
Privacy & Data Policy

Version: 2025.1
Effective Date: 28 MAY 2025

This Privacy & Data Policy ("Policy") sets out how Exenai Limited ("Exenai", "we", "our") collects, uses, stores, and protects personal data in the course of providing our services. It also includes our role as a data processor for our customers, and our compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws. This Policy forms part of the contractual agreement between Exenai and our customers and should be read in conjunction with the Master Services Agreement.


1. Scope


This Policy applies to:


  • All personal data we collect from users, customers, or visitors through our website, applications, platforms, or in the course of our business activities;

  • Personal data processed on behalf of our customers as part of providing services including the Exenai Platform, Candidate Experience Platform, and Automation-as-a-Service offerings.


This Policy applies to Exenai as both:


  • A data controller: when we collect personal data for our own purposes (e.g. website analytics, support contact);

  • A data processor: when we process personal data on behalf of our customers (e.g. candidate records or CRM data).

2. Definitions


"Personal data" means any information that relates to an identified or identifiable individual.


"Customer Data" means the data input, uploaded, or shared by our customers or their users, including Community Users (e.g. candidates and client representatives).


"Services" refers to our software, platforms, APIs, applications, integrations, portals, support, and any associated professional or automation services provided to customers.


"Community Users" means individuals who are authorised by our customers to access Exenai portals or interfaces, including candidates, clients, or other CRM-related users.


"Data Protection Law" means UK GDPR, the Data Protection Act 2018, and any applicable privacy regulations in the jurisdictions where we operate.


"Processor", "Controller", "Data Subject", "Supervisory Authority" and other relevant terms shall have the meanings given in UK GDPR.


3. How We Process Personal Data


3.1 As a Data Controller


We collect and process personal data for our own legitimate business purposes, including:


  • Managing customer accounts and subscriptions;

  • Responding to support enquiries or demo requests;

  • Sending updates about our services and policies;

  • Monitoring website usage and improving user experience;

  • Maintaining system security and preventing fraud.

The legal bases for processing include:


  • Performance of a contract (e.g. user registration and account access);

  • Legitimate interests (e.g. business analytics, service improvement);

  • Legal obligation (e.g. complying with regulatory or tax requirements);

  • Consent, where required for marketing or cookies (see Section 10).

3.2 As a Data Processor


When our customers use our services, they may upload or input personal data (e.g. candidate records, CRM or ATS data) into the Exenai Platform. In such cases:


  • The customer acts as the controller;

  • Exenai acts as the processor, processing such data strictly on the customer’s written instructions.


We process Customer Data to:


  • Provide and operate the Exenai Platform, including Community User portals;

  • Support user access, permissions, and record updates;

  • Enable automation, analytics, and integrations with other systems;

  • Maintain backups, monitor performance, and ensure data integrity.


Where we act as a processor, we do not:


  • Access or use Customer Data for our own purposes;

  • Share Customer Data with third parties, except as necessary for service provision and under contractual safeguards;

  • Retain Customer Data beyond the term of service (see Section 8: Retention).


4. Categories of Personal Data


We process the following categories of personal data, depending on the nature of the Services and the user’s interaction with our platform:


4.1 Data We Collect as Controller


  • Contact details: name, job title, company, email address, phone number

  • Account information: usernames, access logs, support tickets

  • Marketing preferences and communication history

  • Website usage data (e.g. IP address, browser, device type, location data)

  • Financial and billing details (e.g. invoicing contact, bank/payment information)


4.2 Data Processed on Behalf of Customers (as Processor)


  • Candidate data: CV/resume, contact details, work history, interview notes

  • Client contact data: names, emails, communication history, job order details

  • CRM data: status, tags, notes, compliance documentation, and interaction logs

  • Community User portal activity: login timestamps, form submissions, data updates

  • Optional integrations: LinkedIn data, job board interactions, or third-party service data (as configured by the customer)


We do not intentionally collect or process special categories of personal data (e.g. health, political views, biometric data) unless explicitly instructed by the customer and subject to appropriate safeguards under the customer’s responsibility.


5. Data Sharing and Subprocessors


We do not sell personal data. However, we may share personal data with third parties as follows:


5.1 Subprocessors and Service Providers


We use trusted third-party providers (subprocessors) to help us deliver and support our services. These include providers of:


  • Hosting infrastructure (e.g. Hetzner, Microsoft Azure);

  • Communication and email delivery platforms;

  • Analytics, monitoring, and security tools;

  • Identity and access management systems;

  • Integrations, plug-ins, and automation services.


Each subprocessor is contractually bound to only process data in accordance with Exenai’s written instructions, and subject to appropriate confidentiality, security, and data protection obligations.

A current list of subprocessors is provided in Schedule A to this Privacy & Data Policy and is also available upon request.


5.2 Legal and Regulatory Disclosures


We may disclose personal data to courts, regulators, law enforcement, or other authorities:


  • When required by applicable law or regulation;

  • To comply with legal process or respond to valid requests;

  • To enforce our legal rights or investigate potential violations of our terms.


5.3 Business Transfers


If we are involved in a merger, acquisition, restructuring or sale of assets, personal data may be transferred as part of that transaction, subject to confidentiality and continued protection under this Policy.


6. Security Measures


We are committed to protecting the confidentiality, integrity, and availability of personal data. We implement appropriate technical and organisational measures, including:


  • Data encryption in transit and at rest;

  • Role-based access controls and user authentication;

  • Regular vulnerability scans and security patching;

  • Independent security audits and testing;

  • Use of secure, certified data centres (see Schedule 2);

  • Staff training and internal access governance.


