Skip to main content


Privacy Policy | GDPR | Cookies | Security

This Privacy Policy explains how Xi, WE or US (‘We Are Xi Limited’) uses, secures and protects your personal data.

Company address and contact details:
Full company name
: We Are Xi Limited
Full address: ‍Unit 25, Riverside Business Park, Lyon Road, SW19 2RL, United Kingdom
Company number: 13055716 (registered in England & Wales)

Companies using the ‘Platform’, Xi’s technology platform and handling European user data may need to sign a Data Processing Agreement (DPA). If we need this from you then we will notify you via email or phone.


  • Account means a unique account created for You to access our platform or parts of our platform.
  • Platform is our (‘Xi’) technology platform used for all services or most of our services.
  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to We Are Xi Limited, Unit 25, Riverside Business Park, Lyon Road, SW19 2RL.
  • Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
  • Country refers to: United Kingdom
  • Personal Data is any information that relates to an identified or identifiable individual.
  • Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  • Website refers to We Are Xi Limited , accessible from
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Privacy Policy

The pages on the website (“the website”) are published by We Are Xi Limited (“us” or “we”). We Are Xi Limited (“us” or “we”) will not collect any information about individuals, except where it is specifically and knowingly provided by them.

Examples of such information are:
– Your full name including first name and last name
– Your mobile/ telephone number
– Your email address

The information collected will be used to send you the information you have requested and to provide information that may be useful to you. We may share non-personal aggregate statistics (group) data about our site visitors’ traffic patterns with partners or other parties. However, we do not sell or share any information about individual users.

By using our sites you consent to the use of cookies in accordance with our Cookies Policy. You will have seen a pop up to this effect on your first visit to this website; although it will not usually appear on subsequent visits you may withdraw your consent at any time by following the instructions on this page. See our cookie page for more information on the types of Cookies we use.

In addition to the company’s safeguards, your personal data is protected in the EU by UK GDPR (‘Data Protection and Compliance’). This states that the data we hold about you will be processed lawfully and fairly. It should be accurate, relevant and not excessive. The information should be kept up to date, where necessary, and not retained for longer than is necessary. It should be kept securely to prevent unauthorised access by other people. You have the right to see what is held about you and correct any inaccuracies online. You can do this by using the “contact us” link on any page located in the navigation bar or footer of the website.

Please note that some of the rights outlined in this document are subject to exceptions. We may be required to refuse or not comply with a request.

Your rights include:

Your right to complain – You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues ( We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Your right to access your data – You have the right to request a copy of the data which we hold about you. This includes other information related to you which has been used in an interaction with our service. Also including any consented content on behalf of anyone aged 16-18 which has been agreed to on behalf of a parent or guardian. To do so we will request and require proof of identity and authority from which the person must comply in order to receive access. This includes authorisation and proof of anyone else’s data you are attempting to request. We will then ensure only information provided is personal and correct to only you. If you believe that we have personal information on you however this is no longer stored due to destroyed data inline with our retention policy we ask that you please check our policy before requesting access. All of our customers have the ability to access their data through our web application, known as our platform.

Your right to withdraw consent to direct marketing – Consent can be withdrawn at any time and you have the right to request an update to your preferences. Any and all marketing information we or our partners send you will have an unsubscribe section whereby you can exercise your right to opt out, the same way you originally opted in. If this is not the case, get in touch via our contact page. In the instances where you opt in while using our products and services which involve one of our partners/ clients in which our services are white labelled but outlined explicitly in the terms and conditions on the application you can withdraw consent however this is not actively updated without requesting unsubscribing from the end contact, this being the business you have given permission to via optional consents.

Your right to data deletion – our customers and users of our services may Contact Us with any erasure queries. In the circumstances where you have explicitly requested and we have no legal requirement to store your personal data may be erased and destroyed. This includes such items as identifying information, contact data, usage and interaction data and any all media content where this is applicable.

Your right to restrict processing – our customers have the right, under certain circumstances, to restrict the processing of their data. In this case, we will not process their data for any purpose other than storing it.

