Privacy Policy

1. Introduction & Scope

Xelium Labs ("Xelium", "we", "our", or "us") is a global technology services company delivering consulting, digital transformation, managed services, Global Capability Center (GCC) solutions, cybersecurity, cloud engineering, staffing, and data-driven business solutions to clients across the world.

We are deeply committed to protecting the privacy, confidentiality, and security of personal information entrusted to us — by clients, business partners, job applicants, website visitors, employees, and service users.

This Global Privacy Policy ("Policy") applies to all personal information processed by Xelium Labs across all business functions, digital touchpoints, geographies, and service lines. It satisfies requirements under CCPA/CPRA, India DPDPA 2023, PDPA, PIPEDA, and other applicable laws.

This Policy governs personal information collected when you:

  • Visit or interact with our website(s) and digital platforms
  • Engage with or use our services as a client or prospective client
  • Apply for employment or submit a professional profile
  • Communicate, correspond, or participate in events with us
  • Are identified as a data subject in connection with services we provide

2. Who We Are — Data Controller Information

For the purposes of applicable data protection legislation, Xelium Labs acts as a Data Controller for personal information it processes about individuals, and as a Data Processor for certain personal information it processes on behalf of its clients.

Field | Details
--- | ---
Legal Entity | Xelium Labs
Registered Address | To be completed by Xelium Labs legal team
Privacy Contact | privacy@xeliumlabs.com
Website | https://xeliumlabs.com
Privacy Officer | privacy@xeliumlabs.com

Where Xelium Labs operates through subsidiaries or affiliates, each entity may act as a co-controller or processor, and this Policy applies across all such entities unless a separate, supplementary notice is provided.

3. Information We Collect

We collect personal information from multiple sources to provide, improve, and secure our services:

3.1 Information You Provide Directly
  • Identity Data: Full name, job title, employer, professional credentials
  • Contact Data: Email address, phone number, postal address, country of residence
  • Account & Authentication Data: Login credentials, account preferences, security settings
  • Employment / Recruitment Data: CV, resume, cover letter, work history, education, references, interview notes
  • Financial Data: Billing address, payment references, invoice details (no full card numbers stored)
  • Communications Data: Messages, emails, meeting notes, support tickets, feedback, survey responses
  • Contractual Data: Service agreements, statements of work, NDA details

3.2 Information Collected Automatically
  • Technical Data: IP address, browser type and version, device type, operating system, screen resolution
  • Usage Data: Pages visited, clicks, session duration, referrer URLs, feature usage, error logs
  • Location Data: Approximate geographic location inferred from IP address
  • Cookie & Tracking Data: Session cookies, analytics tags, advertising pixels (see Section 6)

3.3 Information Received From Third Parties
  • Professional Networks: LinkedIn and similar platforms (where you share your profile publicly)
  • Reference Providers: Background check agencies (with consent, where required by law)
  • Business Partners: Contact information shared by clients or referral partners
  • Public Sources: Company registries, court records, regulatory filings
  • Analytics Providers: Aggregated behavioral and demographic data to improve services

3.4 Special Categories of Data

Xelium Labs does not routinely collect special categories of personal data (sensitive data such as health, biometric, racial/ethnic origin, religious beliefs, or political opinions). Where such data is exceptionally required — for example, for occupational health or equal opportunity monitoring — we will obtain explicit consent and implement enhanced safeguards.

4. How We Use Your Information

We use personal information only for purposes that are lawful, transparent, and proportionate. The primary purposes for which we process data include:

Purpose | Examples | Legal Basis
--- | --- | ---
Service Delivery | Fulfilling contracts, managing client engagements, delivering managed services | Contractual necessity
Business Operations | Invoicing, reporting, performance management, compliance audits | Legitimate interests / Legal obligation
Recruitment | Evaluating candidates, conducting interviews, onboarding employees | Consent / Pre-contractual steps
Marketing & Communications | Newsletters, event invitations, thought leadership (opt-in) | Consent / Legitimate interests
Security & Fraud Prevention | Access monitoring, threat detection, incident response | Legitimate interests / Legal obligation
Legal & Regulatory Compliance | Tax filings, audit responses, litigation support | Legal obligation
Product Improvement | Analytics, feature usage, user feedback | Legitimate interests / Consent

We will not use your personal information for purposes incompatible with those listed above without providing a new privacy notice and, where required, seeking additional consent.

5. Legal Bases for Processing — Global Framework

Xelium Labs processes personal information based on one or more of the following legal grounds, depending on the applicable jurisdiction and purpose:

  • Consent: You have freely given, specific, informed, and unambiguous consent. You may withdraw consent at any time without detriment, by contacting privacy@xeliumlabs.com.
  • Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
  • Legal Obligation: Processing is required to comply with applicable laws and regulatory requirements.
  • Legitimate Interests: Processing is necessary for our legitimate business interests — such as improving our services, ensuring IT security, and preventing fraud — provided those interests are not overridden by your rights and freedoms.
  • Vital Interests: In rare cases, processing may be necessary to protect the vital interests of any person.
  • Public Task: Where we process data in connection with a public interest or official authority.

