LexisClick Privacy Notice

Data for which Lexis Information System Ltd T/A LexisClick is the Data Controller

How we use your information

This privacy notice tells you what to expect when LexisClick collects personal information. It applies to information we collect about:

  • Visitors to our websites;
  • People who contact us via social media;
  • People who call our phone numbers;
  • People who email us;
  • People who use our services, e.g. customers who engage us to manage their marketing or marketing related services;
  • Job applicants and our current and former employees.

Visitors to our websites

By providing personal information to LexisClick in any of the ways described in this policy, by instructing or authorising another party to provide such information, or by entering into a contract with LexisClick that requires such processing, you agree that you are authorised to provide the information, that you accept this privacy policy and that LexisClick is authorised to process it.

LexisClick will collect a range of information about you, whether through activity on our website or via emails, ticketing systems, telephone, in person or at trade shows. This information includes:

  • Name
  • Organisation
  • Job title
  • Address of employment
  • Phone number
  • Email address
  • IP address
  • Username
  • Payment details in the case of ordering a service from us

We will not collect sensitive categories of personal data without your explicit consent.

LexisClick will not collect data relating to minors as defined under UK law. Minors as defined by UK law are not permitted to use LexisClick Services or interact with us as a corporate entity.

LexisClick may from time to time contact customers via email regarding service related matters such as billing, account management and maintenance. These emails are an important part of our service to you.

For business contacts who are not currently customers, LexisClick may contact you via email and other electronic means to promote our services to you. If you do not wish to receive these communications you can unsubscribe at any time. All email communications that we send contain a clear link to manage your subscription preferences.

We only store personal contact details for contacts who have given these to us by signing up for information communications from us or applying for a role with us, or who have provided us with these details as their preferred address.

Data retention

We will keep your personal information for as long as you are a customer of LexisClick or a relevant marketing contact.

After you stop being a relevant marketing contact or unsubscribe from our communications, we will remove your data as part of our annual data reviews. Where a contact has been removed from our system, because the information is out of date or the contact has unsubscribed, we may retain a small amount of information relevant to controlling marketing activities. These details typically include email address, subscription preferences and reasons to not contact.

After you stop being a customer, we may keep your data for up to 10 years for the following reasons:

  • To respond to any questions or complaints.
  • To comply with legal requirements.

Data transfers and the use of Data Sub Processors

LexisClick will not share your data with a third party not directly associated with the provision of services without your explicit consent. LexisClick will also not transfer Subject data to a third party country outside of the UK or EEA that is not compliant with the applicable data protection laws via adequacy agreement, Binding Corporate Rules or other legally appropriate means as defined by the Information Commissioner’s Office without your explicit consent.

LexisClick makes use of a number of third party organisations for the purposes of delivery of Services to the Customer.

Whilst the following list is not intended to be exhaustive, LexisClick typically only transfers the personal data relating to our customers, where required for the activities set out below, to the following third parties or Data Processors:

  • Hubspot Inc – Customer Relationship Management and marketing activities
  • Memset Ltd – Server and data centre hosting
  • Fasthosts Ltd – Domain names and email hosting
  • Microsoft Ltd – Email and internal document management
  • Dropbox Inc – data storage
  • Xero Ltd – Accounting and job management

LexisClick will update this list from time to time as our systems and operations evolve and inform you accordingly.

By interacting with LexisClick as defined in this policy, you provide your consent for this transfer and use of our Data Processors and their Data Sub-Processors, and for transfer to any other appropriate third-party Data Processor for the purposes of delivery of the Services and customer relationship management activities. No data transfer will be undertaken that is outside of the strict scope of the purposes stated in this policy, or that will materially degrade the security of your data or your rights.

The Data Processors and Sub Processors we use will be contractually bound to process only in accordance with our instructions and to maintain technical and organisational controls in compliance with our security policy and the requirements of the GDPR.