Access to personal data is strictly limited to authorised personnel and subprocessors with a legitimate operational need. All access is logged and monitored for suspicious activity.


Where required under applicable law, we will notify customers of any personal data breach without undue delay.


7. International Data Transfers


We may process and store personal data outside of the country in which it was collected, including outside the UK or European Economic Area (EEA), particularly when using trusted hosting providers or subprocessors.


Whenever we transfer personal data internationally, we ensure that appropriate safeguards are in place in compliance with Data Protection Law, such as:


  • Transfers to countries deemed to have adequate protection by the UK government or European Commission;

  • Use of Standard Contractual Clauses (SCCs) approved by the UK ICO or EU Commission;

  • Additional contractual, technical, or organisational measures as necessary to ensure protection.

Details of specific international transfers and the safeguards applied can be requested by contacting us using the details provided in Section 12.


8. Data Retention


We retain personal data only for as long as is necessary for the purposes outlined in this Policy, or as required by law.


8.1 Data We Control


Data collected by Exenai as a controller (e.g. contact, account, billing, or support data) is retained:


  • For the duration of the customer relationship;

  • For up to 7 years thereafter, where required for legal, regulatory, or contractual reasons;

  • Or until a valid request for erasure is received, subject to our legal obligations.

8.2 Customer Data (Processed on Behalf of Customers)


Where we act as a processor, we retain Customer Data:


  • Only for the duration of the agreement with the customer;

  • For up to 60 days following termination, to allow for secure export and recovery (unless otherwise agreed);

  • After which, Customer Data is securely deleted from all systems and backups.


Retention periods may vary depending on the nature of the data and our contractual commitments to customers.


9. Data Subject Rights


We respect the rights of individuals over their personal data. Where we act as a controller, individuals may exercise the following rights under UK GDPR:


  • Access: to request a copy of personal data held about them;

  • Rectification: to correct inaccurate or incomplete data;

  • Erasure: to request deletion of personal data, subject to legal grounds for retention;

  • Restriction: to limit how we use their personal data in certain circumstances;

  • Objection: to object to processing based on our legitimate interests;

  • Portability: to receive a copy of their data in a structured, commonly used, and machine-readable format where applicable.


Requests may be submitted to privacy@exenai.com or using our contact details in Section 12. We will respond within the timeframes required by applicable law.


Where we act as a processor, data subjects should direct their requests to the relevant customer (the data controller). Exenai will support its customers in responding to such requests as required under our agreement and applicable law.


10. Cookies and Website Tracking


We use cookies and similar tracking technologies on our websites and applications to improve user experience, analyse site traffic, and deliver relevant marketing.


10.1 Types of Cookies We Use


  • Essential cookies – necessary for core website functionality;

  • Analytics cookies – help us understand website performance and user behaviour (e.g. Google Analytics);

  • Functionality cookies – enhance features such as saved preferences;

  • Marketing cookies – used to deliver targeted advertising based on browsing behaviour.


10.2 Cookie Consent and Control


Where required by law, we seek user consent before placing non-essential cookies. Users can manage or withdraw consent at any time using our cookie consent tool or browser settings.


We honour Do Not Track signals where technically feasible.


More detailed information is available in our Cookie Policy.


11. AI Usage and Automated Processing


Some of our Services include features powered by artificial intelligence (AI) and machine learning (ML), such as predictive insights, data enrichment, automated messaging, and workflow automation.


Where these features involve the processing of personal data:


  • The outputs are based on patterns and statistical inference, and should not be treated as definitive or conclusive;

  • The Customer is responsible for reviewing and validating AI-generated insights before using them in any hiring, outreach, or business decision-making;

  • Customers must not use Exenai’s Services to make solely automated decisions that produce legal or similarly significant effects on individuals unless compliant with Article 22 of UK GDPR or equivalent laws.


We do not use personal data to train generic third-party AI models. Any training, tuning or fine-tuning of our models is limited to anonymised and aggregated data where legally permissible.


Customers remain responsible for their use of AI features within our platform and must ensure that such use complies with applicable laws, ethics, and fairness obligations.


12. Contact and Complaints


If you have any questions about this Privacy & Data Policy, or if you would like to make a request or raise a concern about how your data is being handled, you can contact us at:


  • Email: privacy@exenai.com

  • Post: Data Protection Officer, Exenai Limited, 85 Great Portland Street, London, W1W 7LT, United Kingdom


We aim to respond to all requests within the timeframes required by law.


If you are not satisfied with our response or believe that your data has not been processed in accordance with applicable data protection laws, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local supervisory authority.

Schedule A - Subprocessors

Exenai uses the following third-party service providers ("Subprocessors") to support the delivery of its services. These subprocessors are authorised under written agreements that require confidentiality, security, and compliance with applicable data protection laws.

Subprocessor         | Service Provided                   | Purpose                                      | Location
---------------------|------------------------------------|----------------------------------------------|------------------
Hetzner Online GmbH  | Cloud hosting and infrastructure   | Hosting of the Exenai Platform               | Germany (EU)
Microsoft Azure      | Cloud infrastructure (CEP)         | Hosting of Candidate Experience Platform     | UK & Netherlands
Google Workspace     | Productivity tools (email, docs)   | Internal support, customer deliverables      | United States
HubSpot Inc.         | CRM, marketing, and form tracking  | Marketing automation, lead forms             | United States
Google LLC           | Website analytics                  | Website traffic monitoring                   | United States
ClickUp              | Project management                 | Customer project tracking and collaboration  | United States
Wix.com Ltd.         | Website hosting, cookie banner     | Public-facing website, cookie consent        | EU / US