Protection of Personal Data Policy (for Users From the UK)

All questions, comments and requests concerning the present policy should be sent to Lexum’s Data Protection Officer, Frédéric Pelletier (the DPO), using the Contact Us form.

Preamble

  1. Lexum processes personal data in the course of its activities, including that of its customers, website visitors, employees and job applicants. As such, Lexum recognizes the importance of respecting privacy and protecting the personal data it holds, whether it is hosted by Lexum or with a third party.
  2. This policy is designed to comply with the UK General Data Protection Regulation (UK GDPR) as retained in UK law under the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations 2003 (PECR), as amended.
  3. Lexum has adopted this privacy policy in order to fulfil its obligations in this area. It sets out the framework principles applicable to the protection of personal data held by Lexum throughout its life cycle as well as the roles and responsibilities of stakeholders in the protection of personal data and the exercise of the rights of the individuals concerned.
  4. The protection of personal data held by Lexum is the responsibility of any person who processes such personal data, within its staff and any service provider mandated to process such information.
  5. This privacy notice is overseen by the DPO. If you have any queries, complaints or requests relating to any entities within Lexum, please contact the DPO at info@lexum.com. You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). In certain circumstances you might also have the right to bring a complaint to other regulators or in the Courts although we would hope that you give us the chance to deal with any concerns you might have first by contacting our DPO.

Purpose

  1. This policy:
    1. sets out Lexum’s governance principles with respect to personal data throughout its life cycle;
    2. provides a framework for the exercise of the rights of individuals concerned;
    3. provides for the process for handling privacy complaints; and
    4. defines Lexum’s privacy roles and responsibilities.

Scope

  1. This policy applies to personal data held by Lexum and to anyone who processes personal data on behalf of Lexum.
  2. This website is not intended for children and we do not knowingly collect data relating to children.

Purpose

  1. Personal data means any information about an individual from which that person can be identified.
  2. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
    • Identity Data includes first name, last name, and username or similar identifier;
    • Contact Data includes address, email address and telephone numbers;
    • Financial Data includes bank account and payment card details;
    • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us;
    • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website;
    • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses;
    • Usage Data includes information about how you interact with and use our website, products and services;
    • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  3. We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

Lawful Basis for Processing

  1. Lexum processes personal data only where it has a valid lawful basis to do so. The lawful bases upon which Lexum relies include:
    1. Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes;
    2. Contract: Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
    3. Legal obligation: Processing is necessary for compliance with a legal obligation to which Lexum is subject under UK law;
    4. Vital interests: Processing is necessary to protect the vital interests of the data subject or of another natural person;
    5. Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Lexum;
    6. Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by Lexum or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (particularly where the data subject is a child).
  2. Where Lexum processes special category data, it shall identify both a lawful basis under Article 6 UK GDPR and a separate condition for processing under Article 9 UK GDPR or Schedule 1 of the Data Protection Act 2018.
  3. Where processing involves criminal offence data, Lexum ensures compliance with Article 10 UK GDPR and processes such data only:
    1. Under the control of official authority; or
    2. When authorised by UK law providing appropriate safeguards.

Purposes for which we will use your personal data

  1. Lexum only collects the personal data necessary for the conduct of its activities. Before collecting personal data, Lexum determines the purposes of its processing and identifies the applicable lawful basis, which must be documented prior to processing.
  2. Lexum’s primary processing activities and their lawful bases include:
     | Processing Activity | Type of Data | Legal Basis |
     |---|---|---|
     | Receiving customer information and providing the services | Identity Data, Contact Data, Financial Data | Contract; Legitimate interests (to provide and improve our services) |
     | Receiving enquiries and marketing the services | Identity Data, Contact Data, Transaction Data, Profile Data | Legitimate interests (to manage our customer relationships); Consent (for electronic direct marketing communications) |
     | Administering and protecting our website, including troubleshooting, data analysis, testing and system maintenance | Technical Data, Usage Data | Legitimate interests (to run our business, for administration and IT services, network security, and to prevent fraud); Legal obligation |
  3. Where consent is the lawful basis for processing, such consent must be freely given, specific, informed and unambiguous. Consent is requested for each purpose separately, in clear and plain language. Consent may be withdrawn at any time, and withdrawal shall be as easy as giving consent. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Disclosures of your personal data

  1. We may share your personal data where necessary with the parties set out below for the purposes set out in the table above. This includes:
    1. Internal Third Parties, such as:
      1. Canadian Legal Information Institute (CanLII)
    2. External Third Parties, such as:
      1. Amazon Web Services (AWS) EMEA SARL
      2. Bot management software such as Datadome
      3. Zoho Corporation Private Limited
    3. Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
  2. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

