Privacy Policy

PRIVACY POLICY

Xelvo LTD Website: www.exozi.com
Last Updated: November 2025

1. Introduction

Xelvo LTD (“Xelvo”, “we”, “us”, “our”) is committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your personal information. This Privacy Policy explains our practices regarding the collection, use, disclosure, and protection of personal data when you use our website (www.exozi.com) and services.

This Privacy Policy applies to all users of our website and services, regardless of location. We operate internationally and comply with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable, the EU General Data Protection Regulation (EU GDPR).

By using our website and services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.

2. Who We Are (Data Controller)

For the purposes of data protection law, the data controller responsible for your personal data is:

Xelvo LTD
124 City Road
London, EC1V 2NX
United Kingdom
Email: support@exozi.com
Website: www.exozi.com

If you have any questions about this Privacy Policy or our data practices, please contact us using the details above.

2A. Data Protection Officer & Representative

Data Protection Officer:
We do not appoint a dedicated Data Protection Officer. However, you may contact our privacy team at support@exozi.com for any data protection concerns or queries regarding our data protection practices.

EU Representative:
For users located in the European Economic Area (EEA), our appointed EU Representative under Article 27 GDPR is:
[To be appointed – please add representative details]

If you are located in the EEA, you have the right to contact our EU Representative for any data protection matters.

3. Information We Collect

We collect and process the following categories of personal data:

3.1 Information You Provide Directly

Identity Information: Full name, username, date of birth
Contact Information: Email address, telephone number, billing address, delivery address
Financial Information: Payment details are processed securely by our payment providers (Stripe, PayPal). We do NOT store full payment card details or bank account information. Only transaction confirmations and payment status are retained by us.
Account Information: Account credentials, preferences, service history
Social Media Information: Social media handles, channel URLs, platform usernames (via official delegate/manager access only)
Communication Data: Messages, enquiries, support requests, feedback, and any correspondence with us
User Content: Any content you provide for our services (videos, images, brand materials, scripts, posting schedules, account insights)

3.2 Information Collected Automatically

Technical Data: IP address, browser type and version, device type, operating system, time zone setting, browser plug-in types
Usage Data: Pages visited, time spent on pages, click patterns, navigation paths, access dates and times
Location Data: Approximate geographic location based on IP address
Cookie Data: Information collected through cookies and similar technologies (see Section 10)

3.3 Information from Third Parties

Payment Processors: Transaction confirmation and payment status from Stripe, PayPal, or other payment providers
Social Media Platforms: Profile information if you connect your social media accounts via official delegate access
Analytics Providers: Aggregated usage and performance data from services like Google Analytics
Referral Sources: Information about how you were referred to our services

4. How We Use Your Information

We use your personal data for the following purposes:

4.1 To Provide Our Services

Processing and fulfilling your orders
Delivering digital products and services
Managing your account and providing customer support
Communicating about your orders, services, and deliverables
Managing social media accounts and digital content (where you have delegated access)

4.2 To Improve Our Services

Analysing usage patterns to enhance user experience
Researching and developing new features and services
Conducting surveys and gathering feedback
Personalising content and recommendations

4.3 To Communicate With You

Sending service-related notifications and updates
Responding to your enquiries and support requests
Providing information about similar products or services (with your consent where required)
Sending marketing communications (where you have opted in)

4.4 For Business Operations

Processing payments and managing financial records
Preventing fraud and ensuring security
Complying with legal and regulatory obligations
Enforcing our terms and conditions

4.5 For Legal Purposes

Complying with applicable laws and regulations
Responding to lawful requests from public authorities
Protecting our legal rights and interests
Establishing, exercising, or defending legal claims

5. Legal Basis for Processing (UK GDPR/EU GDPR)

Under the UK GDPR and EU GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

5.1 Performance of a Contract (Article 6(1)(b))

Processing necessary for the performance of our contract with you, including:

Providing our services and fulfilling orders
Processing payments
Managing your account
Delivering customer support
Managing social media accounts via delegated access

5.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, provided these do not override your fundamental rights, including:

Improving and developing our services
Marketing similar products and services to existing customers
Preventing fraud and ensuring security
Analysing website usage and performance
Securing and optimising delegated social media access

5.3 Consent (Article 6(1)(a))

Where you have given clear consent for us to process your personal data for specific purposes, including:

Sending marketing communications to non-customers
Using non-essential cookies
Processing special categories of data (where applicable)

5.4 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with our legal obligations, including:

Tax and accounting requirements
Responding to lawful requests from authorities
Regulatory compliance

5.5 Soft Opt-In for Marketing Communications

As an existing customer, we may send you marketing communications about similar products and services to those you have already purchased from us, without obtaining prior explicit consent. This is known as “soft opt-in.” Under this approach:

We rely on our legitimate interest in marketing similar services to existing customers
You have the right to opt out of marketing communications at any time without restriction
Opting out does not affect service-related communications
To opt out, simply click the “unsubscribe” link in any marketing email or contact us at support@exozi.com

6. Social Media Account Access & User Content

Since our services include social media monetization, management, and growth services, we may process sensitive account data and user-generated content. Please note:

6.1 Delegated Access Only

When you provide us access to your social media accounts, this is strictly through official “delegate” or “manager” access features provided by social media platforms (such as TikTok, YouTube, Instagram, X/Twitter). We never request or collect your private login passwords. Access is granted via secure, platform-approved methods only.

6.2 Legal Basis for Social Media Access

We process your social media account data under:

Article 6(1)(b) – Performance of Contract: Providing the agreed monetization, management, and growth services
Article 6(1)(f) – Legitimate Interest: Ensuring security and optimisation of the delegated access we provide

6.3 User Content Processing

We may process content such as video scripts, thumbnails, analytics, posting schedules, account insights, engagement metrics, and other user-generated content strictly for service delivery, account optimisation, and eligibility assessments.

7. Who We Share Your Data With

We may share your personal data with the following categories of recipients:

7.1 Service Providers

We work with trusted third-party service providers who assist us in operating our business:

Payment Processors: Stripe, PayPal — to process payments securely
Cloud Hosting: To store and manage data securely
Email Services: To send transactional and marketing communications
Analytics Providers: Google Analytics — to analyse website usage
Customer Support Tools: To manage enquiries and support requests

These providers only process your data on our behalf and in accordance with our instructions. We require them to maintain appropriate security measures and not use your data for their own purposes.

7.2 Professional Advisers

We may share data with our legal, accounting, and other professional advisers where necessary for business purposes.

7.3 Authorities and Regulators

We may disclose your data to law enforcement agencies, regulatory bodies, courts and tribunals, and other governmental authorities when required by law or to protect our legal rights.

7.4 Business Transfers

In the event of a merger, acquisition, sale of assets, or business reorganisation, your personal data may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have.

7.5 With Your Consent

We may share your data with other third parties where you have given explicit consent.

We do not sell your personal data to third parties.

8. International Data Transfers

As Xelvo operates internationally and provides services to users globally (including the United States, UAE, and Asia), your personal data may be transferred to, stored, and processed in countries outside the United Kingdom and the European Economic Area (EEA).

By using our services, you acknowledge that data may be processed outside your local jurisdiction, including the United States, UAE, and Asia, under the safeguards outlined below.

8.1 Transfers to Adequate Countries

We may transfer personal data to countries that have been deemed to provide an adequate level of data protection by the UK Government (for transfers from the UK) or the European Commission (for transfers from the EEA).

Countries with UK/EU adequacy decisions include: Andorra, Argentina, Canada (commercial organisations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, Uruguay, and the United States (under the EU-US Data Privacy Framework for participating organisations).

8.2 Transfers to Other Countries (Including UK-US Data Bridge)

Where we transfer personal data to countries without an adequacy decision, we implement appropriate safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
UK-US Data Bridge for transfers from the UK to the United States
UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
Binding Corporate Rules where applicable
Ensuring the recipient is certified under an approved framework (e.g., Privacy Shield or equivalent)

8.3 Your Rights Regarding International Transfers

You have the right to request information about the safeguards we have in place for international transfers. Contact us at support@exozi.com for more information.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law.

9.1 Retention Periods

Data Category	Retention Period
Account information	Duration of your account plus 6 years
Transaction records	7 years (UK tax/accounting requirements)
Customer communications	6 years from last contact
Marketing preferences	Until you withdraw consent
Website analytics	26 months (anonymised thereafter)
Cookies	See Cookie Policy for specific durations
Legal claims data	Duration of limitation period plus 1 year
Social media content & insights	Duration of service engagement plus 2 years

9.2 Deletion and Anonymisation

When personal data is no longer required, we will:

Securely delete or destroy the data; or
Anonymise the data so it can no longer identify you (anonymised data may be retained indefinitely for analytical purposes)

10. Your Rights

Under the UK GDPR, EU GDPR, and other applicable data protection laws, you have the following rights regarding your personal data:

10.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

10.2 Right to Rectification (Article 16)

You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

10.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including:

When the data is no longer necessary for its original purpose
When you withdraw consent (where consent was the basis for processing)
When you object to processing and there are no overriding legitimate grounds

10.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing.

10.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

10.6 Right to Object (Article 21)

You have the right to object to:

Processing based on legitimate interests
Processing for direct marketing purposes (you can opt out at any time)
Processing for research or statistical purposes

10.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

We may analyse engagement metrics and account data using automated tools to assess monetization eligibility and provide service recommendations. However, no such decision has a legal or similarly significant effect on you, and you retain the right to request human review of any automated assessment.

10.8 Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.9 How to Exercise Your Rights

To exercise any of these rights, please contact us:

Email: support@exozi.com
Address: Xelvo LTD, 124 City Road, London, EC1V 2NX, UK

We will respond to your request within one month of receipt. This period may be extended by a further two months for complex requests, in which case we will inform you within the first month. We may request verification of your identity before processing your request.