Jurisdiction-Specific Notes: Under India’s DPDPA 2023, we rely on consent and legitimate uses as defined in the Act. Under CCPA/CPRA, we honor opt-out rights and do not sell or share personal information for cross-context behavioral advertising without consent.

6. Cookies & Similar Technologies

Our websites and digital platforms use cookies, web beacons, pixel tags, and similar technologies. We use these to:

  • Ensure website functionality and security (essential cookies, always active)
  • Analyze traffic patterns and usage behavior (analytics cookies, with consent)
  • Personalize content and improve user experience (preference cookies, with consent)
  • Support marketing measurement and re-engagement (marketing cookies, with consent)

You may manage cookie preferences at any time via our Cookie Preference Centre (accessible in the website footer). Withdrawing non-essential cookies will not affect your ability to use our core services. We honor Global Privacy Control (GPC) signals where applicable.

For a full list of cookies, their purpose, duration, and the third parties involved, please refer to our Cookie Policy available at https://xeliumlabs.com/cookie-policy.

7. Information Sharing & Disclosure

Xelium Labs does not sell, rent, or trade personal information. We may share information with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate contractual and legal safeguards:

7.1 Within Xelium Group

Personal information may be shared with Xelium Labs subsidiaries, affiliates, and global capability centers for service delivery, support, and business operations. All intra-group transfers are governed by binding intra-group data sharing agreements.

7.2 Service Providers & Processors

We engage trusted third-party processors — such as cloud hosting providers, payment processors, background verification agencies, and marketing platforms — solely to support our operations. All processors are bound by Data Processing Agreements (DPAs) meeting applicable legal standards.

7.3 Clients & Business Partners

In the context of service delivery, information about our personnel or subcontractors may be shared with clients. Such sharing is governed by contractual obligations and applicable data protection law.

7.4 Legal & Regulatory Authorities

We may disclose information where required by law, court order, regulatory authority, or governmental body. We will notify you of such disclosures where legally permissible.

7.5 Corporate Transactions

In the event of a merger, acquisition, divestiture, or other corporate transaction, personal information may be transferred to the relevant parties. Data subjects will be notified as required under applicable law.

8. International Data Transfers & Safeguards

As a global organization, Xelium Labs may transfer personal information across borders. We ensure all international transfers are protected by appropriate safeguards, including:

  • APEC Cross-Border Privacy Rules (CBPR): Applied for cross-border transfers within Asia-Pacific jurisdictions, ensuring consistent data protection standards.
  • Adequacy Determinations: Transfers to countries recognized as providing an adequate level of data protection by the applicable regulatory authority.
  • Contractual Safeguards: Data transfer agreements with recipients that impose equivalent data protection obligations.
  • Binding Corporate Rules (BCRs): Under evaluation for adoption across the Xelium Group to govern intra-group international transfers.
  • Consent: Where no other mechanism applies, explicit consent is obtained from the data subject prior to transfer.

You may request details of the applicable transfer safeguards for your specific data by contacting privacy@xeliumlabs.com.

9. Information Security

We implement a robust, multi-layered security framework commensurate with the risk to personal information and aligned with internationally recognized standards (ISO/IEC 27001, NIST CSF, SOC 2):

Technical Safeguards
  • End-to-end encryption: Data in transit (TLS 1.2/1.3) and at rest (AES-256)
  • Multi-factor authentication (MFA): Across all critical systems
  • Role-based access controls (RBAC): With least-privilege principles
  • Intrusion detection and prevention systems (IDS/IPS)
  • Regular penetration testing and vulnerability assessments
  • Secure cloud infrastructure: With leading providers (AWS, Azure, GCP)

Organizational Safeguards
  • Mandatory privacy and security training: For all staff (annual refresh)
  • Confidentiality obligations: Embedded in all employment and vendor contracts
  • Formal Data Protection Impact Assessments (DPIAs): For high-risk processing activities
  • Privacy-by-design and privacy-by-default: Embedded in product and service development
  • Dedicated Security Operations Center (SOC): Continuous monitoring

No system can guarantee absolute security. In the event of a security incident affecting your personal information, we will notify you in accordance with applicable law (see Section 15).

10. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law, regulation, or legitimate business need. Retention periods vary by category:

Data Category | Retention Period
--- | ---
Client & Contract Data | Duration of engagement + 7 years (legal/regulatory)
Recruitment Data (unsuccessful) | 12 months from decision, or as required by local law
Employee Data | Duration of employment + 7 years
Website Analytics & Cookies | Up to 24 months (or as set in cookie settings)
Marketing & Contact Data | Until opt-out or 3 years of inactivity
Incident & Security Logs | Up to 3 years (security investigation purposes)
Financial & Billing Records | 7–10 years (tax and audit obligations)

Upon expiry of the applicable retention period, personal information is securely deleted, anonymized, or pseudonymized in accordance with our Data Retention & Disposal Standard.

