Privacy Policy
Last updated: March 2026
1. Who We Are
LexDictate is a dictation and document management service for law firms, operated by IT WORKHOUSE LTD. In data protection terms:
- Data Controller — your law firm (the Account) determines the purposes and means of processing personal data within LexDictate.
- Data Processor — IT WORKHOUSE LTD processes personal data on behalf of your firm in accordance with this policy and your instructions.
For questions about this policy, contact us at: privacy@itw.ltd
2. What Personal Data We Hold
| Category | Data held |
|---|---|
| Account | Firm name, logo, export template settings |
| Users | First name, last name, email address, hashed password, role |
| Dictations | Audio recordings (deleted immediately after transcription), text transcripts, formatted documents, client name, matter reference |
| Sessions | IP address, browser user agent, login timestamp |
We do not collect payment card details. Billing is handled separately by our payment processor.
3. How We Use Your Data
- Providing the dictation transcription and document management service
- Authenticating users and maintaining secure sessions
- Generating PDF and Word document exports
- Responding to support requests
- Complying with legal obligations
Legal basis: Legitimate interests (providing the contracted service) and Contract performance.
4. Third-Party Processors
We use the following sub-processors to deliver the service. Each is bound by a data processing agreement.
| Processor | Purpose | Data transferred |
|---|---|---|
| Groq, Inc. | Audio transcription (Whisper large-v3 model) | Audio recording transmitted for transcription only. Zero Data Retention (ZDR) is enabled — Groq does not log or retain any inputs or outputs. Groq does not use your data to train AI models. A signed Data Processing Agreement is in place. |
| OpenAI, LLC | Letterhead image analysis (optional AI template detection) | Letterhead image only, processed and discarded |
Both processors are US-based. Transfers are made under Standard Contractual Clauses (SCCs) as incorporated in each processor's Data Processing Agreement.
5. Data Retention
- Audio recordings — deleted immediately after transcription is complete
- Transcripts and documents — retained for the lifetime of the account
- Sessions — expired and deleted after 30 days
- Account data — retained while the account is active; permanently deleted within 30 days of account closure
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate data (via My Profile)
- Right to erasure — request deletion of your data (account owners can delete the entire account from Account Settings)
- Right to data portability — download your personal data as JSON from My Profile → Your Data
- Right to object — object to processing based on legitimate interests
- Right to restrict processing — request we limit how we use your data
To exercise any right, email privacy@itw.ltd. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Security
We protect your data using industry-standard measures including encrypted connections (TLS), hashed passwords (bcrypt), and access controls. Audio files are stored in a private object store and purged immediately after transcription.
8. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of LexDictate after changes constitutes acceptance of the updated policy.