Privacy Notice – EXU

Effective date: December 2025 Entity responsible: EXU IT Consultancy

EXU values the protection of your personal data and is committed to handling it in a lawful, fair, and transparent manner, in line with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and applicable privacy laws.

1. Identity & Contact

EXU acts as the data controller for personal data collected in the course of its consultancy, recruitment, and project activities. For privacy inquiries, you may contact our Data Protection Officer (DPO) at: privacy@exu-consulting.com.

2. What Data We Collect

We may collect and process:

  • Identification details (name, email, phone, address).

  • Professional information (CV, role, skills, project history).

  • Company and client contact data.

  • Technical information (IP address, login details, usage data).

  • Financial and contractual data when relevant.

3. Purposes of Processing

Your personal data is processed for:

  • Client & project management – maintaining contacts, contracts, and project records.

  • Recruitment & staffing – matching consultants and freelancers to client missions.

  • Communication – newsletters, updates, and professional information.

  • Legal & compliance – fulfilling contractual and regulatory obligations.

  • Service improvement – analysing data and, where appropriate, using AI tools to enhance efficiency and accuracy.

4. Use of AI Tools

EXU may use licensed AI tools (e.g., Copilot) to support consultants and clients.

  • AI is used only to assist business activities, never to replace human oversight.

  • Data sets are tested to minimise bias and ensure accuracy.

  • Technical and organisational safeguards are applied to protect personal data.

5. Sharing of Data

We may share personal data with:

  • Trusted partners (IT infrastructure, payroll, compliance providers).

  • Clients, when required for project onboarding or security clearance.

  • Entities within EXU’s group structure, for legitimate business purposes.

Data is not transferred outside the European Economic Area (EEA) unless adequate safeguards are in place.

6. Retention Periods

  • Candidates not retained: up to 2 years (or 5 years with consent).

  • Contractual relationships: up to 10 years after contract end, for legal and financial obligations.

  • Technical data (e.g., IP addresses): retained per cookie policy and system logs.

7. Your Rights

You have the following rights under GDPR:

  • Right of access and copy.

  • Right to rectification.

  • Right to erasure (“right to be forgotten”).

  • Right to restrict processing.

  • Right to withdraw consent.

  • Right to object (including to direct marketing).

  • Right to data portability.

  • Right to lodge a complaint with your national Data Protection Authority.

8. Security

EXU applies appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse.

9. Updates

This Privacy Notice may be updated to reflect changes in law, technology, or EXU’s practices. The latest version will always be available on EXU’s website.