Privacy Policy – Xomyx

Privacy Policy

Effective: January 13, 2026
We process your personal data exclusively in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the Telecommunications Telemedia Data Protection Act (TTDSG) and all other applicable provisions.

Important Note Upfront – Our Data Protection Principles

We do not sell your data. We do not use it for third-party advertising. We process personal data exclusively to operate a secure, fair and trustworthy review platform – in strict compliance with the principles of Art. 5 GDPR (lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality).

1. Controller & Contact Details

Controller pursuant to Art. 4 No. 7 GDPR:
XOMYX LTD
128 City Road
London EC1V 2NX
United Kingdom

Email: privacy@xomyx.com

2. Data Protection Officer

You can contact our designated Data Protection Officer at:
Email: dsb@xomyx.com

3. Personal Data Collected & Categories

3.1 Data You Actively Provide (Art. 13(1)(c) GDPR)

• Identification data: first and last name, username, date of birth (only for verification)
• Contact data: email address, telephone number (optional)
• Company data (business profiles): company name, legal form, address, commercial register number, VAT ID, proof of representation
• User-generated content: review texts, star ratings, uploaded photos/videos, replies to reviews
• Payment data: billing address, payment method (no card details stored – processed by Stripe)
• Verification data: identity documents, commercial register extract, power of attorney (only for one-time verification, then deleted)

3.2 Automatically Collected / Generated Data

• Technical metadata: IP address (anonymized after 7 days), browser type/version, operating system, device type, screen resolution, language settings
• Access & log data: date/time of access, visited pages/URLs, referrer URL, HTTP status, session duration (server log files)
• Cookies & local/session storage: session ID, CSRF token, language preference (technically necessary – Art. 25 TTDSG)
• Location data: rough geolocation (only with active consent, e.g. for regional filters – Art. 6(1)(a))
• Usage & interaction metadata: search queries, click behavior, review interactions (anonymized or pseudonymized)

3.3 Special Processing Situations

• Call/video recordings: only with prior information & consent (Art. 6(1)(a)) – max. 24 months
• Chrome extension: browser/device information if linked to account (Art. 6(1)(b) & (f))
• Social login (e.g. Facebook): name/username, profile picture (only with consent – Art. 6(1)(a))

4. Purposes & Legal Bases of Processing (Art. 13(1)(c) GDPR)

| Purpose | Legal Basis | Legitimate Interest (if Art. 6(1)(f)) |
| --- | --- | --- |
| Registration, authentication, account management | Art. 6(1)(b) GDPR (contract performance) | – |
| Publication, display & moderation of user content | Art. 6(1)(b) & (f) GDPR | Platform operation, transparency, abuse prevention |
| Company verification & identity check | Art. 6(1)(c) & (f) GDPR | Prevention of fake profiles & deception |
| Sending review invitations & system messages | Art. 6(1)(f) GDPR | Platform functionality & review quality |
| Detection & defense against spam, fake reviews, abuse | Art. 6(1)(f) GDPR | Platform integrity & security |
| Analysis & platform improvement (anonymized) | Art. 6(1)(f) GDPR | Optimize user experience, bug fixing |
| Payment processing & invoicing | Art. 6(1)(b) & (c) GDPR | – |
| Compliance with legal obligations & defense against claims | Art. 6(1)(c) & (f) GDPR | Authority requests, statute of limitations, legal defense |

5. Storage Periods & Deletion Deadlines (Art. 5(1)(e) GDPR)

  • User account & private data: duration of the contractual relationship + **6 months** after deletion (traceability)
  • Public reviews & company profiles: **permanently** (as long as profile exists – legitimate interest in transparency)
  • Verification documents: **10 years** (§ 257(1) HGB, § 147 AO)
  • Payment receipts & invoices: **10 years** (§ 147 AO, § 257 HGB)
  • Server log files & access data: **max. 90 days** (IT security – Art. 6(1)(f))
  • Anonymized usage statistics: **indefinitely** (no longer personal data – Art. 5(1)(e))
  • Call/video recordings: **max. 24 months** (quality & training – legitimate interest)
  • Cookie data (technically necessary): **up to 1 year** or until withdrawal (Art. 25 TTDSG)
  • Data after objection / erasure request: **immediate blocking**, erasure within **30 days** (Art. 12(3) GDPR), unless exceptions apply

After expiry of the storage period, we delete or anonymize the data unless a statutory retention obligation exists. Upon erasure request, we delete within **30 days** (Art. 12(3) GDPR), unless exceptions (e.g. statutory retention) apply.

6. Recipients & Categories of Recipients (Art. 13(1)(e) GDPR)

We do **not** pass on data for advertising purposes.