Commitment to confidentiality and security of processing

LexisClick will use appropriate technical and organisational security measures within our sphere of responsibility to ensure an appropriate level of confidentiality, integrity and, where LexisClick is the Data Controller, availability of your data and to ensure its availability in the event of a business continuity incident.

LexisClick will undertake security and data protection assessments of any third parties we elect to use prior to transfer of any Customer Data and regularly thereafter.

Visitors to our website

When someone visits www.lexisclick.com we use a small number of third-party services, including Google Analytics, Hubspot and Hotjar, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site, understand how the website is being used, personalise areas of the website and understand how marketing channels are performing. Where consent has not been requested and provided, this information is only processed in a way which does not personally identify anyone.

We use standard software to collect information for the strict purpose of tracking activity on our site. This allows us to understand how many people use our site and which pages and features are most popular. The information we normally collect and store is:

  • The name of your Internet service provider
  • The web site that referred you to us (if any)
  • The date and time the pages were accessed
  • The page or pages you requested.
  • Your approximate (nearest city) geographic location

You never transmit personally identifying information that you do not enter yourself, and this is always your option. This information cannot be collected unless you specifically elect to send it to us. This information is used internally only for the purpose of fulfilling the request or for contacting you directly and is not sold to any other organisation. Your information is transmitted directly to LexisClick and is stored securely in the services that we use for this purpose.

Use of cookies by LexisClick

You can read more about how we use cookies here.

Job applicants, current and former LexisClick employees

We have outlined below details about the type of information that LexisClick keeps about job applicants, current and former employees and the purposes for which it keeps them. You can read more about this here.

Your rights

Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you. You can read more about these rights here.

Complaints or queries

LexisClick tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of LexisClick’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

If you want to make a complaint about the way we have processed your personal information, you can either email data@lexisclick.com or write to the Data Department at LexisClick, 76 Shelley Road East, Bournemouth, BH7 6HB.

If you are not satisfied with our response you can contact the statutory body which oversees data protection law – www.ico.org.uk/concerns.

Access to personal information

LexisClick tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a data request to us. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to;
  • let you have a copy of the information in an intelligible form; and
  • provide it to you within one month from the date of the ‘subject access request’.

To make a request to LexisClick for any personal information we may hold, you need to put the request in writing, addressing it to our Data Department, or writing to the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Data Department.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 21st May 2018.

We reserve the right to change our privacy policy. A revised policy statement will only apply to data collected subsequent to its effective date. Any revisions will be posted at least 30 days prior to their effective date.

How to contact us

If you want to request information about our privacy policy you can email us at data@lexisclick.com or write to:

Data Department
LexisClick
76 Shelley Road East
Bournemouth
BH7 6HB

Privacy Addendum for Lexis Information Systems Ltd T/A LexisClick

Purpose and Scope of LexisClick’s Data Processing on behalf of Data Controllers

For the purpose of providing the Services, LexisClick will process Customer Provided Data. To the extent that Customer Provided Data is comprised of Personal Data, the parties acknowledge that LexisClick acts as a Data Processor for all Customer Provided Data supplied to LexisClick by the Customer as well as the Customer’s own customers or agents.

The Services are provided on the basis that either:

  • the Customer is the Data Controller for all Customer Provided Data supplied to LexisClick under the Services and has complied with its obligations under the applicable Data Protection Laws, including but not limited to obtaining the required consents (“Data Protection Consents”); or
  • where the Customer is a Data Processor on behalf of a Data Controller, that LexisClick is a sub-Data Processor and that the Customer has:
    1. ensured that all necessary Data Protection Consents have been obtained or other lawful grounds for Processing have been correctly established;
    2. entered into the required contractual arrangements, including arrangements with the relevant Data Controller for LexisClick to act as sub-processor legally;
    3. complied with its obligations as Data Processor under the applicable Data Protection Laws; and
    4. shall be liable to the Data Controller for LexisClick’s acts and omissions as a sub-Data Processor.

