Last reviewed & updated: September 16, 2021

1. Introduction

This Privacy Policy (“Policy”) has been developed to ensure our customers, EXA Infrastructure website visitors and any other interested parties (“you”) feel confident about the privacy and security of personal data. It outlines how EXA Infrastructure meet the obligations under the General Data Protection Regulation (“GDPR”) and other applicable data protection and privacy legislation, as amended, revised, modified or replaced from time to time (together, the “Legislation”). Under the Legislation, ‘personal data’ is any information that identifies you, or could identify you, directly or indirectly, as an individual. To the extent EXA Infrastructure acts as a ‘data controller’, as defined in the Legislation, we comply with the data protection principles and obligations set down in the Legislation.

This Policy applies to all personal data collected, processed and stored by EXA Infrastructure through our websites, applications, and any related services, sales, marketing, or events in the course of our activities. The purpose of this Policy is to explain the procedures that are followed when dealing with personal data and how EXA Infrastructure collects and manages personal data in accordance with the Legislation. The procedures set out in this Policy are followed by EXA Infrastructure, our employees, agents, contractors and other third parties acting on behalf of EXA Infrastructure. This Policy extends to all personal data whether stored in electronic or paper format.

2. What personal data do we collect?

EXA Infrastructure only holds personal data that is directly relevant to our dealings with a given data subject. That data will be collected, held, processed and disposed of in accordance with the Legislation and with this Policy in a reasonable and lawful manner.

EXA Infrastructure collects personal data that is voluntarily provided to us when signing up for our services, expressing an interest in obtaining information about us or our products and services, when participating in activities on our sites, or otherwise contacting us. The personal data that we collect depends on the context of the interactions with us and our sites, the choices made and the products and features selected and used. For example:

  • Customers will be requested to provide the following information for the provision of services and for the purposes of account administration and billing: personal identification data, including name, address, phone number and/or email address(es).
  • Some information (such as online identification data, including IP address, browser and device characteristics, referring URLs, country, location, information about how and when you use our site and other technical information) is automatically collected when visiting our websites. This information is primarily needed to maintain the security and operation of our sites, and for our internal analytics and reporting purposes.
  • We collect information through cookies and similar technologies - more information can be found in our Cookies Policy.
  • We hold credentials and other authentication data for EXA Infrastructure customer accounts.
  • We may obtain information about customer/supplier/website visitors from other sources, such as public databases, joint marketing partners, social media platforms, as well as from other third parties. Examples of the information we receive from other sources may include: social media profile information (name, email, hiring company, physical addresses, user identification numbers for Customer’s contacts, URL and any other information that is chosen to make public); marketing leads and search results and links, including paid listings (such as sponsored links).

3. Processing personal data

Any and all personal data collected from our customers is collected in order to ensure that we can provide the services under the terms of our services agreement, that we provide the services in the best possible manner and that we can efficiently manage our customers as a whole.

We process your information for purposes based on legitimate business interests, the fulfilment of our contract with you, compliance with our legal obligations and/or your consent. We use the personal data provided by you to provide the services and for business purposes such as processing and fulfilling orders, billing, service improvement, research, marketing and for other general business purposes. EXA Infrastructure may share such information with third parties for business and marketing purposes. Business purposes may include:

  • direct provisioning of the services to you;
  • resolving issues arising during the provisioning of the services or our services agreement with you;
  • billing for services provided by us under our services agreement with you;
  • administration of customer accounts, including:
    • ensuring the ongoing provision of optimized services to you;
    • informing you of the status of the services;
    • implementing any changes to services;
    • billing or customer information as requested by you;
  • account creation and logon processes;
  • marketing and promotional communications: We and/or our third-party marketing partners may use the personal data you send to us for our marketing purposes, you may unsubscribe at any time by clicking the link included in the information;
  • requesting feedback and contacting you about your use of our sites;
  • contacting you regarding information on available upgrades or updates.

4. Accuracy

We endeavour to ensure personal data held by us is up to date and accurate. We shall employ reasonable means to keep personal data accurate, complete and up to date in accordance with the purposes for which it was collected. You, as customer, are responsible for ensuring that you inform the relevant department of any changes in your personal details. Changes to personal data may be made by contacting your Account/Service Manager and/or by contacting EXA Infrastructure Data Protection team directly via email to

5. Do we disclose personal data to anyone else?

Personal data may be disclosed internally when passed from one department to another in accordance with the data protection principles and this Policy. Personal data is not passed to any internal department or any individual that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed. Relevant internal departments to whom personal data may be disclosed includes sales, marketing, customer service, billing, account and technical managers, network operations, security operations and legal.

