PRIVACY POLICY

Last Updated: January 2026

INTRODUCTION

At Xponential7, we are committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains how we collect, use, share, and protect your information when you interact with our services.

SCOPE

This Privacy Policy applies to all websites and services operated by Xponential7 Ltd and its brands:

When we refer to "we," "us," or "our" in this policy, we mean Xponential7 Ltd and its brands. References to "you" or "your" mean any individual whose personal data we process.

QUICK SUMMARY

  • Website Contact Data: If you contact us through our website, your data is NOT sold.
  • B2B Marketing Data: Our Demand7/GTM7 brands provide B2B lead generation services using business contact data from first-party and third-party sources.
  • Your Rights: You have full rights to access, delete, and opt out of any data we hold.
  • Questions? Contact privacy@xponential7.com

TABLE OF CONTENTS

  1. Data Controller Information
  2. Information We Collect
  3. How We Use Your Data
  4. Legal Basis for Processing
  5. Cookies and Tracking Technologies
  6. Third-Party Service Providers
  7. Distinction Between Website Visitor Data And B2B Marketing Data
  8. International Data Transfers
  9. Data Retention
  10. Data Security
  11. Your Rights
  12. Rights for EU/UK/Switzerland Residents
  13. Rights for California Residents
  14. Children's Privacy
  15. Automated Decision-Making
  16. Marketing Communications
  17. Do Not Track Signals
  18. Business Transfers
  19. Changes to This Privacy Policy
  20. Contact Us
  21. Related Policies

1. DATA CONTROLLER INFORMATION

Xponential7 Ltd is the data controller responsible for your personal information.

Company Details:
Xponential7 Ltd
43 Tournay Road
London SW6 7UQ
United Kingdom
Company Number: 10717815

ICO Registration:
We are registered with the UK Information Commissioner's Office (ICO).
ICO Registration Number: ZB837691

You can verify our registration at: https://ico.org.uk/ESDWebPages/Entry/ZB837691

If you have concerns about how we handle your data, you have the right to lodge a complaint with the ICO:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Tel: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint

2. INFORMATION WE COLLECT

We collect personal information in the following ways:

Information You Provide Directly
When you interact with our websites or services, you may provide:

  • Contact Information: Name, email address, phone number, company name, job title, LinkedIn profile.
  • Enquiry Details: Messages, questions, or requests submitted through contact forms.
  • Career Applications: CV/resume, cover letter, employment history, references.
  • Event Registration: Information provided when registering for webinars, events, or trade shows.
  • Marketing Preferences: Email subscription preferences and communication choices.

Information Collected Automatically
When you visit our websites, we automatically collect:

  • Device Information: IP address, browser type, operating system, device identifiers.
  • Usage Data: Pages visited, time spent on pages, referral sources, clickstream data.
  • Location Data: General geographic location based on IP address.
  • Cookies and Similar Technologies: See our Cookie Policy for details.

Information from Third Parties
We may receive information about you from:

  • Business Partners: Companies we work with for events, campaigns, GTM projects, or lead generation services.
  • Public Sources: Publicly available business information, such as LinkedIn profiles.
  • Analytics Providers: Aggregated data from Google Analytics and similar services.
  • Data Providers: For our Demand7 and GTM7 brands, we may acquire business contact information from third-party data providers, commercial databases, and publicly accessible sources (such as LinkedIn, company websites, and industry directories). This data is enriched, validated, and provided to our business clients for legitimate business-to-business marketing purposes.

3. HOW WE USE YOUR DATA

We use your personal information for the following purposes:

Responding to Enquiries
To respond to your questions, requests, or contact form submissions and provide information about our services.

Processing Career Applications
To evaluate your suitability for employment, conduct interviews, and manage the recruitment process.

Marketing and Communications
To send you relevant information about our services, industry insights, webinars, podcasts, and events. You can opt out at any time (see Marketing Communications).

Analytics and Site Improvement
To understand how visitors use our websites, improve user experience, and optimize our services. We use Google Analytics for this purpose.

Legal Compliance
To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

Business Operations
To manage our business relationships, process contracts, maintain records, and provide customer support.

Business-to-Business Data Services (Demand7 and GTM7)
For our Demand7 and GTM7 brands, we provide business-to-business lead generation and GTM Engineering services. This may involve:

  • Acquiring business contact information from third-party data providers and public sources.
  • Enriching and validating this data.
  • Providing this data to our business clients for legitimate marketing purposes.

IMPORTANT: If you submit information through our website contact forms, career applications, or newsletter subscriptions, that data is classified as 'Website Visitor Data' and is never included in our B2B marketing databases or sold to third parties. See Section 7 below for the distinction between "Website Visitor Data" and "B2B Marketing Data."

4. LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal grounds under the General Data Protection Regulation (GDPR):

  • Consent: When you provide explicit consent (e.g., subscribing to newsletters, accepting cookies).
  • Contractual Necessity: When processing is necessary to fulfil a contract with you or take steps at your request before entering a contract.
  • Legitimate Interests: When we have a legitimate business interest (e.g., analytics, fraud prevention, improving services) that does not override your rights.
  • Legal Obligation: When we must process data to comply with legal requirements (e.g., tax, employment law).

