Privacy & Data Protection Policy

Last updated: April 2026

1. Who We Are

X-Eagle is a trading name of Xeagle Ltd (Company No. 15823876), registered in England & Wales. Registered address: Bradford, England.

We are registered with the Information Commissioner's Office (ICO) as a data controller. ICO Registration Number: ZB764076.

For any data protection queries, contact our Data Protection Lead:

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Name, email address, phone number, company name
  • Booking data: Collection/delivery addresses, delivery instructions, parcel details, recipient information
  • Payment data: Billing address, payment method details (processed securely by our payment provider)
  • Communications: Emails, messages, and call records when you contact us
  • Technical data: IP address, browser type, device information, pages visited (collected via essential cookies only)
  • Driver data: Driving licence, vehicle details, insurance documents, right-to-work information

3. How We Use Your Data

We use your personal data for:

  • Service delivery: Processing bookings, dispatching couriers, tracking deliveries, sending confirmations
  • Customer support: Responding to enquiries and resolving issues
  • Account management: Managing your account, invoicing, and payment processing
  • Security: Fraud prevention, protecting our services and users
  • Legal compliance: Meeting our obligations under UK law
  • Marketing: Sending promotional communications (only with your explicit consent)
  • Service improvement: Analysing usage patterns to improve our website and services

4. Legal Basis for Processing (UK GDPR Article 6)

We process your personal data under the following lawful bases:

  • Contract: Processing necessary to fulfil our courier service contract with you
  • Legitimate interest: Service improvement, fraud prevention, business analytics
  • Legal obligation: Tax records, regulatory requirements, law enforcement requests
  • Consent: Marketing communications, non-essential cookies (you may withdraw consent at any time)

5. Data Sharing

We do not sell your personal data. We may share data with the following trusted third parties who process data on our behalf under strict contractual obligations:

  • Supabase (database hosting & authentication)
  • Vercel (website hosting)
  • Resend (transactional email delivery)
  • Google Analytics (website analytics, only with your cookie consent)
  • Payment processors (secure payment handling)
  • Sub-contracted couriers (delivery fulfilment, limited to delivery details only)

We may also disclose data to law enforcement or regulatory bodies when required by law.

6. Data Retention

We retain your personal data only as long as necessary:

  • Booking records: 7 years (HMRC tax requirements)
  • Account data: Duration of your account plus 12 months after closure
  • Marketing consent: Until you withdraw consent
  • Driver documents: Duration of engagement plus 2 years
  • Website analytics: 26 months (anonymised)

After the retention period, data is securely deleted or anonymised.

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: Request a copy of the data we hold about you
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data ("right to be forgotten")
  • Right to restrict processing: Request we limit how we use your data
  • Right to data portability: Receive your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interest or direct marketing
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent
  • Rights related to automated decision-making: Not be subject to solely automated decisions that significantly affect you

To exercise any of these rights, email privacy@xeagle.co.uk. We will respond within 30 calendar days.

8. Cookies

Our website uses essential cookies only by default. Analytics cookies (Google Analytics) are only loaded after you give explicit consent via our cookie banner.

We do not use advertising or tracking cookies. For full details, see our Cookie Policy.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

  • HTTPS/TLS encryption on all pages
  • Encrypted database with row-level security (RLS) policies
  • Rate limiting and security headers
  • Regular security reviews
  • Access controls limiting staff access to personal data

10. International Data Transfers

Some of our third-party processors (Supabase, Vercel) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including adequacy decisions or standard contractual clauses, in compliance with UK GDPR.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay where there is a high risk
  • Document all breaches and remedial actions taken

12. Children's Privacy

Our services are not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Rewards Programme Data

When you participate in our cashback and loyalty programme and choose to redeem points as a shopping voucher or gift card, we share limited personal data with Tremendous, Inc. (a US-based reward fulfilment service) as a third-party data processor acting on our behalf under standard contractual clauses.

The data shared with Tremendous for each redemption is limited to:

  • Your name
  • Your email address
  • The GBP redemption amount

We retain rewards-programme records for 6 years in line with HMRC record-keeping requirements. For full programme terms, including the right to a human review of your tier, see our Cashback & Loyalty Terms.

14. Complaints

If you are unhappy with how we handle your data, please contact us first at privacy@xeagle.co.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk

Phone: 0303 123 1113

Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on our website. We encourage you to review this page periodically.

ICO Registration: ZB764076