Privacy Policy

1. Data Controller Information

Xenveo acts as the data controller for personal data collected from clients, contributors, and website users in the context of its commercial and operational activities. For personal data collected within training datasets on behalf of clients, Xenveo operates as a data processor, with the client acting as the controller.

Contact: [email protected]· Data protection inquiries: [email protected].

2. Data We Collect

2.1 From Clients

• Business contact information: name, job title, company name, email address, phone number.
• Billing and invoicing data: company registration details, billing address, VAT/tax identification numbers.
• Project specifications, communications, and program documentation.
• Usage data from the Xenveo platform, including login records and feature interactions.

2.2 From Contributors & Domain Experts

• Identity verification data: full name, date of birth, nationality, government-issued ID (where required for payment or compliance purposes).
• Professional credentials: qualifications, certifications, employment history, language proficiency assessments.
• Bank or payment account details for compensation processing.
• Work product: annotation outputs, audio recordings, video submissions, responses, and rankings submitted during program participation.
• Device and connection data: IP address, browser type, operating system, session duration.

2.3 From Data Capture Programs

In field capture programs, Xenveo may collect audio recordings, images, video footage, and environmental data. All field capture is conducted under informed, documented consent protocols. Xenveo does not knowingly capture biometric identifiers without express written consent.

2.4 Automatically Collected Data

Xenveo’s platform automatically collects log data, usage analytics, and performance metrics. This data is used for platform security, service improvement, and quality assurance.

3. How We Use Data

• Service Delivery: To scope, manage, and deliver data programs under SOWs.
• Contributor Management: To onboard, verify, compensate, and communicate with contributors and experts.
• Quality Assurance: To evaluate annotation quality, manage performance metrics, and enforce program standards.
• Platform Operations: To maintain and improve platform security, reliability, and functionality.
• Legal & Compliance: To comply with applicable laws, respond to regulatory inquiries, and enforce contractual obligations.
• Communications: To send program updates, policy changes, and service notifications. Marketing communications are only sent with affirmative consent and are opt-out at any time.
• Analytics & Research: To develop internal benchmarks and improve service methodology using aggregated, anonymized data.

4. Legal Basis for Processing

Xenveo processes personal data under the following legal bases, applied on a context-specific basis:

• Contract Performance: Processing necessary to fulfil obligations under a Client SOW or Contributor Agreement.
• Legitimate Interests: Processing for fraud prevention, platform security, program quality assurance, and internal analytics, where such interests are not overridden by individual rights.
• Legal Obligation: Processing required by applicable law, regulation, or court order.
• Consent: For marketing communications, optional data capture activities, and any processing not covered by the above bases. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

5. Data Sharing & Third Parties

5.1 Clients

Deliverables are provided to Clients as described in the applicable SOW. Xenveo does not provide Clients with personally identifiable information about contributors beyond what is necessary for credential verification in expert review programs.

5.2 Service Providers

Xenveo engages third-party vendors for cloud infrastructure, payment processing, communications, and analytics. All vendors are subject to data processing agreements that require equivalent data protection standards.

5.3 Legal Disclosure

Xenveo may disclose data to law enforcement, regulatory authorities, or courts where required by applicable law. Where legally permissible, Xenveo will notify affected individuals prior to disclosure.

5.4 Corporate Transactions

In the event of a merger, acquisition, or asset sale, personal data may be transferred to a successor entity. Xenveo will provide notice and, where required, obtain consent prior to any such transfer.

5.5 No Sale of Data

Xenveo does not sell, rent, or trade personal data to any third party for commercial or marketing purposes.

6. Cross-Border Data Transfers

Given Xenveo’s operations across eight countries, personal data may be transferred across international borders. All cross-border transfers are conducted under appropriate safeguards including:

• Standard Contractual Clauses (SCCs) or equivalent data transfer mechanisms where applicable.
• Binding Corporate Rules for intra-group transfers where Xenveo entities are involved.
• Adequacy decisions by competent regulatory authorities.
• Explicit consent for transfers to jurisdictions without formal adequacy determinations.

Clients engaged in programs with cross-jurisdictional data flows will receive disclosure of the relevant transfer mechanisms in the applicable SOW.

7. Data Retention

• Client business data is retained for the duration of the commercial relationship plus seven (7) years to satisfy legal and audit requirements.
• Contributor identity and payment data is retained for five (5) years following the last program participation, or as required by applicable tax law.
• Work product and annotation outputs delivered to Clients become the Client’s data responsibility upon delivery, subject to the terms of the SOW.
• Platform usage logs are retained for up to 24 months.
• Data subject to a legal hold is retained until the hold is lifted.

Upon expiry of applicable retention periods, data is securely deleted or irreversibly anonymized.

8. Individual Rights

Depending on the applicable jurisdiction, individuals may have the following rights with respect to their personal data:

• Access: The right to obtain a copy of personal data held by Xenveo.
• Rectification: The right to correct inaccurate or incomplete personal data.
• Erasure: The right to request deletion of personal data, subject to legal retention obligations.
• Restriction: The right to limit processing in certain circumstances.
• Portability: The right to receive personal data in a structured, machine-readable format.
• Objection: The right to object to processing based on legitimate interests or for direct marketing.
• Automated Decision-Making: The right not to be subject to decisions made solely by automated processing that produce significant legal or similar effects.
• Withdrawal of Consent: Where processing is based on consent, the right to withdraw it at any time.

Requests may be submitted to [email protected]. Xenveo will respond within 30 days, or as required by applicable law. Identity verification may be required before processing a request. Xenveo will not discriminate against individuals for exercising their privacy rights.

9. Security Measures

Xenveo implements a multi-layered security program designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Key measures include:

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
• Role-based access controls limiting data access to personnel with a documented need.
• Vendor security assessments prior to onboarding any third-party data processor.
• Incident response procedures, including breach notification protocols consistent with applicable law.

In the event of a data breach affecting personal data, Xenveo will notify affected individuals and relevant authorities within the timeframes required by applicable law, generally 72 hours for regulatory notification where required.

10. Cookies & Tracking

Xenveo’s platform uses cookies and similar tracking technologies for the following purposes:

• Strictly Necessary:Session management, authentication, and security — these cannot be disabled.
• Functional: Remembering user preferences and platform settings.
• Analytics: Understanding platform usage patterns to improve service quality. Analytics data is aggregated and not used for individual profiling.

Users may manage cookie preferences through their browser settings or Xenveo’s cookie management interface. Disabling non-essential cookies does not affect access to core platform features.

11. Children’s Data

Xenveo’s services are not directed at individuals under the age of 18. Xenveo does not knowingly collect personal data from minors. If Xenveo becomes aware that personal data of a minor has been collected without appropriate consent, it will be deleted promptly. If you believe Xenveo has inadvertently collected data from a minor, please contact [email protected].

12. Changes to This Policy

Xenveo may update this Privacy Policy from time to time to reflect changes in law, technology, or business practices. Material changes will be communicated via email to registered users and posted on the Xenveo website with a revised effective date. Continued use of Xenveo’s services following notification of material changes constitutes acceptance of the updated Policy. The current version of this Policy is always accessible at xenveo.com/privacy.

13. Contact & Complaints

For any privacy-related inquiries, data subject requests, or complaints, contact the Xenveo Data Protection Team:

• Email: [email protected]
• General: [email protected]
• Response time: Within 5 business days for general inquiries; within 30 days for formal data subject requests.