
Privacy Policy

Xzist Digital Limited
Last updated: 24 April 2026

1. Introduction

1.1 Xzist Digital Limited (“Xzist Digital”, “we”, “us”, “our”) is committed to protecting and respecting your privacy.

1.2 This Privacy Policy explains how we collect, use, disclose, store and otherwise process personal data about you when you visit our website at xzistdigital.com (the “Website”), contact us, engage with us as a prospective or actual client, subscribe to our communications, or otherwise interact with us.

1.3 Please read this Privacy Policy carefully, together with our Terms of Use and Cookie Policy, to understand our practices regarding your personal data.

2. Who we are

2.1 Xzist Digital Limited is the data controller responsible for the personal data we collect and process under this Privacy Policy.

2.2 Our details are:

  • Company name: Xzist Digital Limited
  • Company number: 16698221
  • Registered office: 20 Wenlock Road, London, England, N1 7GU
  • Email: hello@xzistdigital.com
  • ICO registration number: [Insert ICO registration number. Register at ico.org.uk if you have not already done so.]

2.3 We are registered with the UK Information Commissioner’s Office (ICO) as a data controller. You can search the ICO register at ico.org.uk/ESDWebPages/Search.

2.4 If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at hello@xzistdigital.com.

3. What is personal data?

3.1 “Personal data” means any information relating to an identified or identifiable living individual. “Processing” means anything we do with personal data, including collection, storage, use, disclosure and deletion.

3.2 The UK GDPR and Data Protection Act 2018 govern how we process personal data.

4. The personal data we collect

4.1 We may collect, use, store and transfer different kinds of personal data about you, which we have grouped as follows:

  1. Identity Data: first name, last name, job title, company name.
  2. Contact Data: email address, telephone number, postal address.
  3. Enquiry Data: the contents of any message you send us via our contact form, by email or by other means, and any supporting information you provide about your enquiry or project.
  4. Marketing and Communications Data: your preferences in receiving marketing from us, your communication preferences, and information about how you engage with our emails (such as whether you opened them or clicked on links).
  5. Technical Data: internet protocol (IP) address, browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website.
  6. Usage Data: information about how you use the Website, including pages viewed, time spent on pages, navigation paths, referring URLs, and any downloads you make.
  7. Cookie Data: information collected through cookies and similar technologies, as described in our Cookie Policy.
  8. Client Data: where you become a client of Xzist Digital, we will collect additional personal data in accordance with the separate engagement contract between us. That data may include billing information, project-related correspondence, and details necessary to perform our services.

4.2 We do not knowingly collect special category personal data (such as data about racial or ethnic origin, religious beliefs, health, or sexual orientation) through the Website. Please do not submit such information to us unless it is necessary and we have asked for it.

4.3 We do not knowingly collect criminal offence data.

5. How we collect your data

5.1 We collect personal data about you in the following ways:

  1. Directly from you. You may give us your Identity, Contact, Enquiry, and Marketing and Communications Data by:
    1. submitting a contact form on the Website;
    2. emailing us or otherwise corresponding with us;
    3. requesting a proposal, meeting or quote;
    4. subscribing to our newsletter or marketing communications;
    5. engaging us to provide services; or
    6. giving us feedback or contacting us for support.
  2. Automatically through your use of the Website. When you visit the Website, we automatically collect Technical Data, Usage Data and Cookie Data about your equipment, browsing actions and patterns. See our Cookie Policy for more detail.
  3. From third parties and public sources. We may receive personal data about you from third parties and public sources, including:
    1. analytics providers (such as Google);
    2. advertising networks and search-information providers;
    3. publicly available sources such as Companies House or LinkedIn (in the context of business prospecting);
    4. referrals from existing clients or contacts.

6. How we use your personal data and our legal bases

6.1 We will only use your personal data when the law allows us to. The legal bases we rely on under the UK GDPR are:

  1. Consent: where you have given us clear consent to process your data for a specific purpose;
  2. Contract: where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract;
  3. Legitimate Interests: where processing is necessary for our (or a third party’s) legitimate interests and those interests are not overridden by your rights and interests;
  4. Legal Obligation: where processing is necessary to comply with a legal or regulatory obligation;
  5. Vital Interests: where processing is necessary to protect someone’s life (rarely applicable).

