Sharing your data 

We may also disclose your information to third parties in connection with other purposes set out in this policy. These third parties may include: 

• business partners, suppliers and sub-contractors who may process information on our behalf; 

• individuals and/or organisations who hold information related to your reference or application to work with us (e.g. current, past or prospective employers, educators and examining bodies and employment and recruitment agencies); 

• advertisers, social media platforms, and advertising networks; 

• analytics and search engine providers; 

• IT service providers. 

Where we are under a legal or regulatory duty to do so, we may disclose your details to the police, regulatory bodies or legal advisors, and/or, where we consider necessary to protect the rights, property or safety of XM.WORKS, its personnel, users or others.  

We do not sell or share personal information to another business or third party for monetary or other valuable consideration. 

If XM.WORKS merges with or is acquired by another business or company in the future, (or is in meaningful discussions about such a possibility) we may share your personal data with the (prospective) new owners of the business or company. 

International Transfers 

Your Personal Data may be processed outside of the European Economic Area (EEA) as the organisations we use to provide our service to you may be based outside of the EU or UK (Client Relationship Management – Monday.com for example).  

We have taken appropriate steps to ensure that any Personal Data processed outside the EEA has an essentially equivalent level of protection to that guaranteed in the EU or UK. We do this by ensuring that:  

• Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation); 

• We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organization and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here) or; 

• We enter into Standard Contractual Clauses (“SCCs”) with the receiving organizations and adopt supplementary measures, where necessary. (A copy of the SCCs can be found here Standard Contractual Clauses (SCCs)). 

We may also utilise the services of providers who have chosen to certify themselves under the EU/US Data Privacy Framework (with UK extension).  

In terms of end user data (“Customer Data”), we can confirm that this information is only ever stored within our Microsoft 365 environment within the UK, with our back-ups also being hosted on UK servers.  

There may be times when we need to share Customer Data with colleagues/ workers who are located in other parts of the world. These individuals are an extension of our internal staff, working within our established security and data protection framework. Therefore, any transfer of Customer Data under these circumstances will not be considered as restricted under the data protection legislation. 

How long we keep your data 

We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.  

At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning. 

How we protect your data 

We take every possible measure to ensure that your information is not compromised in any way. We implement appropriate technical and organisational measures to protect data that we process from unauthorised disclosure, use, alteration or destruction.  Our privacy promise is in place in respect of our website only. Other online services will be serviced by their own privacy policies. 

Some of the controls we have in place are: 

• We ensure active SSL certification on all of our websites (using https:// rather than http://); 

• We use technology controls for our information systems, such as firewalls, user verification, data encryption, and separation of roles, systems & data management; 

• We use password encryption and password management tools; 

• We enforce a “need to know” policy, for access to any data or systems. 

 In addition to the technical and organisational measures we have put in place, there are a number of simple things you can do to further protect your personal information;  

• Never share a One Time Passcode (OTP). 

• Never enter your details after clicking on a link in an email or text message. 

• Always send confidential information by encrypted email where possible this reduces the risk of interception. 

• If you are logged into any online service do not leave your computer unattended. 

• Close your internet browser once you have logged off. 

• Never download software or let anyone log on to your computer or devices remotely, during or after a cold call. 

Your data protection rights 

There are certain fundamental rights that you have in respect of your Personal Data: 

In addition to the above, you also have the following rights: 

Exercising your data protection rights 

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. 

Contact us 

If you would like to exercise your statutory data protection rights, or if you have any concerns or questions about how we handle Personal Data, please complete the complaints form provided here. 

Raising a complaint with the Information Commissioner’s Office 

If you believe you have exhausted all possible avenues for resolving your data protection concerns, you may lodge a complaint with the ICO by calling their Helpline on 0303 123 1113. 

You can also send your postal correspondence to: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. 

Alternatively, you can contact them at https://ico.org.uk/make-a-complaint/. 

Cookie Policy

Last updated: 22nd December 2025 

1. Introduction 

XM.WORKS Ltd (“XM.WORKS”, “we”, “us”, “our”) use cookies on our website. This Cookies Notice explains more about cookies and why we use them. It also explains how you can control and opt out of receiving them. 

This policy should be read together with our Privacy Notice which sets out how and why we collect, store, use and share personal information generally, as well as your rights in relation to your personal information and details of how to contact us and the supervisory authorities if you have a complaint. 

We update this Cookies Notice from time to time in response to changes in applicable laws and regulations, changes to our processing practices and to the products and services we offer. When changes are made, we will update the ‘last updated’ date at the top of this notice. Please review this Cookies Notice periodically to check for updates. 

2. About Cookies  

A cookie is a small text file which may be downloaded to your device when you visit our website. We use cookies to allow our website to function correctly, remember your preferences and to track visitors to our website. 

The cookies we use on our website fall into the following categories: 

• Strictly Necessary / Essential - Strictly necessary, or essential, cookies are vital for a website to perform its basic functions and provide a service explicitly requested by the user. Without them, the website would not work correctly. 

• Statistics or Analytics Cookies - We use cookies to collect information about the use of our website by visitors, such as the pages they visit most often, how they arrived at our website and associated information. These do not collect any directly identifiable personal information about visitors.  We use these cookies to learn more about how our website is used to identify problems and areas for improvement. 

• Functional Cookies - Functional cookies remember the choices you make when you visit our website. This includes, for example, your consent to the use of cookies on our website. 

• Marketing or Targeting Cookies - These are cookies placed by third parties on our website which record your visit to our website, the pages you have visited and the links you have followed. They use this information for advertising purposes. 

• Learn More About Cookies - For further information on our use of cookies, including a detailed list of your information which we and others may collect through cookies, please see details in the table below. For further information on cookies generally, including how to control and manage them, please visit www.aboutcookies.org or www.allaboutcookies.org.  

3. Cookies Used by XM.WORKS 

The cookies we use on our website and their purposes are as set out in the following table:  

4. Cookie Sharing with Third Parties 

We do not share the information collected by the cookies with third parties for the purposes of targeted advertising.  

5. Changing Your Cookies Preferences 

You can allow or block cookies by activating the setting on your browser that permits you to change the setting of all or some cookies. Please note that disabling cookies may affect the availability or functionality of our website. Most of the website will function normally, however, functions that rely on cookies may be disabled. 

If you would like more information on how to manage cookies on some popular browsers, please click on the links below. 

• Internet Explorer 

• Google Chrome  

• Apple Safari 

• Microsoft Edge  

• Mozilla Firefox 

6. Contact Us 

Please contact us using the details set out in our Privacy Notice if you have any questions about this Cookies Notice or the information we hold about you.