Lex Agentica ("Lex Agentica", "we", "us") is operated by Maria del Pilar Berrio Muñoz, based in Munich, Germany. We are committed to protecting your personal data and handling it in accordance with the General Data Protection Regulation (GDPR) and applicable German data protection law.

Section 01

Data Controller

Lex Agentica

Maria del Pilar Berrio Muñoz
Dom Pedro Str. 9
80637 Munich, Germany

Email: [email protected]

Lex Agentica is the data controller within the meaning of Art. 4(7) GDPR.

Section 02

What Personal Data We Process

We only process data that is necessary for:

  • Responding to enquiries
  • Scheduling and conducting meetings
  • Delivering consulting services
  • Improving website performance (anonymised analytics)

2.1 Contact & Enquiry Data

When you submit the contact form or email us, we process:

Data collected

Full name, work email address, company name, role/title, message content

Purpose & Legal basis
To assess strategic fit and respond to your enquiry

Art. 6(1)(b) GDPR — pre-contractual measures
Art. 6(1)(f) GDPR — legitimate interest in business communication

2.2 Scheduling Data (Microsoft Bookings)

If you book an Intro Strategy Call, we process:

Data collected

Name, email, selected time slot, optional notes

Purpose & Legal basis
To schedule and conduct meetings

Bookings are managed through Microsoft 365 Bookings.
Art. 6(1)(b) GDPR

2.3 Email Communication (Microsoft 365)

Business emails are hosted via Microsoft 365 (Exchange Online). When you contact us, your email address and message content are processed and stored.

Microsoft may process data in EU data centres and, where applicable, under appropriate safeguards for international transfers.

Legal basis: Art. 6(1)(b) and (f) GDPR

2.4 Website Analytics (Plausible Analytics)

We use Plausible Analytics, a privacy-focused, cookie-free analytics provider based in the EU. Plausible collects anonymised, aggregated data only:

  • Page views and referral sources
  • Country-level location (not city or IP)
  • Browser and device type

No personal profiles are created. IP addresses are not stored.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in website optimisation

Because Plausible operates without cookies or personal tracking, no cookie consent banner is required.

2.5 Future: LinkedIn Insight Tag

We may implement the LinkedIn Insight Tag in the future to measure campaign effectiveness. If activated:

  • It will only operate after explicit user consent
  • A consent banner will be implemented
  • Data may be transferred to LinkedIn Ireland and potentially to the United States under appropriate safeguards

Until implemented, no LinkedIn tracking occurs.

Section 02.6

Lexa Diagnostic Tool

The Lexa diagnostic tool allows users to analyse how publicly available ecommerce and data signals may affect AI-based product recommendation and visibility. This section describes how data is processed when you use this tool.

What data is processed

When you use the Lexa diagnostic tool, you may provide a website URL (for example, your brand or ecommerce domain). We process:

  • The submitted website URL
  • Derived domain-level information — for example, publicly available product, entity, and structured data signals associated with the submitted domain

The diagnostic is designed to operate without requiring personal data. Users are advised not to submit personal data through the tool.

How the data is used

The submitted URL is used solely to generate the requested diagnostic. The analysis evaluates publicly available information associated with the domain, including machine-readable data, entity signals, and compliance-related indicators.

The output is an automated, indicative assessment intended for informational and advisory purposes only.

Processing and storage

The submitted URL is processed transiently through Lex Agentica's infrastructure to generate the diagnostic.

  • The URL is not stored after processing is complete
  • No persistent user profiles are created
  • No tracking of individual usage behaviour is performed within the diagnostic itself

We do not access private systems, login-protected environments, or non-public data associated with the submitted domain.

Use of third-party AI service providers

To generate the diagnostic, Lex Agentica uses authorised third-party AI model providers acting under our instructions. These providers process limited input data — such as the submitted domain or derived signals — for the sole purpose of generating the diagnostic output.

Lex Agentica acts as the controller of this processing. Third-party providers act as processors and are bound by applicable data processing agreements, including Art. 28 GDPR. Under Anthropic's commercial API terms, submitted input data is not used to train AI models.

