Purpose
This policy sets out how Exquisite Gaming Ltd (EXG Pro) collects, handles, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
EXG is registered with the Information Commissioner's Office (ICO) as a data controller. The designated lead for data protection is the Digital & Technology Director (Lauren Bath — lauren@exgpro.com).
Scope
This policy applies to all EXG employees, contractors, and third parties who process personal data on EXG's behalf. It covers all personal data held in any format — digital, paper, or otherwise.
What Personal Data We Hold
EXG processes personal data across the following categories:
| Category | Examples | Systems |
|---|---|---|
| Employee data | Names, contact details, payroll, contracts, performance records | SharePoint, Xero |
| Customer & order data | Names, delivery addresses, order history, contact details | Shopify, Zoho Inventory |
| Partner & licensee data | Contact details, company representatives, agreement details | SharePoint, Zoho |
| Supplier data | Contact names, business addresses, payment details | Zoho Inventory, Xero |
| Website visitor data | Analytics, browsing behaviour (anonymised where possible) | Fathom Analytics |
EXG does not process special category data (e.g. health, biometric, or religious data) unless required by law (e.g. for statutory sick pay or reasonable adjustment purposes), in which case it is handled under strict access controls.
Lawful Bases for Processing
EXG relies on the following lawful bases under UK GDPR Article 6:
| Basis | When Used |
|---|---|
| Contract | Processing necessary to fulfil an order, employment contract, or licensing agreement |
| Legal obligation | Payroll records (HMRC), statutory HR records, accounting records (Companies Act) |
| Legitimate interests | Business communications, fraud prevention, product/service improvement |
| Consent | Marketing communications where consent has been explicitly given |
Where EXG relies on legitimate interests, a Legitimate Interests Assessment (LIA) is conducted and documented before processing begins.
Data Protection Principles
EXG processes all personal data in accordance with the UK GDPR principles. Data must be:
- Lawfully, fairly and transparently processed — individuals are informed how their data is used
- Collected for specified, explicit and legitimate purposes — not used beyond the original purpose
- Adequate, relevant and limited — only data necessary for the purpose is collected
- Accurate and kept up to date — inaccurate data is corrected or deleted promptly
- Retained only as long as necessary — see retention periods in the Backup & Disaster Recovery Policy
- Processed securely — appropriate technical and organisational measures are in place (see Data Security section)
Data Subject Rights
Individuals whose data EXG holds have the following rights under UK GDPR:
| Right | Description | Response Time |
|---|---|---|
| Right of access | Request a copy of all personal data EXG holds about them (Subject Access Request) | 1 calendar month |
| Right to rectification | Request correction of inaccurate or incomplete data | 1 calendar month |
| Right to erasure | Request deletion of personal data where no longer necessary, consent is withdrawn, or processing is unlawful | 1 calendar month |
| Right to restriction | Request that processing is limited while accuracy or lawful basis is disputed | 1 calendar month |
| Right to portability | Receive data in a structured, machine-readable format (applies to automated processing under consent or contract) | 1 calendar month |
| Right to object | Object to processing based on legitimate interests or for direct marketing purposes | Immediate (marketing); 1 month (other) |
How to exercise rights: Submit requests in writing to lauren@exgpro.com. EXG will respond within one calendar month. In complex cases, this may be extended by a further two months with notification.
EXG will not charge a fee for reasonable requests. Manifestly unfounded or excessive requests may be refused or subject to an administrative fee.
Third-Party Data Processors
EXG uses third-party platforms that process personal data on our behalf as data processors. EXG remains the data controller and is responsible for ensuring these processors provide sufficient data protection guarantees.
| Processor | Data Processed | Location |
|---|---|---|
| Zoho Inventory | Customer orders, supplier contacts | EU (Zoho EU data centre) |
| Xero | Financial records, supplier/customer details | UK/EU |
| Shopify Plus | Customer orders, delivery addresses, payment (tokenised) | USA (Standard Contractual Clauses apply) |
| Amazon (Seller Central) | Order and customer data for marketplace orders | USA (Standard Contractual Clauses apply) |
| Microsoft 365 | Employee data, documents, email (managed by Xenace) | EU region |
| Netlify | Anonymised access logs for department hubs | USA (Standard Contractual Clauses apply) |
| Fathom Analytics | Anonymised website analytics | EU |
EXG does not sell personal data to any third party. No personal data is shared with third parties for marketing purposes without explicit consent.
International Data Transfers
Some EXG processors are based outside the UK/EU (Shopify, Amazon, Netlify). All international transfers are protected by one or more of the following mechanisms:
- UK Adequacy Regulations — transfers to countries with an adequacy decision
- Standard Contractual Clauses (SCCs) / International Data Transfer Agreements (IDTAs) — contractual safeguards with processors in non-adequate countries
- Binding Corporate Rules — where applicable
Data Security
All personal data held by EXG is protected through the measures described in the Backup & Disaster Recovery Policy, including:
- Encryption at rest and in transit for all databases
- Access control via Microsoft Azure AD roles (staff / manager / board)
- API credentials stored in a shared secrets manager, never in source code
- No personal data stored on personal devices or unmanaged cloud storage
Data Breach Response
In the event of a personal data breach, EXG follows the procedure set out in the Backup & Disaster Recovery Policy (Scenario 5 — Personal Data Breach), including mandatory ICO notification within 72 hours where required under UK GDPR Article 33.
ICO contact: 0303 123 1113 | ico.org.uk
Staff Responsibilities
All EXG staff who handle personal data must:
- Only access personal data they are authorised to view
- Not share personal data with unauthorised individuals inside or outside EXG
- Report any suspected data breach or security incident to Lauren Bath (lauren@exgpro.com) immediately
- Complete data protection awareness training when required
- Not store personal data on personal devices, personal email accounts, or unauthorised cloud services
Failure to comply with this policy may result in disciplinary action.
Review Schedule
This policy is reviewed annually or following any significant change in data processing activities or applicable law.
Next review due: March 2027
