GDPR COMPLIANCE

Last Updated: January 2026

INTRODUCTION

This page provides detailed information about your rights under the General Data Protection Regulation (GDPR) and equivalent data protection laws in the United Kingdom and Switzerland.

If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, this page explains your rights and how to exercise them.

SCOPE

This GDPR Compliance page applies to all websites and services operated by Xponential7 Ltd and its brands:

For our main privacy notice, see our Privacy Policy.

DATA CONTROLLER INFORMATION

Xponential7 Ltd is the data controller responsible for your personal information.

Company Details:
Xponential7 Ltd
43 Tournay Road
London SW6 7UQ
United Kingdom
Company Number: 10717815

ICO Registration:
We are registered with the UK Information Commissioner's Office (ICO).
ICO Registration Number: ZB837691

You can verify our registration at: https://ico.org.uk/ESDWebPages/Entry/ZB837691

YOUR GDPR RIGHTS

Under the GDPR and UK GDPR, you have the following rights regarding your personal data:

1. RIGHT TO BE INFORMED

You have the right to clear, transparent information about how we collect and use your personal data. This is provided in our Privacy Policy.

2. RIGHT OF ACCESS (Subject Access Request)

You have the right to request a copy of the personal data we hold about you.

What we will provide:

  • Confirmation that we are processing your data
  • A copy of your personal data
  • Information about how and why we are processing it
  • Information about how long we will keep it
  • Information about your rights

How to request: Email privacy@xponential7.com with subject line "Subject Access Request"
Response time: We will respond within 30 days (may be extended by 2 months for complex requests)
Cost: Free (unless the request is manifestly unfounded or excessive)

3. RIGHT TO RECTIFICATION

You have the right to correct inaccurate or incomplete personal data we hold about you.

How to request: Email privacy@xponential7.com with the correct information
Response time: We will respond within 30 days

4. RIGHT TO ERASURE ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing (and there are no overriding legitimate grounds)
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

Note: We may refuse deletion if we have a legal obligation to retain the data (e.g., tax records for 7 years).

How to request: Email privacy@xponential7.com with subject line "Erasure Request"
Response time: We will respond within 30 days

5. RIGHT TO RESTRICT PROCESSING

You have the right to request that we limit how we use your data in certain circumstances:

  • You contest the accuracy of the data (while we verify it)
  • The processing is unlawful, but you don't want it erased
  • We no longer need the data, but you need it for legal claims
  • You have objected to processing (while we verify our legitimate grounds)

How to request: Email privacy@xponential7.com with subject line "Restriction Request"
Response time: We will respond within 30 days

6. RIGHT TO DATA PORTABILITY

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV file) and to transfer it to another organization.

Conditions:

  • The processing is based on consent or contract
  • The processing is carried out by automated means

How to request: Email privacy@xponential7.com with subject line "Data Portability Request"
Response time: We will respond within 30 days

7. RIGHT TO OBJECT

You have the right to object to processing of your personal data in certain circumstances:

Direct Marketing: You can object to direct marketing at any time (including profiling for marketing purposes). We will stop processing your data for marketing immediately.

Legitimate Interests: You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

How to request: Email privacy@xponential7.com with subject line "Objection Request"
Response time: We will respond within 30 days

8. RIGHTS RELATED TO AUTOMATED DECISION-MAKING AND PROFILING

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you.

Our position: We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. All enquiries, career applications, and business decisions involve human review.

LEGAL BASIS FOR PROCESSING

Under GDPR, we must have a legal basis to process your personal data. We rely on the following legal bases:

Consent
We process data based on your explicit consent when you:

  • Subscribe to newsletters or marketing emails
  • Accept cookies via our cookie consent banner
  • Provide consent during telemarketing calls
  • Opt in to data collection on landing pages or forms

Your right: You can withdraw consent at any time by clicking "unsubscribe" in emails or contacting privacy@xponential7.com.

Contractual Necessity
We process data when necessary to:

  • Respond to your enquiries via contact forms
  • Process your career applications
  • Provide services you have requested
  • Fulfil contractual obligations with our business clients

Legitimate Interests
We process data based on our legitimate business interests when:

  • Conducting business-to-business (B2B) marketing (GDPR Recital 47)
  • Analyzing website usage via Google Analytics to improve our services
  • Preventing fraud and ensuring security
  • Managing business operations and client relationships

Note: We conduct Legitimate Interest Assessments (LIAs) to ensure our interests do not override your rights and freedoms.

