Privacy and Cookie Policy

This Policy provides you with information about how we use your personal data, which we might receive in connection with your use of LexasCMS, our website lexascms.com or its subdomains (the Site), or otherwise in connection with our business. When we refer to you we mean any individual outside our business – you could be one of our users, a supplier, a referrer or anyone else.

We or us means Status200 Ltd (company registration no. 11019310), a limited company whose offices are at 113 Manchester Road, Warrington, England WA1 4AP.

This Policy only covers personal data of which we are the data controller. Sometimes we handle personal data on behalf of our users as their data processor: that’s dealt with separately in the terms we’ve agreed with our users. To clarify:

• a data controller determines the purposes for which personal data is to be collected and used, and the means of handling of that personal data. When we hold your data for our own purposes, we act as a data controller;

• a data processor handles personal data on the instructions of and for the purposes of a data controller. When we host data for users in our content management system LexasCMS, we are acting for their purposes as a data processor.

Summary

Full details are set out in the relevant sections of this Policy below, but keeping it brief:

• we normally receive your personal data from you;
• we use your personal data to conduct our business, keep appropriate records and meet our legal obligations;
• we only provide your personal data to third parties for our business purposes or as permitted by law. We don’t share your data with third party advertisers;
• we store personal data for specified periods for our limited business purposes;
• you have legal rights in relation to your personal data which you can exercise on request;
• the Site uses cookies; and
• you can contact us to enquire about any of the contents of this Policy.

1. Our use of personal data

1.1 Service data
If you are a registered user of LexasCMS, we may handle personal data such as your name, contact details, information about your business, and documents and correspondence relating to the services provided by us (such as emails to and from you). We call all of this service data, and we use it for the purposes of providing our services and for record-keeping and user management purposes.

1.2 Communication data
When you communicate with us, or vice versa, and whether by letter, email, through the Site, through social media, or otherwise, we may handle personal data contained in or relating to that communication. This may include content and metadata associated with the communication, as well as any contact details you provide to us such as your name, email address, phone number, job title, address or social media username. We call all of this communication data, and we use it for the purposes of communicating with you and record-keeping. If you are a user or prospective user, then we may also use communication data to provide you with occasional news about our business and services: you can opt out of receiving further news at any time.

1.3 Transaction data
We may handle personal data relating to transactions, such as bank account details, contact details, transaction data or associated documents (POs, bills, invoices) in relation to payments made by us to you or by you to us (transaction data). We use this to make and receive payments and to keep proper records of the relevant transactions. We do not collect or process your credit or debit card details when you make payments through the Site. We use Stripe as a payment processing service provider in connection with LexasCMS and it is Stripe who will collect and process your card details. For more information, see https://stripe.com/gb/privacy.

1.4 Account data
We will receive and handle certain personal data in order to open, maintain and administer your LexasCMS account, such as your login details. We call this account data, and we process it for the purposes of administering your account.

1.5 Usage data
We may collect data about your use of the Site (usage data). This may include your geographical location, browser type and version, IP address, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data is obtained through Google Analytics and GoSquared. We process usage data for the purpose of improving our Site and analysing how it is visited and used. Generally usage data is anonymised and does not constitute personal data.

1.6 Metric data
In relation to register users of LexasCMS we may collect user metrics, which might include (for example, and as a non-exhaustive list) data about subscription and revenue data, which LexasCMS features are being used by particular organisations or users, how often users are active, whether users are completing or dropping from particular flows (like sign-up or configuration flows), how long it takes users to adopt new features or how quickly features are abandoned. We call all of this metric data, and it is used by us to improve LexasCMS and our business processes.

1.7 Personal data we obtain from others
Your personal data may be provided to us by someone other than you: for example if your employer has a corporate LexasCMS account then they might input your personal information in connection with their use of that account. Normally this data will be communication data or service data as described above and will be processed by us for the purposes described above.