6.2 The table below sets out the purposes for which we process your personal data, the categories of data involved, and the legal basis we rely on:

| Purpose | Categories of data | Legal basis |
| --- | --- | --- |
| To respond to enquiries submitted via the contact form, email or other direct contact | Identity, Contact, Enquiry | Legitimate Interests (to engage with prospective clients and respond to enquiries); or Consent where a contact form requires a tick-box |
| To prepare, negotiate and deliver proposals and quotes | Identity, Contact, Enquiry | Contract (taking steps before entering into a contract at your request); Legitimate Interests |
| To deliver services to you under a signed engagement contract | Identity, Contact, Client | Contract |
| To invoice you and collect payment for services | Identity, Contact, Client | Contract; Legal Obligation (tax and accounting records) |
| To send you marketing communications (where you have opted in, or where an existing-customer “soft opt-in” applies) | Identity, Contact, Marketing and Communications | Consent (for prospective clients); Legitimate Interests (for existing clients under PECR soft opt-in) |
| To administer and protect our business and the Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Identity, Contact, Technical | Legitimate Interests (for running our business, provision of administration and IT services, network security, prevention of fraud) |
| To analyse how the Website is used so we can improve it | Technical, Usage, Cookie | Consent (for analytics cookies) |
| To measure or understand the effectiveness of advertising we serve to you and to deliver relevant advertising to you | Technical, Usage, Cookie, Marketing and Communications | Consent (for marketing cookies and similar technologies) |
| To comply with legal, regulatory or tax obligations | All categories as relevant | Legal Obligation |
| To establish, exercise or defend legal claims | All categories as relevant | Legitimate Interests (to protect our legal rights) |

6.3 Legitimate Interests assessments. Where we rely on legitimate interests as our legal basis, we have considered and balanced any potential impact on you (both positive and negative) and your rights. We will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law). You can obtain further information about how we assess our legitimate interests by contacting us.

6.4 Change of purpose. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.

7. Marketing communications

7.1 We may send you marketing communications about our services where:

  1. you have given us your consent to do so (for example, by subscribing to our newsletter); or
  2. you are an existing client, we are marketing similar services to those we provided, and we gave you a clear opportunity to opt out when we first collected your data (“soft opt-in” under PECR regulation 22).

7.2 You can unsubscribe at any time. Every marketing email we send contains an unsubscribe link. You can also opt out by emailing us at hello@xzistdigital.com.

7.3 Opting out of marketing communications does not affect any other communications we send you, such as those necessary to deliver services under a contract or to comply with legal obligations.

8. Who we share your data with

8.1 We may share your personal data with the following categories of recipients:

  1. Service providers (data processors) acting on our behalf, who process personal data under our instructions. These include:
    1. Website hosting and infrastructure providers [e.g. Vercel, AWS, Cloudflare. Update to reflect your actual providers.];
    2. Analytics providers [e.g. Google Analytics (Google LLC). Update to reflect your actual providers.];
    3. Email and marketing platforms [e.g. Mailchimp, HubSpot, ActiveCampaign. Update to reflect your actual providers.];
    4. Customer relationship management (CRM) systems [e.g. HubSpot, Pipedrive. Update to reflect your actual providers.];
    5. Communication and productivity tools [e.g. Google Workspace, Microsoft 365, Slack. Update to reflect your actual providers.];
    6. Payment processors (where applicable) [e.g. Stripe, GoCardless. Update to reflect your actual providers.];
    7. Accounting and invoicing software [e.g. Xero, QuickBooks, FreeAgent. Update to reflect your actual providers.].
  2. Professional advisers including lawyers, accountants, auditors, insurers and consultants, who provide consultancy, banking, legal, insurance and accounting services.
  3. Regulators, tax authorities and law-enforcement agencies that require reporting of processing activities in certain circumstances.
  4. Third parties involved in a corporate transaction, if we sell, transfer or merge parts of our business or assets, or if we acquire other businesses. In these circumstances, the new owners may use your personal data in the same way as set out in this Privacy Policy.

8.2 We require all third parties who process personal data on our behalf to respect the security of your personal data and to treat it in accordance with the law. Our data processors are only permitted to process your personal data for specified purposes and in accordance with our instructions.

8.3 We do not sell your personal data to third parties.

9. International transfers

9.1 Some of our service providers are based outside the United Kingdom, so processing your personal data will involve a transfer of data outside the UK.

9.2 Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  1. we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government (an “adequacy decision”); or
  2. where we use certain service providers, we may use specific contracts approved for use in the UK, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, which give the transferred personal data the same protection as it has in the UK; or
  3. where we use providers based in the US, we may transfer personal data to them if they are certified under the UK Extension to the EU-US Data Privacy Framework.

