LEXEMIN PROFESSIONAL SERVICES LLC - Privacy and Cookie Policy
Effective Date: 11 May 2026  |  Version 1.0


Part One — Global Privacy Notice

1.  Introduction and Who We Are

This Privacy Notice explains how Lexemin Professional Services LLC ("Lexemin", "we", "us", or "our") collects, uses, stores, shares, and protects personal data relating to individuals who interact with us — including visitors to our website, prospective clients, current clients, business contacts, and any other individuals whose personal data we process in connection with our business activities. Lexemin Professional Services LLC is a limited liability company incorporated in the State of Georgia, United States, with its principal place of business at 8735 Dunwoody Place Ste R, Atlanta, GA 30350, USA. We operate across the United Kingdom and the United States, providing advisory services in governance, compliance, HR, data protection, and cross-border business expansion. In connection with these activities, we process personal data as both a Data Controller (where we determine the purposes and means of processing) and as a Data Processor (where we process personal data on behalf of clients in connection with advisory engagements, including outsourced Data Protection Officer services). This Privacy Notice applies to our processing activities as a Data Controller. Where we act as a Data Processor for a client, the relevant terms are governed by the applicable data processing agreement between Lexemin and that client.

2.  Personal Data We Collect

We collect and process the following categories of personal data, depending on the nature of your interaction with us:

2.1  Identity and Contact Data

  • Full name and preferred name

  • Job title and professional role

  • Employer or organisation name

  • Business and personal email addresses

  • Telephone numbers

  • Business and postal addresses

  • LinkedIn profile and other professional social media profiles

2.2  Engagement and Transaction Data

  • Details of services enquired about or engaged

  • Correspondence and communications with us

  • Contract and retainer agreement details

  • Invoice and payment records

  • Notes and records arising from advisory engagements

2.3  Technical and Usage Data

  • IP address and device identifiers

  • Browser type and version

  • Operating system

  • Pages visited on our website and time spent

  • Referring website or source

  • Cookie identifiers (see Part Three — Cookie Policy)

2.4  Marketing and Communications Data

  • Communication preferences

  • Records of consent to receive marketing communications

  • Responses to and engagement with email communications

2.5  Special Categories of Data

We do not intentionally collect or process special categories of personal data (including data relating to health, race or ethnicity, religious beliefs, sexual orientation, political opinions, or biometric data) in connection with our standard business activities. Where special category data is incidentally disclosed in the course of an advisory engagement, it will be treated with the highest standard of care and processed only where a specific lawful basis applies.

3.  How We Collect Personal Data

We collect personal data through the following means:

  • Directly from you when you contact us by email, telephone, or via our website contact form

  • When you book a Discovery Call or advisory session through our online booking system

  • When you enter into a contractual or retainer arrangement with Lexemin

  • Through our website using cookies and similar tracking technologies

  • From publicly available sources including LinkedIn and other professional directories

  • From third parties including referrals, introducers, and business networking platforms

  • In the course of providing advisory services where personal data is shared with us by clients

4.  Lawful Basis for Processing — UK and EU GDPR

Where the UK GDPR or EU GDPR applies to our processing activities, we rely on the following lawful bases:

4.1  Contract

We process personal data where it is necessary for the performance of a contract with you or a client organisation, or to take steps at your request prior to entering into a contract. This includes processing necessary to deliver our advisory services, manage retainer engagements, and administer client relationships.

4.2  Legitimate Interests

We process personal data where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and interests. Our legitimate interests include operating and improving our business, developing new services, marketing our services to existing and prospective clients, maintaining and developing business relationships, and ensuring the security of our systems and information.

4.3  Legal Obligation

We process personal data where necessary to comply with a legal obligation to which we are subject, including obligations under applicable tax law, employment law, data protection law, and regulatory requirements.