Your right to object – our customers may Contact Us with any objections.

Your right not to be subject to automated decision – including profiling; we don’t do this and have no plans to do this.

Yes. And we can help you with getting consent to use user-generated content in your marketing materials. Just get in touch.
We Are Xi Limited treats all the data held with the utmost care and security. Any details you give will remain completely confidential.

(General Data Protection Regulation)

Whilst our Privacy/ Terms covers all aspects of UK GDPR we wanted to provide a clear document detailing the 12 points of GDPR. For the purposes of this document SERVICE means We Are Xi Limited. WE means the company providing the SERVICE as per point 12. We Are Xi Limited’s data is stored in the United States, in situations where it is transferred and stored in the EU sub-processors are on the certified EU-US Privacy Shield framework.

We use a number of sub-processors all of which have confirmed their GDPR compliance. While not every sub-processor is listed in our privacy policy, for clarity we have included the main current list of main sub-processors:

Sub-processor: SendGrid | Office Location: USA | Purpose: Email Notifications
Sub-processor: Twilio | Location: USA | Purpose: SMS/MMS Notifications
Sub-processor: Azure | Office Location: USA | Purpose: Hosting Provider
Sub-processor: Amazon AWS | Office Location: USA | Purpose: Hosting Provider
Sub-processor: Xero | Office Location: USA | Purpose: Accounting Software
Sub-processor: Scoro | Office Location: London | Purpose: Newsletter Marketing
Sub-processor: Google Analytics | Office Location: USA | Purpose: Website usage tracking


Our employees, responsible for infrastructure, software development and support are fully aware of the concepts and principles of UK GDPR.

User data (the users of our products)

: ‍Personal data or personal information is also known as PII data which means information regarding any individual whereby the person can be identified.

How: We collect personal information from users which interact with our site and or our applications/ platform. This information includes by is not limited to the following as this can change on a case-by-case basis. Our basic product collects the following information:

2.1: How we identify you – Identifying Data such as first name, last name and date of birth.
2.2: How we contact you – Contact Data such as full residential address, email address and phone number.
2.3: Usage data such as information about your interactions with our website or other services which involve the use of our applications or platform. Products and services offered by us can change on a case by case basis.
2.4: Marketing and communications data from which your preferences allow for the receiving of marketing information by us which can be granted through our services by an optional opt-in process.

All of this information will be provided by you from using our products or services. Everytime we collect information about you; you will be explicitly informed and an opt-in process and terms & conditions will be used.

WE and our clients use different methods to collect data from and about you; these methods include:

3.1 Direct interactions such as you using our services, which are often through a partner agency, brand or client. We provide technology solutions which are used across various platforms and industries including but not limited to Retail, Events (experiential) and Attractions.

– Consent: subscribe to our services or our clients services through interfacing with our technologies, in which to do so consent and terms must be agreed to.
– Partners: information a partner already holds on you for the purpose of accessing relevant services all of which have been outlined in their terms and privacy policy. All of which is subject to agreement with you the user before this is obtained or collected.
– Competition: register to take part in a competition with a chance to win; all are subject to conditions and these change on a case by case basis. For explicit details for each competition these are outlined through the product or service you are accessing/ interfacing with.
– Contact us: get in touch with us via our website.
We reply to all access requests within 4 weeks (the legal limit from GDPR is 1 month).
All access requests are free of charge.

Definition: Data Retention – the duration for which we can keep your personal data.

We will only retain your personal data for as long as necessary to fulfil its purpose that it was collected for; including the requirements for reporting or accounting.

Identification data, contact data – This data is kept for the minimum amount of time possible before being deleted from our system (mostly within 12 weeks, depending on needs). It is only used for the purposes for which the user has given consent. This is inline with the ICO UK GDPR lawful basis for processing all data. We cannot use the data or pass it on to anyone without the explicit consent from the user.  Consent purposes vary on a case-by-case basis however such consent can include marketing, newsletter sign ups, competitions and order processing. All consent is optional and based on a straight opt-in policy. Which the user can withdraw at any time. Processing of data is based on a purpose to solely benefit the user.

