X-on Health Ltd Privacy Notice

X-on Health Ltd (“X-on Health”, “we”, “our”, “us”) is committed to protecting the privacy and security of all personal data we process in the course of our business operations.
This notice explains what data we collect, how we use it, the lawful bases under which we process it, how long we retain it, and your rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 & the Data Use & Access Act 2025.

Data

X-on Health Ltd ensures that all personal data acquired during any interaction with individuals — including people who enquire via our website or by any other means, customers, suppliers, affiliates, and employees — is completely protected and, when necessary, stored securely within our encrypted network environment.

We collect and process only the data necessary to engage and communicate with the above contacts, such as:

  • Name, job title, organisation, address, email, and telephone number
  • Account, billing, or service information
  • Call recordings and caller identification (CLI) data
  • Technical information such as IP addresses, device or browser details, and usage logs
  • Recruitment information (CVs, cover letters, interview notes)
  • Employment records for current and former staff

Data is collected directly from individuals or from authorised representatives (for example, through contracts or forms).
Enquirers and customers provide required data willingly but retain ownership and control of their data.

Lawful Bases for Processing

X-on Health processes personal data only where one or more lawful bases under the UK GDPR apply.
The table below identifies each lawful basis and the relevant Article:

| Lawful Basis | Description and Typical Use Cases | UK GDPR Article |
|---|---|---|
| Contract | To perform or enter into a contract with an individual or organisation, e.g. providing or receiving services, maintaining customer or supplier relationships, and managing employment relationships. | Article 6(1)(b) |
| Legal Obligation | To comply with legal, regulatory, or statutory duties such as financial record-keeping, NHS or sector regulations, and employment law obligations. | Article 6(1)(c) |
| Legitimate Interests | For our legitimate business interests, including service improvement, security, quality management, business continuity, and internal administration, provided these do not override individuals’ rights and freedoms. | Article 6(1)(f) |
| Consent | Where the individual has given clear consent for a specific purpose, e.g. receiving marketing communications or accepting optional website cookies. | Article 6(1)(a) |
| Vital Interests (rare) | To protect someone’s life or wellbeing in an emergency (for example, an on-site health incident). | Article 6(1)(d) |
| Public Task (if applicable) | When performing tasks carried out in the public interest or under official authority, for example, supporting NHS Digital requirements. | Article 6(1)(e) |

Control

X-on Health controls the personal data we hold for the purposes of running our business (e.g. customer, supplier, and employee details).
Where we process customer data on behalf of a client as part of a hosted service, that customer remains the data controller and X-on Health acts as a data processor, following their instructions under a written agreement compliant with Article 28 UK GDPR.

Review

Personally identifiable data held by X-on Health can be reviewed or updated at any time by contacting our Data Protection Officer.
Before granting access or making changes, we will verify the requester’s identity to protect confidentiality.

Removal and Retention

Individuals have the right to request deletion of their data (“right to be forgotten”) subject to any legal or contractual obligations.

Typical retention periods:

  • Customers & suppliers – 6 years after contract end
  • Employees – period of employment + 6 years
  • Job applicants – up to 6 months from application
  • Marketing contacts – until consent is withdrawn
  • System logs – typically 90–180 days

Requests for erasure or access can be made by emailing privacy@x-on.co.uk.

Security

X-on Health maintains rigorous data-security measures, supported by regular audits and certifications including:
ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO 22301 (Business Continuity), ISO 27001 (Information Security), ISO 42001 (AI Management), Cyber Essentials Plus, DSPT (Standards Exceeded), IGT (NHS Digital Access), and PCI-DSS Level 4.
We are registered with the Information Commissioner’s Office (ICO) and are a Crown Commercial Service Supplier.

All personal data is stored securely within encrypted UK-based environments and is not transferred outside the UK unless contractually required and protected by approved safeguards.

Website

The X-on Health website itself does not automatically collect personal information.
We retain only details voluntarily supplied via the contact form or by telephone, and these are used solely to respond to your enquiry.
We do not disclose such information to any unauthorised third party.

Cookies

Cookies are small text files stored in your web browser to enhance website functionality.
We use only analytical cookies to gather anonymous statistics (e.g. page visits, time on site, visitor region).
These analytics contain no personal identifiers and are used solely to improve website design and content.
You may block or delete cookies via your browser settings.

Customers

X-on Health uses Autotask (Datto Inc.) CRM to manage customer records and service desk operations.
Their privacy policy is available here.

We also use Google Business Services for internal operations; customer data is not generally stored in this environment.
Google’s Privacy Policy can be found here.
All third-party processors are contractually required to meet UK GDPR standards.

Marketing

With your consent, we may contact you occasionally regarding our services via email or telephone.
You may unsubscribe at any time using the link in our emails or by calling 0333 332 0000.
We do not sell, rent, or share marketing contact lists with third parties.

Callers

X-on Health records Calling Line Identification (CLI) details to improve service efficiency and to provide functionality such as on-screen customer identification.
Recordings and CLI information are processed under our legitimate interests and retained only as long as necessary for business or legal requirements.

Content

If content provided to X-on Health is intended for public release (e.g. blogs, case studies, press releases), X-on Health is not responsible for any third-party use or dissemination once published with consent.

Affiliates and Resellers

Information held as part of affiliate or reseller relationships is used solely for business purposes and handled in accordance with this policy.
We expect the same level of confidentiality and data protection from our partners.

Lawful Disclosure

If required by relevant legal authorities and with proper authorisation (e.g. a court order or warrant), X-on Health may be obliged to disclose personal data.
All disclosures are documented and limited to what is legally necessary.

Employment

Information provided when seeking employment may be retained for up to six months for recruitment assessment.
Employee records are retained for the duration of employment and up to six years thereafter, in accordance with statutory obligations.
Employee data is processed for HR, payroll, training, and compliance purposes only and is never shared without lawful basis.

Under 18 Individuals

Individuals under 18 may engage with X-on Health only with the consent of a parent or responsible adult.

Third Parties

X-on Health does not rent or sell any personal data for any reason.
All data is held in secure, access-controlled environments.

UK Data

Personal data is processed and stored within the United Kingdom unless contractual services require international transfer, in which case suitable safeguards (such as UK IDTA or EU Standard Contractual Clauses) are applied.

Your Rights

Under the UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate information
  • Request deletion or restriction of processing
  • Object to certain types of processing, including direct marketing
  • Request data portability (where applicable)
  • Withdraw consent at any time where processing is based on consent

To exercise your rights, contact privacy@x-on.co.uk.
We may need to verify your identity before fulfilling a request.

Complaints

If you have concerns about how X-on Health handles your data and they are not resolved to your satisfaction, you have the right to contact the Information Commissioner’s Office (ICO):
www.ico.org.uk | ☎ 0303 123 1113.

Compliance

X-on Health complies with:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018
  • The Data Use & Access Act 2025
  • MiFID II call-recording and PCI-DSS requirements
  • Other applicable data-security standards and sector regulations.