2. Our legal basis of processing

2.1
We’re required by law to identify the “legal basis” on which we handle personal data. These legal bases are set out in Article 6 of the General Data Protection Regulation (GDPR).

2.2
We process personal data on the following lawful bases identified in Article 6 GDPR:

1. for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1)(b) GDPR). This may be our basis for processing communication data, service data, account data and transaction data;
2. for our legitimate interests (Article 6(1)(f) GDPR). This may be our basis for processing:
   1. communication, service and account data (as we have an interest in properly administering our business and communications and in developing our business with interested parties);
   2. usage and metric data (as we have an interest in improving our products, processes and Site);
   3. transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);
   4. any personal data in connection with legal claims (as we have an interest in being able to bring and defend claims to protect our rights and the rights of others); and
   5. any personal data in connection with backups of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data).

2.3
We may also handle your personal data to comply with legal obligations (for example, we have to keep records for tax purposes).

3. Providing your personal data to others

3.1
We may disclose your personal data to our insurers and/or professional advisers to take professional advice and manage legal disputes.

3.2
We may disclose personal data to our suppliers or subcontractors in connection with the uses we’ve described above. For example, we may disclose:

1. any personal data in our possession to suppliers which host the servers on which our data is stored (such as Amazon Web Services, Inc. and Digital Ocean, Inc.);
2. communication data to providers of email or email marketing services (such as Fastmail Pty Ltd, Avenue 81 Inc. d/b/a Leadpages, or Mailgun Technologies, Inc.);
3. communication data relating to help desk enquiries to providers of help desk services (such as Help Scout, Inc.);
4. transaction data to our payment processing service providers such as Stripe or providers of tax calculation services (such as Quaderno, provided by Recrea Systems, SLU);
5. metric data to providers of user or revenue insight services (such as ChartMogul Ltd); and
6. transaction data and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.

3.3
We do not allow our data processors to use your personal data for their own purposes. We only permit them to use your personal data for specified purposes, in accordance with our instructions and applicable law.

3.4
We may also disclose your personal data where necessary to comply with law.

3.5
If any part of our business is sold or transferred, your personal data may be disclosed to the new owner.

4. International transfers of your personal data

4.1
Some of the service providers discussed above may be located outside the EEA or may transfer your personal data to their own service providers located outside the EEA. We will ensure that transfers made by our data processors will only be made in accordance with law using appropriate safeguards, such as the standard data protection clauses approved by the European Commission. You may contact us if you would like further information.

4.2
We may also transfer personal data outside the EEA from time to time:

1. with your consent;
2. where required by your instructions (for example, if we are supporting you on a project based outside the EEA); or
3. if we take our mobile devices with us when travelling overseas to ensure continuity of service.

5. Data security

We have put in place appropriate security measures to protect your personal data. We also have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where required by law.

6. Retaining and deleting personal data

6.1
We will delete personal data when it’s no longer needed, and in particular:

1. service and transaction data will be retained for seven years after the end of the relevant contractual relationship;
2. communication data will be retained for the period of the enquiry or chain of correspondence and then deleted after twelve months. If communication data relates to a contractual relationship with you then it will be retained for a period of seven years after the end of the relevant contractual relationship;
3. account data will be retained for as long as your account is open, and will be deleted on account closure;
4. usage data or metric which is anonymised, and therefore not personal data, may be retained by us indefinitely. Any usage data or metric data which is associated with your account will be retained for as long as your account is open, and if will be anonymized on or shortly after account closure.

6.2
We maintain system backups for disaster recovery purposes and may retain those backups for up to two years. That means that information which is deleted from our live systems may still remain in backup for up to two years.

