PRIVACY POLICY
Effective date: 05 June 2026
1. Scope of this Privacy Policy
This Privacy Policy (the “Policy”) sets out how XYZ Reality Limited (“we”, “our”, “us”, “XYZ”) collects, uses, discloses, and otherwise processes information from data subjects (“you”, “your”), and what choices you have regarding that information. The Policy applies to (i) XYZ’s customer products and services, including the XYZ Platform, the Atom headset, and any updates (collectively, the “Services”); (ii) xyzreality.com and any other XYZ websites (the “Websites”); and (iii) other interactions XYZ may have with your personal information (e.g. customer enquiries, attendance at conferences, or when other businesses provide us with your information).
Where XYZ determines the purposes and means of processing, XYZ acts as a “controller” for the purposes of applicable data privacy laws. This Policy does not apply where XYZ processes personal information as a “processor” on behalf of a customer or other entity acting as the data controller; in that case, the controller’s privacy policy and our agreement with that entity govern the processing. In certain circumstances more than one data controller may process your information; XYZ is not responsible for the processing activities of other data controllers. If you do not agree with the terms of this Policy, you should not access or use the Services, Websites, or any other aspects of XYZ’s business.
2. Information we receive and collect
We may collect, store, and use the following categories of personal information about you: name, email address, contact number, account information, financial transaction information, correspondence, customer accounts and records, and job title — received via opt-in or consent forms, or directly from you when communicating with us by phone, post, email, live chat, or social media. Where we rely on legitimate interests, we have carried out a Legitimate Interests Assessment (LIA); you may request a summary by contacting privacy@xyzreality.com.
Contact Information
We collect contact information such as your name, organisation, email address, job title, role, addresses, and marketing preferences. We may also collect location data, IP addresses, website and app user-journey information, records of consent, identification documents, financial transaction information, health and safety information, or other relevant information.
Health Information
Health data is special category personal data under UK GDPR Article 9.
We may process information about your health — including medical conditions and health and sickness records — to make appropriate adjustments during the recruitment process and to fulfil our legal obligation to document workplace incident records. We process health data on the basis of Article 9(2)(b) UK GDPR (processing necessary for employment law obligations). For further information, contact privacy@xyzreality.com.
Technical Information
The following technical information may be automatically collected depending on device consents: for Website users, IP address, location derived from IP address, browser type, operating system and version, and network information; for Service users, the device information above plus Services metadata (such as third-party service connections). We may also collect names and contact details, addresses, website user information (cookie tracking — see our Cookie Policy), photographs or video recordings, call recordings, records of meetings and decisions, information relating to compliments or complaints, and information relating to sponsorship.
Usage Information
Our Websites may use cookies and similar tracking technologies to collect information such as how you navigate our Websites, how long interactions take, and whether you opened an email or clicked a link (see our Cookie Policy). When using our Services we may also collect usernames, email addresses, and non-personal aggregated data such as action histories.
Information from Third Parties and Other Sources
We may receive information about you or your business from third-party sources to improve or supplement our records — for example, data linking IP addresses to locations, or marketing campaign performance data. We also allow customers to provide ideas and feedback about the Services via a third-party platform, and we collect information you voluntarily provide through interviews, contests, support requests, job applications, social media interactions, or other communications. For job applicants, please also consult our Candidate Privacy Notice.
Age Restrictions
The Services and Websites are not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16, and will delete it if we learn we have. Parents or legal guardians who believe their child has provided us with personal information should contact us using the details in Section 9.
3. How we use information
Information we collect is used in accordance with applicable contractual agreements, to provide and maintain XYZ’s Services and Websites, and as required by law. Specifically, we use information to fulfil contractual and pre-contractual obligations; to provide, maintain, improve, and protect our Services, Websites, and business (for example, using product feedback to update the Services and resolving technical issues); to send relevant information (service-related communications that cannot be opted out of, and marketing communications sent only with consent or, where applicable, on the basis of legitimate interests); for billing and account management; as required by applicable law; and to investigate and prevent security issues and abuse.
4. Legal basis for processing information
Data protection laws require us to process personal data only where we have a lawful basis. The legal bases relevant to our processing activities are:
- Performing a contract (Article 6(1)(b)): a large proportion of our processing is undertaken to fulfil contractual obligations, for example using authorised user data to provide access to the Services;
- Legitimate interests (Article 6(1)(f)): where necessary to meet our legitimate business interests in a manner that minimises privacy impact — for example developing and improving our Services, marketing, understanding customer needs, preventing unauthorised use, and network and information security. We carry out LIAs and apply measures such as access controls, aggregation, and de-identification;
- Complying with law (Article 6(1)(c)): for example anti-money-laundering and sanctions compliance, or responding to court orders; and
- Consent (Article 6(1)(a)): for example for marketing. You may withdraw consent at any time using the details in Section 9; withdrawal does not affect the lawfulness of prior processing.
Automated tools may form a proportionate part of our recruitment process and may be used for targeted marketing and content personalisation (Article 22). If you believe a decision affecting you has been made solely by automated means, you have the right to request human review, express your point of view, and contest the outcome — contact privacy@xyzreality.com. You will only receive marketing communications if you have opted in, and we will never share your information with third-party partners for their own marketing purposes.
5. How we share and disclose information
We do not sell personal data to third parties. We may share personal data in accordance with the law and as required to deliver our Services or operate our business, and we require all recipients to respect the security of your data.
- Affiliates, subsidiaries, and business transfers: personal data may be shared among XYZ group entities for reporting, system maintenance, and service delivery, and may be disclosed or transferred in the context of a merger, restructuring, reorganisation, divestiture, dissolution, or other sale or transfer of XYZ assets;
- Third-party service providers: including web hosting, email, video conferencing, CRM, cloud hosting, professional advisers, social media platforms, and marketing and web analytics tools — permitted to process your data only for specified purposes in accordance with our instructions; and
- Third parties in exceptional circumstances: regulators, government agencies, or others where reasonably necessary to comply with the law, protect the security of our Services, enforce our agreements, protect individuals or the public from harm, or address an emergency.
Where possible, we share only anonymised data. If a recipient is located outside the EEA, or stores your data on servers outside the EEA, we will ensure adequate protection as required by law — which may include European Commission Standard Contractual Clauses and an equivalent UK International Data Transfer Agreement issued by the ICO.
6. How do we store your data?
Your personal data may be stored electronically on our secure servers, electronically on a third-party provider’s secure servers, or in hard-copy form in access-restricted, locked filing cabinets. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. Access is limited to those with a business need to know, who are subject to a duty of confidentiality. We have procedures to deal with any suspected or actual data security breach and will notify you and the ICO where legally required. Whenever we propose using new technologies, or where processing is “high risk”, we carry out a Data Protection Impact Assessment (DPIA).
7. How long do we keep information?
We only retain personal information for as long as necessary to fulfil the purposes for which it was collected, considering the amount, nature, and sensitivity of the data; the potential risk of harm; the purposes of processing; and applicable legal requirements. In some circumstances we may anonymise personal information so it can no longer be associated with you. A summary of our key retention periods is set out below; for full details, see our Data Retention Policy or contact privacy@xyzreality.com.
| Data Category | Retention Period |
| --- | --- |
| Website / cookie data | See Cookie Policy |
| Customer account data | Duration of relationship + 6 years |
| Marketing data | Until opt-out or 6 years from last contact |
| General correspondence | 6 years |
| Employee personnel records | Duration of employment + 6 years post-termination |
| Unsuccessful candidate data | Up to 2 years after recruitment process ends |
8. Your rights
Under UK data protection law, we must have a lawful basis for collecting and using personal information, and it is important that the information we hold about you is accurate and current — please keep us informed of any changes using the details in Section 9. To exercise any right, contact us using those details; we must respond without undue delay and within one month.
| Your Right | What It Means |
| --- | --- |
| Right of Access (DSAR) | Receive a copy of personal data we hold and verify it is lawfully processed. |
| Right to Rectification | Have inaccurate or incomplete personal data corrected. |
| Right to Erasure | Ask us to delete personal data where there is no good reason to continue processing it, or where you have successfully objected. |
| Right to Withdraw Consent | Where processing is based on consent, withdraw at any time via privacy@xyzreality.com or the ‘Unsubscribe’ link in marketing emails. Withdrawal does not affect prior processing. |
| Right to Object | Object to processing based on legitimate interests or for direct marketing. The right to object to direct marketing is absolute. |
| Right to Restrict Processing | Ask us to suspend processing — for example while accuracy is established or an objection is considered. |
| Right to Data Portability | Where processing is based on consent or contract, receive your data in a structured, machine-readable format and ask us to transmit it to another provider where technically possible. |
| Right re Automated Decisions | Not to be subject to solely automated decisions with significant effects. Contact privacy@xyzreality.com to request human review. |
You have the right to lodge a complaint at any time with the ICO (website: ico.org.uk/make-a-complaint; phone: 0303 123 1113; address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF). We would appreciate the opportunity to address your concerns first — please contact us at privacy@xyzreality.com in the first instance.
9. Contact
If you have any questions about this Policy or wish to exercise any of your data protection rights, please contact us by writing to the VP of Legal / Head of Privacy, XYZ Reality Limited (company no. 10660835), G0.G02, 338–346 Goswell Road, London EC1V 7LQ, or by email at privacy@xyzreality.com.
XYZ Reality has assessed its processing activities and determined that formal appointment of a Data Protection Officer (DPO) is not mandatory at this time. Privacy enquiries are handled by the VP of Legal / Head of Privacy. This assessment will be reviewed periodically and upon any material change to our processing activities.