XaaS Privacy Policy


This notice applies across all websites and products that we offer and all services we provide, as well as any other apps or services we may offer (for example, training).  For the purpose of this notice, we’ll just call them our ‘Services’ or ‘Websites’.

When we say ‘Personally Identifiable Data’ we mean any piece of data or information that can be used to identify you, like your name, phone number, email or address, bank account details, payment information, support queries, community comments and so on.

If you can’t be identified (for example, when your Personally Identifiable Data has been aggregated and anonymised) then this notice doesn’t apply.  You should read our Terms of Use (https://xaas.co.uk/terms-of-use/) alongside our Privacy Policy for more information, including how we treat your other data.

We may update this notice from time to time. If a change is significant, we will let you know, usually by emailing you.  You can read the whole notice below or jump to the section you need using the navigation menu if you are reading this document on our Website.

This privacy policy was created on 06 January 2022.

Who are ‘we’?

“We” are XaaS Ltd, which also applies if we refer to “our” or “us”.  We are based in the UK, but our products may be used from anywhere in the world.  Our company is registered in England and Wales under number 13400578 and our registered office is at 71 – 75 Shelton Street, Covent Garden, London, WC2H 9JQ.

We provide an easy-to-use platform that allows you to assess your cyber security maturity, and we give you simple, focussed, step-by-step guidance on your journey to improve your cyber-health.  If you want to find out more about what we do, see our About (https://xaas.co.uk/about/) page.

Definitions and interpretation

We’ve already explained a few terms, but in this document we’ll use more.  So that there are no questions, here is a list of the defined terms we use:

Data

Collectively all information that you submit to XaaS Ltd via our Services.  This definition incorporates, where applicable, the definitions provided in the Data Protection Laws;

Cookie

A small text file placed on your computer by a website when you visit certain parts of that website and/or when you use certain features of that website.  Details of the cookies used by our Services or Websites are set out in our Cookie Policy (https://xaas.co.uk/cookie-policy/);

Data Protection Laws

Any applicable law relating to the processing of Personally Identifiable Data, including the UK GDPR and the UK and EU Cookie Law defined below;

UK GDPR

The UK General Data Protection Regulation;

Personally Identifiable Data

Any piece of data or information that can be used to identify you, like your name, phone number, email or address, bank account details, payment information, support queries, community comments and so on;

Services

Any websites and products that we offer and all services we provide, as well as any other apps or services we may offer (for example, training);

XaaS Ltd, we or us

XaaS Ltd, a company incorporated in England and Wales with registered number 13400578 whose registered office is at 71 – 75 Shelton Street, Covent Garden, London, WC2H 9JQ;

UK and EU Cookie Law

The Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 & the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2018;

User or you

Any third party that accesses our Services and is not either (i) employed by XaaS Ltd and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing consultancy to XaaS Ltd and accessing our Services in connection with the provision of such consultancy; and

Website

Any website operated by XaaS Ltd, including www.xaas.co.uk, unless expressly excluded by its own Terms of Use.

Scope of our Privacy Policy

Our Privacy Policy applies only to our actions and to Users with respect to our Services. It does not extend to any websites that can be accessed from our Websites, including, but not limited to, any links we may provide to social media websites.

For UK and European Union data protection purposes, this Privacy Policy applies where we act as a controller in relation to your Personally Identifiable Data.

How we collect your data

When you visit our Websites or use our Services, we may collect your Data. The ways we collect it can be broadly categorised into the following:

Information you provide to us directly: When you visit or use some parts of our Websites and/or Services we might ask you to provide Data to us.  For example, we ask for your contact information when you sign up, take part in training and events or contact us with questions or request support.  If you don’t want to provide us with Data, you don’t have to, but it might mean you can’t use some parts of our Websites or Services.

Information we collect automatically: We collect some information about you automatically when you visit our Websites or use our Services, like your IP address and device type.  We also collect information when you navigate through our Websites and Services, including which pages you looked at and which links you clicked on.  This information is useful to us because it helps us understand how our community uses our Websites and Services, so that we can continue to provide the best experience possible (e.g., by personalising the content you see).

In addition, we may collect your Data automatically via Cookies, in line with the cookie settings in your browser. For more information about Cookies and how we use them on our Websites, see the section below headed “Cookies”.

Information we get from third parties: The majority of the information we collect is collected directly from you.  Sometimes, however, we might collect Personally Identifiable Data about you from other sources, such as publicly available materials or trusted third parties like our marketing and research partners.  We use this information to supplement the Data we already hold about you, in order to better inform, personalise and improve our Services, and to validate the Data you provide.

