The document explains the personal data we process, how and where we may use it, how we protect it, who has access to it, with whom we share it, and how you may correct it according to the EU Regulation 2016/679 (GDPR).
As xpath.one ecosystem is a B2B solution, most of the data that we process is in fact company data. However, personal data of the employees of the parties, affiliates, commercial partners, consultants, etc might be used on the platform. In compliance with the GDPR, we treat all information that may identify a physical person as personal data and protect it accordingly.
any personal data exchanged between the Client and the Service Provider for the provision of Services or the fulfillment of Orders;
any personal data processed by the Nestlers Group outside the xpath.global Platform.
All definitions in the Terms and Conditions will apply to this document and will be completed with the definitions from the GDPR regulations.
If you register on our website, either as a Client or as a Service Provider, we will ask for the company data; that might include some basic personal data of the company representative, including name, telephone number or email address.
The Client may also create accounts on the xpath.global Platform for any of its expats, irrespective of their specific contractual relationship with the Client, such as employees of the parties, affiliates, commercial partners, consultants, etc. In these cases, data similar to the ones mentioned above may be required, but we may also ask for information that is directly relevant to you for using the Platform.
We might also collect data from you if you are using our interactive website tools such as customer reviews, posts or other material, or if there is any contact between us by email, telephone, postal mail or any other communication method such as online communication tools, social media, etc.
As regards the visitors on our website, we will only collect technical data for the proper usage of our website, unless they specifically consent to other services (e.g., they subscribe to the newsletter or they contact us).
The data that we might collect as described above, may be used for the following purposes:
As explained above, we manage a multi-service provider marketplace, listing services from many Service Providers – also known as suppliers. As a marketplace, we provide a platform for Clients to buy services from Service Providers.
We may contact you via phone or email to either resolve or process a technical issue, request your feedback or discuss any review, post or similar communication you had on our site. Also, if you have inquired about a particular service or have added it to My Favorites or in your Cart, we may email you or contact you in another manner with any relevant information regarding that particular service. For example, if you were interested in a certain product, and a new similar product is listed on our website, we may email you to inform you about this new product. We will not send you any email if you have previously “opted out” of receiving emails from us. You will always have an opportunity to opt out of such emails, before we send them to you.
If you subscribe to our newsletter or our blog updates, we will regularly send you updated information via email. Of course, you may always unsubscribe.
We process IP addresses to identify and prevent fraud. We can block an IP address if spam or any other harmful items are coming from this specific IP address.
Cookies are small text files that are placed on your computer by the websites you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Almost all web browsers allow some control of most cookies through the browser settings, which is the safest way to manage them.
Most of the cookies we use are first-party cookies added and managed by xpath.global and have a functional purpose.
You can change the cookie settings by adjusting the settings on your browser (see your browser’s Help section for how to do this) or use a plugin that does that for you – either for first-party or third-party cookies. Without our first-party cookies, the website functionality, including login, might not work.
To opt out of being tracked by Google Analytics across all websites, visit:
Below is a summary of the legal basis for each activity. We have conducted a “Legitimate Interests’ Assessment” for any process where Legitimate Interests are listed as the legal basis for processing such data.
Also, we don’t use any data for decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
In providing the xpath.global Platform, we cooperate with other third-party service providers that are data processors, who help us provide our marketplace services. These service providers include software companies or cloud platforms where we may store our client data. We have all necessary contracts and agreements in place with these providers to ensure all the legal and privacy protection that is required.
Basically, we will not reveal any personal data about its users to third parties without the exceptions mentioned above.
Exceptionally, we may reveal personal data to competent authorities, upon their legal request and in accordance with the applicable laws, or whenever this is necessary, in order to protect the rights and interests of our clients and of xpath.global.
We may also need to transfer your data outside of EEA (European Economic Area) for many reasons, but mostly if you wish to use or are using a service provider from our marketplace who is based outside of the EEA. Some countries offer a similar privacy protection as EEA countries, but others do not. In the event that data needs to be transferred to a country without similar protection, we will do everything reasonable to ensure that the recipient of your data complies to the highest international privacy standard possible.
We will keep your data for only as long as it is deemed necessary for the purpose that it was intended for and/or as legally required.
We will keep your account-related personal data for the entire period the Service Provider- or Client-account is open and 3 (three) years after its closure, for the proper fulfillment of the contract between the two companies or for the establishment, exercise or defense of legal claims between us and these parties.
As regards other data – for example for support activities – the data is kept for a period of up to 5 (five) years from the date and time the support activities were provided, unless the previous paragraph applies.
Regarding the legitimate interest-based communication, we will store the data until you object or you no longer show an interest for our products and services, unless the previous paragraph applies.
If we collect the data based on consent, we will keep it until you withdraw your consent or you no longer show an interest for our products and services.
In all these cases above, we might keep log data and other metadata for unsubscribing or data deletion, in case we receive a complaint from you or for the establishment, exercise or defense of legal claims.
If you choose, or you are provided with, a username, a password or any other piece of information as a part of our security procedures, you must treat such information as confidential. You must not disclose such information to any other person.
GDPR provides you with a number of legal rights. Some of these rights are listed above in the previous paragraphs. Additional rights are explained below.
Right of access – You have the right at any time to ask us for a copy of the personal information that we hold about you, and to check that we are lawfully processing it.
Right of rectification – If personal information that we hold about you is not accurate or is out of date and requires amendment or correction, you have a right to have the data rectified or completed.
Right of erasure – In certain circumstances, you have the right to request that personal information we hold about you is erased (e.g., if the information is no longer necessary for the purposes for which it was collected or processed).
Right to object or to restrict processing – In certain circumstances, you have the right to object to our processing of your personal information. For example, if we are processing your information on the basis of our legitimate interests, and there are no compelling legitimate grounds for our processing which override your rights and interests.
Right of data portability – In certain instances, you have a right to receive any personal information that we hold about you in a structured, commonly used and machine-readable format.
Right to withdraw consent – In the limited circumstances (such as the newsletter) where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. You can exercise this right by contacting us at email@example.com.
As explained above, you can exercise your right to withdraw consent, as well as any other rights under GDPR, by informing us by email at firstname.lastname@example.org. Alternatively, you can write us at the above-mentioned address, or inform us if you prefer to speak to us by telephone or by other means.
You also have the right to lodge a complaint with a competent supervisory authority or to complain in a competent court of law.