4.4  Consent

Where we rely on consent as the lawful basis for processing — including in relation to marketing communications and non-essential cookies — we will obtain your consent clearly and separately, and you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

5.  Purposes for Which We Use Personal Data

We use personal data for the following purposes:

  • To provide, administer, and improve our advisory services

  • To manage client relationships and retainer engagements

  • To communicate with you in connection with services you have enquired about or engaged

  • To process and manage invoices and payments

  • To send you marketing communications where you have consented or where we have a legitimate interest in doing so

  • To operate, maintain, and improve our website

  • To comply with our legal and regulatory obligations

  • To protect our legitimate business interests and legal rights

  • To prevent and detect fraud, unauthorised access, and other unlawful activity

  • To respond to legal claims or regulatory enquiries

  • To conduct research and analysis to develop and improve our services

6.  How We Share Personal Data

We do not sell personal data. We share personal data only in the following circumstances:

6.1  Service Providers and Processors

We engage third-party service providers who process personal data on our behalf, including providers of IT infrastructure, email and communication services, website hosting, accounting and invoicing software, and online scheduling tools. All such providers are subject to appropriate data processing agreements and are required to process personal data only in accordance with our instructions.

6.2  Professional Advisers

We may share personal data with our professional advisers, including legal advisers, accountants, and insurers, where necessary in connection with professional advice sought or received.

6.3  Regulatory and Law Enforcement Authorities

We may disclose personal data to regulatory authorities, law enforcement agencies, courts, and other public bodies where required or permitted by applicable law, including in connection with our obligations as an outsourced Data Protection Officer.

6.4  Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or part of our business, personal data may be transferred as part of that transaction. We will notify affected individuals of any such transfer and the applicable privacy terms in advance.

7.  International Transfers of Personal Data

Lexemin operates across the United Kingdom and the United States. Personal data collected in the United Kingdom may be transferred to and processed in the United States, and vice versa. Where personal data is transferred from the United Kingdom to the United States, we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. These safeguards may include reliance on the UK-US Data Bridge (where applicable), the use of International Data Transfer Agreements (IDTAs), or the application of UK Addenda to EU Standard Contractual Clauses. Where personal data is transferred from the European Union to the United States, we rely on the EU-US Data Privacy Framework (where applicable) or the EU Standard Contractual Clauses approved by the European Commission. You may request further information about the specific safeguards in place for any international transfer by contacting us at data-service@lexemin.com.

8.  How Long We Retain Personal Data

  • We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and in accordance with our legal obligations. Our standard retention periods are as follows:

  • Client engagement records and contractual documentation: 7 years from the end of the engagement, in line with standard commercial limitation periods

  • Financial and invoicing records: 7 years from the end of the relevant financial year, in compliance with applicable tax law obligations in both the UK and US

  • Marketing and communications records: Until consent is withdrawn or an objection is received, and for a further 12 months thereafter

  • Website usage and technical data: 12 months from collection, unless a longer period is required for security or legal purposes

  • Correspondence and general communications: 3 years from the date of the last communication, unless the subject matter requires a longer retention period

At the end of the applicable retention period, personal data is securely deleted or anonymized. Where anonymization is not possible, data is deleted in a manner that prevents reconstruction.

9.  Your Rights Under UK and EU GDPR

Where the UK GDPR or EU GDPR applies, you have the following rights in relation to your personal data:

9.1  Right of Access

You have the right to request a copy of the personal data we hold about you, together with information about how it is processed. We will respond to verified access requests within one calendar month.

9.2  Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. We will action verified rectification requests without undue delay.

9.3  Right to Erasure

You have the right to request that we delete your personal data in certain circumstances, including where it is no longer necessary for the purposes for which it was collected, where consent has been withdrawn, or where it has been unlawfully processed. This right is subject to applicable legal obligations requiring us to retain data.

9.4  Right to Restrict Processing‍ ‍

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest its accuracy, where processing is unlawful, or where you have objected to processing pending verification of legitimate grounds.

9.5  Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that it be transmitted to another controller where technically feasible.

9.6  Right to Object

You have the right to object to processing based on our legitimate interests, including processing for direct marketing purposes. Where you object to direct marketing, we will cease such processing immediately. Where you object to other processing based on legitimate interests, we will assess whether our legitimate interests override your rights and interests.

9.7  Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Lexemin does not currently engage in automated decision-making of this nature.

