Last updated: 23 April 2026 · Version 1.0 · Xcademia Ltd
1. Introduction
This Privacy Policy explains how Xcademia Ltd ("Xcademia", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you use the Xcademia X-Ray platform at xcademiaxray.com (the "Platform"). Xcademia Ltd is a company registered in England and Wales (Company No. 12322710) with its registered office at 60 Tottenham Court Road, London, W1T 2EW.
We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection laws worldwide, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), India's Digital Personal Data Protection Act 2023 (DPDP Act), South Africa's Protection of Personal Information Act (POPIA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the UAE Personal Data Protection Law (PDPL), and other applicable privacy and data protection legislation.
2. Data Controller
Xcademia Ltd is the data controller responsible for your personal data processed through the Platform.
Contact details:
Email: info@xcademia.com
Address: 60 Tottenham Court Road, London, W1T 2EW
Phone: +44 20 8050 4999
3. Personal Data We Collect
3.1 Data You Provide Directly
Account information: name, email address, mobile phone number
CV/resume data: employment history, education, skills, qualifications (when you upload a CV for assessment)
Assessment responses: answers to diagnostic questions, including written and spoken responses
Payment information: processed securely by Stripe (our payment processor). We do not store your full card details.
Communications: messages you send us via email or support channels
3.2 Data We Collect Automatically
Device and browser information: IP address, browser type, operating system, device identifiers
Usage data: pages visited, features used, session duration, assessment progress
Cookies and similar technologies: as described in Section 10 below
3.3 Data Generated by the Platform
Assessment results and diagnostic reports
Capability scores and skills gap analysis
Learning pathway recommendations
Certification status (X-Ray Certified)
3.4 Special Categories of Data
We do not intentionally collect special category data (such as racial or ethnic origin, health data, political opinions, or biometric data). If your CV or assessment responses happen to contain such information, we process it only to the extent necessary to deliver the assessment service and on the basis of your explicit consent provided when you submit such information.
We use your personal data for the following purposes:
To create and manage your account on the Platform
To conduct capability assessments and generate diagnostic reports
To provide personalised learning pathway recommendations
To process payments and manage your subscription
To issue X-Ray Certified credentials
To communicate with you about your account, assessments, and our services
To send you marketing communications (only with your consent, and you may opt out at any time)
To improve and develop the Platform, including through anonymised and aggregated analytics
To detect, prevent, and address fraud, security issues, and technical problems
To comply with legal obligations and respond to lawful requests from authorities
5. Legal Basis for Processing (UK/EU GDPR)
Under the UK GDPR and EU GDPR, we rely on the following legal bases:
Contract: processing necessary to perform our contract with you (account management, assessments, reports, payments)
Consent: for marketing communications, cookies (non-essential), and processing of any special category data
Legitimate interests: for Platform improvement, analytics, fraud prevention, and security, where these interests are not overridden by your rights
Legal obligation: where processing is required to comply with applicable law
You may withdraw your consent at any time by contacting us or using the unsubscribe mechanism provided. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
6. AI-Powered Processing
The Platform uses artificial intelligence to deliver its core service. Specifically:
AI models analyse your CV to generate personalised assessment questions
AI models evaluate your written and spoken assessment responses
AI models generate capability diagnostic reports and learning pathway recommendations
Important: All AI-generated diagnostic reports undergo human specialist review and sign-off before delivery. No consequential decisions about you are made solely by automated means without human oversight.
We use third-party AI services (including Google Gemini, OpenAI, and Anthropic Claude) to process assessment data. These providers process data as our sub-processors under appropriate data processing agreements. Your personal data is not used to train these providers' AI models.
Under the UK GDPR and EU GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Given the human review built into our process, our assessments do not constitute solely automated decision-making. However, if you have concerns, you may contact us to request human intervention or to express your point of view.
7. Who We Share Your Personal Data With
We share your personal data with the following categories of recipients:
Payment processor: Stripe, Inc. (for payment processing)
Hosting provider: Vercel, Inc. (platform hosting) and Supabase (database, EU Ireland region)
AI service providers: as described in Section 6 above
Email service provider: Resend (transactional emails)
Analytics provider: PostHog (platform analytics, where enabled)
Your employer or organisation: only where you are assessed as part of an enterprise/team subscription, and only to the extent agreed in the relevant enterprise agreement
Legal and regulatory authorities: where required by law or to protect our legal rights
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United Kingdom, the European Economic Area, and the United States.
Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including:
UK or EU adequacy decisions for the recipient country
Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO
The EU-US Data Privacy Framework (where the recipient is certified)
Other appropriate safeguards as required by applicable law
Our primary database is hosted in the EU (Supabase, Ireland region).
9. Data Retention
We retain your personal data for the following periods:
Account data: for as long as your account is active, plus 12 months after account closure
Assessment data and reports: for 3 years from the date of the assessment, or longer if required by an enterprise agreement
CV data: for 12 months from upload, or until you request deletion, whichever is earlier
Payment records: for 7 years to comply with UK tax and accounting obligations
Marketing consent records: for as long as the consent is valid, plus 12 months
Log and security data: for 12 months
When personal data is no longer required, we securely delete or anonymise it.
10. Cookies and Similar Technologies
The Platform uses cookies and similar technologies. We categorise these as:
Strictly necessary cookies: required for the Platform to function (e.g., session management, authentication). These do not require consent.
Analytics cookies: used to understand how visitors interact with the Platform (e.g., PostHog). These require your consent.
Marketing cookies: used for targeted advertising (e.g., Meta Pixel). These require your consent and are gated behind our consent management system.
You can manage your cookie preferences through the consent banner displayed on the Platform, or by adjusting your browser settings. Disabling certain cookies may affect Platform functionality.
11. Your Rights
11.1 Rights Under UK GDPR and EU GDPR
If you are located in the UK or EEA, you have the following rights:
Right of access: to obtain a copy of the personal data we hold about you
Right to rectification: to correct inaccurate or incomplete personal data
Right to erasure: to request deletion of your personal data in certain circumstances
Right to restriction: to request that we restrict the processing of your personal data
Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format
Right to object: to object to processing based on legitimate interests or for direct marketing
Right to withdraw consent: where processing is based on consent
Right to lodge a complaint: with the Information Commissioner's Office (ICO) in the UK (ico.org.uk) or your local supervisory authority in the EEA
11.2 Rights Under CCPA/CPRA (California)
If you are a California resident, you have additional rights under the CCPA as amended by the CPRA:
Right to know: what personal information we collect, use, disclose, and sell
Right to delete: your personal information, subject to certain exceptions
Right to correct: inaccurate personal information
Right to opt out: of the sale or sharing of personal information (we do not sell your personal information)
Right to non-discrimination: for exercising your privacy rights
To exercise these rights, contact us at info@xcademia.com. We will respond within 45 days.
11.3 Rights Under LGPD (Brazil)
If you are located in Brazil, you have rights under the LGPD including access, correction, anonymisation, portability, deletion, information about sharing, and the right to revoke consent. Contact us at info@xcademia.com to exercise these rights.
11.4 Rights Under POPIA (South Africa)
If you are located in South Africa, you have rights under POPIA including access, correction, deletion, and the right to object to processing. You may also lodge a complaint with the Information Regulator.
11.5 Rights Under PIPEDA (Canada)
If you are located in Canada, you have rights under PIPEDA including access to your personal information, the right to challenge its accuracy, and the right to withdraw consent. You may also lodge a complaint with the Office of the Privacy Commissioner of Canada.
11.6 Rights Under DPDP Act (India)
If you are located in India, you have rights under the Digital Personal Data Protection Act 2023 including the right to access, correction, erasure, and grievance redressal. You may contact our Grievance Officer at info@xcademia.com.
11.7 Rights Under UAE PDPL
If you are located in the United Arab Emirates, you have rights under the UAE Personal Data Protection Law including access, rectification, erasure, restriction, and data portability. Contact us at info@xcademia.com to exercise these rights.
12. Children
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at info@xcademia.com.
13. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit (TLS) and at rest
Access controls and authentication (including multi-factor authentication for internal systems)
Regular security assessments and vulnerability monitoring
Staff training on data protection and security
Incident response procedures
No system is completely secure. If you become aware of any security vulnerability or breach, please notify us immediately at info@xcademia.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or by posting a prominent notice on the Platform. The "Last updated" date at the top of this policy indicates when it was last revised.
We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: info@xcademia.com
Address: Xcademia Ltd, 60 Tottenham Court Road, London, W1T 2EW
Phone: +44 20 8050 4999
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
UK: Information Commissioner's Office (ICO), ico.org.uk
EU: Your local Data Protection Authority
California: California Attorney General, oag.ca.gov
Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
South Africa: Information Regulator
Canada: Office of the Privacy Commissioner
India: Data Protection Board of India
UAE: UAE Data Office