This document outlines the personal data processed by xpath, explaining how and where it is used, the protective measures in place, access to it, sharing practices, and correction procedures in compliance with EU Regulation 2016/679 (GDPR).
As xpath.global operates as a B2B Platform, the majority of the data processed is company-related. However, personal data of employees of the parties, affiliates, commercial partners, consultants, etc., may also be used on the Platform by the Beneficiaries. In strict compliance with GDPR, xpath.global treats all information that may identify a physical person as personal data and ensures appropriate protection.
This Privacy Policy applies to the personal data processed by xpath.global as a data controller on its website and Platform for its clients. This document does not cover:
• Any personal data exchanged between the Beneficiary and the Provider for the provision of Services or the fulfillment of Orders on the xpath.global marketplace;
• Any personal data processed by the Platform Beneficiaries as data controller (or a data processor, in which case xpath.global is a sub-processor). Such data processing is governed by the Data Processing Agreement in Annex 1 (Data Protection Annex) to the Terms and Conditions for the Use of xpath. Platform
All definitions found in the Terms and Conditions are applicable to this document and are supplemented with definitions from GDPR Regulation.
1. Data Collection
When clients register on the Platform, whether as a Beneficiary, or a Provider or another type of Platform user, xpath.global requests representative company data. This may include basic personal data of the company, such as name, telephone number, or email address.
Beneficiaries may also create accounts on the xpath Platform for any of their expatriates, assignees, remote workers, foreign recruits and business travelers irrespective of their specific contractual relationship with the Client, such as employees of the parties, affiliates, commercial partners, consultants, etc. In these cases, data similar to the one mentioned above may be required, and additional relevant information for using the Platform may also be requested.
Data may also be collected from xpath Platform users when using interactive website tools like customer reviews, posts, or other materials, or during contact through email, telephone, postal mail, or any other communication method, including online communication tools and social media.
For website visitors, technical data necessary for proper website usage is collected, unless specific consent is given for other services (e.g., subscribing to the newsletter or contacting xpath.global).
2. Data Use
The data collected, as described above, is used for the following purposes:
2.1. Providing Platform Services
xpath.global manages a multi-service provider marketplace, listing services from various Providers . As a marketplace, xpath.global provides a platform for Beneficiaries representatives and other Platform users to purchase services from Providers and the mobile app xpath.one – Expatriate Mobile app, which provides an easy mobile access for expats to the services included in the xpath.global marketplace.
2.2. Contact and Support
Platform users may be contacted via phone or email to resolve or process a technical issue, request feedback, or discuss any review, post, or similar communication made on the site. If a user has inquired about a particular service or added it to My Favorites or their Cart, xpath.global may send relevant information about that particular service via email or another mode of contact. For instance, if a Platform user showed interest in a specific product and a new similar product is listed on the website, xpath.global may email to inform about the new product. Users who have previously “opted out” of receiving emails will not receive any. Userswill always have an opportunity to opt out of such emails before they are sent.
2.3. Newsletter
Any persons who subscribes to the newsletter or blog updates will receive regular updated information via email. Of course, the persons may unsubscribe at any time.
2.4. Technical Data
3. Legal Basis
Below is a summary of the legal basis for each activity. A “Legitimate Interests Assessment” has been conducted for any process where Legitimate Interests are listed as the legal basis for
processing such data.
Type of Activity
•Receiving data as a user of the Platform, Beneficiaries, Providers or other type of platform Users– the legal basis for this action is Legitimate Interest, and individuals have the right to object to this processing based on legitimate interests. In the exceptional case when the Platform user is a physical person, the legal basis is the contract with the data subject.
• Sending emails about similar products and services to your professional email address provided at registration – the legal basis for this action is Legitimate Interest, and individuals have the right to object to this processing based on legitimate interests, including objecting to direct marketing.
• Subscribing to the newsletter or other updates – the legal basis for this action is consent, and individuals have the right to withdraw their consent, for example, using the unsubscribe option.
• Processing technical data (including IP addresses) – the legal basis for this action is Legitimate Interests in order to prevent fraud.
Additionally, no data is used for decisions based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects individuals.