The purpose of which data has been obtained and processed can dictate the length or the retention period. Some of the data is kept for a very short time whereas other information may be retained for longer periods. Retention periods can be changed to a case by case basis but are always outlinted explicitly in all terms and conditions that agree with the customer and user.

In-line with Article 6 of the UK GDPR act we ensure user consent is the lawful basis for processing all personal data.

Definition – Consent: the individual has given clear consent to process their personal data for a specific purpose.

The legal basis for processing personal data largely depends on the type of information, the purpose and the relationship/ nature of how it is processed. We request and service; data processing and service level agreement which are contractual obligations to which are entered into on a legal basis with our customer.

Our users will enter into agreements with us for the processing of their data based solely on a consent basis in which each consent is processed separately and opted into individually.There are a large number of legal bases for our use of personal data such as to enable us to comply with our legal responsibilities (for example a contract we have with a customer or which the law imposes on us) or that the processing is in our legitimate interests.

7.1 Our customers:
Consent is provided by our customers when signing up for the service and logged by us. This consent can be used in some of the following ways:

– Showing media content created on our experiences on large screens during the event.
– Opt in to a competition with clear guidelines on how to enter and subject clauses.
– Newsletter and marketing are subject to agreement of the exact purpose; which must and is always agreed before use by the users of the products.

7.2 Users of our products:
Consent is provided by our users when using the products. Consent can be withdrawn at any time. Our services operate under a strict opt-in policy where the user has the choice and opportunity to choose for themselves.

8.1 Our customers:
This service is not available to Children (under the age of 16).
Our product is strictly B2B (business-to-business).

8.2 Our users:
Photos and data of under 16s will only be processed with the express consent of their parent or guardian. In cases of B2C (business-to-consumer) data and content is only processed with the appropriate consent provided.

Please see frequently asked questions rregarding We Are Xi’s information security below.

We only use third party service providers where we are satisfied that they provide adequate security for your personal data.

Primarily hosted in North Europe in the Ireland region (Dublin), as well as some hosting in the East U.S Virginia region. They provide physical security protection measures and adhere to high quality standards.

Application security:
Security in our software is very important, we are frequently scanning for vulnerabilities using Azure Application Inspector. We also do the following:

– Encrypt all your data in transit using TLS.
– Use transparent data encryption for SQL Database and backups.
– Rate limits IPs abusing the service.
– Strong password rules for username and password accounts (2FA coming soon).

Disaster recovery / business continuity:
Our services are provided by Azure based in Ireland & Virginia U.S with a near 100% up time. We can also scale resources automatically based on demand to avoid any performance issues.

Team security practices:
Security is the responsibility of each and every one of our employees, we provide training so that they can identify security risks.
– Our systems and user data is restricted to only employees who absolutely require access, which can vary between projects.
– Use of 2-Factor-Authentication on all our 3rd party accounts (eg. Azure, Google, Sendgrid, etc & more).
– We never sell your data or your user’s data.
– Security and Data Privacy always comes first when implementing new features.

In the unlikely event of a security breach, we will notify customers and the relevant supervisory authority within 24 hours.

Security and Data Privacy always comes first when implementing new features, our Data Protection Officer is involved at every stage of development.
For the purposes of We Are Xi Limited and related services our Data Protection Officer is:
– Henry Boydell / Technical Director
We operate and are established in the UK (England), our supervisory authority is the ICO (Information Commissioner’s Office) based in the UK.

This website uses cookies. We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. Cookies are small text files that can be used by websites to make a user’s experience more efficient.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages. Your consent applies to the following domains:

Cookie declaration last updated on 08/09/2020 by Cookiebot.

Q1. How long do we keep your data?
We keep customer data for 13 months. We keep users of our product’s data for 12 weeks.

Q2. How can I report a security issue?
Contact our DPO at

Q3. Have you had an incident that resulted in a data breach?
No, however if such an incident ever occurs we will post a full incident report (in public) and notify all customers.