Legal Obligation
We process data when required to comply with legal obligations, such as:

  • Tax and accounting requirements (7-year retention)
  • Employment law requirements
  • Responding to legal requests from authorities

INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom, and Switzerland.

How we protect your data:

Standard Contractual Clauses (SCCs)
We use European Commission-approved Standard Contractual Clauses with service providers to ensure appropriate safeguards when transferring data internationally.

Main international transfers:

  • Google Workspace (email, productivity): Data may be transferred to the United States. Google provides SCCs and adheres to the EU-U.S. Data Privacy Framework.
  • Google Analytics: Data may be transferred to the United States. Google provides SCCs.

For more information about Google's data protection practices: https://policies.google.com/privacy

Adequacy Decisions
Where possible, we transfer data only to countries that the UK or EU has deemed to provide adequate data protection.

Request more information: If you would like details about the specific safeguards we use for international transfers, email privacy@xponential7.com.

DATA RETENTION

We retain your personal data only as long as necessary for the purposes outlined in our Privacy Policy or as required by law.

Typical retention periods:

  • Contact form enquiries: 3 years from last contact
  • Career applications (unsuccessful): 12 months
  • Career applications (successful): 6 years post-employment (UK legal requirement)
  • Newsletter subscribers: Until unsubscribe + 30 days
  • Google Analytics data: 26 months
  • Legal/compliance data: 7 years (UK tax law)
  • B2B marketing data: For our Demand7 and GTM7 brands, business contact data is retained as long as it remains accurate and relevant, subject to regular validation (every 60 days) and immediate removal upon opt-out request.

Deletion requests: You can request deletion at any time by contacting privacy@xponential7.com. We will comply unless legally required to retain the data.

DATA SECURITY

We implement appropriate technical and organizational measures to protect your personal data, including:

Technical measures:

  • Encryption of data in transit and at rest
  • Secure servers with access controls
  • Regular security reviews and updates
  • Firewalls and intrusion detection systems

Organizational measures:

  • Staff data protection training (twice per year)
  • Information Security Management System (ISMS)
  • Data Processing Agreements with all processors
  • Access to personal data limited to authorized personnel only

Data breach procedures: If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will:

  1. Notify the ICO within 72 hours of becoming aware of the breach
  2. Notify affected individuals without undue delay if the breach poses a high risk
  3. Document the breach and our response in accordance with GDPR Articles 33 and 34

SUPERVISORY AUTHORITY

If you have concerns about how we handle your personal data, you have the right to lodge a complaint with your local supervisory authority.

For UK residents:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Tel: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint

For EEA residents:
Find your local Data Protection Authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en

For Swiss residents:
Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch/edoeb/en/home.html

Note: We encourage you to contact us first at privacy@xponential7.com so we can try to resolve your concerns directly.

HOW TO EXERCISE YOUR RIGHTS

To exercise any of your GDPR rights, please contact us:

Email: privacy@xponential7.com
(Include the relevant subject line from the rights descriptions above)

Postal Address:
Xponential7 Ltd
Attn: Privacy Team
43 Tournay Road
London SW6 7UQ
United Kingdom

What to include in your request:

  • Your full name
  • Your email address
  • Your company name (if relevant)
  • Description of your request
  • Proof of identity (if we cannot verify you from the information provided)

Automated confirmation: When you submit a privacy request to privacy@xponential7.com, you will receive an automated confirmation email with a case reference number. We aim to respond to all requests within 30 days as required by law.

Verification: To protect your privacy, we may ask for additional information to verify your identity before processing your request. We verify requests by matching the email address you contact us from with our records.

No fee: Exercising your GDPR rights is free, unless the request is manifestly unfounded or excessive.

CHILDREN'S PRIVACY

Our services are not directed at individuals under the age of 16 (the age of digital consent under GDPR). We do not knowingly collect personal data from children.

If we become aware that we have inadvertently collected data from a child without appropriate consent, we will delete it immediately.

If you believe we have collected data from a child, please contact us at privacy@xponential7.com.

UPDATES TO THIS PAGE

We may update this GDPR Compliance page from time to time to reflect changes in law or our practices.

The "Last Updated" date at the top of this page will be revised when changes are made. We encourage you to review this page periodically.

RELATED POLICIES

For more information, please see: