Analytics Governance & Data Lifecycle

(Enterprise Master Policy – Tier 1)

Effective Date: 01 December 2025
Applicable Law: UK GDPR, Data Protection Act 2018, PECR 2003
Applies to: B2B, B2C, B2B2C, SaaS users, White-label partners, Free & Paid Services
Version: 1.0 (Master Governance Layer)

1. Purpose and Governance Role #

1.1 Purpose #

This Policy defines the Tier-1 governance framework for:

• analytics asset governance and lifecycle control

• tracking and behavioural analytics governance

• reporting, insights generation, and data exportability

• AI and automated processing governance

• termination, offboarding, and decommissioning rules

It is designed to protect:

• clients and end-users (lawful processing, transparency, minimisation)

• Xdemór Infrastructure (ownership, security, continuity, auditability)

• service delivery quality (repeatable rules across brands and partners)

1.2 Governance Hierarchy and Cross-References #

This Policy is a Tier-1 master policy and must be read together with:

• Data Insights & Reporting Policy (Tier 2): https://policies.zone/docs/data-insights-reporting/

• PPC Management Terms of Service: https://policies.zone/docs/ppc-management/

• SEO Management Terms of Service: https://policies.zone/docs/seo-management/

• Website Development Policy: https://policies.zone/docs/website-development/

• Service Execution Policy: https://policies.zone/docs/service-execution/

• Service Level Agreement (SLA): https://policies.zone/docs/service-level-agreement/

• Privacy Policy: https://policies.zone/docs/privacy-policy/

• Cookie Policy and PECR compliance references (where tracking technologies are used): ICO cookies guidance ICO – Cookies

Conflict rule (priority):

1. Access mechanics, credential handling, delegated administration: governed by the Access/Credentials policy (separate Tier-1 operational policy).

2. Ownership, retention, lifecycle, offboarding rules: governed by this Policy.

3. Execution methods, deliverables, SLA: governed by service-specific policies.

Governance basis: UK GDPR accountability and storage limitation principles. ICO – Storage Limitation

2. Definitions #

Analytics Property: Any account, container, profile, property, workspace, pixel, tag container, dataset, dashboard, report, or integration within analytics, advertising, tracking, attribution, monitoring, BI, or data platforms (third-party or Xdemór-controlled).

Xdemór Infrastructure: The collective technical environment, platforms, accounts, tools, licences, configurations, dashboards, and resources owned, licensed, or operated by Xdemór (including via brands, partners, or white-label frameworks).

Xdemór-Created Property: A property created inside Xdemór’s master accounts, licences, workspaces, tenant environments, or other Xdemór-controlled infrastructure.

Client-Owned Property: A property created and owned by the Client (or their organisation), to which Xdemór is granted delegated access for service delivery.

Service Account: A dedicated access identity used for service delivery and auditability (e.g., customer@services.support), including role-based permissions.

Data Export: Client-accessible extracts in portable formats (CSV, JSON, PDF, native container exports, or other commonly used formats).

Service Period: The period during which any service is active, including free monitoring, trials, subscriptions, ongoing support, reporting, or any dependency where assets are integrated with or routed through Xdemór Infrastructure.

3. Roles and Legal Capacity #

3.1 Xdemór Processing Roles (Context-dependent) #

Xdemór may act as one or more of the following, depending on the service and dataset:

1. Processor (Art. 28 UK GDPR)
   When processing identifiable client personal data strictly on documented instructions for service delivery.

2. Controller (Art. 4(7) UK GDPR)
   When Xdemór determines the purposes and means of processing for its own systems, compliance, security, audit trails, and operational telemetry.

3. Independent Controller for aggregated/anonymised insight outputs
   Where insight outputs are generated through aggregation/anonymisation and no longer constitute personal data.

Lawful basis must be selected per processing activity (contract, legitimate interest, legal obligation, consent where required for device access technologies). ICO – Data Protection Principles   

3.2 Client Roles #

The Client is typically:

• Controller of their own user/customer data and their own platform properties

• Authorising party for delegated access

• Data recipient for exports and delivered reports

4. Analytics Asset Ownership Model #

4.1 Core Principle #

Xdemór Infrastructure is a managed infrastructure service.
Where Xdemór creates or hosts properties inside Xdemór accounts/workspaces, those properties remain part of Xdemór Infrastructure.