No personal data is intentionally shared with these providers as part of the diagnostic.

Legal basis
Art. 6(1)(b) GDPR

Processing necessary to provide the requested service

Secondary basis
Art. 6(1)(f) GDPR

Legitimate interest in providing and improving diagnostic insights for ecommerce visibility and AI governance

Data retention

No input data from the Lexa diagnostic is retained after the response is generated, except where strictly necessary for:

  • Security monitoring
  • Prevention of misuse
  • Compliance with legal obligations

Any such data is minimised and retained only for the period strictly necessary for its purpose.

Nature of the output

The Lexa diagnostic provides an indicative, automated assessment based on publicly available signals at the time of analysis. It does not:

  • Constitute legal advice
  • Represent a formal compliance assessment under the EU AI Act or any other regulation
  • Guarantee specific commercial outcomes or AI system behaviour

Users should interpret results in context and seek tailored professional advice where required.

Section 03

Data Transfers Outside the EU

Where service providers process data outside the EU/EEA (e.g. Microsoft, Anthropic), transfers occur only under:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • EU-US Data Privacy Framework (where applicable)

We do not transfer data without appropriate safeguards.

Section 04

Data Retention

We retain personal data only as long as necessary for the purpose it was collected:

Data type | Retention period
Responding to enquiries | Up to 6 months after last contact if no contract is formed
Active client data | Duration of the engagement plus 3 years
Invoices and financial records | 10 years (German commercial law requirement)
Booking and meeting records | 12 months after the last meeting
Lexa diagnostic input (submitted URL) | Not retained — deleted upon response generation, except where required for security monitoring, misuse prevention, or legal compliance

After retention periods expire, data is securely deleted.

Section 05

Third-Party Service Providers

We do not sell or rent personal data. Data is shared only with:

Hosting provider
Netlify

Website hosting and delivery. Netlify operates under standard DPA terms.

Email & scheduling
Microsoft 365

Email communication and Bookings

Analytics
Plausible Analytics

Anonymised, cookie-free website analytics

AI model provider (Lexa tool)
Anthropic

Powers the Lexa diagnostic tool. Processes submitted domain signals transiently under Lex Agentica's instructions as a data processor under Anthropic's commercial API terms. Submitted input data is not used to train AI models. No personal data is intentionally shared. Data transfers outside the EU/EEA occur under Anthropic's standard data processing agreement, including EU Standard Contractual Clauses where applicable. See Anthropic Trust Centre and Anthropic Privacy Policy.

Future (not active)
LinkedIn

Campaign measurement (consent required before activation)

All providers act under data processing agreements compliant with Art. 28 GDPR.

Section 06

Your Rights Under GDPR

You have the right to:

  • Art. 15 GDPR: Access your data
  • Art. 16 GDPR: Rectify inaccurate data
  • Art. 17 GDPR: Erasure ("right to be forgotten")
  • Art. 18 GDPR: Restrict processing
  • Art. 20 GDPR: Data portability
  • Art. 21 GDPR: Object to processing based on legitimate interests

To exercise your rights, contact: [email protected]

You also have the right to lodge a complaint with a supervisory authority. In Bavaria: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

Section 07

Security

We implement appropriate technical and organisational measures to protect your data, including:

  • HTTPS encryption
  • Restricted system access
  • Secure Microsoft 365 configuration
  • Regular review of data handling practices

No transmission over the internet is completely secure. We take reasonable steps to protect your data but cannot guarantee absolute security.

Section 08

Cookies

This website does not use tracking cookies or advertising cookies. Plausible Analytics operates without any cookies. No cookie consent banner is required.

If the LinkedIn Insight Tag is activated in future, a consent mechanism will be implemented prior to activation.

Section 09

Changes to This Policy

We may update this Privacy Policy to reflect changes in services, tools, or legal requirements. The current version is always available on this website.

Contact

Questions About This Policy

If you have any questions, concerns, or requests regarding this Privacy Policy or how Lex Agentica handles your personal data, please contact us.

Get in touch

Lex Agentica
Operated by Maria del Pilar Berrio Muñoz
Munich, Germany

Email: [email protected]