How we look after personal data.

Lezly Limited ("Lezly", "we", "our") is a company registered in England and Wales with its principal place of business at 120 Blackwell Street, London EC2A, United Kingdom. We are registered with the UK Information Commissioner's Office (ICO).

This Privacy Policy explains how we handle personal data we receive about visitors to our website, prospective clients who contact us, and individuals whose personal data is processed on behalf of clients during an engagement.

From visitors to our website: technical data (IP address, device, browser, referring page) and, if you submit our intake form, the details you provide (name, work email, organisation, role, country, sector, urgency and the description of your situation).

From prospective and existing clients: the details exchanged in correspondence and meetings, billing details where invoices are raised, and signed agreements.

During an engagement: any data necessary to perform the Services, which may include URLs, accounts and other identifiers associated with detected infringement and the data subjects involved in such infringement.

To respond to enquiries and to provide the Services (lawful basis: contract performance, or steps preparatory to entering a contract). To meet legal and regulatory obligations, including the maintenance of evidence (lawful basis: legal obligation; legitimate interest in the integrity of the legal process). To improve our Services and operate our business (lawful basis: legitimate interest, balanced against your rights and freedoms).

We share personal data only with: (i) sub-processors that help us deliver the Services, all of which are listed in our sub-processor register and bound by data processing agreements; (ii) platforms, hosts, registrars and intermediaries to whom we file notices, where such sharing is necessary to enforce client rights; (iii) regulators, courts and law-enforcement bodies where required by law or court order; and (iv) professional advisors (lawyers, accountants, auditors) under duties of confidence.

Our primary processing locations are the United Kingdom (London), the European Union (Frankfurt) and Singapore. Where personal data is transferred outside the UK or the EEA, we rely on UK International Data Transfer Agreements, EU Standard Contractual Clauses and equivalent safeguards.

Enquiry data is retained for twelve (12) months unless an engagement begins. Client engagement data is retained for the duration of the engagement and for five (5) years thereafter — in line with statutory limitation periods and the integrity of the evidence record. We delete personal data sooner on request, where we are not under a legal obligation to retain it.

Subject to applicable law, you have the right to access, rectify, erase, restrict processing of, object to processing of, and port your personal data; and to withdraw consent at any time where processing is based on consent. To exercise any of these rights, please write to [email protected].

We hold ISO 27001 certification and SOC 2 Type II audit. All personal data is encrypted at rest with AES-256 and in transit with TLS 1.3. Access is granted by named role under principle of least privilege, audited weekly and reviewed quarterly by independent counsel. Our written incident response policy commits us to notifying clients without undue delay (and within 72 hours of awareness for personal-data breaches likely to result in risk to data subjects).

We review this Privacy Policy at least annually and update it as needed. Material changes will be notified to active clients in writing.

For any privacy question, please write to our Data Protection Officer at [email protected] or to Lezly Limited, 120 Blackwell Street, London EC2A, United Kingdom.