Privacy Policy

Last updated: 1 March 2026 · Version 1.0

This Privacy Policy explains how Connexis Group Ltd ("Connexis", "we", "our", "us"), a company registered in England and Wales with company number 17214446, registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom, collects and processes personal data when you visit our website at connex.is, use our platform, apply to become a Publisher or Affiliate, or are a financial-services business that purchases enquiries through our routing infrastructure.

1. Who we are and our role

Connexis operates a B2B routing infrastructure that connects financial-services consumer enquiries with FCA-aware buyers in real time. We act as a data controller for our website visitors, account holders, applicants and prospective customers. For consumer enquiries routed through our infrastructure to buyer endpoints, we act as a joint controller with the receiving buyer, and as a data processor with respect to subsequent storage on the buyer's behalf where applicable.

2. The data we collect

2.1 Account holder data

  • Identification: full name, business email address, company name, role.
  • Authentication: hashed password, two-factor codes, session tokens.
  • Communications: support tickets, in-portal chat, contracts you sign with us.
  • Billing: VAT number, billing address, payment-method tokens (handled by Stripe — we do not store full card numbers).

2.2 Lead / enquiry data

  • Contact details: first name, last name, email, mobile phone number, postal code.
  • Enquiry context: sector of interest, affordability band, intent text, consent token, TrustedForm certificate URL.
  • Technical metadata: IP address, user-agent, source publisher identifier, timestamp.

2.3 Website visitor data

  • Strictly necessary cookies (session, CSRF protection).
  • Analytics cookies (only after consent) — aggregate usage data.
  • Server logs: IP, page accessed, referrer (retained 30 days for security).

3. Lawful basis for processing

  • Contract (UK GDPR Art. 6(1)(b)): processing necessary to provide the platform to account holders and fulfil our agreements.
  • Consent (Art. 6(1)(a)): lead data is processed on the basis of explicit, recorded consent obtained at point of capture, evidenced by TrustedForm or equivalent consent infrastructure.
  • Legitimate interest (Art. 6(1)(f)): fraud prevention, security monitoring, B2B marketing to business contacts, platform analytics — balanced against your rights.
  • Legal obligation (Art. 6(1)(c)): AML/KYB checks, accounting record retention, FCA-related record-keeping.

4. How we use your data

  • Operating the routing infrastructure (matching enquiries to buyers in under a second).
  • Providing access to your portal (buyer dashboard, publisher dashboard, affiliate dashboard).
  • Processing payments (Stripe), settling publisher payouts (Stripe Connect or bank transfer).
  • Sending transactional emails and SMS (account lifecycle, lead confirmations, contract signing).
  • Compliance, audit and dispute resolution.
  • Service improvement, security monitoring, fraud prevention.

5. Sharing & sub-processors

We share personal data with carefully selected sub-processors that are bound by Data Processing Agreements:

  • MongoDB Atlas — primary database (EU-West).
  • Stripe Payments UK Ltd — card payments + Connect payouts.
  • Anthropic, OpenAI, Google — AI inference for qualification and analytics (data minimised, no training).
  • Cloudflare — DDoS / WAF / CDN edge.

Operational vendors used for transactional email and SMS notifications are listed in our Data Processing Agreement and available to account holders on request to legal@connex.is.

We share enquiry data with a single matched buyer in real time at the point of routing. Each enquiry is delivered to exactly one buyer (exclusive, never resold). The buyer becomes joint controller of that enquiry data and is bound by their own privacy obligations.

6. International transfers

Some sub-processors are located outside the UK. Where this is the case, we rely on the UK International Data Transfer Agreement, UK Addendum to the EU SCCs, or adequacy decisions (e.g. EU/EEA). Specific transfer mechanisms per processor are listed in our Data Processing Agreement.

7. Retention

  • Account data: for the lifetime of your account, plus 7 years (UK Companies Act).
  • Lead data: 24 months from delivery, then purged or anonymised, unless your buyer retention agreement specifies a different window.
  • Server logs: 30 days.
  • Invoices & ledger: 7 years (HMRC).
  • Audit / compliance events: 6 years.

8. Your rights (UK GDPR)

You have the right to:

  • Access your personal data (subject access request).
  • Rectify inaccurate data.
  • Erasure ("right to be forgotten"), subject to legal-retention obligations.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent at any time (without affecting prior lawful processing).
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise these rights, email legal@connex.is. We respond within 30 days.

9. Security

We implement industry-standard technical and organisational measures: TLS 1.3 in transit, AES-256 at rest, principle-of-least-privilege access control, audited admin actions, secrets management via environment isolation, automated daily backups, and continuous vulnerability scanning. Detailed measures are documented in our Trust Center.

10. Changes to this policy

Material changes will be notified to account holders by email and SMS (where opted in) at least 14 days before they take effect. The version number and "last updated" date above always reflect the current version.

11. Contact

Data Protection contact: legal@connex.is
Postal: Connexis Group Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom