Privacy Policy

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

X-ray Leads Ltd is a limited company incorporated under the laws of England and Wales, registered number 11345967 with its registered office address at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ (“XR”, “we”).

This Privacy Policy should be read together with any Terms and Conditions XR may provide to you. It sets out how we will treat any personal data that you provide us or that we collect about you, and provides details of the systems and processes X-ray Leads uses to protect its IT infrastructure and minimise the risk of data loss and cyber attack.


This Privacy Policy sets out how XR uses and protects any information that XR uses about you (including information provided through the website (“Website”)). XR may collect personal data of contacts, its clients or potential clients (“Services”), in accordance with this Privacy Policy. In addition to this, the Website also collects certain personal data from its users, via webforms and monitoring software.

XR is firmly committed to respecting and protecting the privacy of all personal data received or collected, in strict adherence to Data Protection Legislation (defined below) and best business practice.

Gary Vantil is the data protection officer for XR. To contact the data protection officer, please email

Data Protection

XR’s data protection and privacy measures are governed by (i) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 2018 (“Data Protection Legislation”).

For the purpose of Data Protection Legislation, where personal data is provided directly to XR through use of its Website, email, or other means where XR is providing its Services, XR will be a data controller of such information.  Where XR is a data controller, it shall collect and process that personal data in accordance with this Privacy Policy.

Where XR cannot determine the use of such personal data and is provided with that personal data by its clients, third parties or by users of XR’s Services who are not in a direct contract with XR, XR will be a data processor of such personal data on behalf of the data controllers who determine how that personal data is processed, in accordance with their instructions. In such instances, those data controllers will be responsible to those individuals whose personal data may be processed by XR on behalf of that data controller in respect of how their personal data is processed, in accordance with that data controller’s own privacy statements.

Personal data collected 

XR may collect, use, store and transfer different kinds of personal data about you and because of the nature of the Services we provide, the types of data we process can be quite varied, but will usually include:

  • Identity Data including your first name, last name, title and job title;
  • Contact Data including your address, billing address, delivery address, email address and telephone numbers;
  • Financial Data including bank account and payment card details;
  • Transaction Data including details about payments to and from you and other details of products and Services you have purchased from us;
  • Usage Data including information about how you use XR’s Services or submit an enquiry or query through the Website including your IP address; 
  • Technical Data including information from your visits to the Website or in relation to materials and communications we send to you electronically; and
  • Event Data including the information you provide to us for the purposes of attending meetings and events, including your preferences, access and dietary requirements.

If you fail to provide personal data

Where XR needs to collect personal data by law, or under the terms of a contract XR has with you (or our customer on whose behalf you are acting), and you fail to provide that data when requested, XR may not be able to perform the contract it has or is trying to enter into. In this case, XR may have to cancel the Services but will notify you if this is the case.

How is your personal data collected?

Where XR is acting as a data controller, XR uses different methods to collect personal data from and about you, including through:

  • Interacting with XR. You may give us your data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you may provide us with when giving us feedback. 
  • This includes data provided to us by an introducer or third party.
  • Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the EU.

How XR will use your personal data

XR will only use your personal data in ways in which the law allows. Where acting as the data controller, most commonly we will use it for:

  • Services for clients – Where we need to perform the contract we are about to enter into or have entered into. To provide you (or the company on behalf of which you instruct us) with services or other information that you have requested from us;
  • Business Analytics – To manage our business performance and assess client satisfaction and improvement to our Services. 
  • Making/Chasing Payment – To invoice you for Services we have provided to you (or the company on behalf of which you instruct us) and to trace and collect debts where required;
  • Compliance – To keep records of the work we have carried out for you (or the company on behalf of which you instruct us);
  • Marketing – To send you electronic and/or paper-based marketing materials relating to our Services and to invite you to seminars or other events hosted by us (so far as permitted by law);
  • Events – To enable us to provide events to you which are tailored to your needs and preferences.

How your personal data may be shared

Personal data XR collects in accordance with this Privacy Policy may be shared as follows:

  • with third party consultants selected by XR, to whom we outsource certain support services such as word processing, translation, photocopying, data room hosting, document review and IT services or where we are using a third-party service provider to provide services that involve data processing, such as Eclipse, SecureDocs, Dotmailer or the Royal Mail;
  • with event partners or providers of hospitality;
  • with the Information Commissioner’s Office or other regulatory body where XR is under a duty to disclose your personal data to comply with any legal obligation (for example, in order to fulfil our regulatory obligations or comply with an auditor);
  • with third parties to whom we may choose to sell, transfer, or merge parts of our business or with existing sister businesses. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice;
  • to protect the rights, property, or safety of XR, XR’s customer, or others or to enforce any terms and conditions we provide to you. This includes exchanging information with other companies and organisations for the purposes of fraud protection and for compliance with laws;
  • where you have expressly consented for us to share your personal data with third parties;
  • with debt recovery agencies.

