XProduct
Login

Privacy Policy

Website: www.xproduct.co.uk — Company: Kuzi Design Ltd trading as xProduct ("we", "us", "our")

Effective date: 15 April 2025  |  Last updated: 11 May 2026

1. Introduction

We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use and protect personal data when you use our website and platform.

It applies to users in the United Kingdom and the European Economic Area (EEA), and is designed to comply with both the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). Where laws differ, the stricter standard generally applies.

By using our services you acknowledge this policy in addition to our Terms & Conditions.

2. Who We Are

Kuzi Design Ltd operates the xProduct platform (registered in England & Wales). Depending on context, we act as:

  • Data Controller — for account, billing and website data
  • Data Processor — where we process data on behalf of our business customers (e.g. data submitted to Digital Product Passports or Public Pages)
  • Company Registration No:12003499
  • VAT No: --
  • Email: app@xproduct.co.uk
  • Phone: 07487 566557
  • Address: Cradley Enterprise Centre, Maypole Fields, Halesowen, B63 2QB, UK

3. Data We Collect

3.1 Account & Contact Data

  • Name, email address, company details
  • Login credentials (passwords stored hashed)
  • Support requests and feedback

3.2 Billing & Payment Data

  • Billing address and subscription details
  • Payment status and transaction history
  • Payments processed by Stripe — we do not store full card details

3.3 Usage & Technical Data

  • IP address, browser type and device information
  • Log data (access times, actions within the platform)
  • QR code scan events for DPP analytics (time, UA, coarse geo)
  • Cookies (see section 5)

3.4 Customer Content (Processor Data)

  • Product data uploaded to create Digital Product Passports
  • Data submitted to Public Pages
  • AI feature inputs (processed transiently — not retained)
  • We process this on behalf of Customers and do not control its content

5. Cookies & Analytics

We use cookies and similar technologies to operate the platform, analyse usage, and support marketing. Some cookies are strictly necessary to deliver the service; others require your consent where required by law (UK PECR / EU ePrivacy Directive).

Cookie / Provider Purpose Type
Session cookie (xProduct) Maintains your login session and platform state Strictly necessary
Stripe Fraud prevention and payment processing security Strictly necessary / functional
LinkedIn Insight Tag Conversion tracking and B2B audience analytics via LinkedIn Analytics / marketing (consent required)

You can manage or withdraw consent for non-essential cookies via your browser settings at any time. Please note that disabling certain cookies may affect platform functionality.

6. Customer Data (Processor Role)

Where Customers upload data to the platform:

  • We act as a data processor; the Customer is the data controller
  • We process data only on the Customer's documented instructions
  • We do not verify the accuracy of Customer data
  • We do not control how Customers use personal data on their Public Pages

Data Processing Agreement (DPA). Our processing of Customer data on your behalf is governed by a Data Processing Agreement in accordance with UK/EU GDPR Art. 28. Business customers may request a copy of our standard DPA by emailing app@xproduct.co.uk.

Customers are responsible for ensuring their use of the platform complies with applicable data protection laws, including providing any required notices to their own end users.

7. Sharing & Processors

We never sell personal data. We share it with trusted processors only where necessary to operate the service:

  • Stripe — payment processing and invoicing (Stripe Privacy Policy)
  • Microsoft Azure — cloud hosting, storage and infrastructure
  • Anthropic — AI feature processing where AI features are used (Anthropic Privacy Policy)
  • LinkedIn — conversion tracking and analytics via the LinkedIn Insight Tag (LinkedIn Privacy Policy)
  • Email providers — transactional communications

A current list of sub-processors is available on request by emailing app@xproduct.co.uk.

We may also disclose information where required by law, to protect rights, or in connection with a business transfer.

8. International Transfers

Your data may be transferred outside the UK or EEA (for example, to the United States where some of our third-party providers are based). Where this occurs, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO
  • Transfers to countries with a valid adequacy decision
  • Reliance on provider certifications or binding corporate rules where applicable

You can request details of the specific safeguards in place by contacting us at app@xproduct.co.uk.

9. Data Retention

We retain personal data only for as long as necessary to provide services, meet legal and regulatory requirements, and resolve disputes.

Data Retention Period
Account profile For the life of the account and 30 days after deletion
DPP content you create Until you delete it or the account is closed; QR codes become inactive after account deletion
Billing records 6 years (UK tax compliance)
Server logs / security Up to 12 months unless needed for an investigation
AI feature inputs/outputs Not retained beyond the immediate session unless explicitly saved by you

Customer Content may be deleted after account termination, subject to reasonable retention periods.

10. Security & Breach Notification

We implement appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, role-based access controls, hashed passwords, least-privilege principles and regular backups. No internet service can be 100% secure, and we cannot guarantee absolute security.

Breach notification. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware, and notify affected individuals without undue delay where required by law.

If you believe your data has been compromised, please contact us immediately at app@xproduct.co.uk.

11. Your Rights (UK & EU GDPR)

Under UK and EU data protection laws, you have the right to:

  • Access your personal data (Subject Access Request)
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — ask us to restrict processing of your data
  • Portability — receive your data in a structured, portable format
  • Object — object to processing based on legitimate interests (Art. 21 GDPR), including profiling for direct marketing; we will comply unless we can demonstrate compelling legitimate grounds that override your interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing
  • Lodge a complaint with your local data protection authority (see §Complaints below)

To exercise your rights, email app@xproduct.co.uk. We will respond within one month (extendable by two further months for complex requests, with notice).

From your dashboard you can delete products, disable QR codes, or close your account. Closing your account permanently deletes associated data after 30 days.

12. Children

Our services are not directed to children under 16 and we do not knowingly collect or process their personal data. If you believe we have inadvertently collected data from a child, please contact us immediately at app@xproduct.co.uk.

13. Automated Decision-Making & AI

We do not carry out decisions producing legal or similarly significant effects solely by automated means (Art. 22 GDPR).

AI features. Where you use AI-assisted content generation, your inputs are processed by a third-party AI provider (currently Anthropic) to generate outputs. These outputs are suggestions only — no automated decisions with legal or similarly significant effect are made based solely on AI outputs. We do not use AI-generated data to profile you or make automated decisions about your account or subscription.

AI inputs are processed transiently and are not retained by us beyond what is necessary to deliver the feature. Please review Anthropic's privacy policy for how they handle prompt data.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in law or our services. We will notify users where appropriate via email or by posting a notice on the Site. Continued use of the platform after notice of material changes indicates acceptance of the updated policy for contractual purposes. Where changes affect consent-based processing, we will seek fresh consent as required by law.

16. Contact Us

If you have any questions or wish to exercise your rights, please contact:

  • Company: Kuzi Design Ltd trading as xProduct
  • Company Registration No: [INSERT COMPANY REG NO]
  • VAT No: [INSERT VAT NO — or remove if not VAT registered]
  • Address: Cradley Enterprise Centre, Maypole Fields, Halesowen, B63 2QB, United Kingdom
  • Email: app@xproduct.co.uk
  • Phone: 07487 566557

You can also contact us through the feedback form on our Site.

Complaints & ICO

If you have concerns, please contact us first and we will aim to resolve them promptly. You also have the right to complain to the UK Information Commissioner's Office (ICO):

  • ICO website: ico.org.uk
  • ICO helpline: 0303 123 1113

EU residents may also contact their local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

© 2026 xProduct.co.uk (Kuzi Design Ltd). All rights reserved.