We take data protection seriously. Here's how Xpeak, operated by Ooh Marketing Limited (Company No. 16860604), complies with the UK GDPR and Data Protection Act 2018.
Request a full copy of all personal data we hold about you or your customers at any time. We will respond within 30 days.
Request deletion of your data. We'll remove it within 30 days, unless legally required to retain it. Email privacy@xpeak.io with subject 'Data Deletion Request'.
Export your data in a machine-readable format via your account settings or by contacting us. Take your data with you if you leave.
Ask us to limit how we process your data while a complaint or request is being resolved.
We'll always tell you clearly what data we collect, why, and how it's used. No hidden practices.
Object to processing of your data for specific purposes, including direct marketing.
When you use Xpeak to manage your customers' WhatsApp conversations, Ooh Marketing Limited acts as a Data Processor on your behalf. You remain the Data Controller of your customer data. We process data strictly according to your instructions and for the purposes of providing our Service.
As a Meta Tech Provider, we access the WhatsApp Business API on behalf of your business. All data obtained through the WhatsApp Business Solution is processed solely to deliver our messaging services — we do not use this data to build user profiles, retarget individuals, or share it with third parties beyond the sub-processors listed below.
We process personal data under the following lawful bases:
Contract: Processing necessary to provide the Service you've subscribed to.
Legitimate Interest: Platform security, fraud prevention, and service improvement.
Legal Obligation: Where required to comply with applicable laws, including UK GDPR and the Data Protection Act 2018.
Consent: Marketing communications and optional analytics.
We offer a Data Processing Agreement (DPA) to all business customers. The DPA outlines our obligations as a data processor, including security measures, sub-processor notifications, and breach notification procedures. Contact privacy@xpeak.io to request a DPA.
We use the following sub-processors to deliver our Service. All sub-processors are bound by data processing agreements and required to maintain appropriate security measures:
We will notify you of any changes to our sub-processors with reasonable advance notice.
As a Meta Tech Provider, we are bound by WhatsApp's Business Solution Terms regarding data use. Specifically, data obtained through the WhatsApp Business API must not be used to:
Xpeak processes WhatsApp data exclusively to deliver messaging, automation, and customer support services on your behalf.
Where data is transferred outside the UK (for example, to OpenAI, Stripe, or Clerk in the US), we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO, and verification that receiving countries provide adequate data protection under UK GDPR Article 46.
In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware, notify the ICO where required by law, document the breach including its nature, effects, and remedial actions taken, and provide support in notifying affected data subjects where necessary.
To request deletion of your personal data or your customers' data, email us at privacy@xpeak.io with the subject line "Data Deletion Request". You can also manage your data directly from your account settings. We will action all deletion requests within 30 days.
For GDPR-related enquiries, data subject access requests, or to exercise any of your rights, contact us at privacy@xpeak.io. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Ooh Marketing Limited
Company No. 16860604
Flat 18 Eton House, Anglian Close, Watford, England, WD24 4RF
privacy@xpeak.io