Effective Date: 20 August 2025
Applicable To: All clients, partners, licensees, and white-label operators under the Xdemór Infrastructure
1. Our Commitment to Data Protection
At The Xdemór Group, we treat your data with the same level of integrity and protection as our own. Whether we’re generating strategic insights, powering client dashboards, operating chatbots, or providing services under white‑label frameworks, all data is handled in accordance with the UK GDPR, the Data Protection Act 2018, and applicable international safeguards.
We act as an independent Data Controller for aggregated, anonymised, or pseudonymised insights generated within our infrastructure, and as a Data Processor for identifiable client data processed for service delivery, in line with our Data Processing Agreement (DPA). Our practices are aligned with those of global platforms such as Google, Meta, TikTok, and Shopify.
2. What Data We Use – And Why
We use only the data necessary to deliver actionable insights, improve service performance, support your business strategy, and develop or optimise algorithms, including AI models. This includes:
- Aggregated product, sales, and revenue data
- UTM parameters and traffic attribution
- Behavioural analytics (clicks, scrolls, sessions, bounce)
- Chatbot interaction logs (messages, timestamps, response metadata) for support delivery, service optimisation, and AI training (anonymised or pseudonymised where applicable)
- Conversion funnels and landing page diagnostics
- IP and device information for geo‑segmentation
- Platform-specific identifiers (e.g., GA4, TikTok Pixel)
No sensitive personal data (special category data under GDPR) is processed unless explicitly authorised and separately documented.
3. How We Protect It
We implement a multi-layered data security protocol that includes:
- Role-based access controls and user-level isolation
- End-to-end encryption (TLS/SSL)
- Enforced pseudonymisation and aggregation for AI and analytics
- Limited data retention and lifecycle policies (see section 5)
- Daily off-site backups and internal audit logging
- ISO 27001-aligned subprocessors and secured APIs
- Consent enforcement for identifiable submissions
Our systems and subprocessors are selected and audited based on compliance with Standard Contractual Clauses (SCCs), UK Addendum, and regional data protection rules.
See full list: Subprocessors & International Transfers
4. Who Can Access It
- Your team (via secure portals, dashboards, or chatbot interfaces)
- Xdemór staff strictly on a need‑to‑know basis
- Licensed brands or partners (only under contractual alignment)
- Agencies, freelancers, and partners are required to notify and obtain consent from their own clients, employers, or downstream data subjects before using our services, and bear full responsibility for failure to do so
- Verified subprocessors (e.g., hosting, analytics, CRM), as published in our DPA
We do not sell your data. We do not profile individuals. We do not allow external use of your reports without your explicit permission.
5. Retention & Disposal
- Operational data: retained up to 26 months
- Account records: up to 6 years (for tax/regulatory compliance)
- Report exports: deleted automatically within 30 days unless agreed otherwise
- Data uploaded for testing, automation, or AI (including chatbot logs): retained up to 180 days in its original identifiable form unless otherwise agreed in writing; anonymised or aggregated derivatives may be retained indefinitely
- Data used for benchmarking is anonymised and stripped of any identifiers
Upon request or contract termination, we will delete or return all client data, except where we are legally required to retain it.
6. Legal References
This safeguarding framework is enforced by the following official policies:
- Client Data Usage Policy
- Data Insights & Reporting Policy
- Data Processing Agreement (DPA)
- Privacy Policy
For audit rights, breach notifications, or subject access requests, please contact:
dpo@xdemor.com | privacy@xdemor.com