All our third parties are required to respect the security of the personal data we provide them and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with the instructions we have provided them.

Purposes for which XR will use your personal data

The details below set out a description of all the ways we plan to use your personal data where we are the data controller for your personal data, and the legal bases we rely on for doing so.

We have also identified what our legal bases are where appropriate. Where more than one ground has been set out below, please contact XR if you need details of the specific legal ground we are relying on to process your personal data.

Purpose/Activity; Type of data; Lawful basis for processing including basis of legitimate interest

  • To register you as a new customer and verify your identity
      – We will use your: (a) Identity (b) Contact data
      – Legal basis = Performance of a contract, Consent (for use of special categories of data) and/or Compliance with a legal requirement

  • To process and deliver the Services including: (a) managing payments, fees and charges (b) collecting and recovering money owed to us (c) contacting you and corresponding about the Services
      – We will use your: (a) Identity (b) Contact (c) Financial (d) Transaction data
      – Legal basis = Performance of a contract, Necessary for our legitimate interests (to recover debts due to us), Compliance with a legal requirement

  • To respond to queries, complaints, claims and enquiries
      – We will use your: (a) Identity (b) Contact data
      – Legal basis = Legitimate interests

  • Marketing
      – We will use your: (a) Identity Data (b) Contact Data
      – Legal basis = Legitimate interests, or Consent (where an individual consumer)

  • Events
      – We will use your: (a) Identity Data (b) Individual Data (c) Event Data
      – Legal basis = Legitimate interests

  • Business Performance
      – We will use your: (a) Identity Data (b) Individual Data
      – Legal basis = Legitimate interests

  • Operation of our Website
      – We will use your: Technical data
      – Legal basis = Legitimate interests

What if the purpose changes?

XR will only use your personal data for the purposes for which it was collected at the beginning of our relationship, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact XR.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above or where this is required or permitted by law.

How XR stores personal data

For secure storage, XR does not transfer your personal data outside the European Economic Area (EEA). We do not normally share your personal data with anyone outside the EEA; however, we may do so when a circumstance or the Services we provide to you require us to do so, whilst ensuring that adequate measures are in place in order to keep your personal data secure when transferring your personal data to that third party.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions (where we act as data controller) and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Personal Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Generally, we keep personal data in accordance with our internal retention procedures, which are determined in accordance with our regulatory obligations and good practice. These retention periods depend on the nature of the information and are subject to change. If you have any questions in this regard, please contact us using the details below.


We may send you marketing material where you are a business customer and we consider the marketing material to be relevant to you or where you are a business customer and we have previously provided you with Services, and you have not opted out of receiving such communication. 

You can update your marketing preferences by emailing

Your Rights

Under certain circumstances, you have rights under Data Protection Legislation in relation to your personal data. Your rights are as follows:   

  • Request access to your personal data;
  • Request correction of your personal data;
  • Request erasure of your personal data;
  • Object to processing of your personal data;
  • Request restriction of processing your personal data;
  • Request transfer of your personal data;
  • Right to withdraw consent.

To exercise any of the above rights please contact us using the details below.

Where you exercise your right to erasure or where information is deleted in accordance with XR’s retention policy, please note that after the deletion of your personal data, it cannot be recovered, so if you require a copy of this personal data, please request this during the period XR retains the data. Please note that where you make a request for us to delete your personal data, we may have another legal basis for retaining your personal data and we may do so for so long as the other legal basis remains valid. 

Where you exercise your right to request access to the information XR processes about you, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Where you provide us with information it is your responsibility to ensure that all such information is complete in all material respects and not misleading. The accuracy and appropriateness of our advice may be affected as a consequence of your failure to do so. If any information changes, please let us know so that we can keep it updated on our systems.


The Website is not intended for children and XR will not knowingly collect any personal data from persons under the age of 18. XR may collect personal data about children which is incidental to the Services it provides. In this case XR will ensure that such personal data is processed securely. 


If you would like to make a complaint in relation to how XR may have stored, used or processed your personal data, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (

XR would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Remember the Risks Whenever You Use the Internet

XR is committed to ensuring that your information is secure and has in place reasonable and proportionate safeguards and procedures to protect your personal information. While XR does its best to protect your personal information, XR cannot guarantee the security of any information that you transmit to XR and you are solely responsible for maintaining the secrecy of any passwords or other account information. 

External Websites

The Website may, from time to time, contain links to and from the websites of XR’s partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. XR is not responsible for the content of external internet sites and you are advised to read the privacy policy of external sites before disclosing any personal information.

Changes to this Privacy Policy

All changes to this Privacy Policy will be posted on this website from time to time.

The latest update of our Privacy Policy was made on 2nd January 2020.

Questions and Contact information

For any questions or for further information, please