Effective Date: 20 August 2025
This notice outlines the subprocessors engaged by The Xdemor Group Limited, Company No. 14456444, with its registered office at 86-90 Paul St., London, EC2A 4NE, United Kingdom (“Xdemor”, “We”, “Us”), and describes how and where personal data may be transferred and processed outside of the United Kingdom and the European Economic Area (EEA).
1. What is a Subprocessor? #
A subprocessor is a third-party service provider contracted by Xdemor to process personal data on our behalf. These subprocessors support the delivery of our digital infrastructure, client platforms, analytics systems, chatbot services, and hosting environments.
Each subprocessor is contractually bound by a Data Processing Agreement (DPA) and must implement appropriate technical and organisational security measures in accordance with Article 28 GDPR and the UK Data Protection Act 2018.
2. Data Transfer Mechanisms #
Where data is transferred outside the UK or EEA, we ensure adequate protection using one or more of the following mechanisms:
-
Standard Contractual Clauses (SCCs) approved by the European Commission
-
UK Addendum to SCCs or International Data Transfer Agreements (IDTAs)
-
Binding Corporate Rules (where applicable)
-
Adequacy Decisions by the UK Government or European Commission
3. List of Subprocessors #
A. Standard Infrastructure Subprocessors #
| Subprocessor | Purpose / Service Area | Country of Processing | Safeguards |
|---|---|---|---|
| Meta Platforms, Inc. | Advertising, analytics, pixel tracking (US users) | United States | SCCs, EU–US DPF, UK Addendum |
| Meta Platforms Ireland Limited | Advertising, analytics, pixel tracking (EU/EEA users) | Ireland | GDPR compliance |
| Google Ireland Limited | Advertising, analytics, Tag Manager, tracking, reCAPTCHA (EU users) | Ireland | GDPR compliance |
| Google LLC | Email routing, analytics, Tag Manager, tracking, reCAPTCHA | United States / EU | SCCs, EU–US DPF*, UK Addendum |
| Microsoft Corporation | Email routing, identity authentication, telemetry, analytics, tracking | EU / United States | SCCs + DPA |
| SER Acquisition Inc. | Tracking, analytics, statistics, reporting | EU / United States / India | SCCs + Regional Isolation |
| InterServer LLC | Cloud hosting, infrastructure backend | United States | SCCs + UK Addendum |
| The Constant Company, LLC | Cloud hosting infrastructure, email hosting | United States | SCCs + UK Addendum |
| Nominet UK / Hostinger UK | Domain registry, DNS, email services | United Kingdom | UK GDPR compliance |
| QUIC.cloud Inc. | DNS, performance optimisation, security (WAF, CDN) | Global (EU preference) | SCCs + ISO 27001 certification |
| Tawk.to Inc. | Live chat platform and widget integrations | United States | SCCs + Anonymisation Options |
| Poptin Ltd. | Live chat platform and widget integrations | Israel | SCCs + Anonymisation Options |
B. AI & Automation Subprocessors #
| Subprocessor | Purpose / Service Area | Country of Processing | Safeguards |
|---|---|---|---|
| OpenAI, L.L.C. | AI model processing, NLP, chatbot automation | United States | SCCs + UK Addendum |
| Google Cloud AI / Vertex AI | AI model training, automation, analytics | United States / EU | SCCs, EU–US DPF*, UK Addendum |
| Microsoft Azure AI Services | AI model training, automation, analytics | EU / United States | SCCs + DPA |
| Celonis, Inc. | Workflow automation, process mining, task orchestration | United States / Germany | SCCs + Regional Safeguards |
C. Payment Processing Subprocessors #
| Subprocessor | Purpose / Service Area | Country of Processing | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing, fraud prevention (US) | United States | SCCs + UK Addendum |
| Stripe Payments Europe, Ltd. | Payment processing (EU) | Ireland | GDPR compliance |
| Wise Payments Limited | Payment processing, international transfers (UK) | United Kingdom | UK GDPR compliance |
| Wise Europe SA | Payment processing, international transfers (EU) | Belgium | GDPR compliance |
*Google LLC and Meta Platforms, Inc. are certified under the EU–US Data Privacy Framework (DPF).
4. Onward Transfers by Our Clients or Partners #
If you access Xdemor’s Infrastructure through a third-party agency, integrator, or service provider, they may further transfer or process your data outside the UK or EEA. In such cases:
-
They are the primary Data Controller
-
Xdemor acts only as their Data Processor or Subprocessor
-
You should consult their privacy and transfer policies
5. Data Categories Affected by Transfers #
Depending on your use of our services, the following categories of personal data may be processed by subprocessors:
-
User account and contact information (e.g. name, email)
-
Session data and activity logs
-
Chatbot interaction logs (messages, timestamps, metadata)
-
Support tickets and chat communications
-
Analytics metadata (browser, IP, UTM, device)
-
Uploaded documents or form entries
-
Consent preferences and cookie settings
6. Your Rights and Controls #
You have the right to:
-
Request details about data transfers affecting your information
-
Object to transfers in certain circumstances
-
Request a copy of relevant transfer safeguards (e.g. SCCs)
To make a request, contact us at: privacy@xdemor.com or submit via the Online Data Request Form.
7. Changes to Subprocessor Engagements #
We maintain an up-to-date list of all active subprocessors. You can request to be notified in advance of material changes to this list if you are a registered client.
Clients under DPA agreements will be notified of any onboarding of new subprocessors with 15 days’ prior notice.
8. Contact Us #
If you have questions, concerns, or wish to exercise any of your rights under applicable data protection laws, you may contact us as follows:
The Xdemor Group Limited
Compliance & Legal
86-90 Paul St., London, EC2A 4NE, United Kingdom
Email: enquiries@xdemor.com
Data Protection Officer
Email: dpo@xdemor.com
You may also reach out via the following dedicated addresses:
- privacy@xdemor.com – for inquiries related to your personal information, including access, correction, deletion, or objection under GDPR or UK Data Protection Act 2018
- legal@xdemor.com – for formal legal correspondence, such as contractual matters, claims, or regulatory notices
To submit a data subject request (DSAR):
- Submit Online Data Request Form ↗
- Include your full name, contact details, and a clear description of the request. For verification purposes, we may request additional identification.
Postal Mail:
Data Protection Officer
The Xdemor Group Limited
86-90 Paul St., London, EC2A 4NE, United Kingdom
You may also file a complaint with the relevant data protection authority:
- UK Information Commissioner’s Office (ICO)
- If you are resident in the EEA, you may contact your local data protection authority.
9. Changes to This Policy #
We may update this Cookie Policy periodically. If significant changes are made, we will notify you via email or prominent notice. You are responsible for reviewing the latest version.