Privacy Policy
How Xperion collects, uses, protects, and shares personal data, written in plain English.
Who this policy covers
This policy explains how Xperion (operating as Xperion AI) handles personal data when you visit xperion.ai, contact us, become a client, or interact with people on our team. It applies to website visitors, prospects, clients, client personnel we work with on engagements, candidates who apply for roles, and partners. If you act on behalf of an organisation, references to "you" cover both you and that organisation.
What data we collect
We try to collect as little as possible, only what we need to operate, secure, and improve the service.
Information you give us
- Account and contact information: name, work email, company, role, phone, mailing address when relevant.
- Engagement records: contracts, statements of work, briefs, deliverables, and the messages exchanged with our team during a project.
- Support communications: the contents of emails, tickets, and call recordings you send us, including any attachments.
- Recruiting data: CVs, portfolios, and assessments submitted by candidates.
- Billing data: invoicing details processed through our finance system. Card numbers are handled directly by our payment processor and never touch our servers.
Information we collect automatically
- Usage data: pages viewed, referrers, approximate location derived from IP, device type, browser, and timestamps. We use this to keep the site working and to spot abuse.
- Server logs: standard request logs retained for 30 days for security and debugging.
- Cookies: only strictly necessary cookies. See our Cookie Policy for the full list.
Information we receive from third parties
If you engage with us through a partner, a sales platform, or a referral, we may receive your contact details and the context of the introduction from that source. We treat this data under the same rules as data you give us directly.
How we use your data
- Deliver our services: scoping, contracting, project execution, billing, and ongoing support.
- Operate the website: serve pages, maintain sessions, and prevent abuse.
- Improve the product and service: aggregate analytics on what works and what does not, with no profiling of individuals.
- Security: detect, investigate, and respond to threats, fraud, and policy violations.
- Legal and compliance: meet tax, audit, and regulatory obligations, and enforce our agreements.
- Communications you opted into: respond to inquiries and send the occasional update you signed up for. You can unsubscribe from any non-essential message at any time.
We do not sell personal data. We do not share personal data with advertising networks. We do not use personal data to train third-party AI models.
Legal bases for processing (GDPR)
Where European data protection law applies, we rely on the following bases:
- Contract: to provide services you or your organisation contracted us for.
- Legitimate interests: to secure the site, prevent fraud, and improve our service, balanced against your rights.
- Legal obligation: where law requires us to keep or share certain records.
- Consent: where you explicitly opt in, for example to receive marketing email. You can withdraw consent at any time.
Data sharing and subprocessors
We share personal data only with vetted subprocessors that help us run the business, and only the minimum each needs to perform its function. Current categories include:
- Cloud infrastructure and hosting.
- Email, calendar, and document collaboration platforms.
- Customer relationship management and helpdesk tools.
- Payment processing and accounting.
- Code repositories and engineering tooling required to deliver work products.
The current subprocessor list is available on request from legal@xperion.ai. Subprocessors are bound by written contracts that include confidentiality, security, and onward-transfer restrictions consistent with this policy.
We may also disclose data when required by law, court order, or to protect our rights, our clients, or the safety of others. When permitted, we will notify you before doing so.
International transfers
Xperion operates across multiple jurisdictions. Personal data may be transferred to and processed in countries outside your home country, including the United States, the United Kingdom, the European Union, and Pakistan. Where the destination country is not deemed adequate by the relevant authority, we use Standard Contractual Clauses or equivalent safeguards. A copy of the relevant transfer mechanism is available on request.
Data retention
We keep personal data only as long as we need it for the purpose we collected it, then we delete or anonymise it. Typical retention windows:
- Prospect contact records: up to 24 months from last interaction, unless you ask us to delete sooner.
- Active client engagement records: for the life of the contract plus 7 years for tax and audit purposes.
- Server logs: 30 days, except where extended to investigate a security incident.
- Candidate records: 12 months from the close of a hiring process, unless you ask us to keep them on file longer.
Your rights
Depending on where you live, you may have some or all of the following rights:
- Access: ask for a copy of the personal data we hold about you.
- Correction: ask us to fix inaccurate or incomplete data.
- Deletion: ask us to delete data we no longer have a lawful basis to hold.
- Portability: ask for a structured copy of data you provided to us.
- Restriction or objection: ask us to stop or limit certain processing.
- Opt out of sale or sharing: under CCPA and similar US state laws. We do not sell or share personal data for cross-context behavioural advertising, so there is nothing to opt out of, but you can confirm this in writing.
- Complaint to a regulator: in the EU, the UK, or your local jurisdiction.
To exercise any of these rights, email legal@xperion.ai. We will respond within 30 days, or sooner if local law requires.
Security
We protect personal data with encryption at rest and in transit, role-based access controls, single sign-on with multi-factor authentication for our team, vendor reviews, and a documented incident response plan. Full details are on our Security & Compliance page. No system is perfectly secure, but we work hard to make ours close.
Children's privacy
Our services are not directed at children under 16, and we do not knowingly collect data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
Automated decision-making
We do not make decisions that produce legal or similarly significant effects about you using fully automated processing.
Changes to this policy
We will update this page when our practices change. Material changes will be flagged at the top of the page and, where appropriate, communicated by email to active clients. The "Last updated" date at the top always reflects the current version.
Contact us
Questions, requests, or complaints about this policy go to legal@xperion.ai. For general enquiries, write to info@xperion.ai.