
GDPR Compliance

Last updated: March 2026

1. Our Commitment

Lemma, Inc. is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation. This page explains how we comply with our obligations under these regulations and how we support our users in exercising their data rights. Regardless of where you are located, we apply the same high standard of data protection to all users of the Service. We believe privacy is a fundamental right and have designed our systems with privacy by design and by default.

2. Legal Basis for Processing

We process personal data under the following legal bases as defined by Article 6 of the GDPR:

Contractual Necessity (Art. 6(1)(b)): Processing necessary to perform our contract with you, including account management, session facilitation, skill verification, and payment processing.

Legitimate Interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Service, preventing fraud, and ensuring platform security, where those interests are not overridden by your data protection rights.

Consent (Art. 6(1)(a)): Where we rely on your consent, such as for optional analytics cookies or marketing communications. You may withdraw consent at any time.

Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with a legal obligation, such as tax reporting or responding to valid legal requests.

3. Data Subject Rights

Under the GDPR, you have the following rights with respect to your personal data:

Right of Access: You may request a copy of the personal data we hold about you.

Right to Rectification: You may request correction of inaccurate or incomplete personal data.

Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements.

Right to Restriction: You may request that we restrict the processing of your personal data.

Right to Portability: You may request a copy of your data in a structured, machine-readable format.

Right to Object: You may object to processing based on legitimate interests or direct marketing.

To exercise any of these rights, contact us at privacy@getlemma.io. We will respond to your request within 30 days.

4. International Data Transfers

Lemma, Inc. is based in the United States. When we transfer personal data from the European Economic Area (EEA) or the United Kingdom to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission. We ensure that all subprocessors involved in international data transfers are bound by equivalent contractual obligations. For a current list of our subprocessors and their locations, please refer to our List of Subprocessors page.

5. Data Protection Officer and Complaints

For any questions or concerns about our data protection practices, you may contact our data protection team at dpo@getlemma.io. We take all privacy inquiries seriously and will respond promptly to your concerns. If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at the European Data Protection Board website.