Clients receive, subject to plan/service scope:

• access to dashboards, reports, and insights

• exportability of their underlying data where feasible

• copies of agreed deliverables (reports, configurations, summaries) upon request

Clients do not receive, unless explicitly agreed in writing:

• ownership transfer of Xdemór-Created Properties

• rights to proprietary setups, templates, internal frameworks, or licensed tools

• perpetual access outside the Service Period

4.2 Ownership Matrix (Operational Rule) #

Scenario A: Xdemór Created Property
Owner: Xdemór Group
Client gets: role-based access + exports + deliverables
Termination: access may be revoked; export may be provided on request (subject to retention schedule and payment status)

Scenario B: Client-Owned Property with delegated access
Owner: Client
Xdemór gets: delegated access for service delivery
Termination: Xdemór removes/revokes its access identity and stops processing (subject to retention rules)

4.3 Platform and Data Transfer Reality #

Some platforms support partial administrative reassignment; others do not provide clean “ownership transfer” for certain assets or configurations. Therefore:

• Xdemór does not guarantee that any third-party platform will support a full ownership transfer of assets created under Xdemór accounts.

• Upon termination, the default remedy is data exports, configuration exports, and report copies, not “account transfer”.

Data portability applies to data, not infrastructure. ICO – Data Protection Principles 

5. Covered Platforms and Future Tools #

This Policy applies to current and future tools used for:

• analytics, tracking, attribution, BI

• ad platform reporting and campaign telemetry

• SEO intelligence tools

• website performance and monitoring

• heatmaps/session analytics

• dashboards and client reporting portals

The platform list is non-exhaustive and may include (examples):
GA4, GTM, Search Console, Looker Studio, Google Ads, Meta Ads, Facebook Ads, Instagram Ads, TikTok Ads, Microsoft Ads, Microsoft Clarity, Hotjar, Shopify analytics, WordPress telemetry, and third-party SEO/crawl tools such as: Screaming Frog, Semrush, Ahrefs, SE Ranking, Moz, SEO Power Suite  but not limited.

6. Lawful Basis, Consent, and Legitimate Interests Controls #

6.1 Contract (Art. 6(1)(b)) #

Used when processing is necessary to deliver a requested service (e.g., reporting, optimisation, troubleshooting, configured dashboards).

6.2 Legitimate Interests (Art. 6(1)(f)) #

Used for:

• infrastructure security and audit logs

• operational monitoring and service reliability

• aggregated trend analysis and service improvement

Operational requirement: Where Xdemór relies on legitimate interests, Xdemór maintains a documented Legitimate Interests Assessment (LIA) covering necessity, balance, and safeguards. ICO – Legitimate Interests 

6.3 PECR and cookie/device access consent #

Where technologies store/access information on a user device (cookies, pixels, SDKs, similar technologies), consent rules under PECR may apply unless an exception is valid. ICO – Cookies and Similar Technologies 
Clients remain responsible for user-facing consent collection on their websites/apps, unless the contract explicitly assigns that implementation to Xdemór.

7. Access Authorisation and Service Period Control #

7.1 Access mechanics #

Credential intake, temporary credential exchange tools, service accounts, and “no retention of client passwords” procedures are governed by the Access/Credentials policy (separate).

7.2 Service Period #

Processing and access rights under this Policy apply during the Service Period, including:

• paid services

• subscriptions

• free/trial monitoring and dashboards

• passive dependencies where assets route through Xdemór Infrastructure

7.3 Continuation and termination trigger #

Default: access and processing continue until:

1. client terminates service via https://policies.zone/submit-request/ and/or contractual channel, and

2. delegated access is revoked or removed (where Client-Owned Properties are used)

8. Data Subject Rights and Portability #

Requests are handled via https://policies.zone/submit-request/ and the DPO channel, in line with statutory timelines.

Portability scope: portable copies of relevant personal data and exports where feasible.
Not included: transfer of Xdemór infrastructure, licences, proprietary tooling, or internal methodologies.