4. Transferring Your Data
In providing the xpath Platform and services, xpath.global cooperates with third-party service providers who act as data processors to assist in providing marketplace services. These service providers are in principle Amazon Web Services (for hosting services) and Stripe (only in case of online payments) . All necessary contracts and agreements are in place with these providers to ensure compliance with legal and privacy protection requirements.
Essentially, xpath.global will not reveal any personal data about its users to third parties, except as mentioned in the exceptions below.
Exceptions include disclosure of personal data to competent authorities upon their legal request and in accordance with applicable laws, or whenever necessary to protect the rights and interests of clients and xpath.global.
Please note that there is a possibility of the transfer of data outside the EEA (European Economic Area), primarily when using a Provider from the marketplace located outside the EEA. Some countries offer similar privacy protection to EEA countries, while others do not. We recommend that the Beneficiary, Provider make their own analysis of the applicable data protection legislation in those specific transfers.
As far as xpath.global is concerned as a data controller in cases where data needs to be transferred to a country without similar protection, reasonable efforts will be made to ensure the recipient of the data complies with the highest international privacy standards. This may include being located in a country offering an adequate level of personal data protection according to European Union standards (art 45 GDPR) or other appropriate safeguards, including Standard Contractual Clauses (art 46.2 GDPR).
5. Storing Data
Data will be retained only for as long as necessary for its intended purpose and/or as legally required.
• Account-related personal data will be retained for the entire period while the Beneficiary, or user account is open and for 3 (three) years after its closure. This is to ensure proper fulfillment of the contract between the involved companies or for the establishment, exercise, or defense of legal claims between the parties.
• Other data, such as support activities, will be kept for a period of up to 5 (five) years from the date and time the support activities were provided, unless the conditions mentioned in the preceding paragraph apply.
• Legitimate interest-based communication data will be stored until an objection is raised or interest is no longer shown in the products and services, unless the conditions mentioned in the first paragraph of this section apply.
• If data is collected based on consent, it will be kept until consent is withdrawn or interest is no longer shown in the products and services.
In all the aforementioned cases, log data and other metadata might be retained for unsubscribing or data deletion, in the event a complaint is received or for the establishment, exercise, or defense of legal claims.
If an individual is provided with a username, a password, or any other piece of information as part of the security procedures, they must treat such information as confidential and not disclose it to any other person.
6. Rights of the Client Under GDPR
The General Data Protection Regulation (GDPR) provides the data subjects with various privacy rights, many of which have been outlined in previous sections. Here are the data protection rights explained in detail.
• Right of Access: The data subject, holds the right to request a copy of the personal information held by xpath.global at any time. This includes verifying the lawful processing of this data.
• Right of Rectification: Should the personal information held by xpath.global be inaccurate, outdated, or incomplete, the data subject has the right to request rectification or completion.
• Right of Erasure: Under specific circumstances (e.g., when the information is no longer necessary for the purposes for which it was collected or processed or when consent was the legal basis), the data subject can request the erasure of personal information held by xpath.global .
• Right to Object or Restrict Processing: In certain situations, the data subject may object to xpath.global’s processing of their personal information. For example, if xpath.global processes the data subject’s information based on legitimate interests and there are no compelling legitimate grounds that override the data subject’s rights and interests.
• Right of Data Portability: In certain instances, the data subject is entitled to receive any personal information held by xpath.global in a structured, commonly used, and machine-readable format.
• Right to Withdraw Consent: In limited circumstances (e.g., newsletter subscription) where the data subject provided consent for the collection, processing, and transfer of their personal information for a specific purpose, they have the right to withdraw their consent for that specific processing at any time. To exercise this right, the client should contact xpath.global at office@xpath.global.
Exercising These Rights
The data subject can exercise their right to withdraw consent and any other rights granted by GDPR by notifying xpath.global via email at office@xpath.global. Alternatively, the client can write to xpath.global at the provided postal address or inform xpath.global if they prefer to communicate via telephone or other means.
The data subject also has the right to file a complaint with a competent supervisory authority or lodge a complaint in a competent court of law.
This Privacy Policy was adopted on the date indicated in the document’s title and will be revised whenever necessary without prior or subsequent notice of the changes. The new version will take effect upon publication on the website and will be appropriately marked. The current document is accessible at https://xpath.global/privacy-policy/