Data Breach Notification Policy
Last updated: 28 May 2026
Overview
Limelai Limited, which operates LimeProspect, treats personal data breaches with the seriousness they deserve. This policy sets out how we detect, assess and respond to security incidents involving personal data, and how we meet our obligations under UK GDPR Articles 33 and 34.
A personal data breach means any security incident that leads to the accidental or unlawful destruction, loss or alteration of personal data we hold or process, or to the unauthorised disclosure of, or access to, that data.
Detection and Assessment
We operate continuous monitoring across our application, infrastructure and sub-processor integrations. Suspected incidents are triaged within 24 hours of detection. Our incident response team determines whether personal data is involved, the categories of data affected, the approximate number of data subjects and the likely consequences for those individuals.
ICO Notification (Article 33)
Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, no later than 72 hours after becoming aware of it.
Our notification to the ICO will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed to address the breach and the name and contact details of our Data Protection Contact.
User Notification (Article 34)
Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay. Notifications will use clear, plain language and will describe:
- The nature of the breach
- The likely consequences, including any risks to your accounts or personal data
- The measures we have taken or propose to take in response
- Practical steps you can take to protect yourself, such as resetting passwords or reviewing connected integrations
- How to contact our Data Protection Contact for more detail
Notifications will be sent by email to the address on file for your account. If individual notification would involve disproportionate effort, we will make a public communication through our website, status page and product surfaces.
Internal Escalation
Suspected breaches are escalated immediately through the following chain:
- On-call engineer: Receives the alert, validates the signal and opens an incident ticket.
- Security lead: Coordinates technical investigation, containment and forensic preservation.
- Data Protection Contact: Assesses GDPR implications, manages regulator notifications and drafts user communications.
- Company directors: Briefed at the point of confirmation and approve external statements.
Containment and Recovery
Once a breach is confirmed, the response team works to:
- Contain the incident by revoking credentials, rotating secrets, isolating affected systems and disabling compromised integrations
- Preserve forensic evidence, including logs and snapshots, for investigation
- Coordinate with affected sub-processors where their systems are involved
- Restore services from clean backups and validate integrity before resuming normal operation
- Apply remediation measures, including patches, configuration changes and access control updates
Post-Incident Review
Within 14 days of resolution we conduct a post-incident review. The review documents the timeline, root cause, contributing factors, customer impact and the lessons learned. Findings feed directly into our security roadmap and any required updates to policies, training and controls. A summary of significant incidents is recorded in our internal breach register, in line with Article 33(5) UK GDPR.
How We'll Contact You
In the event of a breach that affects you, we will contact you using the email address associated with your LimeProspect account. We will never ask for your password, payment card details or full bank details in a breach notification. If you receive a suspicious message claiming to be from LimeProspect, forward it to security@limeprospect.com and do not click any links.
Report a Suspected Breach
If you believe you've discovered a security issue or suspected data breach involving LimeProspect, please report it to us straight away:
- Email: security@limeprospect.com
- Data Protection Contact: privacy@limeprospect.com
For more on our data protection commitments, see our Privacy Policy and GDPR Compliance pages.