Skip to main content
thexis
Request access
Legal

Privacy Policy

Last updated: 22 May 2026

1. Introduction

Thexis Intelligence Ltd ("Thexis", "we", "us", "our") is committed to protecting the privacy of those who interact with us. This Privacy Policy explains how we collect, use, share, and otherwise process personal data when you visit our website at www.thexis.ai (the "Site") or use our platform (the "Service").

Thexis provides software that helps UK law firms and litigation funders identify, evaluate, and prepare potential legal matters. The Service is intended for professional use by qualified legal practitioners and regulated funders.

This Privacy Policy applies when you visit the Site, register for or use the Service, communicate with us, attend our events or briefings, or are the subject of personal data that we process in the course of our business. It does not apply to personal data processed by our customers within the Service, for which the relevant customer is the data controller.

By visiting the Site or using the Service, you confirm that you have read and understood this Privacy Policy.

2. Information we collect

We collect the following categories of personal data.

  • Identity and contact data, including your name, title, employer, professional role, business email address, business telephone number, and business postal address.
  • Account and authentication data, including your username, encrypted password, multifactor authentication credentials, role and permission settings, and access logs.
  • Communications data, including the content of your correspondence with us, support tickets, feedback, and meeting notes where applicable.
  • Commercial and transactional data, including subscription details, order history, billing information, and tax identifiers.
  • Technical data, including IP address, device identifiers, browser type and version, operating system, time zone, language preferences, referral source and session identifiers.
  • Usage data, including the pages and features you access, the queries you submit, the content you view and the time you spend in the Site or Service.
  • Marketing and preferences data, including your marketing consents, communication preferences and event attendance.

We collect this data:

(i) directly from you, when you submit it through the Site, the Service, or in correspondence with us;

(ii) automatically, through cookies and similar technologies (see Section 11);

(iii) from your employer, where your firm procures the Service or nominates you as a user;

(iv) from publicly available sources, including professional registers, regulatory publications, court records, company filings, and news media, for lawful business research and outreach; and

(v) from third party service providers, such as identity verification, business contact data, authentication, and analytics providers.

Special category and criminal offence data

We do not request special category personal data (Article 9 UK GDPR) or data relating to criminal convictions and offences from website visitors or prospective customers. Where such data is incidentally present in content that customers upload to the Service, we process it as a processor on the customer's instructions, in accordance with the relevant Data Processing Agreement.

Customer uploaded content

The Service permits customers and their authorised users to upload content that may include personal data of third parties, such as individuals affected by a potential legal matter ("Customer Content"). The customer is the data controller for Customer Content and Thexis is the data processor. A Data Processing Agreement between us and the customer governs that processing.

3. How we use your information

We use your personal data to:

  • operate the Service, including registering and managing accounts, authenticating users, hosting and processing content, and providing customer support;
  • communicate with you, including sending service announcements, maintenance notices, billing communications, and updates to this Privacy Policy and our other policies;
  • respond to your enquiries, including requests for early access, demonstrations, and other business communications;
  • send marketing communications about our products and services to professional contacts at law firms, litigation funders, and other organisations operating in the legal sector. You may unsubscribe at any time using the link in any marketing email or by contacting privacy@thexis.ai;
  • operate, monitor, secure, and improve the Service, including analysing usage patterns, diagnosing issues, developing new features, and managing performance;
  • detect and prevent fraud, misuse, security incidents, and breaches of our Terms of Use or Acceptable Use Policy;
  • comply with our legal, regulatory, tax, accounting, and audit obligations, including responding to lawful requests from public authorities and complying with court orders;
  • establish, exercise, or defend legal claims, including managing disputes and protecting our rights and the rights of others;
  • carry out corporate transactions, including due diligence, mergers, acquisitions, financings, and reorganisations; and
  • provide artificial intelligence features. The Service uses artificial intelligence, including large language models supplied by third party providers, to help users identify and evaluate potential legal matters. AI is used to support, not replace, human professional judgement. We do not make decisions producing legal or similarly significant effects on individuals solely by automated means within the meaning of Article 22 UK GDPR. We apply contractual and technical controls to prevent Customer Content from being used to train third party foundation models. Further information is set out in our AI Transparency Statement.

