign-in, Google).
- Payments: Stripe (we do not store full card numbers).
- AI / model providers: Anthropic (for Claude-based scoring and analysis).
- Email delivery: Resend.
- Hosting & infrastructure: cloud hosting and CDN providers used to deliver the Site.
This list reflects our current providers and may change as we update our stack.
5.2 Legal & safety
We may disclose personal information to legal, tax, and accounting advisors; governmental or judicial authorities in response to lawful requests; and others where necessary to comply with law, enforce our Terms, prevent fraud or abuse, or protect the rights, property, or safety of any person.
5.3 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections and to this Policy or a successor policy with comparable protections.
5.4 No sale of personal information
We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined under California law. We have not done so in the past 12 months.
6. AI processing
The Site uses large language models, including those provided by Anthropic, to score and summarize publicly available news and documents. If you submit content to us (for example, support messages or any free-text inputs in account features), that content may be processed by these models for the purpose of providing or improving the Site. We instruct our AI providers, by contract, not to use customer inputs to train their general-purpose models. Do not submit sensitive personal information, confidential information, or third-party data you are not authorized to share.
8. Data retention
- account and subscription records: for the life of the account and for a reasonable period after closure to meet legal, tax, and audit requirements;
- billing records: as required by applicable financial and tax law (typically 7 years);
- leads and prospect data: up to three years from last activity;
- analytics: in aggregated or de-identified form;
- communications: as needed to handle and follow up on the matter, then deleted or archived.
9. Security
We use technical and organizational measures appropriate to the risk, including encryption in transit, access controls, vendor diligence, and breach-notification procedures. No system is perfectly secure; we cannot guarantee absolute security of your data.
10. International transfers
We are based in the United States, and our service providers may process personal information in the United States and other countries. Where required by law, transfers of personal information from the European Economic Area, the United Kingdom, Switzerland, or other restricted jurisdictions are protected by appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism.
11. California privacy rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, the sources, the purposes, and the categories of recipients;
- Access a copy of the specific pieces of personal information we hold about you;
- Correct inaccurate personal information;
- Delete personal information we hold about you, subject to legal exceptions;
- Limit our use and disclosure of any sensitive personal information (we do not use sensitive personal information for purposes that would trigger this right);
- Opt out of sale or sharing of personal information (as noted, we do not sell or share personal information);
- Non-discrimination for exercising any of these rights.
To exercise these rights, email [email protected] from the address associated with your account, or with enough detail for us to verify your identity. You may use an authorized agent acting on your behalf, subject to verification. We will respond within the time required by law (generally 45 days, with one extension permitted).
Shine the Light. California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for those parties’ direct-marketing purposes. We do not make such disclosures.
12. European & UK privacy rights (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request erasure (the “right to be forgotten”), subject to legal exceptions;
- request restriction of processing in certain circumstances;
- object to processing based on our legitimate interests, including direct marketing;
- request data portability for data you provided to us;
- withdraw consent at any time where processing is based on consent (without affecting prior processing);
- lodge a complaint with your local data-protection authority.
The legal bases on which we rely are described in Section 4. Cross-border transfers are addressed in Section 10. To exercise any of these rights, email [email protected].
13. Children’s privacy
The Site is not directed to children, and we do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, contact us and we will delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. For material changes, we will use reasonable efforts to provide additional notice (for example, by email or an in-product notice). Continued use of the Site after changes are posted constitutes acceptance of the updated policy.
15. Contact
Privacy questions and data-protection correspondence: [email protected].