Privacy Policy

This Privacy Policy explains how xR2 ("we," "our," or "us") collects, uses, discloses, and protects your personal data when you use our website xr2.uk and related services ("Services").

We are committed to protecting your privacy and processing your personal data in accordance with applicable data protection laws, including:

- The EU General Data Protection Regulation (GDPR) 2016/679

- The UK General Data Protection Regulation and Data Protection Act 2018

- Federal Law No. 152-FZ of the Russian Federation "On Personal Data"

By using our Services, you acknowledge that you have read and understood this Privacy Policy.

xR2 is the data controller responsible for the processing of your personal data collected through the Services.

For inquiries regarding data protection, please contact us at: hello@xr2.uk

We collect personal data in the following categories:

Data You Provide Directly

- Account registration data: email address, name, password

- Profile information: company name, job title

- User-generated content: prompts, configurations, and workspace settings you create

- Communications: correspondence when you contact our support team

Data Collected Automatically

- Technical data: IP address, browser type and version, operating system, device identifiers

- Usage data: pages visited, features used, timestamps, API interactions

- Cookies and similar technologies: as described in our [Cookie Policy](/legal/cookies)

Data from Third Parties

- Authentication data: when you sign in using a third-party provider (e.g., Google, GitHub)

- Payment confirmation: transaction status from payment processors (we do not receive or store your payment card details)

We process your personal data for the following purposes:

Service Delivery

- To create and manage your account

- To provide access to the Services and their features

- To process and respond to your support requests

- To personalize your experience based on your preferences

Service Improvement

- To analyze usage patterns and optimize the Services

- To develop new features and functionality

- To conduct internal research and analytics

Legal and Security

- To comply with applicable laws and regulatory requirements

- To enforce our Terms of Service

- To protect the security and integrity of the Services

- To detect, prevent, and respond to fraud or unauthorized access

Communication

- To send service-related notifications (e.g., account updates, security alerts)

- To inform you of material changes to our policies or Services

Under the GDPR and UK GDPR, we process your personal data on the following legal bases:

Performance of Contract (Article 6(1)(b))

Processing necessary to provide the Services to you, including account management and service delivery.

Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, including service improvement, security, and fraud prevention. We balance these interests against your rights and freedoms.

Legal Obligation (Article 6(1)(c))

Processing necessary to comply with applicable laws and regulations.

Consent (Article 6(1)(a))

Where we rely on consent (e.g., for marketing communications or non-essential cookies), you may withdraw your consent at any time.

Under Federal Law 152-FZ of the Russian Federation, we process personal data based on your consent or other lawful grounds established by law.

We may share your personal data with the following categories of recipients:

Service Providers

Third-party vendors who process data on our behalf, including:

- Cloud infrastructure providers (hosting and storage)

- Analytics providers (anonymized usage data)

- Payment processors (transaction processing)

- Communication platforms (email delivery)

All service providers are bound by data processing agreements and may only process your data according to our instructions.

Legal Disclosures

We may disclose your data when required by law or in response to valid legal process, including court orders and government requests. We may also disclose data to protect our legal rights or the rights of third parties.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such change.

In accordance with applicable data protection laws, we store your personal data on servers located in jurisdictions appropriate to your country of residence:

Users in the Russian Federation

In compliance with Federal Law No. 152-FZ, personal data of Russian citizens is stored and processed on servers located within the territory of the Russian Federation.

Users in the European Union and United Kingdom

Personal data of EU and UK users is stored and processed on servers located in the United Kingdom, ensuring compliance with GDPR and UK GDPR requirements.

Other Users

Personal data of users from other jurisdictions is stored on servers located in the United Kingdom.

In certain circumstances, your personal data may need to be transferred to countries other than where it is primarily stored. When such transfers occur, we implement appropriate safeguards:

Transfers from the EU/EEA

- Standard Contractual Clauses approved by the European Commission

- Transfers only to countries recognized as providing adequate protection

Transfers from the UK

- International Data Transfer Agreement (UK SCCs)

- Transfers only to countries recognized by the UK as providing adequate protection

Transfers from Russia

- Compliance with cross-border transfer requirements under Federal Law 152-FZ

- Primary storage remains within Russia; transfers abroad only with appropriate legal basis and safeguards

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account Data

Retained for the duration of your account. Upon account deletion, we will delete or anonymize your data within 30 days, unless retention is required by law.

Transaction Records

Retained for the period required by applicable tax and accounting regulations, typically 5-7 years.

Log and Analytics Data

Personal identifiers are removed or anonymized within 26 months. Aggregated, non-identifiable analytics data may be retained indefinitely.

Legal Holds

Data may be retained beyond standard periods when necessary to comply with legal obligations or to establish, exercise, or defend legal claims.

Subject to applicable law, you have the following rights regarding your personal data:

Right of Access

You may request confirmation of whether we process your personal data and obtain a copy of such data.

Right to Rectification

You may request correction of inaccurate or incomplete personal data.

Right to Erasure

You may request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the original purpose.

Right to Restriction

You may request that we restrict processing of your personal data in certain circumstances.

Right to Data Portability

You may request to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object

You may object to processing based on legitimate interests. You may also object to processing for direct marketing purposes at any time.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise your rights, please contact us at hello@xr2.uk. We will respond within the timeframes required by applicable law (generally 30 days under GDPR).

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

- Encryption of data in transit using TLS

- Encryption of data at rest

- Access controls and authentication mechanisms

- Regular security assessments and monitoring

- Incident response procedures

While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

The Services are not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.

If you believe that a child has provided personal data to us, please contact us at hello@xr2.uk. We will take steps to delete such data.

If you have concerns about our data processing practices, we encourage you to contact us first at hello@xr2.uk.

You also have the right to lodge a complaint with a supervisory authority:

EU Residents

Contact the data protection authority in your EU Member State.

UK Residents

Information Commissioner's Office (ICO): https://ico.org.uk

Russian Federation Residents

Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor): https://rkn.gov.ru

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. When we make material changes, we will notify you by posting a notice on the Services or by other appropriate means.

The "Last updated" date at the top indicates when this policy was last revised. We encourage you to review this policy regularly.

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: hello@xr2.uk

Website: https://xr2.uk