9.3 Please contact us at hello@xzistdigital.com if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

10. Data security

10.1 We have put in place appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used, accessed, altered or disclosed in an unauthorised way. These include, without limitation:

  1. access controls and authentication measures;
  2. encryption of data in transit (TLS/SSL);
  3. encryption of data at rest where appropriate;
  4. regular backups;
  5. restrictions on physical and logical access to systems;
  6. staff training on data protection.

10.2 We also limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.

10.3 We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (the ICO) of a breach where we are legally required to do so.

10.4 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data transmitted to the Website; any transmission is at your own risk.

11. How long we keep your data

11.1 We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

11.2 The following are our standard retention periods. In certain circumstances we may extend these (for example, where we are under a legal obligation to retain data for a longer period, or where we need it to establish, exercise or defend a legal claim):

| Category | Retention period |
| --- | --- |
| Enquiry data from prospective clients who do not become clients | Up to 24 months from the last contact, then deleted |
| Contact data for marketing subscribers | Until you unsubscribe, and then retained on a suppression list to ensure we do not re-contact you |
| Client data (identity, contact, project, contractual) | For the duration of the engagement and 7 years after the end of the engagement (to meet tax, accounting, and contract-limitation requirements) |
| Financial and tax records | 7 years from the end of the financial year to which they relate |
| Website analytics and cookie data | As set out in our Cookie Policy |
| Server and security logs | 12 months |

11.3 In some circumstances you can ask us to delete your data. See clause 12 (Your Rights).

11.4 When personal data is no longer needed, we will securely delete or anonymise it. Anonymised data (which can no longer be associated with you) may be used indefinitely for analysis and research purposes.

12. Your rights

12.1 Under UK data protection law, you have the following rights in relation to your personal data:

  1. Right to be informed: to be told how we use your personal data (this Privacy Policy fulfils that right).
  2. Right of access: to request a copy of the personal data we hold about you (known as a “subject access request”).
  3. Right to rectification: to ask us to correct inaccurate or incomplete personal data we hold about you.
  4. Right to erasure (“right to be forgotten”): to ask us to delete personal data where there is no good reason for us to continue processing it, or where you have successfully exercised your right to object (see below).
  5. Right to restrict processing: to ask us to suspend processing of your personal data in certain circumstances.
  6. Right to data portability: to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller (applies where we rely on consent or contract as the legal basis).
  7. Right to object: to object to our processing of your personal data where we rely on legitimate interests (including profiling) or for direct marketing.
  8. Right to withdraw consent: where we rely on your consent, you can withdraw it at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
  9. Rights in relation to automated decision-making: see clause 14.

12.2 How to exercise your rights. To exercise any of your rights, please contact us at hello@xzistdigital.com. We will respond within one month of receiving your request (extendable by a further two months for complex requests, in which case we will let you know).

12.3 No fee usually required. You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee, or refuse to comply with your request, if your request is clearly unfounded, repetitive or excessive.

12.4 What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

13. Complaints

13.1 If you have a complaint about how we have handled your personal data, please contact us first at hello@xzistdigital.com so we have an opportunity to address your concerns.

13.2 You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13.3 We would, however, appreciate the chance to deal with your concerns before you approach the ICO.

14. Automated decision-making

14.1 We do not use your personal data to carry out any automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you.

15. Children

15.1 The Website is not directed at children, and we do not knowingly collect personal data from children under the age of 13.

15.2 If you believe that a child has provided us with personal data, please contact us at hello@xzistdigital.com and we will take steps to delete that information.

16. Third-party links

16.1 The Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

16.2 We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy policy of every website you visit.

17. Cookies

17.1 Our use of cookies and similar technologies on the Website is described in our separate Cookie Policy, available at xzistdigital.com/cookies.

18. Changes to this Privacy Policy

18.1 We may update this Privacy Policy from time to time. The updated version will be indicated by an updated “Last updated” date and the updated version will be effective as soon as it is accessible.

18.2 If we make material changes, we will notify you either by prominently posting a notice of such changes or, where we have your email address, by sending you a notification.

18.3 We encourage you to review this Privacy Policy frequently to stay informed of how we protect your personal data.


19. How to contact us

Any questions about this Privacy Policy or our data protection practices should be addressed to:

Xzist Digital Limited
20 Wenlock Road, London, England, N1 7GU
Email: hello@xzistdigital.com

© Xzist Digital Limited. All rights reserved.

Xzist Digital Limited. Registered in England and Wales, company number 16698221. Registered office: 20 Wenlock Road, London, England, N1 7GU. Email: hello@xzistdigital.com