We do not sell your personal data.

4. Legal basis for processing

Under the UK GDPR, we rely on the following lawful bases to process your personal data. Where multiple bases are available, we rely on the most appropriate basis in the circumstances.

PurposeLawful basis under the UK GDPR
Operating and administering the ServicePerformance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f))
Authenticating users and securing accountsPerformance of a contract; legitimate interests in security
Sending service related communicationsPerformance of a contract; legal obligation (Art. 6(1)(c))
Responding to enquiries and early access requestsLegitimate interests in responding to prospective customers
Sending marketing communications to professional contactsConsent (Art. 6(1)(a)) where required; legitimate interests, including the soft opt in under PECR
Hosting and processing Customer ContentActing as processor on the customer's documented instructions
Monitoring, securing, and improving the ServiceLegitimate interests
Detecting and preventing fraud, misuse, and security incidentsLegitimate interests; legal obligation
Compliance with legal, tax, regulatory, and accounting obligationsLegal obligation
Establishing, exercising, or defending legal claimsLegitimate interests; legal obligation; in respect of special category data, Article 9(2)(f) UK GDPR and Schedule 1, Part 1, paragraph 33 of the Data Protection Act 2018
Conducting corporate transactionsLegitimate interests
Operating analytics and functional cookiesConsent under PECR; legitimate interests where lawful without consent

Where we rely on legitimate interests, we have carried out (or will carry out) a Legitimate Interests Assessment to balance our interests against your rights and freedoms. You may request a summary by contacting privacy@thexis.ai.

You may withdraw consent at any time where consent is the lawful basis. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

5. Information sharing and disclosure

We share personal data only as necessary for the purposes set out in this Privacy Policy, with the following categories of recipients:

  • Service providers acting as processors, including providers of cloud hosting, authentication, communications, customer relationship management, analytics, customer support, payment processing, security monitoring, and artificial intelligence model inference. All processors are bound by written contracts that meet the requirements of Article 28 UK GDPR.
  • Professional advisers, including lawyers, accountants, auditors, insurers, and tax advisers, under duties of confidentiality.
  • Regulators, courts, and public authorities, where required by law or where reasonably necessary to protect our rights or the rights of third parties.
  • Prospective or actual acquirers, investors, and financing counterparties, in connection with corporate transactions, financings, restructurings, or the sale of assets, subject to confidentiality protections.

A current list of material subprocessors is available on request and, where applicable, under the Data Processing Agreement.

We apply appropriate technical and organisational measures to protect personal data shared with third parties, including encryption in transit and at rest, role based access controls, multifactor authentication, security logging, secure development practices, vulnerability management, supplier security reviews, and incident response procedures.

We will notify the Information Commissioner's Office of personal data breaches without undue delay, and where feasible within 72 hours of becoming aware of them, as required by law. We will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.

6. Data retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy any legal, tax, regulatory, accounting, or reporting obligations, and to establish, exercise, or defend legal claims.

Data categoryRetention period
Account dataTerm of the account plus six years
Billing and financial recordsSix years (UK statutory)
Marketing and prospect dataUntil you unsubscribe, or after 24 months of inactivity
Website analyticsUp to 26 months
Support correspondenceUp to six years
Security logsUp to 12 months, except during an active investigation
Customer ContentAs set out in the Data Processing Agreement

Where deletion is technically infeasible we isolate and protect the data until deletion is possible.