We shall disclose your personal data to third parties only when it is necessary as part of our business practices, when there is a legal or statutory obligation to do so, or with your consent. Categories of such third parties may include service providers, subcontractors, credit collection agencies, auditors and authorities to whom we are legally obliged to disclose personal data (e.g. law enforcement, tax authorities, etc.). Whenever we disclose personal data to third parties, we will only disclose that amount of personal data necessary to meet such business need or legal requirement. Third parties that receive personal data from us must provide sufficient guarantees and satisfy us as to the measures taken to protect the personal data such parties receive and process it in accordance with the Legislation. Appropriate measures will be taken to ensure that all such disclosures or transfers of personal data to third parties will be completed in a secure manner and pursuant to contractual safeguards.

We may provide personal data, when legally obliged to do so and in response to properly made requests, for example under a court order or for the purpose of the prevention and detection of crime and the apprehension or prosecution of offenders. In the case of any such disclosure, we will do so only in accordance with the Legislation. We may also transfer data to legal counsel where this is necessary for the defence of legal claims. If there is any change in the ownership of EXA Infrastructure or any of its assets, we may disclose personal data to the new (or prospective) owner(s). If we do so, we will require the other party(ies) to keep all such information confidential.

6. How long do we keep personal data?

We keep your information for as long as necessary to fulfil the purposes outlined in this Policy unless otherwise required by law. When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymise it, or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

The time period for which we retain personal data varies according to the law provisions about the use of that information. In some cases, there are legal requirements to keep personal data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain personal data no longer than is necessary for the purposes for which the data was collected or for which they are further processed. Customer personal data will be held for as long as the customer holds a services agreement for the provision of services with us. Following termination of service, personal data shall continue to be retained for the minimum period mandatory under local law. Following this mandatory period, personal data shall be retained for no longer than necessary to allow for the defence of legal claims in accordance with applicable statutory limitation periods under local law. Following the expiry of this period, personal data held by us will be destroyed.

7. How do we protect data about customers when it is transferred out of Europe?

We may transfer customer personal data outside the EEA for storage, and other purposes. Any transfer of your personal data outside of the EEA shall be made through transfer mechanisms approved or allowed for under the Legislation and we shall take all necessary steps to ensure that there is adequate protection, as required by the Legislation. Please note that EXA Infrastructure does not rely on the Privacy Shield, EXA Infrastructure has signed Standard Contractual Clauses (SCCs) between its affiliates.

EXA Infrastructure is an international company and as such we have offices and personnel all over the world.

You may obtain a copy of our standard contractual clauses (SCCs) by contacting us at

8. How can you exercise your rights in respect of personal data we hold about you?

We shall respect all your rights under the Legislation. These rights are as follows:

  • your right to request from us access to your personal data;
  • your right to have any incorrect personal data rectified;
  • your right to the restriction of processing concerning you or to object to processing;
  • your right to have your personal data transferred to another service provider;
  • your right to have your personal data erased (where appropriate).

If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note, however, that this will not affect the lawfulness of the processing before withdrawal of such consent.

Giving effect to your rights shall not affect any obligations which we may have under the Legislation. If you want to know what personal data we hold about you or exercise any of the above rights, you can do so by making your specific request to our Privacy & Data Protection team in writing to the following e-mail address: We will confirm your request after validating your identity and process your request without undue delay and within 30 days of receipt. If the information we hold about you is inaccurate, we request that you advise us promptly so that we can make the necessary amendments and confirm that these have been made within 30 days of receipt of your request.

9. How do we protect personal data?

We shall employ reasonable and appropriate administrative, technical, personnel, procedural, and physical measures to safeguard information against loss, theft and unauthorized uses, access, or modifications.

EXA Infrastructure has an ISO 27001:2013 certified Information Security Management System (ISMS). EXA Infrastructure is assessed and regularly audited by independent third parties to ensure that the highest security standards are maintained and continuously improved.

10. How do we protect personal data?

Complaints on the use, retention and disposal of personal data can be submitted via email to:

As a customer, you also have the right to lodge a complaint with your National Data Protection supervisory Authority -

11. Review

This Policy will be reviewed and updated annually to take into account changes in applicable laws and the experience of the Policy in practice. If we make material changes to this Policy, we may notify you by publishing this Policy on our website. We encourage you to review this Policy frequently to be informed of how we are protecting your information.