9.8  Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time without detriment. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.

9.9  Right to Lodge a Complaint

You have the right to lodge a complaint with the relevant supervisory authority. In the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO), which can be contacted at www.ico.org.uk. In the European Union, the relevant authority is the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. To exercise any of the above rights, please contact us at data-services@lexemin.com. We will respond to all verified requests within the timeframes required by applicable law and will not charge a fee for reasonable requests.

10.  Lexemin as Data Processor

Where Lexemin provides Data Protection Officer services or other advisory services that involve the processing of personal data on behalf of a client, Lexemin acts as a Data Processor and the client acts as the Data Controller. In these circumstances, Lexemin processes personal data only in accordance with the documented instructions of the client, as set out in the applicable data processing agreement. Lexemin implements appropriate technical and organizational measures to ensure the security of personal data processed on behalf of clients and will not process such data for any purpose other than that specified by the client. Data subjects whose personal data is processed by Lexemin in its capacity as a Data Processor should direct any requests to exercise their rights to the relevant Data Controller (i.e., the client organization), who is responsible for responding to such requests.

11.  Security of Personal Data

We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures include:

  • Encryption of data in transit and at rest

  • Access controls and authentication measures

  • Regular security reviews and assessments

  • Staff awareness and confidentiality obligations

  • Secure disposal procedures for personal data no longer required

  • Incident response procedures for data breaches

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach and will notify affected individuals without undue delay where required by applicable law.

12.  Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. We will notify you of any material changes by posting the updated notice on our website and, where appropriate, by direct communication. The effective date at the top of this notice indicates when it was last updated.

13.  Contact Us

If you have any questions about this Privacy Notice, wish to exercise your rights, or wish to make a complaint about our processing of your personal data, please contact us:

  • By email:  info@lexemin.com‍ ‍

  • By post:  Lexemin Professional Services LLC, 8735 Dunwoody Place Ste R, Atlanta, GA 30350, USA

  • Via web:  www.lexemin.com‍ ‍


Part Two — United States Privacy Rights

This Part Two supplements the Global Privacy Notice above and applies to residents of US states with applicable comprehensive data privacy legislation. In the event of any conflict between this Part Two and Part One in relation to US residents, this Part Two prevails. As of the effective date of this notice, comprehensive state privacy laws are in force in the following states: California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Indiana, Iowa, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island, and Tennessee. Where you are a resident of any of these states, the relevant provisions below apply to you. California Residents — CCPA and CPRA This section applies to residents of California and is provided pursuant to the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (together, "CCPA/CPRA"). Categories of Personal Information Collected In the preceding twelve months, we may collect or have collected the following categories of personal information as defined by the CCPA/CPRA:

  • Identifiers — including name, email address, telephone number, IP address, and business address

  • Commercial information — including records of services purchased or enquired about

  • Internet or other electronic network activity — including website browsing activity and cookie data

  • Professional or employment-related information — including job title, employer, and professional background

  • Inferences drawn from other personal information — to create a profile about preferences and interests relevant to our services

We do not collect sensitive personal information as defined by the CCPA/CPRA, including Social Security numbers, financial account details, precise geolocation data, racial or ethnic origin, religious beliefs, health data, or biometric data, in the ordinary course of our business.

Sources of Personal Information

We collect personal information directly from you, from your use of our website, from publicly available professional sources, and from third parties including referrals and business networking platforms. Business or Commercial Purposes for Collection We collect personal information for the business and commercial purposes described in Clause 5 of Part One of this notice, including providing advisory services, managing client relationships, marketing our services, and improving our website and operations. Disclosure of Personal Information We may disclose personal information to the categories of third parties described in Clause 6 of Part One, including service providers, professional advisers, and regulatory authorities. We do not sell personal information. We do not share personal information for cross-context behavioral advertising purposes.

