XDEVConnect ltd. CUSTOMER PRIVACY NOTICE

This privacy notice tells you what to expect us to do with your personal information.

· Contact details

· What information we collect, use, and why

· Lawful bases and data protection rights

· Where we get personal information from

· How long we keep information

· Who we share information with

· Sharing information outside the UK

· How to complain

Contact details:

Email vinny@xdevconnect.com

XDevConnect Ltd (Company No: SC828831)
Registered in Scotland

ICO Registration reference: ZB951388

What information we collect, use, and why:

We collect or use the following information to provide and improve products and services for clients:

· Names and contact details

· Transaction data (including details about payments to and from you and details of products and services you have purchased)

· Usage data (including information about how you interact with and use our website, products and services)

· Information relating to compliments or complaints

· Records of meetings and decisions

We collect or use the following personal information for information updates or marketing purposes:

· Names and contact details

· Marketing preferences

· Website and app user journey information

We collect or use the following personal information to comply with legal requirements:

· Name

· Contact information

· Any other personal information required to comply with legal obligations

We collect or use the following personal information for recruitment purposes:

· Contact details (eg name, address, telephone number or personal email address)

· Date of birth

· National Insurance number

· Copies of passports or other photo ID

· Employment history (eg job application, employment references or secondary employment)

· Education history (eg qualifications)

· Right to work information

We collect or use the following personal information for dealing with queries, complaints or claims:

· Names and contact details

· Purchase or service history

· Customer or client accounts and records

· Financial transaction information

· Correspondence

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

· Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.

· Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.

· Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.

· Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.

· Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.

· Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.

· Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to provide and improve products and services for clients are:

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

· XDevConnect Ltd processes limited personal information under the lawful basis of legitimate interests in order to respond to enquiries, assess potential client needs, deliver professional consultancy services, and improve the quality and relevance of our services. The information processed typically includes names, contact details, business role information, and correspondence related to service delivery. This processing is necessary to evaluate whether our services are appropriate, to communicate effectively with clients, and to maintain accurate records of engagements. The legitimate interests pursued include enabling effective professional communication, delivering high-quality consultancy services, maintaining service standards, and improving our offerings based on client feedback and engagement outcomes. We consider this processing to be proportionate and low risk because: The data collected is limited to what is necessary for professional business engagement. The information relates primarily to individuals acting in a professional capacity. No special category data is intentionally collected. Individuals reasonably expect this processing when contacting a consultancy or entering into a professional relationship. Appropriate technical and organisational safeguards are in place to protect personal data. We balance our interests against the rights and freedoms of individuals and ensure that our processing does not override their interests. Individuals may object to processing where legitimate interests apply, and we will consider such objections in line with data protection law.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for information updates or marketing purposes are:

· Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

· XDevConnect Ltd processes limited personal information under the lawful basis of legitimate interests in order to provide relevant information about our services, respond to enquiries, and maintain professional communication with individuals and organisations who have expressed interest in our consultancy. This typically includes names, contact details, professional role information, and records of prior engagement or enquiry. The purpose of this processing is to share information that is relevant to an individual’s professional interests, including service updates, insights, or follow-up communications related to governance and external development advisory services. We consider this processing to be reasonable and proportionate because: The information relates primarily to individuals acting in a professional capacity. Communications are relevant to prior interactions or expressed interests. Individuals can opt out of marketing communications at any time. We limit communications to what is appropriate and do not engage in excessive or intrusive marketing practices. We balance our legitimate interests against the rights and freedoms of individuals and ensure that our processing does not override those rights. Individuals have the right to object to processing carried out under legitimate interests, and we will respect such requests in accordance with data protection law.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information to comply with legal requirements:

Our lawful bases for collecting or using personal information for recruitment purposes are:

