Xertilox HR

Privacy Policy

Last updated: April 2026

This Privacy Policy applies to the Xertilox HR platform, associated mobile applications, integrated wallet functionality, and related services. It explains how personal data is collected, used, and protected in accordance with applicable data protection law.

1. Introduction

Xertilox Ltd (“Xertilox”, “we”, “us” or “our”) provides the Xertilox HR platform and associated services for workforce management, onboarding, compliance, and verification.

This Privacy Policy explains how personal data is processed in connection with Xertilox HR, associated mobile applications, integrated wallet functionality, and related support services.

For most personal data processed through the Platform, Xertilox acts as a Data Processor on behalf of its customer, which is the Data Controller. The Controller determines the purposes of processing and remains responsible for providing privacy information to its workforce and other end users.

In limited circumstances, Xertilox may act as a Data Controller for its own business purposes, for example where we process contact details for customer account management, service communications, security, billing, legal compliance, and support.

2. Scope

This Policy applies to personal data processed through:

  • the Xertilox HR web platform;
  • the Xertilox HR iOS and Android mobile applications;
  • integrated identity wallet and verification features;
  • customer support, account administration, and related service operations; and
  • APIs and technical services used to deliver the Platform.

This Policy does not apply to third-party websites, products, or services that are not operated by Xertilox, even where they are linked to or integrated with the Platform.

3. Personal Data We Process

We process only the personal data required to provide the Platform and only in accordance with the Data Controller's documented instructions, unless otherwise required by law.

Personal data processed through the Platform may include:

  • Identity and profile data, such as full name, date of birth, work contact details, employee number, user ID, organisation details, and job role.
  • Employment data, such as start date, employment status, contract type, working pattern, tenure, notice period, absence records, and holiday information.
  • Compliance and verification data, such as Right to Work results, passport details, driving licence information, driving endorsement data, training records, competency records, and other credentials uploaded or verified through the service.
  • Task and workflow data, such as onboarding tasks, HR actions, compliance tasks, approvals, reminders, and completion history.
  • Technical and usage data, such as IP address, device identifiers, operating system, browser type, authentication events, audit logs, session information, and activity logs.
  • Support and communications data, such as business contact details and records of correspondence with administrators or customer representatives.

Where enabled by the Controller, special category data or biometric-related outputs may be processed strictly for verification or compliance purposes and subject to appropriate legal basis and safeguards.

4. Sources of Personal Data

Depending on the service configuration, personal data may be obtained from:

  • the Data Controller and its authorised administrators;
  • employees, workers, contractors, or applicants using the Platform;
  • official or trusted data sources used for verification purposes;
  • integrated third-party systems selected by the Controller; and
  • technical logs generated through use of the Platform.

5. Purposes of Processing

As Processor, Xertilox processes personal data only to deliver the Platform and related services, including to:

  • create and manage user accounts;
  • support onboarding, HR administration, and workforce record management;
  • carry out compliance and verification checks configured by the Controller;
  • maintain audit trails, reporting, and workflow history;
  • monitor service performance, availability, and security;
  • prevent misuse, fraud, unauthorised access, and other security incidents; and
  • provide customer support and technical assistance.

7. Mobile App Permissions and Device Data

The Xertilox HR mobile applications may request access to device features only where required for Platform functionality. Depending on the features enabled, this may include camera access for document capture, photo library access for uploads, push notifications, and device-based authentication features.

These permissions are requested by the application or device operating system at the point of use. Users can manage permissions through their device settings. Refusing certain permissions may limit specific Platform functionality.

We do not access device data beyond what is reasonably necessary for the relevant feature.

8. Sharing of Personal Data

We may disclose personal data only where necessary to provide the Platform, comply with law, or protect the security and integrity of the service.

Recipients may include:

  • the relevant Data Controller and its authorised users;
  • sub-processors engaged to provide infrastructure, hosting, communications, identity verification, support, analytics limited to service operation, or other technical services;
  • official data sources or verification providers where the Controller has enabled those checks; and
  • regulators, courts, law enforcement agencies, or other authorities where disclosure is legally required.

Limited business contact data may be shared with selected third-party service providers for the purpose of facilitating business-to-business referrals via the Xertilox Trusted Network. Such functionality is not available to individual end users via mobile applications.

9. Sub-processors

Xertilox uses carefully selected sub-processors to support delivery of the Platform.

Each sub-processor is subject to a written agreement requiring appropriate confidentiality, security, and data protection obligations.

A current list of sub-processors may be made available to customers in accordance with the applicable contract or data processing agreement.

10. International Transfers

Where personal data is transferred outside the United Kingdom, Xertilox will ensure that the transfer is subject to an appropriate safeguard, such as a UK adequacy regulation, the UK International Data Transfer Agreement, or another lawful transfer mechanism.

We take steps to ensure that transferred personal data receives a level of protection consistent with applicable data protection law.

11. Retention

As Processor, Xertilox retains personal data only for as long as necessary to provide the Platform and in accordance with the Controller's instructions, the parties' contract, and applicable law.

On termination or expiry of the services, personal data will be returned, deleted, or securely disposed of in accordance with the applicable agreement, except where retention is required by law or necessary for the establishment, exercise, or defence of legal claims.

12. Security

Xertilox implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

These measures may include encryption in transit and at rest, access controls, role-based permissions, authentication controls, audit logging, system monitoring, backup processes, vulnerability management, and incident response procedures.

No system can be guaranteed to be completely secure. However, we maintain security controls proportionate to the nature of the data and the risks presented by processing.

13. Data Subject Rights

Where Xertilox acts as Processor, individuals should direct requests relating to their personal data to the relevant Data Controller.

Such rights may include the right to request access, rectification, erasure, restriction, portability, and objection, subject to applicable law.

Xertilox will provide reasonable assistance to the Controller in responding to valid requests where required under applicable law or contract.

14. Automated Processing

The Platform may use automated processing to support verification workflows, compliance alerts, or status outputs. Unless expressly stated by the Data Controller, Xertilox does not make solely automated decisions that produce legal effects or similarly significant effects on individuals on its own behalf.

Controllers remain responsible for ensuring that any automated decision-making they configure complies with applicable law.

15. Children's Data

The Platform is intended for business use and is not directed at children.

We do not knowingly collect or process personal data from children through the Platform unless expressly instructed by a Data Controller for a lawful and documented business purpose.

16. Third-Party Services

Where the Platform integrates with third-party products or services selected by the Controller, processing by those third parties is governed by their own terms and privacy documentation.

Xertilox is not responsible for the independent privacy practices of third-party services acting outside our role as Processor.

17. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulation, service functionality, or processing practices.

The latest version will be made available through the appropriate customer or application channel, and the Effective Date at the front of this document will be updated accordingly.

18. Contact

For privacy-related questions about Xertilox HR, contact:

Xertilox Ltd
Email: data@xertilox.com
Address: 48 Sutton Mill Road, Potton, SG19 2QB, UK

19. Complaints

If you are dissatisfied with the way personal data has been handled, you should first contact the relevant Data Controller or Xertilox using the details above, as appropriate.

Individuals in the United Kingdom may also raise concerns with the Information Commissioner's Office.

This Policy should be read alongside the applicable customer contract, data processing agreement, and any supporting retention, security, or cookie notices.