GDPR Compliance
How xNord meets UK GDPR and supports your rights as a data subject.
Last updated: 19 March 2026
xNord Ltd · Registered in England and Wales · legal@xnord.co.uk
Overview
xNord is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains our approach to GDPR compliance and how we uphold your rights as a data subject.
xNord Ltd acts as the data controller for personal data processed through our platform. For email processing (AI triage and draft generation), subprocessors operate only on our instructions — typically self-hosted inference, or an approved commercial API where explicitly configured.
Data controller
Company: xNord Ltd
Registered in: England and Wales
Data protection contact: legal@xnord.co.uk
Response time: within 5 business days
We are not currently required to appoint a Data Protection Officer (DPO) but have designated a responsible person for data protection matters who can be contacted at the address above.
Lawful basis for processing
| Processing activity | Lawful basis |
|---|---|
| Providing the Service (account, inbox processing, drafts) | Contractual necessity (Article 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Analytics and product improvement | Legitimate interests (Article 6(1)(f)) |
| Sending transactional emails | Contractual necessity (Article 6(1)(b)) |
| Sending marketing emails | Consent (Article 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
Your rights under UK GDPR
Right of Access (Article 15)
You have the right to obtain a copy of all personal data we hold about you and information about how we process it. Submit a Subject Access Request (SAR) to legal@xnord.co.uk. We will respond within 30 days. We may ask you to verify your identity. There is no charge for a SAR unless the request is manifestly unfounded or excessive.
Right to Rectification (Article 16)
If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. Most account data can be corrected directly in Settings. For other data, email legal@xnord.co.uk.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purpose it was collected, when you withdraw consent, or when you object to processing and there are no overriding legitimate grounds.
Some data may be retained where we have a legal obligation to do so (e.g. financial records for 7 years). We will tell you if any data cannot be deleted and why.
Right to Restriction (Article 18)
You have the right to request that we restrict processing of your data in certain circumstances, such as while a rectification request is being assessed, or while you have objected to processing.
Right to Data Portability (Article 20)
Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format (JSON or CSV). Email legal@xnord.co.uk to request a data export.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is for the establishment, exercise, or defence of legal claims.
Rights Related to Automated Decision-Making (Article 22)
xNord uses AI to classify and triage your emails. This automated processing informs decisions about urgency, categorisation, and draft generation but does not produce legal or similarly significant effects on you. You have the right to request human review if you believe an automated decision has significantly affected you.
International data transfers
xNord processes data primarily within the EU/EEA. Default deployments use AI inference on infrastructure we control in-region. If you enable a third-party AI provider that processes outside the EU/EEA, we rely on appropriate safeguards (such as SCCs and DPAs) for those transfers.
Approved providers are contractually bound to process content only to deliver results to xNord and not to train models on your email body text.
Data protection by design
We have implemented data protection by design and by default as required by Article 25 UK GDPR:
- We collect only the minimum data necessary (data minimisation)
- Email body text is processed but not stored
- Row-level security ensures users can only access their own data
- OAuth tokens are encrypted with an additional application layer beyond database encryption
- Retention periods are defined and automatically enforced for each data category
Data processing agreements
We have Data Processing Agreements in place with all third-party processors who handle personal data on our behalf, including:
- AI inference subprocessors (as listed in your workspace settings)
- Supabase (database hosting)
- Stripe (payment processing)
- Resend (email delivery)
- Vercel (application hosting)
Complaints
If you are not satisfied with our response to a data rights request, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ico.org.uk
0303 123 1113