International Data Transfers

  1. We share your personal data within the Lexum Group. This will involve transferring your data outside the UK to our overseas offices in Canada.
  2. Whenever we transfer your personal data out of the UK to countries which have laws that do not provide the same level of data protection as the UK law, we always ensure that a similar degree of protection is afforded to it by ensuring that the following safeguards are implemented.
  3. For transfers within the Lexum Group from the UK to Canada, we rely on the partial adequacy decision between the UK and Canada (set out in Commission Decision 2002/2/EC and adopted under UK transitional provisions: sections 4 and 5, Part 3, Schedule 21, Data Protection Act 2018).
  4. We may transfer your personal data to service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.
  5. Whenever we transfer your personal data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring an appropriate safeguard is in place. For transfers from the UK to Canada, we will rely on the partial adequacy decision between the UK and Canada as set out above.
  6. We may use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK, namely the International Data Transfer Agreement. To obtain a copy of these contractual safeguards, please contact us at info@lexum.com.

Retention, Anonymization and Destruction

  1. Lexum takes all reasonable steps to ensure that the personal data it holds is up-to-date, accurate, and complete for the purposes for which it is collected or used.
  2. Lexum retains personal data as long as necessary to conduct its activities, subject to applicable retention periods.
  3. When the purposes for which the personal data was collected are fulfilled, this information is destroyed or anonymized, in accordance with Lexum’s retention periods.

Data Protection Impact Assessment (DPIA)

  1. Lexum conducts a DPIA before implementing processing that is likely to result in high risk to data subjects’ rights and freedoms, particularly:
    a. Systematic and extensive evaluation based on automated processing (including profiling) with legal or similarly significant effects;
    b. Large-scale processing of special category data or criminal offence data;
    c. Systematic monitoring of publicly accessible areas on a large scale;
    d. Use of new technologies;
    e. Processing that prevents data subjects from exercising rights or using services;
    f. Large-scale profiling or matching/cross-referencing of datasets;
    g. Processing of children’s data or other vulnerable individuals;
    h. Innovative technological or organisational solutions.
  2. A DPIA includes:
    a. Systematic description of processing and purposes;
    b. Assessment of necessity and proportionality;
    c. Assessment of risks to data subjects;
    d. Measures to address risks (safeguards, security, compliance mechanisms).
  3. Where a DPIA indicates high risk that cannot be mitigated, Lexum shall consult the ICO before commencing processing (Article 36 UK GDPR).

Rights of Individuals Concerned

  1. Under certain circumstances, you have rights under data protection law in relation to your personal data. You have the right to:
    • Request access to your personal data (commonly known as a data subject access request). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
    • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
    • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
    • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
    • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
      • if you want us to establish the data’s accuracy;
      • where our use of the data is unlawful but you do not want us to erase it;
      • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
      • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
    • Request the transfer of your personal data to you or, where technically feasible, another data controller where you have provided it in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
    • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us at info@lexum.com.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

Time limit to respond

We try to respond to all legitimate requests within one month. It could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

What we ask of you:

  • Keeping your information accurate and up to date: please inform us if there is a change in your contact details or any other information that you have provided to us so that we can ensure our records are kept accurate and up to date.
  • Third party personal data: if you provide us with personal data about another person, please make sure that you have informed them of our identity and the purposes for which their personal data will be processed, and obtained their permission and/or complied with any other data protection requirements. If you are unsure whether their personal data can be shared with us, please contact us before providing us with the data.

Automated decision-making

  1. Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We do not use any automated decision-making.

Complaints handling

  1. You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. The ICO will expect you to have done this before reviewing your complaint. You can find our complaints form here: https://lexum.com/en/contact-us. Please see below the contact details for the ICO:
    Information Commissioner’s Office
    Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
    Telephone: 0303 123 1113
    Website: www.ico.org.uk
    Email: casework@ico.org.uk
  2. Any complaint regarding Lexum’s personal data protection practices or its compliance with legal requirements concerning personal data is forwarded to the DPO, who responds within 30 days.

Security

  1. Lexum implements appropriate technical and organisational measures to ensure the privacy, integrity, and availability of personal data collected, used, disclosed, retained, or destroyed. These measures take into account the sensitivity of the personal data, the purpose of its collection, the volume of data, and the medium.
  2. Lexum manages the access rights of its personnel so that only those who need access to personal data as part of their duties have access to it.

Update

  1. This policy is updated in accordance with developments in applicable personal data protection laws and Lexum’s practices.
  2. Any amendments made to this policy come into force as of the last update date stated at the beginning of the policy.

Approval and Coming into Force

  1. This policy was approved by the DPO and comes into effect on 2026-04-09.
