This Policy provides you with information about how we use your personal data, which we might receive in connection with your use of LexasCMS, our website lexascms.com or its subdomains (the Site), or otherwise in connection with our business. When we refer to you we mean any individual outside our business – you could be one of our users, a supplier, a referrer or anyone else.
We or us means Status200 Ltd (company registration no. 11019310), a limited company whose offices are at 113 Manchester Road, Warrington, England WA1 4AP.
This Policy only covers personal data of which we are the data controller. Sometimes we handle personal data on behalf of our users as their data processor: that’s dealt with separately in the terms we’ve agreed with our users. To clarify:
a data controller determines the purposes for which personal data is to be collected and used, and the means of handling of that personal data. When we hold your data for our own purposes, we act as a data controller;
a data processor handles personal data on the instructions of and for the purposes of a data controller. When we host data for users in our content management system LexasCMS, we are acting for their purposes as a data processor.
Full details are set out in the relevant sections of this Policy below, but keeping it brief:
1.1 Service data
If you are a registered user of LexasCMS, we may handle personal data such as your name, contact details, information about your business, and documents and correspondence relating to the services provided by us (such as emails to and from you). We call all of this service data, and we use it for the purposes of providing our services and for record-keeping and user management purposes.
1.2 Communication data
When you communicate with us, or vice versa, and whether by letter, email, through the Site, through social media, or otherwise, we may handle personal data contained in or relating to that communication. This may include content and metadata associated with the communication, as well as any contact details you provide to us such as your name, email address, phone number, job title, address or social media username. We call all of this communication data, and we use it for the purposes of communicating with you and record-keeping. If you are a user or prospective user, then we may also use communication data to provide you with occasional news about our business and services: you can opt out of receiving further news at any time.
1.3 Transaction data
We may handle personal data relating to transactions, such as bank account details, contact details, transaction data or associated documents (POs, bills, invoices) in relation to payments made by us to you or by you to us (transaction data). We use this to make and receive payments and to keep proper records of the relevant transactions. We do not collect or process your credit or debit card details when you make payments through the Site. We use Stripe as a payment processing service provider in connection with LexasCMS and it is Stripe who will collect and process your card details. For more information, see https://stripe.com/gb/privacy.
1.4 Account data
We will receive and handle certain personal data in order to open, maintain and administer your LexasCMS account, such as your login details. We call this account data, and we process it for the purposes of administering your account.
1.5 Usage data
We may collect data about your use of the Site (usage data). This may include your geographical location, browser type and version, IP address, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data is obtained through Google Analytics and GoSquared. We process usage data for the purpose of improving our Site and analysing how it is visited and used. Generally usage data is anonymised and does not constitute personal data.
1.6 Metric data
In relation to registered users of LexasCMS we may collect user metrics, which might include (for example, and as a non-exhaustive list) subscription and revenue data, which LexasCMS features are being used by particular organisations or users, how often users are active, whether users are completing or dropping from particular flows (like sign-up or configuration flows), how long it takes users to adopt new features or how quickly features are abandoned. We call all of this metric data, and it is used by us to improve LexasCMS and our business processes.
1.7 Personal data we obtain from others
Your personal data may be provided to us by someone other than you: for example if your employer has a corporate LexasCMS account then they might input your personal information in connection with their use of that account. Normally this data will be communication data or service data as described above and will be processed by us for the purposes described above.
We’re required by law to identify the “legal basis” on which we handle personal data. These legal bases are set out in Article 6 of the General Data Protection Regulation (GDPR).
We process personal data on the following lawful bases identified in Article 6 GDPR:
We may also handle your personal data to comply with legal obligations (for example, we have to keep records for tax purposes).
We may disclose your personal data to our insurers and/or professional advisers to take professional advice and manage legal disputes.
We may disclose personal data to our suppliers or subcontractors in connection with the uses we’ve described above. For example, we may disclose:
We do not allow our data processors to use your personal data for their own purposes. We only permit them to use your personal data for specified purposes, in accordance with our instructions and applicable law.
We may also disclose your personal data where necessary to comply with law.
If any part of our business is sold or transferred, your personal data may be disclosed to the new owner.
Some of the service providers discussed above may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. We will ensure that transfers made by our data processors will only be made in accordance with law using appropriate safeguards, such as Privacy Shield or the use of standard data protection clauses approved by the European Commission. You may contact us if you would like further information.
We may also transfer personal data outside the EEA from time to time:
We have put in place appropriate security measures to protect your personal data. We also have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where required by law.
We will delete personal data when it’s no longer needed, and in particular:
We maintain system backups for disaster recovery purposes and may retain those backups for up to two years. That means that information which is deleted from our live systems may still remain in backup for up to two years.
We may retain your personal data longer where necessary to comply with law or in connection with any legal claim.
You have rights under data protection law – they are complex, and subject to exemptions, and you can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for a fuller explanation of your rights. In summary, though:
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
We use these kinds of cookies:
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.
The Site may contain links to third party sites and refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Site, then they may have their own privacy and cookie policies, and we are not responsible for their use of any personal data which you may provide to them.
Although we do our best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.
We may update this Policy from time to time by publishing a new version on the Site. You should check occasionally to ensure you are happy with any changes to this Policy, although we may notify you of material changes to this Policy using the contact details you have given us.
Last updated: 23.04.20