Privacy Policy

Version 1.0 · Effective date: 28 May 2026

OnXR Ltd ("OnXR", "we", "us", "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store and protect personal data when you visit onxr.co.uk or interact with OnXR. It applies to personal data processed in our capacity as data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

OnXR Ltd is a company registered in England and Wales (Company No. 15927771) with its registered office at Arena Offices, 100 Berkshire Place, GF33, Winnersh, Berkshire, RG41 5RD, United Kingdom. OnXR Ltd is the data controller for personal data processed in connection with this website and our wider business activities.

2. How to contact us

For any privacy-related enquiry, including data subject rights requests, write to our Data Protection Officer at dpo@onxr.co.uk, or by post to the address in section 1 marked "FAO: Data Protection Officer". You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

3. What personal data we collect

We collect personal data only when you choose to provide it. The main routes are:

• Website contact form: your name, work email address, organisation (optional) and the content of your message.
• Direct contact: if you email us at hello@onxr.co.uk or another OnXR address, we will hold the email correspondence, your email address and any information you include.
• Technical data: standard server logs (IP address, browser type, pages visited, referral source, timestamps) are recorded by our hosting provider for security and operational purposes.
• Analytics, with your consent: if you accept analytics via our consent banner, Google Analytics 4 may set cookies that record anonymised information about your visit (with IP anonymisation enabled). See our Cookie Policy.

We do not deliberately collect special category data (such as health, ethnicity or biometric data) through the website. Please do not include such data in messages to us unless we have specifically asked you to.

4. Lawful bases for processing

We rely on the following lawful bases under UK GDPR Article 6:

• Legitimate interests (Art. 6(1)(f)) for responding to enquiries you submit, for protecting our website and IT systems, and for direct B2B sales and marketing communications to organisations that have expressed interest in our platform. Our legitimate interest is the operation and growth of our business; we have assessed that this does not override your rights and freedoms.
• Consent (Art. 6(1)(a)) where you have opted in to specific communications or to non-essential cookies.
• Contract (Art. 6(1)(b)) where processing is necessary to take steps at your request prior to entering into a contract, or to perform a contract you are party to.
• Legal obligation (Art. 6(1)(c)) where we are required to process data to comply with UK law (for example, tax, accounting or regulatory record-keeping).

5. How we use your data

• Respond to enquiries and provide requested information about OnXR.
• Send relevant follow-up communications about OnXR's products and services where there is a legitimate B2B interest.
• Operate, secure and improve the OnXR website and our internal systems.
• Comply with our legal and regulatory obligations.

We do not sell or rent personal data to third parties. We do not use personal data for automated decision-making with legal or similarly significant effects.

6. Who we share data with

We share personal data only with carefully selected processors who help us run our business:

• Web3Forms processes contact form submissions on our behalf and forwards them to our team inbox. Web3Forms is governed by its published data protection terms; international transfers are made on the basis of those terms and any applicable UK GDPR transfer safeguards.
• Microsoft 365 (Microsoft Ireland Operations Ltd) provides our email and document collaboration; data is hosted in EU/UK data centres.
• Our hosting provider (UK-based) stores website data and server logs in the United Kingdom.
• Google Analytics (Google Ireland Ltd, if you have accepted analytics) provides aggregated usage statistics with IP anonymisation enabled.

We will also disclose personal data where required to do so by law, by a court order, by a regulator with jurisdiction, or to protect the rights, property or safety of OnXR, our customers or others.

7. International transfers

Where personal data is transferred outside the UK, we ensure an appropriate UK GDPR transfer mechanism is in place. This typically means transfers under the UK International Data Transfer Addendum (UK IDTA) to the EU Standard Contractual Clauses, or transfers to countries the UK Government has determined provide an adequate level of protection.

8. How long we keep your data

• Contact-form enquiries and email correspondence: typically 24 months from the date of last meaningful contact, after which records are reviewed for deletion or anonymisation.
• Customer and contract records: for the duration of the contract plus 7 years to meet UK accounting and statutory record-keeping obligations.
• Server logs: typically 90 days, longer where retention is needed for a security investigation.
• Analytics data: retained at the default Google Analytics 4 retention setting (currently 14 months).

9. Your rights

Under UK GDPR you have the right to:

• Be informed about how your data is used (this notice).
• Request access to a copy of your personal data ("subject access request").
• Request correction of data that is inaccurate or incomplete.
• Request erasure of your data ("right to be forgotten") where applicable.
• Request restriction of processing in defined circumstances.
• Object to processing based on legitimate interests, including direct marketing.
• Request data portability where processing is based on consent or contract and is carried out automatically.
• Withdraw consent at any time where consent is the lawful basis.
• Lodge a complaint with the ICO (see section 2).

To exercise any of these rights, contact dpo@onxr.co.uk. We will respond within one calendar month. We may ask you to verify your identity before processing the request.

10. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction, including transport encryption and access controls appropriate to the risk. No system is perfectly secure; if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals where required.

11. Cookies

Our use of cookies is described in our Cookie Policy.

12. Children's data

The OnXR website is intended for business users and is not directed at children under the age of 16. We do not knowingly collect personal data from children.

13. Changes to this policy

We may update this Privacy Policy from time to time. The effective date at the top of the page reflects the most recent version. Where changes are material we will take reasonable steps to bring them to your attention.

Any questions about this policy should be sent to dpo@onxr.co.uk.