top of page
Asset 26.png

Privacy Policy

Last updated: 23rd February 2026

XR Consultancy (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This notice explains how we collect, use, store and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

This notice applies to clients, prospective clients, education partners, workshop attendees, website visitors, and job applicants.

1. Who We Are

XR Consultancy is a UK-based education and career consultancy providing apprenticeship guidance, interview coaching, CV services and related workshops.

Data Controller: XR Consultancy


Email: dataprotection@xrconsultancy.co.uk

We are the “data controller” for the personal data described in this notice.

2. The Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

A. Identity and Contact Information

  • Full name

  • Postal address

  • Email address

  • Telephone number

  • Date of birth

B. Client Service Information

  • CVs and supporting documents

  • Education history

  • Employment history

  • Apprenticeship applications

  • Coaching session notes

  • Assessment centre preparation materials

  • Interview feedback

C. Account and Transaction Data

  • Booking information

  • Purchase history

  • Payment confirmation details

  • Billing address

  • Marketing preferences

(Note: We do not store full card details. Payments are processed securely through third-party payment providers.)

D. Technical and Website Data

  • IP address

  • Device and browser information

  • Website usage data

  • Cookie tracking data

  • User journey analytics

E. Recruitment Information

If you apply to work with us:

  • CV

  • Employment history

  • Qualifications

  • References

  • Right to work information

F. Communications

  • Emails and messages

  • Enquiries

  • Complaints

  • Consultation discussions

We do not intentionally collect special category data (such as health or ethnicity information) unless you voluntarily provide it and it is necessary for providing our services.

3. How We Use Your Personal Data

We use your data to:

  • Deliver coaching, guidance and workshop services

  • Manage bookings and payments

  • Respond to enquiries and provide customer support

  • Send service updates

  • Improve our services and website performance

  • Send marketing communications (where permitted)

  • Meet legal and regulatory obligations

  • Establish, exercise or defend legal claims

We do not sell personal data.

4. Lawful Bases for Processing

Under UK GDPR, we rely on the following lawful bases:

Contract

Where processing is necessary to deliver services you have booked or requested.

Legitimate Interests

Where processing is necessary for:

  • Running and improving our business

  • Website analytics

  • Responding to enquiries

  • Preventing fraud or misuse

  • Maintaining records of services provided

We ensure our legitimate interests do not override your rights.

Consent

Where required for:

  • Email marketing

  • Certain cookies

  • Optional communications

You may withdraw consent at any time.

Legal Obligation

Where we must comply with UK law, including tax and accounting requirements.

5. Marketing Communications

We will only send marketing emails where:

  • You have opted in, or

  • You are an existing client and marketing relates to similar services (soft opt-in under PECR).

You can unsubscribe at any time using the link in emails or by contacting us.

6. Cookies and Website Tracking

Our website uses cookies and similar technologies for:

  • Essential functionality

  • Performance analytics

  • Marketing (where consent is given)

You can manage your cookie preferences via our cookie banner or browser settings.

7. Where We Get Personal Data From

We collect personal data:

  • Directly from you

  • From education providers (with appropriate authority)

  • From publicly available sources

  • From event registrations

  • From marketing list providers (where legally obtained)

8. Data Sharing

We may share personal data with:

  • Payment processors

  • Website hosting providers

  • Email service providers

  • Professional advisers (accountants, legal advisers)

  • Regulatory or law enforcement bodies (where legally required)

All third parties are required to respect data security and process data in accordance with the law.

We do not transfer personal data outside the UK unless appropriate safeguards are in place.

9. How Long We Keep Data

We retain personal data only for as long as necessary:

  • Client records: up to 6 years after last service (for legal and tax purposes)

  • Marketing records: until you withdraw consent or after 3 years of inactivity

  • Recruitment data: up to 12 months after decision

  • Website analytics: in line with cookie policy settings

We may retain data longer if required by law or for legal claims.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data from:

  • Unauthorised access

  • Accidental loss

  • Alteration

  • Disclosure

Access to personal data is restricted to those who need it.

11. Your Data Protection Rights

Under UK data protection law, you have the right to:

  • Request access to your personal data

  • Request correction of inaccurate data

  • Request deletion of your data

  • Restrict processing

  • Object to processing based on legitimate interests

  • Request data portability

  • Withdraw consent at any time (where consent is relied upon)

Requests can be made via dataprotection@xrconsultancy.co.uk.

We will respond within one month unless legally permitted to extend.

12. Automated Decision Making

XR Consultancy does not carry out automated decision-making or profiling that produces legal or similarly significant effects.

13. Children’s Data

Our services may be used by individuals under 18. Where required, we will seek appropriate parental or guardian consent.

14. Use of Artificial Intelligence and Automated Processing

We use artificial intelligence (“AI”) systems and large language models to support certain features of our services, including but not limited to interview simulations, automated feedback, content generation, data analysis and customer support functionality.

How AI Is Used

Where you engage with features powered by AI, information you provide (which may include your name, written responses, audio recordings, interview performance data or other submitted content) may be processed by automated systems to generate outputs such as feedback, scoring, summaries or structured responses.

AI tools are used to enhance service delivery, improve user experience and provide structured analytical feedback.

These systems do not make legally binding decisions about you without human oversight.

Third-Party AI Providers

To provide these services, we may use third-party AI and cloud service providers. These may include, but are not limited to:

  • OpenAI

  • Anthropic

  • Google

  • Other AI, machine learning or cloud infrastructure providers

Your data may be transmitted to and processed by such providers strictly for the purpose of delivering our services.

We take reasonable steps to ensure that:

  • Data is shared only where necessary for service provision

  • Appropriate contractual safeguards are in place

  • Providers are subject to confidentiality and data protection obligations

  • Transfers outside the United Kingdom are subject to appropriate safeguards in accordance with UK data protection law

International Transfers

Where personal data is processed outside the United Kingdom, we rely on lawful transfer mechanisms under UK GDPR, which may include adequacy regulations, international data transfer agreements or other approved safeguards.

Data Minimisation and Retention

We aim to limit the personal data shared with AI providers to what is necessary for the specific function being performed. Data is retained only for as long as required to provide services, comply with legal obligations or resolve disputes.

No Model Training Using Client Data

We do not intentionally use your personal data to train or improve public AI models unless explicitly stated and permitted by you. Where third-party AI providers process data, this is done in accordance with their contractual data processing terms.

Your Rights

You retain all rights available under UK data protection law, including the right to:

  • Access your personal data

  • Request correction of inaccurate data

  • Request erasure where applicable

  • Object to certain forms of processing

  • Request restriction of processing

Requests can be made using the contact details provided in this Privacy Policy.

15. Complaints

If you have concerns about how we handle your personal data, please contact us first at:

dataprotection@xrconsultancy.co.uk

If you remain dissatisfied, you may contact the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline: 0303 123 1113
Website: https://www.ico.org.uk

bottom of page