By accepting this addendum, the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Addendum is accurate.

Nature of the Processing

LexisClick undertakes a range of Processing as defined by the Services, i.e. the provision of marketing and website hosting services to the Customer, the choice of which is determined by the Customer.

LexisClick provides marketing services to support the Customer’s or Customer’s agents’ processing of data to that end.

LexisClick has access to process and manipulate Customer Provided Data under the Customer’s written instruction for the purposes of their marketing activities and customer communications.

Any processing by LexisClick of Customer Provided Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.

LexisClick classifies all Customer Provided Data as the same type of data and does not maintain visibility of different types of Customer Provided Data or categories of Personal Data within this set. LexisClick applies the same level of generic security controls to all Customer Provided Data.

LexisClick provides a service which constitutes among other things the provision of websites, hosting, storage, networking and dedicated servers to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the Operating Systems, applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues not related to the underlying services.

Duration of Processing

The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Provided Data. While the Agreement is in force, LexisClick will Process all such Personal Data in accordance with the Customer’s written instructions.

LexisClick’s Responsibilities

SECURITY AND COMPLIANCE OF THE UNDERLYING HOSTING INFRASTRUCTURE

LexisClick along with its third party suppliers will be responsible for maintaining the GDPR compliance of the underlying hosting infrastructure, within the scope of the services provided to the customer. LexisClick’s personnel are subject to a duty of confidence that is compliant with the applicable Data Protection Laws.

LexisClick has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

A non-exhaustive list of technical and organisational measures is set out below. By entering into this addendum, the Customer confirms that it has reviewed and approved the following measures:

SECURITY MANAGEMENT & POLICY

  • Use of third party hosting providers that have in place an information security management system based on an industry international standard (currently ISO27001:2013)

HR & ACCESS CONTROL

  • Vetting of all LexisClick personnel prior to commencement of employment
  • Appropriate on-hire, role change and termination activities related to LexisClick access and asset management
  • Restriction of LexisClick access to customer data or Customer Provided Data to those personnel with a business need for access
  • The ability to audit all LexisClick personnel access to Customer Provided Data and/or Customer Hosted Data

OPERATIONAL SECURITY

  • Appropriate availability, performance and security logging, monitoring and audit controls for the underlying infrastructure
  • Vulnerability management systems to help ensure the patch and configuration levels of the underlying infrastructure appropriate to LexisClick’s scale and policies
  • Hardening of underlying infrastructure devices to levels that are materially in accordance with good industry practice
  • Appropriate encryption in transit and at rest for sensitive operational data such as API calls, control panel access, customer credentials and key material managed by LexisClick
  • Backups and infrastructure redundancy within the underlying hosting infrastructure appropriate to our Terms and Conditions and SLAs
  • Appropriate security of all LexisClick end-user devices used by LexisClick to access the underlying hosting infrastructure, Customer Hosted Data and Customer Hosted Solutions

INCIDENT MANAGEMENT & COMMUNICATION

  • Sufficient internal incident management procedures including the commitment to escalate relevant security incidents to impacted Customers without undue delay

AVAILABILITY OF CUSTOMER HOSTED SOLUTIONS AND SERVICES

Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.

In accordance with the Services being provided, LexisClick is not able to decide how Personal Data comprising Customer Provided Data is processed, as it is processing data under the written instruction of the Customer.