Recipients / categories of recipients (all GDPR/UK compliant):

  • Hosting & cloud service providers (server location EU/Germany – Art. 28 GDPR)
  • Payment service provider: Stripe (only payment data – Art. 28 GDPR processor)
  • Email delivery service (e.g. Brevo – only system emails)
  • IT service providers (maintenance, monitoring, security audits – Art. 28 GDPR)
  • Authorities & courts (upon legal obligation or request – Art. 6(1)(c))
  • External data protection officers & auditors (in the context of audits – Art. 28 GDPR)

7. International Data Transfers (Art. 44–50 GDPR)

Some of our processors (e.g. Stripe, Cloudflare) have servers outside the EEA. We ensure an adequate level of protection through:

  • EU Standard Contractual Clauses (SCCs) – Art. 46(2)(c) GDPR
  • UK International Data Transfer Addendum (for UK-related transfers)
  • Adequacy decision of the European Commission (if applicable)
  • Binding Corporate Rules (for intra-group transfers)

You can request a copy of the safeguards at privacy@xomyx.com. We regularly conduct Transfer Impact Assessments (TIA).

8. Automated Decision-Making & Profiling (Art. 22 GDPR)

We do **not** carry out solely automated decisions that produce legal effects concerning you or similarly significantly affect you (Art. 22(1) GDPR).

We do use profiling (Art. 4(4) GDPR) to detect fake reviews, spam and abuse patterns – solely to protect legitimate interests (Art. 6(1)(f)). You have the right to object to this profiling (Art. 21(1) GDPR). We will then weigh your particular interest against ours.

9. Your Rights in Detail (Art. 15–22 GDPR) – Deadlines & Procedure

Right of Access (Art. 15 GDPR)

You can request confirmation whether we process your data and access it (including purposes, categories, recipients, storage period, origin, automated decision-making, profiling, copy of data – Art. 15(3)).
Deadline: We respond **within 1 month** (extendable by 2 months in complex cases – Art. 12(3)). First copy free of charge.

Right to Rectification (Art. 16 GDPR)

You can have inaccurate or incomplete data rectified without undue delay.
Deadline: We act **within 1 month** (extendable by 2 months – Art. 12(3)).

Right to Erasure (“Right to be Forgotten” – Art. 17 GDPR)

You can request erasure if the data is no longer necessary, consent is withdrawn, you object, or processing is unlawful (unless exceptions apply, e.g. legal obligation, defense of claims).
Deadline: We erase **within 1 month** (extendable by 2 months – Art. 12(3)).

Right to Restriction of Processing (Art. 18 GDPR)

You can restrict processing (e.g. while verifying accuracy or during objection).
Deadline: We restrict **without undue delay** and notify you within **1 month** (extendable by 2 months – Art. 12(3)).

Right to Object (Art. 21 GDPR)

You can object at any time to processing based on legitimate interests (Art. 6(1)(f)) or direct marketing (Art. 21(2)). We stop processing unless we demonstrate compelling legitimate grounds that override your interests.
Deadline: We respond **within 1 month** (extendable by 2 months – Art. 12(3)).

Right to Data Portability (Art. 20 GDPR)

You can receive your data in a structured, commonly used and machine-readable format and transmit it to another controller.
Deadline: We provide it **within 1 month** (extendable by 2 months – Art. 12(3)).

Right to Withdraw Consent

Any consent given can be withdrawn at any time with effect for the future (Art. 7(3) GDPR).
Deadline: We stop processing **without undue delay** and notify you within **1 month** (extendable by 2 months – Art. 12(3)). Lawfulness of processing before withdrawal remains unaffected.

10. SSL Encryption & Technical and Organizational Measures (Art. 32 GDPR)

Our entire website uses HTTPS (TLS 1.3) – recognizable by the green padlock in your browser. We implement the following TOM (technical and organizational measures):

  • Encryption of data at rest and in transit
  • Role-Based Access Control (RBAC) & least-privilege principle
  • Firewalls, Web Application Firewall (WAF), intrusion detection/prevention
  • Regular penetration tests & security audits (at least annually)
  • Pseudonymization & anonymization where possible
  • Annual data protection training for all employees
  • Data processing agreements (Art. 28 GDPR) with all processors
  • Backup & disaster recovery concepts
  • Incident response & breach notification plan (Art. 33/34 GDPR)

11. Cookies & Similar Technologies

We use **only technically necessary cookies** (session management, CSRF protection, language preference – Art. 25 TTDSG). There is **no** advertising tracking, no Google Analytics, no Facebook Pixel, no third-party tracking. Details in our Cookie Policy.

12. Changes to This Privacy Policy

We may update this policy due to legal, technical or organizational changes. The current version is always available here. Significant changes will be notified to you by email or prominently on the platform (at least **30 days** in advance). Continued use after changes constitutes acceptance of the updated terms.

Xomyx – Verified Business Reviews & Trusted Company Ratings