Your California Privacy Rights

As a California resident, you have the following rights under the CCPA/CPRA:

  • Right to Know — the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information

  • Right to Delete — the right to request deletion of personal information we have collected from you, subject to certain exceptions

  • Right to Correct — the right to request correction of inaccurate personal information we maintain about you Right to Opt-Out of Sale or Sharing — the right to opt out of the sale of your personal information or its sharing for cross-context behavioral advertising. Lexemin does not sell or share personal information for these purposes

  • Right to Limit Use of Sensitive Personal Information — the right to limit our use of sensitive personal information to that which is necessary for the provision of our services. We do not use sensitive personal information for purposes beyond those permitted by the CCPA/CPRA

  • Right to Non-Discrimination — the right not to receive discriminatory treatment for exercising your privacy rights

To exercise any of your California privacy rights, please submit a verifiable consumer request to data-services@lexemin.com. We will acknowledge your request within 10 business days and respond within 45 calendar days. If we require additional time, we will notify you of the extension and the reason for it. You may authorize an agent to submit requests on your behalf. We may require verification of the agent's authority and your identity before processing such requests.

Virginia Residents — VCDPA

This section applies to residents of Virginia pursuant to the Virginia Consumer Data Protection Act ("VCDPA"). Virginia residents have the right to access, correct, delete, and obtain a portable copy of their personal data. You also have the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Lexemin does not engage in targeted advertising, sale of personal data, or profiling of this nature. To exercise your rights, please contact data-services@lexemin.com.

Colorado Residents — CPA

This section applies to residents of Colorado pursuant to the Colorado Privacy Act ("CPA"). Colorado residents have the right to access, correct, delete, and obtain a portable copy of their personal data. You also have the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects. You have the right to appeal any decision we make in response to your privacy request. Lexemin does not engage in targeted advertising, sale of personal data, or such profiling. To exercise your rights or submit an appeal, please contact data-services@lexemin.com.

Connecticut Residents — CTDPA

This section applies to residents of Connecticut pursuant to the Connecticut Data Privacy Act ("CTDPA"). Connecticut residents have the right to access, correct, delete, and obtain a portable copy of their personal data. You also have the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects. You have the right to appeal any decision we make in response to your privacy request within 45 days. Lexemin does not engage in targeted advertising, sale of personal data, or such profiling. To exercise your rights or submit an appeal, please contact data-services@lexemin.com.

Texas Residents — TDPSA

This section applies to residents of Texas pursuant to the Texas Data Privacy and Security Act ("TDPSA"). Texas residents have the right to access, correct, delete, and obtain a portable copy of their personal data. You also have the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects. You have the right to appeal any decision we make in response to your privacy request. Lexemin does not engage in targeted advertising, sale of personal data, or such profiling. To exercise your rights or submit an appeal, please contact data-services@lexemin.com‍ ‍

Utah Residents — UCPA

This section applies to residents of Utah pursuant to the Utah Consumer Privacy Act ("UCPA"). Utah residents have the right to access, delete, and obtain a portable copy of their personal data. You also have the right to opt out of the processing of personal data for targeted advertising and the sale of personal data. Lexemin does not engage in targeted advertising or sale of personal data. To exercise your rights, please contact data-services@lexemin.com.

Residents of Other States with Applicable Privacy Laws Residents of Oregon, Montana, Delaware, Indiana, Iowa, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island, and Tennessee are also afforded privacy rights under their respective state laws. While the specific rights and thresholds under each law vary, Lexemin is committed to honoring verifiable privacy requests from residents of all states with applicable comprehensive data privacy legislation. In general, residents of these states have the right to access, correct, and delete personal data we hold about them, and to opt out of targeted advertising and the sale of personal data. Lexemin does not engage in targeted advertising or the sale of personal data. To exercise any privacy right under your state's law, or to submit an appeal of a decision we have made in response to a previous request, please contact us at data-services@lexemin.com.

We will respond in accordance with the timeframes and requirements of the applicable state law. California Shine the Light Law California Civil Code Section 1798.83 (the "Shine the Light" law) permits California residents to request information regarding our disclosure of personal information to third parties for their direct marketing purposes. Lexemin does not disclose personal information to third parties for their direct marketing purposes.