7. Your privacy rights

Under the UK GDPR, you have the following rights:

  • the right to be informed about how we process your personal data, which this Privacy Policy is intended to satisfy;
  • the right of access to your personal data (a subject access request);
  • the right to rectification of inaccurate or incomplete personal data;
  • the right to erasure of your personal data, in defined circumstances;
  • the right to restrict the processing of your personal data, in defined circumstances;
  • the right to object to processing based on legitimate interests, and to object at any time to direct marketing;
  • the right to data portability, in defined circumstances;
  • the right to withdraw consent at any time where consent is the lawful basis, without affecting the lawfulness of processing carried out before the withdrawal; and
  • the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects, subject to the exceptions in Article 22 UK GDPR.

To exercise any of these rights, contact us at privacy@thexis.ai. We may request information reasonably necessary to verify your identity. We will respond within one month of receipt of your request. For complex or numerous requests we may extend this by a further two months, in which case we will explain the reason.

Where the personal data is held on the Service by a customer, please address your request to that customer in the first instance. We will assist the customer in responding under the Data Processing Agreement.

You also have the right to lodge a complaint with the Information Commissioner's Office. See Section 14 for details.

8. International data transfer

Thexis is established in the United Kingdom and processes personal data primarily within the United Kingdom. Some of our service providers operate from outside the UK, including in the European Economic Area and the United States.

Where we transfer personal data to a country covered by UK adequacy regulations (including the EEA), we rely on those regulations as the basis for the transfer.

Where we transfer personal data to a country not covered by UK adequacy regulations, we apply appropriate safeguards under Article 46 UK GDPR, including:

  • the UK International Data Transfer Agreement;
  • the European Commission Standard Contractual Clauses together with the UK International Data Transfer Addendum; or
  • where the recipient is located in the United States and is certified, the UK Extension to the Data Privacy Framework.

Where required, we carry out a Transfer Risk Assessment. A copy of the safeguards applicable to a specific transfer is available on request to privacy@thexis.ai.

9. Children's privacy

The Service is intended exclusively for legal and professional users and is not directed at children. We do not knowingly collect personal data from any individual under the age of 18.

If we become aware that we have collected personal data from a child, we will take steps to delete it as soon as reasonably practicable. If you believe that a child has provided personal data to us, please contact us at privacy@thexis.ai.

10. Third-party links and services

The Site and the Service may contain links to third party websites, applications, plug ins, or services that are not operated or controlled by us.

We do not own, operate, or endorse the content, products, or practices of these third parties. Accessing or using a third party website or service is at your own risk. We are not responsible for the privacy practices of any third party and we encourage you to read the privacy policy of every website you visit or service you use.

The presence of trade marks, names, logos, or links on the Site does not imply any affiliation with, sponsorship by, or endorsement of the relevant third party.

11. Cookie and tracking technologies

We use cookies and similar technologies on the Site and in the Service, including for the purposes of authentication, security, performance, analytics, and functionality. Where consent is required under PECR, we obtain it through our cookie banner.

Our Cookie Policy provides detailed information about the cookies we use, their purposes, their duration, and how you can manage your preferences.

You can adjust your cookie preferences at any time by clicking "Cookie settings" in the footer of the Site, or by changing your browser settings.

12. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. The "Last updated" date at the top of this Privacy Policy reflects the date of the most recent revision.

Where the changes are material, we will notify you by appropriate means, including by email or by a prominent notice on the Site, before the changes take effect. We encourage you to review this Privacy Policy periodically.

13. Compliance with privacy laws

This Privacy Policy and our processing of personal data are designed to comply with applicable UK privacy and data protection laws, including:

  • the UK General Data Protection Regulation (UK GDPR);
  • the Data Protection Act 2018;
  • the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR); and
  • any guidance and codes of practice issued by the Information Commissioner's Office (ICO).

We apply principles of lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability in our processing of personal data.

14. Contact us

If you have questions, requests, or complaints about this Privacy Policy or our handling of personal data, please contact us:

Thexis Intelligence Ltd
Address: Bartle House, Oxford Court, Manchester, M2 3WQ, England
Email: privacy@thexis.ai

Thexis Intelligence Ltd is registered in England and Wales under company number: 17199998