You have the right to withdraw consent or object to processing based on legitimate interests at any time.

5. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and understand user behaviour.

Cookie Consent: When you first visit our website, you will see a cookie consent banner allowing you to accept or decline non-essential cookies. You can change your preferences at any time through your browser settings or the cookie management tool on our website.

Google Analytics: We use Google Analytics to collect aggregated, anonymized data about website usage. Google Analytics sets cookies to help us understand visitor patterns. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

For detailed information about the types of cookies we use and how to manage them, please see our Cookie Policy.

6. THIRD-PARTY SERVICE PROVIDERS

We share data with trusted third-party service providers who assist us with email delivery, website analytics, providing our services, and hosting. These providers process data only under our instructions and maintain appropriate security measures. We ensure that all third-party processors are bound by data processing agreements that comply with applicable data protection laws, including GDPR.

Categories of Third-Party Providers:

  • Email service providers
  • Website analytics providers (e.g., Google Analytics)
  • Hosting and infrastructure providers
  • Customer relationship management (CRM) platforms
  • Freelancers or Business Partners

We do not sell Website Visitor Data: Information you submit directly to us through contact forms, newsletter subscriptions, or career applications is never sold, rented, or shared with third parties for their marketing purposes. This data is used solely for the purposes stated in Section 3.

For information about our B2B marketing data services provided by Demand7 and GTM7 (which may involve business contact data acquired from third-party sources), see Section 7.

7. DISTINCTION BETWEEN WEBSITE VISITOR DATA AND B2B MARKETING DATA

We process two distinct categories of personal data with different purposes and legal bases:

WEBSITE VISITOR DATA
This includes information submitted directly to us through our website contact forms, newsletter subscriptions, career applications, and website analytics.

  • Purpose: Respond to your enquiries, process applications, improve our websites
  • Legal Basis: Consent, Contractual Necessity, Legitimate Interests (analytics)
  • Usage: This data is NOT sold, rented, or shared with third parties for their marketing purposes
  • Your Rights: Full rights under GDPR/CCPA to access, delete, and restrict processing

B2B MARKETING DATA (Demand7 and GTM7 Services)
Our Demand7 and GTM7 brands provide business-to-business lead generation and go-to-market services. For these services, we:

  • Acquire business contact information from third-party data providers, public sources, and commercial databases
  • Enrich, validate, and organize this data
  • Provide this data to our business clients for legitimate B2B marketing purposes

This activity is conducted under the following principles:

  • Legal Basis: Legitimate Interests for B2B marketing (GDPR Recital 47). We process business contact data where we have a legitimate interest in providing lead generation services to our clients, balanced against individuals' rights and expectations.
  • Consent: In certain circumstances (e.g., when required by law, or when required by the source database terms, or when individuals explicitly opt in at events), we obtain consent before including data in our marketing databases.
  • Transparency: We provide clear information about how business contact data will be used when we collect it from events, webinars, or other direct sources.
  • Opt-Out: You can opt out of our B2B marketing databases at any time (see Section 10).
  • Your Rights: You have full rights to access, delete, object to, and restrict processing of your data, regardless of how it was collected.

To opt out of Demand7 or GTM7 marketing databases: If your business contact information appears in our B2B marketing databases and you wish to be removed, email privacy@xponential7.com with subject line "B2B Data Opt-Out Request". Please include your full name, email address, and company name. We will process your request within 30 days and confirm removal.

Note: This opt-out applies to our B2B marketing databases only. If you have separately submitted information through our website contact forms or subscribed to newsletters, those are managed independently.

8. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom, and Switzerland, including the United States.

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with our service providers to ensure your data is protected when transferred outside the EEA/UK.
  • Adequacy Decisions: We may transfer data to countries that the UK or EU has deemed to provide adequate data protection.

For example, we use Google Workspace, which may involve data transfers to the United States. Google provides appropriate safeguards for such transfers.

If you would like more information about the safeguards we use for international data transfers, please contact us at privacy@xponential7.com.

9. DATA RETENTION

We retain your personal data only as long as necessary to fulfil the purposes outlined in this Privacy Policy or as required by law.

Retention Periods by Data Type:

Contact Form Enquiries
Purpose: Respond to enquiries and maintain potential business relationships
Retention: 3 years from last contact
Rationale: Allows follow-up on business opportunities and maintains communication history

Career Applications
Purpose: Recruitment process
Retention:
• Successful candidates: Employment records retained for 6 years post-employment (UK legal requirement)
• Unsuccessful candidates: 12 months (allows reconsideration for future roles)

Newsletter Subscribers
Purpose: Marketing communications
Retention: Until unsubscribe + 30 days for processing

Analytics Data (Google Analytics)
Purpose: Website improvement and user experience
Retention: 26 months (Google's default retention period)

Legal and Compliance Data
Purpose: Legal obligations (tax records, contracts, disputes)
Retention: 7 years from transaction (UK tax law requirement)

Deletion Requests: We may retain data for longer periods where required by law, for legal claims, or with your explicit consent. You may request deletion at any time by contacting privacy@xponential7.com, and we will comply unless legally required to retain the data.

