Workforce Privacy Policy

Introduction

This Privacy Policy explains how  Xceedance Consulting Limited (“Xceedance” or “we”) and its group entities, collect, use, store, disclose, and protect the personal data of individuals who are:

  • Applying for employment with the Company,
  • Undergoing onboarding
  • Employed by the Company
  • Third-party personnel engaged to perform work for or on behalf of Xceedance, such as contractors, consultants, agency workers, interns, secondees, and other contingent workers
  • Former employees whose data is retained for statutory, contractual or legitimate business purposes


The policy applies to all locations and operations of Xceedance and is applicable to all personal data processed through human resource platforms, including but not limited to Darwinbox. Additional country-specific notices, acknowledgements, or documents may be required to meet local legal requirements. Workforce members will be notified separately where applicable.

Definitions

To help you better understand this Privacy Policy, here are some key terms we use:

  • Personal Data: Any information relating to an identified or identifiable individual, such as name, contact details, identification numbers, location data, or online identifiers.
  • Data Subject/ Principal: The individual whose personal data is being collected and processed.
  • Data Controller: The entity that determines the purposes and means of processing personal data.
  • Data Processor: The entity that processes personal data on behalf of the data controller, following instructions and contractual obligations.
  • Processing: Any action performed on personal data—like collecting, storing, using, or deleting it.
  • Consent: A freely given, specific, informed, and unambiguous indication of agreement by the data subject to the processing of their personal data.
  • Data subject rights are the legal entitlements individuals have to control how their personal data is collected, used, and shared under data protection laws.
  • Profiling: Any form of automated processing of personal data to evaluate personal aspects of an individual, such as preferences, behavior, or performance.
  • Third Party: Any entity other than the data subject, data controller, or data processor that may receive or process personal data.
  • Anonymization: The process of removing personal identifiers from data so that it can no longer be linked to an individual.

Categories of data subjects 

This policy applies to: 

  • Prospective candidates: Individuals applying for roles at Xceedance. 
  • Onboarding employees: Individuals in the process of joining the Company. 
  • Current employees: Individuals currently employed by the Company.
  • Former employees: Individuals whose employment has ended but whose data is retained for legal, contractual, or legitimate purposes.

Types of personal data collected

We collect and process only the minimum personal data necessary to fulfill the stated purposes, and obtain this data either directly from you or from authorized third-party sources.

Data Subject GroupCategories of Personal DataLegal Basis for Processing
Prospective Candidates

Contact details (name, email, phone)
Resume/CV, Qualifications, work history Screening/assessment results
Interview notes, recruiter feedback		Legitimate interest (recruitment, hiring process)
Consent (where assessments/tests are optional)

Onboarding EmployeesGovernment-issued IDs
Bank details, payroll setup information
Statutory compliance documents		Legal obligation (statutory records, tax, compliance) Contractual necessity (employment contract)
Current EmployeesAttendance, leave, shift records  
Salary, tax, and benefits data  
Performance evaluations, promotions, training history
System usage details (login logs, device/IP)  
Engagement surveys, policy acknowledgments		Contractual necessity (HR operations, payroll)
Legal obligation (employment/tax laws)
Legitimate interest (workforce management, IT security)
Consent (optional engagement surveys, wellbeing programs)
Former EmployeesExit documentation  
Payroll and tax records  
Pension/beneficiary details

Legal obligation (record retention)   
Legitimate interest (defending legal claims)

Purposes of data processing 

Xceedance collects and processes personal data for the following purposes: 

  • Recruitment and talent acquisition
  • Onboarding and employment formalities 
  • Payroll, taxation, and statutory compliance 
  • Leave and attendance management 
  • Performance monitoring and career progression 
  • IT system access, security, and audit requirements 
  • Internal communication and employee engagement 
  • Legal and regulatory compliance 
  • Exit formalities and post-employment obligations
  • Learning and organizational development (L&D)
  • Personal and family information management – for statutory reporting, insurance/benefits enrolment, and employee lifecycle events
  • Employee engagement events and welfare activities
  • Third-party service enablement  e.g., mailing/courier services for official communication. 

