How personal data is collected, used and protected across the Xertilox HR platform.
Last updated: April 2026
This Privacy Policy applies to the Xertilox HR platform, associated mobile applications, integrated wallet functionality, and related services. It explains how personal data is collected, used, and protected in accordance with applicable data protection law.
Xertilox Ltd ("Xertilox", "we", "us" or "our") provides the Xertilox HR platform and associated services for workforce management, onboarding, compliance, and verification.
This Privacy Policy explains how personal data is processed in connection with Xertilox HR, associated mobile applications, integrated wallet functionality, and related support services.
For most personal data processed through the Platform, Xertilox acts as a Data Processor on behalf of its customer, which is the Data Controller. The Controller determines the purposes of processing and remains responsible for providing privacy information to its workforce and other end users.
In limited circumstances, Xertilox may act as a Data Controller for its own business purposes, for example where we process contact details for customer account management, service communications, security, billing, legal compliance, and support.
This Policy applies to personal data processed through:
This Policy does not apply to third-party websites, products, or services that are not operated by Xertilox, even where they are linked to or integrated with the Platform.
We process only the personal data required to provide the Platform and only in accordance with the Data Controller's documented instructions, unless otherwise required by law.
Personal data processed through the Platform may include:
Where enabled by the Controller, special category data or biometric-related outputs may be processed strictly for verification or compliance purposes and subject to appropriate legal basis and safeguards.
Depending on the service configuration, personal data may be obtained from:
As Processor, Xertilox processes personal data only to deliver the Platform and related services, including to:
Where Xertilox acts as Processor, the legal basis for processing is determined by the Data Controller.
The Controller may rely on one or more lawful bases, including contractual necessity, compliance with a legal obligation, legitimate interests, or explicit consent where required.
Where Xertilox acts as Controller for its own limited business purposes, our legal bases may include contractual necessity, compliance with legal obligations, and our legitimate interests in operating, securing, and improving our services.
The Xertilox HR mobile applications may request access to device features only where required for Platform functionality. Depending on the features enabled, this may include camera access for document capture, photo library access for uploads, push notifications, and device-based authentication features.
These permissions are requested by the application or device operating system at the point of use. Users can manage permissions through their device settings. Refusing certain permissions may limit specific Platform functionality.
We do not access device data beyond what is reasonably necessary for the relevant feature.
We may disclose personal data only where necessary to provide the Platform, comply with law, or protect the security and integrity of the service.
Recipients may include:
Limited business contact data may be shared with selected third-party service providers for the purpose of facilitating business-to-business referrals via the Xertilox Trusted Network. Such functionality is not available to individual end users via mobile applications.
Xertilox uses carefully selected sub-processors to support delivery of the Platform.
Each sub-processor is subject to a written agreement requiring appropriate confidentiality, security, and data protection obligations.
A current list of sub-processors may be made available to customers in accordance with the applicable contract or data processing agreement.
Where personal data is transferred outside the United Kingdom, Xertilox will ensure that the transfer is subject to an appropriate safeguard, such as a UK adequacy regulation, the UK International Data Transfer Agreement, or another lawful transfer mechanism.
We take steps to ensure that transferred personal data receives a level of protection consistent with applicable data protection law.
As Processor, Xertilox retains personal data only for as long as necessary to provide the Platform and in accordance with the Controller's instructions, the parties' contract, and applicable law.
On termination or expiry of the services, personal data will be returned, deleted, or securely disposed of in accordance with the applicable agreement, except where retention is required by law or necessary for the establishment, exercise, or defence of legal claims.
Xertilox implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures may include encryption in transit and at rest, access controls, role-based permissions, authentication controls, audit logging, system monitoring, backup processes, vulnerability management, and incident response procedures.
No system can be guaranteed to be completely secure. However, we maintain security controls proportionate to the nature of the data and the risks presented by processing.
Where Xertilox acts as Processor, individuals should direct requests relating to their personal data to the relevant Data Controller.
Such rights may include the right to request access, rectification, erasure, restriction, portability, and objection, subject to applicable law.
Xertilox will provide reasonable assistance to the Controller in responding to valid requests where required under applicable law or contract.
The Platform may use automated processing to support verification workflows, compliance alerts, or status outputs. Unless expressly stated by the Data Controller, Xertilox does not make solely automated decisions that produce legal effects or similarly significant effects on individuals on its own behalf.
Controllers remain responsible for ensuring that any automated decision-making they configure complies with applicable law.
The Platform is intended for business use and is not directed at children.
We do not knowingly collect or process personal data from children through the Platform unless expressly instructed by a Data Controller for a lawful and documented business purpose.
Where the Platform integrates with third-party products or services selected by the Controller, processing by those third parties is governed by their own terms and privacy documentation.
Xertilox is not responsible for the independent privacy practices of third-party services acting outside our role as Processor.
We may update this Privacy Policy from time to time to reflect changes in law, regulation, service functionality, or processing practices.
The latest version will be made available through the appropriate customer or application channel, and the Effective Date at the front of this document will be updated accordingly.
For privacy-related questions about Xertilox HR, contact:
Xertilox Ltd
Email: data@xertilox.com
Address: 48 Sutton Mill Road, Potton, SG19 2QB, UK
If you are dissatisfied with the way personal data has been handled, you should first contact the relevant Data Controller or Xertilox using the details above, as appropriate.
Individuals in the United Kingdom may also raise concerns with the Information Commissioner's Office.
This Policy should be read alongside the applicable customer contract, data processing agreement, and any supporting retention, security, or cookie notices.