6.3
We may retain your personal data longer where necessary to comply with law or in connection with any legal claim.

7. Your rights

You have rights under data protection law – they are complex, and subject to exemptions, and you can read guidance from the Information Commissioner’s Office at www.ico.gov.uk for a fuller explanation of your rights. In summary, though:

1. the right to access: you have the right to confirmation as to whether or not we process your personal data and, where we do, to access to the personal data, together with certain additional information;
2. the right to rectification: you have the right to have any inaccurate or incomplete personal data about you rectified or completed;
3. the right to erasure: in some circumstances you have the right to the erasure of your personal data (for example, if the personal data are no longer needed for the purposes for which they were processed or if the processing is for direct marketing purposes);
4. the right to restrict processing: you have the right to restrict the processing of your personal data to limit its use. Where processing has been restricted, we may continue to store your personal data and will observe the restrictions on processing except to the extent permitted by law;
5. the right to object to processing: you have the right to object to our processing of your personal data on the basis of legitimate interests (discussed above) or for direct marketing purposes and if you do so we will stop processing your personal data except to the extent permitted by law;
6. the right to data portability: you have the right to receive your personal data from us if the legal basis for our processing is the performance of a contract with you, and such processing is carried out by automated means; and
7. the right to complain to a supervisory authority: if you consider that our processing of your personal data is unlawful, you have a legal right to lodge a complaint with the ICO.

8. About cookies

8.1
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

8.2
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

8.3
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

8.4
We use these kinds of cookies:

1. Strictly Necessary Cookies: These are required for the operation of the Site and allow you, for instance, to log into your account or make use of e-payment services.
2. Analytical/Performance Cookies: These allow us to recognise and count visitors to the Site and analyse their actions and movements on the Site. This helps us improve the Site (for instance by ensuring that users can find key functions easily).
3. Functionality Cookies: These are used to remember visitors to our Site and choices they have made, allowing us to remember your preferences.
4. Targeting Cookies: These cookies record your visit to the Site, pages you have visited and links you have followed. We use this information to make the Site (and any advertising on the Site) more relevant to your interests.
5. Google Analytics: The Site use Google Analytics (an analytical/performance cookie) to help analyse how users use the Site, collecting standard internet log information and visitor behaviour information in an anonymised form from which no user is identifiable. This information is transmitted to Google and processed to compile statistical reports on activity on the Site. These reports allow us to optimise our user experience. Google provide a browser add-on for users who wish to prevent their data from being used by Google Analytics. Further information is available at https://tools.google.com/dlpage/gaoptout/.
6. Go Squared Ltd: The Site use Go Squared Ltd’s web analytics services, which involve the use of analytical/performance cookies. The information generated by the cookie about your use of this website (including your IP address) are transmitted to GoSquared (which may use data repositories outside of the European Economic Area (EEA) such as the United States of America), where it is then stored for us. We control how the information collected about you is used. GoSquared will use it on our behalf to evaluate your use of this website and report to us about this website’s operations. GoSquared may provide it to third parties if needs be, for example, in order to comply with the law or to third parties processing that information on behalf of GoSquared. For more information on GoSquared’s practices, please see http://www.gosquared.com/legal/.
7. Third Parties: Third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

8.5
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.

9. Further information

If you have any questions in relation to the contents of this Privacy Policy you can contact us using the contact form or support page on the Site or at info@status200.co.uk.

10. Third Parties and Security

10.1
The Site may contain links to third party sites and refer to third party service providers and other entities. If you follow a link to any third party website or deal with any third party entity referred to on the Site, then they may have their own privacy and cookie policies, and we are not responsible for their use of any personal data which you may provide to them.

10.2
We do our best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.

11. Amendments

We may update this Policy from time to time by publishing a new version on the Site. You should check occasionally to ensure you are happy with any changes to this Policy, although we may notify you of material changes to this Policy using the contact details you have given us.

12. Contact Us

If you have any questions, comments or requests regarding this Privacy and Cookie Policy or our use of any personal data you provide to us, please contact us at Status200 Ltd, at 113 Manchester Road, Warrington, England WA1 4AP or at info@status200.co.uk.

Last updated: 23.04.20