As the Data Controller the Customer has the following responsibilities under GDPR:

  1. Maintain appropriate technical controls to secure and monitor for security
  2. Where the above is included within the scope of a Customer SLA, LexisClick will undertake the work based on instructions from the Customer, but the Customer remains responsible for the efficacy of the controls implemented.
  3. Undertake all organisational measures required to ensure compliance with the basic principles for processing (Articles 5, 6, 7 and 9 of the GDPR) and Subject’s rights (Articles 12-22 of the GDPR) at point of collection of data; be aware of the technical and organisational security controls put in place by LexisClick; and maintain additional technical and organisational controls to ensure compliance during processing, storage and removal
  4. Undertake and manage all communication with Data Subjects
  5. Maintain any required relationship with the Information Commissioner’s Office on behalf of the Data Controller

LexisClick’s use of Data Sub-Processors

By entering into this Data Protection Addendum, the Customer hereby permits LexisClick to appoint sub-processors of Personal Data and, for the term that the Data Protection Addendum is in force, shall have a general right to appoint sub-processors of Personal Data. LexisClick shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Data Processing Addendum.

LexisClick utilises a small number of Data Sub-Processors in order to provide Services to the Customer. The following list of Data Sub Processors used to provide Services will be updated from time to time to reflect the current operational position:

  1. Memset Ltd – Provision of hosting services
  2. Fasthosts Ltd – Provision of hosting services
  3. Microsoft Ltd – Provision of LexisClick email used for communications with the customer, email and hosting services for customers
  4. Hubspot Inc – Provision of LexisClick website, marketing and customer relationship. Marketing and website hosting for some customers.
  5. MailChimp (The Rocket Science Group) – Provision of email marketing services
  6. Xero Ltd – Provision of accounting and work management systems
  7. Dropbox Inc – Provision of data storage

LexisClick will inform the Customer, by support ticket or email, of the use of any new Data Sub-Processor prior to adoption of the Sub-Processor and transfer of Customer Provided Data or provision of any form of access to Customer Hosted Solutions, and the Customer must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established. The Customer’s continued use of the Services constitutes approval for the use of this new Data Sub-Processor and a repeated warranty by the Customer that the use of all sub-processors is lawful under the applicable Data Protection Laws subject to LexisClick complying with its obligations under the applicable Data Protection Laws in respect of appointing sub-processors. LexisClick will perform appropriate due diligence on the Data Sub-Processor, as we will on any security-impacting supplier.

LexisClick will maintain written contracts with all LexisClick Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular checks to confirm their continuing conformance with Data Protection Laws.

Transfer to non GDPR-aligned locations or Sub-Processors

LexisClick will not transfer Customer Hosted Data to any Data Sub-Processor located outside of the EEA or to any other third-party location not deemed appropriate by Binding Corporate Rules, Privacy Shield or other adequacy decision defined on a continuing basis by the Information Commissioner’s Office without explicit written permission from the Customer.

Processing in accordance with written instructions

LexisClick will only process Customer Provided Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this addendum are taken to be in whole contained within the section ‘Purpose and scope of LexisClick’s Data Processing on behalf of Data Controllers.’ No other written instructions can be accepted as they will fall outside of the scope of our services.

Assistance with Customer data protection obligations

Insofar as LexisClick provides data processing services to the Customer, LexisClick will assist the Data Controller in meeting their data protection obligations including:

  1. Carry out internal Data Privacy Impact Assessments as the Data Processor for all Services and provide summaries of these as required to the Customer
  2. Inform the Customer of the possibility of a material security breach to their Customer Provided Data if detected by our systems without undue delay.
  3. Keep a record of all Processing of Personal Data performed in relation to the Services.
  4. Notify the Customer of any Security Incident resulting in a data breach affecting their Customer Provided Data that has occurred or has been suspected at one of our sub-processors, and where we have been notified by the sub-processor, without undue delay.
  5. For termination of contract for reasons other than breach of Acceptable Use Policy or non-payment of fees, provide a reasonable period in which the Customer can use standard tools to extract the data themselves provided that such extraction by the Customer does not prejudice LexisClick or its systems. In all cases LexisClick will delete all Customer Provided Data on our infrastructure as part of decommissioning a Customer service.
  6. LexisClick shall assist the Customer in complying with its obligations under applicable Data Protection Laws in particular in relation to implementing appropriate security measures, to carrying out a data protection impact assessment, and to consulting the competent data protection authority.