Legal basis for processing

Processing of personal data is carried out under the following legal bases: 

  • Consent: For certain recruitment and optional employee initiatives 
  • Contractual Necessity: For onboarding and ongoing employment-related obligations 
  • Legal Obligation: Compliance with employment laws, tax, and statutory authorities 
  • Legitimate Interest: For internal operations, system security, and organizational planning 

Data sharing and disclosure

Personal data may be shared with: 

  • Authorized internal departments (e.g., HR, Legal, Finance, IT) 
  • Government bodies and statutory authorities (as mandated by law) 
  • External service providers and vendors, including: 
      – Payroll processors and other benefits providers

  – Recruitment agencies
  – Background verification partners 
  – IT infrastructure and cloud service providers 

  • Post-Retirement Benefits – Personal data may be shared with benefit administrators, insurers, or government bodies to manage pensions, retirement accounts, health coverage, or other entitlements after employment ends

All external parties are bound by appropriate confidentiality and data processing agreements. 

International data transfers

Workforce data may be processed or stored on systems hosted outside the employee’s home country. Such transfers are safeguarded through recognized legal mechanisms, such as:

  • Standard Contractual Clauses (SCCs), 
  • Adequacy determinations, 

Xceedance operates in the UK, US, Poland (EU), India, Australia, and Canada, and workforce data may be accessed or processed across these regions, with India serving as a central processing hub.

Data retention

Personal data will be retained only for as long as necessary for the recruitment process and, where applicable, subsequent employment. Retention periods for candidate records, onboarding documentation, and employment-related data are determined in accordance with the applicable legal and regulatory requirements of the jurisdiction in which the data is processed. Where statutory obligations require longer retention (e.g., tax, labor, or compliance purposes), records will be maintained for the duration mandated by law. Once the retention period expires, data will be securely deleted.

Data subject rights

Individuals have the following rights regarding their personal data: 

  • Right to access data 
  • Right to rectify inaccuracies 
  • Right to request erasure (subject to statutory exceptions) 
  • Right to withdraw consent (where consent is the lawful basis) 
  • Right to restrict or object to processing (where applicable) 
  • Right to data portability (where applicable) 
  • Right to Grievance Redressal 
  • Right to Nominate 

Requests can be made by contacting Xceedance’s Data Protection Officer (DPO) at [email protected], and will be responded to within one month in accordance with applicable data protection regulations.

Security measures

We are committed to protecting your personal data through robust technical and organizational safeguards.

Certifications & Standards:

Xceedance is ISO/IEC 27001:2022 certified and holds a SOC 2 Type II attestation, reflecting our commitment to information security best practices.

Regulatory alignment:

Our data protection practices are aligned with global privacy regulations, including:

  • EU General Data Protection Regulation (GDPR)
  • UK GDPR
  • India’s Digital Personal Data Protection Act (DPDP Act)
  • U.S. federal and state privacy laws
  • Australian Privacy Principles (APPs)

Your role in security:

While we implement industry-standard security controls, data transmission over the internet can never be guaranteed to be 100% secure. We encourage you to:

  • Keep your login credentials confidential
  • Use secure networks when accessing our services
  • Report any suspicious activity or phishing attempts claiming to be from Xceedance

If you suspect a security issue or receive suspicious communication, please contact us at  [email protected].

Contact details 

For questions, any grievances or to exercise your rights under this policy, please contact: 
Data Protection Officer (DPO): [email protected].

Changes to this privacy statement

We reserve the right to update, modify or amend this privacy notice at any time at our sole discretion. Changes will be posted on this page, and additional notifications may be provided.

The most recently published privacy notice shall prevail over any of its previous versions. You are encouraged to check this privacy notice to stay informed of any changes. We may also notify you in other ways from time to time about the processing of your personal data.

Your privacy is our priority, and we are committed to addressing any questions you may have regarding handling your data. For any data privacy queries, please get in touch with our Data Protection Officer at [email protected].