Part Three - Cookie Policy

1.  Introduction

This Cookie Policy explains how Lexemin Professional Services LLC uses cookies and similar tracking technologies on our website at www.lexemin.com ("the Website"). It should be read alongside our Global Privacy Notice in Part One. By using our website, you consent to our use of cookies in accordance with this Cookie Policy. You can withdraw or manage your consent at any time using the cookie management options described below.

2.  What Are Cookies

Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites function efficiently, to provide information to website operators, and to enhance the user experience. Cookies can be "session cookies" (which are deleted when you close your browser) or "persistent cookies" (which remain on your device for a specified period or until deleted).

3.  Types of Cookies We Use

3.1  Strictly Necessary Cookies

These cookies are essential for the operation of our website and cannot be switched off. They are set in response to actions you take, such as completing a form or setting privacy preferences. These cookies do not store any personally identifiable information and do not require your consent.

  • Session management cookies — to maintain your session while navigating the Website

  • Security cookies — to protect against cross-site request forgery and other security threats

  • Load balancing cookies — to ensure optimal Website performance

3.2  Performance and Analytics Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and to understand how visitors navigate the Website. All information collected by these cookies is aggregated and therefore anonymous. These cookies require your consent.

Google Analytics — used to collect information about how visitors use our website, including pages visited, time spent on pages, and sources of traffic. Data is anonymized and aggregated. Google's privacy policy is available at https://policies.google.com/privacy

Squarespace Analytics — our website platform's built-in analytics tools, used to measure website performance and visitor behaviour

3.3  Functional Cookies

These cookies enable the Website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. These cookies require your consent.

  • Calendly — used to enable online appointment booking functionality. Calendly's privacy policy is available at https://calendly.com/privacy

  • Preference cookies — to remember your cookie preferences and settings

3.4  Marketing and Targeting Cookies

Lexemin does not currently use marketing or targeting cookies and does not engage in cross-site behavioral advertising. If this changes in the future, this Cookie Policy will be updated accordingly, and your consent will be sought before any such cookies are placed.

4.  Third-Party Cookies

Some cookies on our website are placed by third parties, including analytics providers and embedded functionality providers. We do not control these third-party cookies, and they are subject to the privacy policies of the relevant third parties. We take reasonable steps to ensure that any third-party cookies used on our website are appropriate and that the relevant third parties maintain adequate privacy standards.

5.  Managing and Withdrawing Consent

You can manage your cookie preferences at any time using the following methods:

5.1  Cookie Consent Tool

When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You can revisit and update your preferences at any time by accessing the cookie settings link in the footer of our website.

5.2  Browser Settings

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies, delete existing cookies, or alert you when cookies are being placed. Please note that disabling certain cookies may affect the functionality of our website. For further information on managing cookies through your browser, visit www.allaboutcookies.org.

5.3  Opt-Out Tools

You can opt out of Google Analytics tracking at any time by installing the Google Analytics Opt-out Browser Add-on, available at https://tools.google.com/dlpage/gaoptout.

6.  Cookies and UK GDPR

The use of cookies that are not strictly necessary requires your consent under the UK Privacy and Electronic Communications Regulations 2003 ("PECR") and the UK GDPR. We obtain your consent through our cookie consent tool before placing any non-essential cookies on your device. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

7.  Cookies and US State Privacy Laws

Certain cookies used on our website may constitute "sale" or "sharing" of personal information under applicable US state privacy laws, including the CCPA/CPRA. As stated in Part Two of this document, Lexemin does not sell personal information or share it for cross-context behavioral advertising purposes. If you are a resident of a US state with applicable data privacy legislation and wish to exercise your opt-out rights in relation to cookies, please contact us at data-services@lexemin.com.

8.  Changes to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we use, applicable law, or regulatory guidance. Any changes will be posted on our website with an updated effective date. Where changes are material, we will seek fresh consent where required.

9.  Contact Us

If you have any questions about our use of cookies, please contact us:

Lexemin Professional Services LLC  |  Privacy Notice, California Privacy Notice and Cookie Policy Effective Date: 11 May 2026  |  Version 1.0 © 2026 Lexemin Professional Services LLC. All rights reserved.