CXO Lanes

GDPR Policy

General Data Protection Regulation Compliance

Last Updated: October 8, 2025

CXO Lanes is committed to protecting your personal data and respecting your privacy rights under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). This policy explains how we comply with data protection laws and your rights as a data subject.

Data Controller Information

CXO Lanes acts as the data controller for the personal information we collect and process.

Organization: CXO Lanes (UK & Europe)

Email: hi@cxolanes.co.uk

Website: cxolanes.co.uk

Legal Basis for Processing

Under the GDPR, we must have a legal basis to process your personal data. We process your data based on the following legal grounds:

1. Consent

When you provide explicit consent for us to process your data for specific purposes, such as receiving marketing communications or participating in our communities.

You can withdraw consent at any time.

2. Legitimate Interests

When we have a legitimate business interest, such as improving our services, fraud prevention, or network security, provided this does not override your rights and interests.

3. Contractual Necessity

When processing is necessary to fulfill a contract with you or to take steps at your request before entering into a contract.

4. Legal Obligation

When we need to process your data to comply with legal obligations, such as tax laws or legal proceedings.

Your Data Protection Rights

Under the GDPR, you have the following rights regarding your personal data:

1. Right of Access

You have the right to request a copy of the personal data we hold about you. This is also known as a "subject access request."

How to exercise: Email us at hi@cxolanes.co.uk with "Subject Access Request" in the subject line.

2. Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

Response time: We will respond within one month of receiving your request.

3. Right to Erasure (Right to be Forgotten)

You have the right to request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the purpose for which it was collected.

Note: This right is not absolute and may not apply if we have a legal obligation to retain the data.

4. Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

5. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

Format: We will provide data in CSV or JSON format.

6. Right to Object

You have the right to object to our processing of your personal data in certain circumstances, particularly when we process data based on legitimate interests or for direct marketing purposes.

Marketing: You can opt out of marketing communications at any time.

7. Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.

Note: We do not currently use automated decision-making processes.

Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Retention Periods

  • Contact form submissions: 2 years from submission
  • Email communications: 3 years from last contact
  • Marketing consent records: Duration of consent plus 3 years
  • Website analytics data: 26 months (Google Analytics default)
  • Cookie consent records: 1 year from last update

International Data Transfers

We primarily store and process data within the UK and European Economic Area (EEA). When we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules

Some of our service providers may be based outside the UK/EEA:

  • Supabase (Database): US-based with EU data centers available
  • Google Analytics: US-based with Standard Contractual Clauses
  • LinkedIn: US-based with appropriate safeguards

Data Security

We have implemented appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Regular staff training on data protection
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery plans

Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. We will also report any notifiable breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach.

Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information as quickly as possible.

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with a supervisory authority.

UK Supervisory Authority

Information Commissioner's Office (ICO)

Website: ico.org.uk

Telephone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Changes to This Policy

We may update this GDPR Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date. We encourage you to review this policy periodically.

Related Policies

For more information about how we handle your personal data, please see our:

How to Exercise Your Rights

To exercise any of your GDPR rights or if you have any questions about this policy, please contact us at:

Email: hi@cxolanes.co.uk

Please include "GDPR Request" in the subject line and provide sufficient information to verify your identity. We will respond to your request within one month.