10. DATA SECURITY

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. These measures include encryption, secure servers, access controls, and regular security reviews.

While we strive to protect your data, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security. If you have any concerns about the security of your data, please contact us immediately.

11. YOUR RIGHTS

Under data protection law, you have the following rights regarding your personal data:

  • RIGHT TO ACCESS – Request a copy of your personal data we hold
  • RIGHT TO RECTIFICATION – Correct inaccurate or incomplete data
  • RIGHT TO ERASURE ("Right to be forgotten") – Request deletion of your data
  • RIGHT TO RESTRICT PROCESSING – Limit how we use your data
  • RIGHT TO DATA PORTABILITY – Receive your data in a portable format
  • RIGHT TO OBJECT – Object to processing based on legitimate interests
  • RIGHT TO WITHDRAW CONSENT – Withdraw consent where processing is consent-based

How to Exercise Your Rights:
To exercise any of these rights, email privacy@xponential7.com with your request. Please include your name, contact details, and a description of your request.

Automated Confirmation: When you submit a privacy request to privacy@xponential7.com, you will receive an automated confirmation email with a case reference number. We aim to respond to all requests within 30 days as required by applicable law.

For residents of the EU/UK/Switzerland, see our full GDPR Compliance page for additional details.
For California residents, see our CCPA Compliance page.

12. RIGHTS FOR EU/UK/SWITZERLAND RESIDENTS

If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws.

Key GDPR Rights:

  • Right to lodge a complaint with your local supervisory authority
  • Right to object to processing for direct marketing purposes
  • Right to request information about automated decision-making (see section below)
  • Right to restriction of processing in certain circumstances

UK Supervisory Authority: Information Commissioner's Office (ICO) – Contact details provided in Section 1.

For comprehensive information about your GDPR rights and how to exercise them, please visit our GDPR Compliance page.

13. RIGHTS FOR CALIFORNIA RESIDENTS

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), including:

  • Right to know what personal information we collect and how it is used
  • Right to delete personal information
  • Right to opt out of the "sale" of personal information
  • Right to non-discrimination for exercising your CCPA rights

Opt-Out of Sale: We do not "sell" personal information in the traditional sense. However, certain data-sharing activities may be considered a "sale" under CCPA. To opt out, visit our Do Not Sell My Information page or email privacy@xponential7.com.

For full details on your California privacy rights, please visit our CCPA Compliance page.

14. CHILDREN'S PRIVACY

Our services are not directed at individuals under the age of 18 (or 16 in some jurisdictions, such as the EU). We do not knowingly collect personal data from children.

If we become aware that we have inadvertently collected personal information from a child without appropriate parental consent, we will take steps to delete that information as quickly as possible. If you believe we have collected information from a child, please contact us immediately at privacy@xponential7.com.

15. AUTOMATED DECISION-MAKING

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.

All enquiries, career applications, and business decisions involve human review. While artificial intelligence supports us, we do not use algorithms or artificial intelligence to fully make decisions that materially affect you without human oversight (“human in the loop” principle).

16. MARKETING COMMUNICATIONS

If you receive marketing emails from us and wish to unsubscribe, click the "unsubscribe" link in any email or contact privacy@xponential7.com.

We do not sell or rent email lists collected through our websites (newsletter subscriptions, contact forms) to third parties. For information about business contact data provided through our Demand7 and GTM7 services, see Section 7.

17. DO NOT TRACK SIGNALS

Our website does not currently respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard interpretation of DNT.

You can manage cookies and tracking through our cookie consent banner and your browser settings. For more information, see our Cookie Policy.

18. BUSINESS TRANSFERS

In the event of a merger, acquisition, sale of all or a portion of our assets, or bankruptcy, your personal data may be transferred to the acquiring entity or successor organization.

If such a transfer occurs, we will notify you via email or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy. You will have the opportunity to opt out or request deletion of your data if you do not wish for it to be transferred.

19. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations.

How We Notify You:

  • The "Last Updated" date at the top of this page will be revised
  • If we make material changes that significantly affect your rights, we will notify you by email (if we have your email address) or by displaying a prominent notice on our website
  • We encourage you to review this Privacy Policy periodically

Continued use of our services after changes are posted constitutes your acceptance of the updated Privacy Policy.

20. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@xponential7.com

Postal Address:
Xponential7 Ltd
Attn: Privacy Team
43 Tournay Road
London SW6 7UQ
United Kingdom

Contact Form: You may also submit privacy enquiries through the contact form on our Contact Us page.

When you contact us, you will receive an automated confirmation email with a case reference number. We aim to respond to all enquiries within 30 days.

21. RELATED POLICIES

For additional information about how we handle your data, please review our related policies: