exxo.store | Effective Date: 26 March 2026 | Last Updated: 26 March 2026
1. Controller Identity
SYNTRIX NEXUS LTD ("Company", "we", "us"), registered in England and Wales under company number 17119014, registered office at 20 Wenlock Road, London, N1 7GU, England, United Kingdom, is the data controller for personal data processed in connection with the exxo.store platform at https://exxo.store. This Privacy Policy (“Policy”) explains how we collect, use, store, and share your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For all privacy enquiries and data subject rights requests, contact: [email protected]
Unless otherwise defined in this Policy, all capitalised terms shall have the meanings ascribed to them in the Terms and Conditions.
2. Data We Collect
2.1 Data You Provide
- Identity data: full name, date of birth (where age verification applies), government-issued identity documentation (where KYC is required).
- Contact data: email address, correspondence address where applicable.
- Account data: username, password hash, purchase history, account preferences.
- Transaction data: order references, products purchased, payment confirmation records.
- Communications data: content of messages sent to our support or compliance teams.
2.2 Data Collected Automatically
- Technical data: IP address, browser type and version, operating system, device identifiers.
- Usage data: pages visited, navigation paths, session duration, referral URLs.
- Cookie data: as described in our Cookie Policy.
2.3 Data from Third Parties
- Payment processors: transaction status and fraud screening outcomes.
- Identity verification providers: KYC verification results and risk assessments.
- Sanctions and fraud screening services: results of automated screening.
We process only personal data that is necessary, relevant, and limited to what is required for the purposes described in this Privacy Policy, in accordance with the principle of data minimisation under UK GDPR Article 5(1)(c).
3. Lawful Bases for Processing
| Processing Activity | Lawful Basis (UK GDPR Art. 6) |
|---|---|
| Account creation and management; Order processing and fulfilment; Digital Product delivery; Transaction communications | Performance of a contract – UK GDPR Art. 6(1)(b) |
| Identity verification and KYC under Money Laundering Regulations 2017; Tax and accounting record retention; Responding to regulatory or law enforcement requests; SAR filing with the NCA | Legal obligation – UK GDPR Art. 6(1)(c) |
| Fraud detection and prevention; Platform security monitoring; Internal analytics for Platform improvement; Internal analytics (where based on aggregated or non-identifiable data); Enforcement of Terms and Company legal rights | Legitimate interests – UK GDPR Art. 6(1)(f). Where processing is based on legitimate interests, we ensure that such interests are not overridden by your rights and freedoms, and we apply appropriate safeguards, including data minimisation and access controls. |
| Marketing communications (where opt-in consent obtained); Non-essential cookies and tracking technologies | Consent – UK GDPR Art. 6(1)(a) – withdrawable at any time |
4. Data Retention
| Category | Retention Period | Legal Basis |
|---|---|---|
| Account and transaction data | 6 years from last transaction | UK tax and accounting law |
| KYC and identity verification records | 5 years from end of business relationship | MLR 2017, Reg. 40 |
| AML records and SARs | 5 years from relevant transaction | POCA 2002 / MLR 2017 |
| Marketing consent records | Until withdrawal + 1 year | Accountability — UK GDPR Art. 5(2) |
| Support communications | 3 years from resolution | Legitimate interests |
| Cookie consent records | 1 year | PECR accountability |
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised in accordance with the Company's data destruction procedures.
5. Data Sharing
5.1 Data Processors
We share personal data with third-party service providers acting as data processors under written data processing agreements that impose equivalent data protection obligations. Categories include: payment service providers and card networks; KYC and AML compliance providers; cloud hosting and infrastructure providers; email delivery platforms; fraud detection and cybersecurity providers; analytics tools.
5.2 Regulatory and Law Enforcement Disclosure
We disclose personal data to competent authorities – including the National Crime Agency (NCA), HM Revenue and Customs (HMRC), the Information Commissioner's Office (ICO), and courts of competent jurisdiction – where required or permitted by applicable law. Where the Company is subject to oversight by a specific financial regulator, personal data may also be disclosed to that regulator in accordance with its statutory powers. We are subject to the tipping-off prohibition under POCA 2002 s.333A and will not disclose the existence of a SAR or investigation where such disclosure would prejudice an investigation.
5.3 Corporate Transactions
In the event of a merger, acquisition, or sale of the business, personal data may be transferred to the successor entity subject to equivalent data protection obligations and notification to you.
6. International Transfers
The Company is incorporated and primarily operates in the United Kingdom. Where personal data is transferred to a third-party service provider located outside the UK, we ensure at least one of the following safeguards applies: (a) the recipient country benefits from a UK adequacy decision issued by the Secretary of State under UK GDPR Art. 45; (b) the transfer is governed by a UK International Data Transfer Agreement (IDTA) or an addendum to EU Standard Contractual Clauses approved by the ICO; or (c) another lawful transfer mechanism under UK GDPR Chapter V applies. Details of the specific mechanisms used for particular transfers are available upon written request to [email protected].
7. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, multi-factor authentication for administrative systems, and regular security assessments. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and, where the breach is high risk, notify affected individuals without undue delay, in accordance with UK GDPR Articles 33–34.
8. Your Rights
| Right | Summary |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your data where no overriding legal obligation requires retention. |
| Restriction (Art. 18) | Request restriction of processing in certain circumstances. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means. |
| Objection (Art. 21) | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw Consent | Withdraw consent at any time; withdrawal does not affect prior lawful processing. |
To exercise any right, submit a written request to [email protected]. We will respond within one (1) calendar month, extendable by two further months for complex requests. We may need to verify your identity before processing your request.
9. Right to Complain to the ICO
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
We encourage you to contact us first so that we can address your concerns directly.
10. Automated Decision-Making
We use automated systems as part of fraud prevention and AML screening. Where automated processing produces decisions with legal or similarly significant effects, we will inform you and, subject to applicable law, provide the right to request human review of that decision.
11. Children
The Platform is not directed at children under eighteen (18). We do not knowingly collect personal data from individuals under this age. If you believe a child has provided data to us, please contact [email protected] and we will take prompt steps to delete such data.
12. Changes to This Policy
We may update this Privacy Policy at any time to reflect changes in applicable law, regulatory guidance, or our processing activities. The updated version will be published on the Platform with a revised effective date. For material changes, we will notify registered Users by email at least thirty (30) days before the changes take effect where practicable.
13. Contact
Data Controller: SYNTRIX NEXUS LTD
Company Number: 17119014
Registered Address: 20 Wenlock Road, London, N1 7GU, England, United Kingdom
Privacy Enquiries: [email protected]
Compliance: [email protected]
Website: https://exxo.store
This Privacy Policy was adopted by SYNTRIX NEXUS LTD on 26 March 2026.