Where we collect Personally Identifiable Data, we’ll only process it:

  • to perform a contract with you, or
  • where we have legitimate interests to process the Personally Identifiable Data and they’re not overridden by your rights, or
  • in accordance with a legal obligation, or
  • where we have your consent.

If we are unable to collect Personally Identifiable Data from you, we may be unable to provide you with all of our Services, and some functions and features on our Websites may not be available to you.

If you’re someone who doesn’t have a relationship with us, but believe that one of our users has entered your Personally Identifiable Data into our Websites or Services, you’ll need to contact that user for any questions you have about your Personally Identifiable Data (including where you want to access, correct, amend, or request that the user delete, your Personally Identifiable Data).

How we use your data

First and foremost, we use your Data to operate our Websites, provide you with any Services you’ve requested and manage our relationship with you. We also use your Personally Identifiable Data for other purposes, which may include the following:

To communicate with you:

This may include:

  • providing you with information you’ve requested from us (like training or education materials) or information we are required to send to you;
  • operational communications, like changes to our Websites and Services, security updates, or assistance with using our Websites and Services;
  • marketing communications (about XaaS or another product or service we think you might be interested in) in accordance with your marketing preferences; and
  • asking you for feedback or to take part in any research we are conducting (which we may engage a third party to assist with);

To support you:

This could include internal record keeping or assisting with the resolution of a technical support issue or other issues relating to our Websites or Services, whether by email, in-app support or otherwise;

To enhance our Websites and Services and develop new ones:

We may track and monitor your use of our Websites and Services to enable us to improve them, or carry out technical analysis of our Websites and Services so that we can optimise your user experience and provide you with more efficient tools;

To protect:

So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our Websites and Services fairly and in accordance with our Terms of Use (https://xaas.co.uk/terms-of-use/);

To market to you:

In addition to sending you marketing communications, we may also use your Data to display targeted advertising to you online – through our own Websites and Services or through third party websites and their platforms; and

To analyse, aggregate and report:

We may use the Data we collect about you and other users of our Websites and Services (whether obtained directly or from third parties) to produce aggregated and anonymised analytics, such as trend analysis based on maturity, to assist in improving our Website and Services content, or to produce reports, which we may share publicly or with third parties.

We may use your Data for the above purposes if we believe it necessary to do so for our legitimate interests.  If you are not satisfied with this, you have the right to object in certain circumstances (see the section headed “Your rights” below).

When you register with us and set up an account to receive our Services, the legal basis for the handling of your Data is for the performance of the contract between you and us and/or taking steps, at your request, to enter into a contract with us.

How we can share your data

There will be times when we need to share your Personally Identifiable Data with our own people or third parties. We will only disclose your Personally Identifiable Data to the following groups of people for the following reasons:

  • our employees, agents and/or professional advisors. Information will be shared with employees to enable them to perform any analysis or administrative functions for you or someone you elect to represent you;
  • third party service providers and partners who assist and enable us to use Personally Identifiable Data to, for example, support delivery of or provide functionality on our Websites or Services, or to market or promote our Services to you;
  • regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights.

Where possible and appropriate, we will notify you of these types of disclosure:

  • an actual or potential buyer (and its agents and advisors) in connection with an actual or proposed purchase, merger or acquisition of any part of our business;
  • other people where we have your consent.

Choosing to share your data with other users

You may receive a request to share the Data you hold on our Websites or Services with other XaaS users, via our Oversight product.  If you choose to accept, your Data will be visible to that user.  You are in control of accepting, rejecting or removing their ability to access your Data at any time; as such, we do not accept responsibility for that user’s treatment of your Data, and the terms of our Privacy Policy do not apply to it.

International Data Transfers

When we share Data, it may be transferred to, and processed in, countries other than the country you live in, such as the Republic of Ireland, where our data hosting provider’s servers are located.  These countries may have laws different from what you’re used to.  Rest assured, where we disclose your Data to a third party in another country, we put safeguards in place to ensure your Data remains protected.

For individuals in the European Economic Area (EEA), should your Data be transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data (like the United Kingdom), or to a third party where we have approved transfer mechanisms in place to protect your Data – i.e., by entering into the European Commission’s Standard Contractual Clauses. For further information, please contact us using the details set out in the How to contact us section below.

Security

Security is a priority for us when it comes to your Data. We’re committed to protecting your Data and have appropriate technical and organisational measures in place to make sure that happens.  For example, access to your account is controlled by a user name that is unique to you and a password, and we store your Data on secure servers.