10.10 Right to Lodge a Complaint

If you are not satisfied with how we handle your request or have concerns about our data practices, you have the right to lodge a complaint with a supervisory authority:

UK Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
United Kingdom
Website: www.ico.org.uk
Telephone: 0303 123 1113

For users in the EU/EEA, you may also contact your local data protection authority.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us provide functionality, improve performance, and personalise your experience.

11.2 Types of Cookies We Use

Strictly Necessary Cookies: Essential for the website to function. These cannot be disabled.

Session management
Security features
Load balancing

Performance/Analytics Cookies: Help us understand how visitors use our website.

Google Analytics (anonymised IP)
Page view tracking
Error monitoring

Functionality Cookies: Enable enhanced features and personalisation.

Language preferences
User preferences
Previously entered information

Marketing/Targeting Cookies: Used to deliver relevant advertisements and track campaign performance.

Advertising partners
Social media pixels
Conversion tracking

11.3 Your Cookie Choices

When you first visit our website, you will be presented with a cookie consent banner allowing you to:

Accept all cookies
Reject non-essential cookies
Customise your preferences

You can change your cookie preferences at any time by:

Clicking the “Cookie Settings” link in our website footer
Adjusting your browser settings to block or delete cookies

Note: Disabling certain cookies may affect website functionality.

11.4 Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages. We do not control these cookies. Please refer to the relevant third party’s privacy policy for more information.

For more details, please see our separate Cookie Policy: https://www.exozi.com/cookie-policy

12. Data Security

12.1 Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

Encryption: SSL/TLS encryption for data in transit; encryption at rest for sensitive data
Access Controls: Role-based access, strong authentication, least-privilege principles
Network Security: Firewalls, intrusion detection, regular security monitoring
Physical Security: Secure data centres with appropriate access controls
Staff Training: Regular data protection and security training for all staff
Incident Response: Procedures for detecting, reporting, and responding to data breaches
Regular Audits: Periodic security assessments and vulnerability testing

12.2 Payment Security

We do not store full payment card details or bank account information. All payments are processed securely by our payment providers (Stripe, PayPal) who are PCI-DSS compliant. Payment card information is never collected, stored, or retained by us.

12.3 Social Media Access Security

When you grant us delegated access to your social media accounts, we employ industry-standard security protocols to protect this access. We never request or store your private login passwords. Access is managed exclusively through official platform delegate/manager features.

12.4 Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

Notify the ICO within 72 hours of becoming aware of the breach
Notify affected individuals without undue delay where the breach is likely to result in high risk

13. Children's Privacy

Our services are not directed at children under the age of 13 (or higher minimum age as required in your jurisdiction). We do not knowingly collect personal data from children under 13.

For users aged 13-17: Parental or guardian consent is required for paid services. In EU jurisdictions where the minimum age is 16 or higher, users must meet that country’s minimum age requirement.

If you believe we have inadvertently collected data from a child under the applicable minimum age, please contact us immediately at support@exozi.com, and we will take steps to delete the information.

14. Special Category Data Disclaimer

We do not intentionally collect special category data (also known as sensitive personal data), which includes information about race, ethnicity, religion, political opinions, trade union membership, genetic data, biometric data, health data, or sexual orientation.

If you voluntarily provide such data to us as part of your user content or service communications, you consent to its processing strictly for service delivery purposes. We encourage you to avoid sharing such sensitive information unless absolutely necessary.

15. Third-Party Links

Our website may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices.

We encourage you to review the privacy policies of any third-party services before providing your personal data.

16. Marketing Communications

16.1 Marketing Preferences

We may send you marketing communications about our products and services where:

You have given your explicit consent; or
You are an existing customer and we are marketing similar products/services (soft opt-in under Article 6(1)(f))

16.2 Opting Out

You can opt out of marketing communications at any time by:

Clicking the “unsubscribe” link in any marketing email
Contacting us at support@exozi.com
Updating your account preferences

Opting out of marketing will not affect service-related communications (e.g., order confirmations, important updates, account alerts).

17. Refund & Digital Services Policy

For terms applicable to digital goods and services, including refund policies and service cancellation, please see our separate Refund Policy.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

18.1 Notification of Changes

Material changes will be notified via email or prominent notice on our website
The “Last Updated” date at the top of this policy indicates when it was last revised
We encourage you to review this policy periodically

18.2 Continued Use

Your continued use of our services after any changes constitutes acceptance of the updated Privacy Policy.

19. International Users

19.1 Users in the European Economic Area (EEA)

If you are located in the EEA, your personal data is processed in accordance with the EU GDPR. You have all the rights outlined in Section 10 of this policy, and our EU Representative (Section 2A) is available to assist you.

19.2 Users in the United States

We comply with applicable US privacy laws. California residents may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. Where we transfer data to the US, we do so under the UK-US Data Bridge and EU-US Data Privacy Framework.

19.3 Users in Other Jurisdictions

We comply with applicable data protection laws in the jurisdictions where we operate. If you have questions about how your local laws apply, please contact us at support@exozi.com.

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Xelvo LTD
124 City Road
London, EC1V 2NX
United Kingdom

Email: support@exozi.com
Website: www.exozi.com

We aim to respond to all enquiries within 2 working days.