GDPR and Data Privacy at Lexplore Analytics

At Lexplore Analytics we have standardised policies and procedures to ensure that the data we process is protected. Our team also have an inherent knowledge and experience working within education and data protection; we conduct regular policy reviews to ensure all procedures are kept up to date and our policies are also maintained through our ICO registration. As an organisation, we also implement training for staff to ensure our policies and knowledge of data protection and UK cyber security law is kept up to date.


The following information on how data is handled at Lexplore Analytics relates to users of our Results Portal and Screening and Analysis Services (together, our “Services”). Within the attached information references to “we” “us” “our” and refer to the following entities:

(a)   Lexplore AB (559069-1811, Tegelbacken 4A, 111 52, Stockholm)

(b)   Lexplore Analytics Limited (11121766 of Suite 8 Bowden Hall, Marple, Stockport, SK6 6ND)

(c)   Lexplore Nordic AB (559091-9212, Tegelbacken 4A, 111 52, Stockholm)

What is personal data?

Personal data is any information that relates to an identified or identifiable individual. This can be as simple as names, addresses and numbers, but even pictures and voice recordings are regarded as personal data, even if names are not mentioned. Personal data also includes other identifiers, like IP addresses or cookies.

Data controllers and processors

Controllers are the main decision makers when it comes to handling personal data. They shoulder the highest level of compliance responsibility to all principles of GDPR. Processors act on behalf of and under the instruction of Controllers. Processors do not have the same obligations as Controllers and do not have to pay a data protection fee. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes. At Lexplore Analytics, ‘the customer’ and school is the data controller. They determine what data is extracted, what purpose it is used for and who is allowed to process the data. Lexplore Analytics is the data processor of the data made available by schools in our assessment software. Lexplore is trusted with such personal data but does not control it.

With whom might we share personal data?

We may transfer your personal data to providers of various accounting systems, if you are a contact person for the Customer. The data which we process about you as a user of the Results Portal is processed on Microsoft’s servers. Such recipients are only entitled to process your personal data on our behalf in connection with their performance of a service for us as stated in this privacy policy. We take all reasonable legal, technical and organisational measures to ensure that your data is processed safely and with an adequate protection level in conjunction with transfer to, or sharing with, such selected third parties. Your data may also be shared with companies within the same group as us and with the distributor with whom the Customer entered into an agreement.

All the system data is hosted and stored at the Microsoft Azure data centre in Northern Europe, which is located in Ireland. Microsoft Azure apply a number of robust techniques to ensure the data is kept safe. You can find out more – HERE

All personal data about Pupils is encrypted when stored or processed by all the Lexplore Companies, using either Always Encryption (AE) and or Transparent Data Encryption (TDE). All data is transferred in accordance to HTTPS protocol.

The data we use for marketing purposes may be shared with providers of various mailout systems. We may also provide your personal data to public authorities if we are obliged to do so by law. Upon a sale of all or parts of our business, we may transfer your personal data to a potential purchaser of the business.

Where do we process your personal data?

Your personal data will be processed only within the EU/EEA, subject to the exceptions below.

The processing of your email address for marketing purposes is conducted by a provider located in the US. The company has taken appropriate safety measures to protect your personal data by means of the recipient of the personal data having signed up to Privacy Shield regulations which include a number of obligations concerning the processing of personal data that have been approved by the EU Commission.

Your rights

You have certain statutory rights which you are entitled to assert against us. A summary of those rights is presented below.

  • Right of access/register extract. You are entitled to receive a reply as to whether we process your personal data. If such is the case, you are entitled to information as to which personal data is processed, the purposes of the processing, which external recipients receive your personal data and how long we store your personal data.
  • Rectification of incorrect data. You are entitled to request that we rectify incorrect or incomplete data about you.
  • Deletion of certain data. You are entitled to request that we delete your personal data under certain conditions, e.g. if the personal data is no longer necessary for the purpose for which we have compiled the personal data.
  • Right to object to our processing of personal data. Under certain conditions you are entitled to object to our processing of your personal data.
  • Right to restrict processing of personal data. In certain cases you are entitled to request a restriction on our processing of your personal data. For example, if you have contested that your personal data is correct, you may request restriction of the processing during a period of time which allows us to check that the personal data is correct.
  • Complaints. If you have any complaint regarding our processing of your personal data, you are entitled to submit a complaint to your local Privacy Protection Authority, which in the UK, is the Information Commissioner’s Office.

If you wish to submit a request for a register extract, rectification, deletion, objection or restriction, kindly contact us on hello@lexplore.com. More Information about your individual rights can be found by visiting the Information Commissioner’s Office (ICO) Website – HERE

Privacy by design

Data Protection Regulation has acted as a guiding principle during the process of developing Lexplore Analytic’s assessment and IT systems. At each step of the process, many considerations have been made to ensure personal data is protected.

Encrypt and separate

A basic principle of Lexplore Analytic’s data protection strategy is to separate and encrypt the information we collect as much as possible. Eye movement recordings and voice recordings from the assessment are stored in separate, encrypted databases for each organisation. These are stored without names or any identification numbers. This data is only combined within the Result’s Portal using an encryption key. Your eligibility level and role within the portal will then determine which results you have access to within this Portal. This can only be accessed through a secure authentication process.

All databases and blob storage are backed up for 35 days. For this backup, Lexplore Analytics uses Azure read-access geo-redundant storage and LRS for Blob storage. This means that data stays within Europe. The databases will save a backup of the personal data in the Western European Data Centre, located in the Netherlands.

Our full Data Protection policy can be found in the Lexplore Analytics Terms of Business, Privacy Policy, Cookie Policy and our ICO Registration. You can also find out more by downloading our Data Protection Guide or get in touch by emailing data.privacy@lexplore.com.

Download the Guide

Lexplore Analytics Full Terms of Business

ICO Registration Privacy Policy Cookie Policy