Privacy Policy

Last updated: January 2026

1. Data Controller

Xcession Limited is the data controller for personal data collected through the EMPAI Readiness Assessment platform. We are committed to protecting your privacy and handling your data in accordance with UK GDPR and the Data Protection Act 2018.

Xcession Limited

Data Protection Contact: privacy@xcession.co.uk

2. Purposes of Processing

We process your personal data for the following purposes:

  • Account Management: To create and manage your account, authenticate your identity, and provide customer support
  • Assessment Services: To conduct AI readiness assessments, calculate maturity scores, and generate personalised reports
  • Service Improvement: To analyse usage patterns, improve our AI models, and enhance the overall service experience
  • Communications: To send service-related notifications and, with your consent, marketing communications about product updates
  • Legal Compliance: To comply with legal obligations and respond to lawful requests from authorities

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the assessment services you have requested
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services and ensuring security
  • Consent: Where you have given specific consent, such as for marketing communications or analytics cookies
  • Legal Obligation: Processing necessary to comply with applicable laws

4. Categories of Personal Data

We collect and process:

  • Account Information: Name, email address, password (encrypted), organisation name, job title, department
  • Organisation Profile: Company size, industry sector, ESM platform used
  • Assessment Data: Your responses to assessment questions and calculated maturity scores
  • Technical Data: IP address, browser type, device information, access times
  • Usage Data: Pages visited, features used, assessment progress

5. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:

  • Account Data: Retained while your account is active and for 2 years after account deletion
  • Assessment Data: Retained for 3 years from completion to allow historical comparison
  • Technical Logs: Retained for 12 months for security and debugging purposes
  • Consent Records: Retained for 6 years to demonstrate compliance

6. Your Rights

Under UK GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation of how we use your data
  • Right to Data Portability: Request transfer of your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests or direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at privacy@xcession.co.uk. We will respond to your request within one month.

7. Third-Party Sharing

We may share your personal data with:

  • Cloud Service Providers: For hosting and infrastructure (data centres within the UK/EEA)
  • AI Service Providers: For processing assessment data and generating reports (with appropriate data processing agreements)
  • Analytics Providers: With your consent, for website analytics
  • Legal Authorities: When required by law or to protect our rights

We do not sell your personal data to third parties.

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside the UK. Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the UK Information Commissioner's Office
  • Adequacy decisions by the UK government
  • Binding Corporate Rules where applicable

9. Cookies

We use the following types of cookies:

  • Essential Cookies: Required for the website to function (e.g., authentication, security)
  • Analytics Cookies: Help us understand how visitors interact with our website (optional, with your consent)
  • Marketing Cookies: Used to deliver relevant advertisements (optional, with your consent)

You can manage your cookie preferences at any time through the Cookie Preferences link in the footer.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Secure password hashing using industry-standard algorithms
  • Regular security assessments and penetration testing
  • Access controls and authentication requirements
  • Employee training on data protection

11. Supervisory Authority

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Website: www.ico.org.uk

Helpline: 0303 123 1113

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Xcession Limited

Email: privacy@xcession.co.uk