Select Page
View Categories

Client Data Usage Policy

4 min read

Effective Date: 20 August 2025

Data Usage & Insights Disclosure #

Xdemór Infrastructure provides data-driven insight and reporting services based on platform-compliant practices and applicable data protection regulations, including the UK GDPR and the Data Protection Act 2018. These services are available under Xdemór’s own brands, through licensed brands operating within the Xdemór Infrastructure, and via third-party businesses using Xdemór’s brands under a white-label framework.

The processing and analysis of data are conducted for the legitimate purpose of delivering performance reports, operational diagnostics, strategic guidance, and the improvement of our systems and services. Xdemór acts as the Data Controller for the insights generated through its systems, applying aggregation, pseudonymisation, and platform-grade safeguards.

This includes, but is not limited to:

  • Aggregated product, sales, and order data

  • Campaign attribution and behavioural patterns

  • Funnel breakdowns and conversion diagnostics

  • Cross-platform traffic performance (e.g. GA4, Meta, TikTok)

  • Session analytics, heatmaps, and user flow mapping

  • UTM, device, and location-based segmentation

  • Anonymised benchmarking and market trend extraction

  • Chatbot interaction logs (messages, timestamps, response metadata) when engaging with automated assistants within the Xdemór Infrastructure, including information used for analytics, service improvement, and AI training where anonymised or pseudonymised.

All processing is governed by the Client Data Usage Policy and Data Insights & Reporting Policy. Data is never sold and is only accessed under documented and legitimate operational purposes.

1. Scope #

This policy applies to all services, dashboards, platforms, and environments operated or maintained by The Xdemór Group Limited (“Xdemór”), where client business data is accessed, processed, or visualised for analytics, marketing, development, or reporting purposes.

2. Nature of Data Processed #

Xdemór processes the following client-authorised data:

  • Aggregated sales and product performance

  • Behavioural data (e.g. traffic, conversions, clickstreams)

  • Marketing data (e.g. UTM, campaigns, source attribution)

  • Email and account identifiers

  • IP, geolocation, and device-level data

  • Platform identifiers (e.g. GA4, Meta, TikTok, Shopify)

3. Data Controller Role #

Xdemór Group acts as an independent Data Controller for aggregated, anonymised, or pseudonymised insights generated through its systems, determining the purposes and lawful basis for such processing, similar to platforms such as Meta, Google, TikTok, LinkedIn, Youtube, Ahrefs, Semrush, Shopify, WordPress and others. For identifiable client data processed for service delivery, Xdemór acts as a Data Processor in accordance with the relevant Data Processing Agreement.

4. Usage of Data #

Client data is used for:

  • Providing account-level reports and dashboards

  • Performance tracking and decision-making

  • Generating anonymous benchmarks and trend analysis

  • Internal service optimisation (excluding profiling or resale)

  • Processing anonymised or pseudonymised data to develop, train, test, and optimise algorithms, including artificial intelligence (AI) models, for the legitimate purpose of improving the accuracy, efficiency, and quality of our services

  • Processing user interactions with automated chatbots and virtual assistants for the purposes of delivering requested information, providing customer support, and improving the accuracy, efficiency, and quality of chatbot responses through anonymised or pseudonymised data analysis.
  • This includes the processing of chatbot interactions for the purposes of providing support, improving response accuracy, analysing service demand, and training AI models using anonymised or pseudonymised data.

Such AI-related processing is conducted under the principles of data minimisation, purpose limitation, and proportionality, and excludes any activity that would identify individual data subjects without additional information kept separately and securely.

Where third-party processors (e.g. AI API providers) are engaged for AI-related processing, they are bound by contractual obligations and data protection agreements, ensuring compliance with the UK Data Protection Act 2018, the UK GDPR, and other applicable laws.

No data is sold. All uses follow the principles of purpose limitation and proportionality under GDPR.

5. Data Retention for AI-Related Processing #

Data uploaded for testing, automation, or AI may be retained for up to 180 days in its original identifiable form, unless otherwise agreed in writing, for the legitimate purpose of developing, testing, and validating automated systems and AI models. Anonymised or aggregated derivatives may be retained indefinitely, provided they contain no personal data as defined under applicable data protection laws.

Chatbot interaction logs are retained for up to 180 days in their original identifiable form, unless otherwise agreed, after which they are anonymised or deleted. Anonymised interaction data may be retained indefinitely for service improvement and AI model training.

6. Third-Party Access & Transfers #

Xdemór uses subprocessors listed at: Subprocessors International Transfer ↗

All subprocessors are bound by Standard Contractual Clauses (SCCs), DPA terms, or adequacy mechanisms as applicable.

Major update effective 20 August 2025: Added explicit AI processing purpose, extended retention period for testing/automation/AI data from 30 to 180 days, and clarified handling of anonymised derivatives.