Our technical and organisational measures include measures to deal with any suspected data breach. If you suspect any misuse or loss or unauthorised access to your Data, please let us know immediately by either visiting our Contact page or emailing us on xaasifyme@xaas.co.uk.

How long we keep your Data

The length of time we keep your Personally Identifiable Data depends on what it is and whether we have an ongoing business need to retain it (for example, to provide you with a Service you’ve requested or to comply with applicable legal, tax or regulatory requirements).

We’ll retain your Personally Identifiable Data for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our data retention policies and practices.

Following that period, we’ll make sure it’s deleted or anonymised.

Cookies

Please see our Cookie Policy (https://xaas.co.uk/cookie_policy/) for details of any Cookies we use and the reasons why we use them.  In terms of your privacy, we would also suggest you read on to understand the terms on which we may use Cookies.

Our Services may place and access certain Cookies on your computer.  We may use Cookies to improve your experience when using our Services.  In this event, we have carefully chosen any Cookies we use and have taken steps to ensure that your privacy is protected and respected at all times.

All Cookies used by this Website are used in accordance with current UK and EU Cookie Law.

If and when we use Cookies, before any of our Services store Cookies on your computer, you will be presented with a message bar requesting your consent to set those Cookies. By giving your consent to the placing of Cookies, you are enabling us to provide a better experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however certain features of the Website may not function fully or as intended.

You can always choose to enable or disable Cookies in your internet browser. By default, most internet browsers accept Cookies but this can be changed. For further details, please see the help menu in your internet browser. You can switch off Cookies at any time, however, you may lose any information that enables you to access our Services more quickly and efficiently.

You can choose to delete Cookies at any time; but again, you may lose any information that enables you to access our Services more quickly and efficiently.

It is always good practice to ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.

For more information generally on cookies, including how to disable them, why not take a look at aboutcookies.org. There you will also find details on how to delete cookies from your computer.

Your rights

You have the following rights in relation to your Data:

Right to access

You have the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly unfounded or excessive”.  Where we are legally permitted to do so, we may refuse your request.  If we refuse your request, we will tell you the reasons why;

Right to correct

You have the right to have your Data rectified if it is inaccurate or incomplete;

Right to erase

You have the right to request that we delete or remove your Data from our systems;

Right to restrict our use of your Data

You have the right to “block” us from using your Data or limit the way in which we can use it;

Right to data portability

You have the right to request that we move, copy or transfer your Data; and

Right to object

You have the right to object to our use of your Data including where we use it for our legitimate interests.

To understand how to exercise any of your rights set out above or withdraw your consent to our processing of your Data (where consent is our legal basis for processing your Data), please contact us by either visiting our Contact (https://xaas.co.uk/contact/) page or emailing us on xaasifyme@xaas.co.uk.

If you have made a complaint in relation to how your Data is handled by us and you are not satisfied with the way we have handled it, you may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner’s Office (ICO). The ICO’s contact details can be found on their website at https://ico.org.uk/.

It is important that the Data we hold about you is accurate and current. Please keep us informed if your Data changes during the period for which we hold it.

Links to other websites

From time to time, we may provide links from our Services to other websites. We have no control over these external websites and are not responsible for the content of these websites. Our Privacy Policy does not extend to your use of these websites. You are advised to read the privacy policy or statement of other websites prior to using them.

Changes of business ownership and control

From time to time, we might expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of XaaS Ltd.  If we were to transfer ownership of any Services where you have provided Data, that Data would be transferred along with those Services and the new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use the Data for the purposes for which it was originally supplied to us.

We may also disclose Data to a prospective purchaser of our business or any part of it.

In the above instances, we will take steps with the aim of ensuring your privacy is protected.

The legal bit

Our agreement is with you, so you may not transfer any of your rights under our Privacy Policy to any other person. We may transfer our rights under our Privacy Policy where we reasonably believe your rights will not be affected.

If any court or competent authority finds that any provision of our Privacy Policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of our Privacy Policy will not be affected.

Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

Since we are headquartered in the United Kingdom, our Privacy Policy will be governed by and interpreted according to the law of England and Wales. Any disputes arising under our Privacy Policy will be subject to the exclusive jurisdiction of the English and Welsh courts.

How to contact us

We are always happy to hear feedback, so please don’t hesitate to get in touch. If you’re curious about what Personally Identifiable Data we hold about you or you have a question or feedback for us on this notice, our Websites or Services, please get in touch.

As a technology company, we prefer to communicate with you by email to ensure that you’re put in contact with the right person.  To contact us, either visit our Contact page (https://xaas.co.uk/contact/) or email us on xaasifyme@xaas.co.uk.