9. Retention and Storage Limitation #

9.1 Storage limitation principle #

Xdemór retains personal data no longer than necessary for the purposes and applies safeguards for longer retention where justified.  ICO – Storage Limitation

9.2 Xdemór-  controlled retention (baseline) #

• Active service data: for the Service Period (contract)

• Post-termination transition backups: up to 6 months (legitimate interest, orderly transition)

• Billing/tax records: 6 years (UK statutory practice baseline; subject to applicable finance/legal obligations)

• Incident/support logs: up to 3 years (quality, dispute defence, security)

• Aggregated/anonymised analytics: may be retained longer where it is no longer personal data

9.3 Platform-determined retention #

Third-party platforms may impose their own retention and deletion constraints outside Xdemór control.

10. Offboarding and Decommissioning #

10.1 Offboarding steps (default) #

1. termination request received (submit-request form)

2. acknowledgment issued

3. export requests confirmed (if any)

4. access revocation/removal executed (per asset type)

5. deletion request processed (if submitted and applicable)

6. final confirmation issued

10.2 Completion rule #

Termination is operationally complete when:

• access has been revoked/removed as applicable, and

• requested exports have been delivered (if requested), and

• deletion has been processed (if requested and not legally exempt), and

• outstanding invoices are settled (where relevant to deliverables/export scope)

11. Behavioural Analytics and Session Recording Governance #

11.1 Scope #

Heatmaps, session recordings, click/scroll tracking, funnel diagnostics, user flow mapping.

11.2 Controls #

• masking of inputs/PII enabled by default where the platform provides it

• minimisation by design (collect what you need, not what you can) ICO – Data Minimisation

• retention aligned with platform caps and Xdemór retention policy

11.3 Client obligations (where Client is Controller) #

Clients must provide valid user notices and cookie/device consent mechanisms where required under PECR and UK GDPR transparency. ICO – Cookies and Similar Technologies  

12. AI Processing and Automation Governance #

12.1 Scope #

AI-enabled workflows used for:

• summarisation, reporting, insight generation

• anomaly detection and operational diagnostics

• chatbot and automated support interactions

12.2 Safeguards #

• data minimisation and purpose limitation

• anonymisation/pseudonymisation where feasible

• retention controls aligned with the Client Data Usage Policy and Privacy Policy

12.3 Objection/opt-out #

Clients may object to certain AI processing under Art. 21, via dpo@xdemor.com or submit-request, subject to service feature limitations. ICO – Legitimate Interests

13. Liability and Accountability #

13.1 Xdemór exclusions (standard) #

Xdemór is not liable for:

• the client’s failure to revoke access on Client-Owned Properties

• third-party platform limitations, retention rules, outages, or policy changes

• client non-compliance with PECR cookie/device consent requirements

• client-side configuration errors

13.2 Client accountability #

Client remains responsible for: #

• lawful basis and transparency towards their end-users as Controller

• consent implementation where required

• timely revocation of access and submission of termination/deletion requests

14. Updates and Version Control #

Latest version is published at https://policies.zone/
Material changes may be communicated via notice/email. Continued use after updates indicates acceptance.

15. Contact #

DPO: dpo@xdemor.com
Customer Services: customer@services.support
Privacy: privacy@xdemor.com
Legal: legal@xdemor.com
Requests/DSAR: https://policies.zone/submit-request/
Supervisory Authority: ICO https://ico.org.uk/

Appendix A: Ownership Decision Matrix – Plain Rule #

• If created inside Xdemór accounts/workspaces: Xdemór owns, client receives access + exports/deliverables.

• If client owns and grants delegated access: client owns, Xdemór operates during Service Period, then removes access.

Appendix B: Retention Summary – Baseline #

Storage limitation must be purpose-linked and justified; keep no longer than necessary. ICO – Storage Limitation

• active service: service period

• post-termination transition: up to 6 months

• billing/tax: 6 years (baseline)

• incident/support logs: up to 3 years

• anonymised/aggregated: longer where not personal data

Appendix C: Offboarding Checklist – Operational #

• termination request received

• acknowledgment sent

• export scope confirmed

• exports delivered (if requested)

• access revoked/removed

• deletion processed (if requested and not exempt)

• final confirmation sent

• internal systems updated