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· XDevConnect Ltd processes personal information relating to job applicants under the lawful basis of legitimate interests in order to assess suitability for employment or engagement opportunities and to manage our recruitment processes effectively and fairly. This processing typically includes reviewing contact details, employment history, qualifications, references, and other information provided as part of an application. We may also process information necessary to verify a candidate’s right to work in the UK and to comply with applicable employment and regulatory obligations where relevant. Our legitimate interests include identifying suitably qualified individuals, maintaining service quality standards, ensuring appropriate skill alignment with our consultancy work, and protecting the integrity and security of our organisation and clients. We consider this processing to be proportionate and low risk because: Information is collected directly from applicants or their referees with their knowledge. The data collected is limited to what is necessary to evaluate suitability for a role. Processing relates to individuals in a professional context. Appropriate technical and organisational measures are in place to safeguard personal information. We carefully balance our recruitment interests against the rights and freedoms of applicants and ensure that personal data is not retained longer than necessary. Applicants may contact us to exercise their data protection rights, including the right to object where applicable.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· XDevConnect Ltd processes personal information under the lawful basis of legitimate interests in order to respond to enquiries, investigate complaints, resolve disputes, and manage potential claims in a fair and effective manner. This processing typically includes names, contact details, correspondence, service history, and relevant transaction information. In some cases, we may also refer to records of prior engagements or communications in order to understand the context of an issue and ensure a balanced and accurate response. Our legitimate interests include maintaining service standards, protecting the integrity of our consultancy engagements, addressing concerns raised by clients or other parties, and ensuring that contractual and professional obligations are properly managed. We consider this processing to be necessary and proportionate because: Individuals reasonably expect us to review and respond to their queries or complaints. The information processed is limited to what is relevant to the matter being addressed. Processing supports fair resolution and accountability. Appropriate technical and organisational safeguards are in place to protect personal data. Where applicable, processing may also be necessary to fulfil contractual obligations or comply with legal requirements, including record-keeping and dispute resolution obligations. We carefully balance our interests against the rights and freedoms of individuals and ensure that our handling of personal information does not override those rights. Individuals may exercise their data protection rights, including the right to object where legitimate interests apply.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Where we get personal information from:

· Directly from you

· Publicly available sources

· Suppliers and service providers

How long we keep information:

XDevConnect Ltd retains personal information only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

· Client contracts, engagement records and financial records: up to 6 years after the end of the engagement.

· Enquiries that do not result in engagement: up to 12 months.

· Marketing data: until consent is withdrawn or no longer relevant.

· Recruitment data (unsuccessful applicants): up to 12 months.

· Complaint or dispute records: up to 6 years where relevant to contractual or legal obligations.

We periodically review stored data and securely delete or anonymise information when no longer required.

For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided above.

Who we share information with:

Data processors

Website hosting and content management providers (SaaS website platform, UK\/US based)

This data processor does the following activities for us: We use a cloud-based website hosting and content management platform to operate our website and manage online contact forms. This provider processes personal information on our behalf in order to store website data, deliver web pages to visitors, and securely transmit information submitted through enquiry forms. The personal information processed may include names, contact details, and other information voluntarily submitted through our website. The provider acts as a data processor under our instructions and is contractually required to implement appropriate technical and organisational measures to protect personal information. Where processing involves data transfers outside the UK, appropriate safeguards are applied in accordance with UK data protection law.

Cloud storage and business productivity providers (secure cloud software providers, UK\/US based)

This data processor does the following activities for us: We use secure cloud-based storage and business productivity software to manage professional communications, maintain client records, store engagement documentation, and support day-to-day operational activities. These providers process personal information on our behalf in order to securely store emails, documents, and other business records that may contain names, contact details, and engagement-related information. The providers act strictly under our instructions as data processors and are contractually required to implement appropriate technical and organisational safeguards to protect personal information from unauthorised access, loss, or misuse. Where applicable, appropriate safeguards are in place for any international data transfers in accordance with UK data protection law.

We only permit our data processors to process personal information for specified purposes and in accordance with our written instructions.

Others we share personal information with:

· Professional or legal advisors

· Organisations we’re legally obliged to share personal information with

· Professional consultants

Sharing information outside the UK:

Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Cloud-based website hosting and infrastructure providers

Category of recipient: Data processor

Country the personal information is sent to: United States and other countries where servers are located