Privacy Policy

Lexendo is operated by Lexendo Ltd. We are committed to protecting your personal data and processing it in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For data protection purposes, Lexendo Ltd is the data controller in respect of your account and firm data. In respect of your clients' personal data that you process through Lexendo, we act as a data processor on your behalf.

Contact: support@lexendo.co.uk

Account data: When you register, we collect your firm name, email address, and password (stored as a secure hash). If you register via Google, we receive your name and email from Google.

Firm profile data: Information you add to your profile, including firm address, phone number, website, logo, and VAT/PAYE references.

Client data: Details of your employer clients that you enter into Lexendo to carry out assessments, including company information and employee benefit details.

Assessment data: The inputs and outputs of P11D, IR35, and other tax risk assessments you complete within the platform.

Billing data: Payment is handled by Stripe. We store your Stripe customer ID and subscription status, but we never see or store your card details.

Usage data: Technical information such as IP address, browser type, and pages visited, used for platform security and improvement.

We use your data to:

• Provide, operate, and improve the Lexendo platform
• Manage your subscription and process payments via Stripe
• Send transactional emails (account confirmation, billing receipts) via Resend
• Respond to support requests and account queries
• Comply with our legal and regulatory obligations

We process your personal data under the following lawful bases:

• Contract: Account data and billing data are processed to fulfil your subscription agreement with us.
• Legitimate interests: Usage and technical data are processed to maintain platform security and improve the service.
• Legal obligation: We may process data where required by law, including tax and financial record-keeping obligations.

When you enter your employer clients' data into Lexendo, you remain the data controller for that personal data. Lexendo Ltd processes it as your data processor, solely to provide the platform's assessment and reporting features.

Our full Data Processing Agreement (DPA) is incorporated into your subscription and governs how we process your clients' personal data. By creating an account, you agree to the DPA.

Certain features of Lexendo (including employment tax assessments and the Lex AI assistant) are powered by artificial intelligence provided by Anthropic, PBC via its API. To enable the Lex AI assistant to retrieve relevant HMRC guidance and case law for your queries, the text of your query is also sent to Voyage AI, Inc. for embedding (a privacy preserving mathematical representation used only to search Lexendo's knowledge base; never used to train Voyage's models or shared with any third party).

When you use these features, data you enter for that assessment is transmitted to Anthropic's API for processing. Neither Anthropic nor Voyage AI uses API data to train their models. Data is processed transiently and is not retained beyond the immediate request. Anthropic is SOC 2 Type II certified and is bound by a Data Processing Agreement with Lexendo Ltd. Voyage AI is bound by equivalent processing terms.

No client data is ever used to improve or train the underlying AI models. The Lexendo knowledge base (HMRC guidance and tribunal decisions) is entirely separate from your client data.

We use the following trusted sub-processors to operate the platform. Full details are set out in our Data Processing Agreement.

• Supabase Inc.:database and authentication (EU/Ireland data region)
• Anthropic, PBC:AI-assisted assessment and analysis features (USA; SCCs in place)
• Voyage AI, Inc.:text embeddings used to retrieve relevant HMRC guidance for the Lex AI assistant (USA; SCCs in place)
• Stripe, Inc.:payment processing and subscription management (USA/EU; SCCs in place)
• Resend Inc.:transactional email delivery (USA; SCCs in place)
• Vercel Inc.:platform hosting and deployment (USA; SCCs in place)

All sub-processors are bound by data processing agreements consistent with UK GDPR Article 28.

We retain your account and firm data for the duration of your subscription and for 12 months thereafter, to allow for reactivation and to meet financial record-keeping obligations.

If you request deletion of your account, we will delete your personal data within 30 days, subject to any legal retention obligations.

Your data is primarily processed within the UK and European Economic Area. Where sub-processors operate outside these regions, we ensure appropriate safeguards are in place (such as standard contractual clauses) in accordance with UK GDPR requirements.

Under UK GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your data (right to be forgotten), subject to legal obligations
• Restrict processing in certain circumstances
• Data portability:receive your data in a machine-readable format
• Object to processing based on legitimate interests

To exercise any of these rights, contact us at support@lexendo.co.uk. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed password storage, row-level security on our database, and restricted access controls.

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email. The "last updated" date at the top of this page indicates when it was last revised.