11. Your Privacy Rights by Jurisdiction

Depending on your country of residence and applicable law, you may have some or all of the following rights regarding your personal information:

Right | Description
--- | ---
Access | Obtain a copy of personal information we hold about you and information about how it is processed.
Rectification / Correction | Request correction of inaccurate or incomplete personal information.
Erasure / Deletion | Request deletion of your personal information where it is no longer necessary or lawfully held.
Restriction of Processing | Request that we temporarily restrict how we use your data in certain circumstances.
Data Portability | Receive your personal information in a structured, machine-readable format (where technically feasible).
Object to Processing | Object to processing based on legitimate interests or for direct marketing purposes at any time.
Withdraw Consent | Withdraw consent at any time where processing is consent-based, without affecting the lawfulness of prior processing.
Non-Discrimination (CCPA) | Exercise your privacy rights without receiving discriminatory treatment in services or pricing.
Opt-Out of Sale/Sharing (CCPA/CPRA) | Opt out of the sale or sharing of personal information for cross-context behavioral advertising.
Grievance Redressal (DPDPA) | Submit a complaint to the Data Protection Board of India if your rights under the DPDPA 2023 are violated.
Automated Decision-Making | Not be subject to decisions based solely on automated processing that produce significant legal effects, without human review.

To exercise any of these rights, submit a verifiable request to privacy@xeliumlabs.com. We will respond within the timeframe required by applicable law (typically 30 days; up to 45 days where permitted with notice). We may ask you to verify your identity before processing your request.

12. Children’s Privacy

Xelium Labs’ services and platforms are designed for and directed to business professionals and enterprises. We do not knowingly collect, solicit, or process personal information from individuals under the age of 18 (or the applicable age of digital consent in the relevant jurisdiction).

If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly. If you believe we may have information from or about a minor, please contact privacy@xeliumlabs.com.

13. Third-Party Websites & Integrations

Our website and platforms may contain links to third-party websites, social media channels, or integrated tools. Xelium Labs is not responsible for the privacy practices, content, or security of those third-party sites and services.

We encourage you to review the privacy policies of any third-party services before providing your personal information. The inclusion of a link does not imply our endorsement of the linked site or its privacy practices.

14. Automated Decision-Making & Profiling

Xelium Labs may use automated tools for limited operational purposes (e.g., spam filtering, fraud detection, recruitment pre-screening). Where any automated processing produces decisions with legal or significant effects on individuals, we ensure that:

  • A human review is available upon request
  • The logic involved is explainable and documented
  • You are notified before such processing occurs
  • You have the right to contest the decision

We do not engage in high-risk automated profiling that could result in discriminatory treatment or significant harm.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Xelium Labs will:

  • Notify the applicable supervisory authority within the timeframe required under applicable law
  • Notify affected individuals without undue delay where the breach is likely to result in high risk to their rights
  • Document all breaches in our internal Breach Register, regardless of whether notification is required
  • Take immediate steps to contain, remediate, and prevent recurrence of the breach

To report a potential security incident or breach, contact our Security team at security@xeliumlabs.com.

16. Grievance & Complaints Process

We take privacy complaints seriously. If you have a concern about how we handle your personal information:

  • Step 1 — Contact Us Directly: Email privacy@xeliumlabs.com with details of your concern. We will acknowledge within 5 business days and aim to resolve within 30 days.
  • Step 2 — Escalate to Privacy Officer: If unresolved, escalate to our Privacy Officer at privacy@xeliumlabs.com.
  • Step 3 — Supervisory Authority: You retain the right to lodge a complaint with your local data protection authority at any time.

Jurisdiction | Supervisory Authority
--- | ---
United States | Federal Trade Commission (FTC); State Attorneys General for CCPA/CPRA matters
India | Data Protection Board of India (under DPDPA 2023)
Canada | Office of the Privacy Commissioner of Canada (OPC) — https://www.priv.gc.ca
Singapore | Personal Data Protection Commission (PDPC) — https://www.pdpc.gov.sg

17. Changes to This Privacy Policy

We may update this Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Update the effective date at the top of this Policy
  • Post the revised Policy prominently on our website at https://xeliumlabs.com/privacy
  • Notify registered users or affected data subjects by email (where required)
  • Obtain fresh consent where required by applicable law

We encourage you to review this Policy periodically. Your continued use of our services after an update constitutes acceptance of the revised Policy, to the extent permitted by applicable law.

18. Contact Us & Privacy Officer

For any privacy-related queries, rights requests, or concerns, please contact us:

Channel | Details
--- | ---
Privacy Team Email | privacy@xeliumlabs.com
Privacy Officer | privacy@xeliumlabs.com
Security Incidents | security@xeliumlabs.com
Website | https://xeliumlabs.com
Postal Address | Xelium Labs, [Registered Address — to be completed]

We are committed to resolving your privacy concerns promptly and transparently. Our Privacy Team will acknowledge your request within 5 business days and provide a substantive response within the timeframe required by law.