Auth Modal
The Company is committed to protecting your privacy. This Privacy Policy outlines how The Company collect, use, disclose, and safeguard your personal information when you engage with us including but not limited to our trade shows, including online events and services. We adhere to the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
Effective date: 29 September 2025.
Age: Our services are intended for adults aged 18+; we do not knowingly collect data from children.
Scope: This Policy applies to visitors and users of our websites and virtual event platforms. It does not cover exhibitors’ independent use of your details once you choose to share with them (see “Lead sharing”).
Interpretation & Definitions:
“Services” means our websites and virtual event platforms; “Visitor/User” means a non-exhibiting attendee or site user;
“Exhibitor” means a company/entity showcasing products/services; “Personal Data” has the meaning in UK GDPR;
“Processing” means any operation performed on Personal Data;
“Lead Data” means the contact details you choose to share with an Exhibitor; “Cookies/SDKs” includes web cookies, pixels, beacons, local storage, and mobile/JS SDKs;
“Special Category Data” means data listed in Art. 9 UK GDPR.
“Including” means “including without limitation.”
No Third-Party Rights: This Policy does not create any rights enforceable by any person other than you and Xpofairs.
a. Personal Information:
We collect personal information that you provide to us, including:
Exhibitors and Sponsors: Name, contact details (email address, phone number), company information, and preferences, job title, company affiliation, and areas of interest.
Attendees and Participants: Name, contact details, (email address, phone number), job title, company affiliation, and areas of interest.), company information, and preferences,
Visitors and Users (additional clarity): Account/profile data (name, email, role, company/affiliation), communication preferences, and push-notification preferences (if enabled).
Optional fields you may provide: job function/seniority, industry segment, interests you select, and any documents you upload (e.g., CVs or brochures).
We do not request or require Special Category Data; please do not submit it.
User Responsibility for Submissions: You are responsible for the lawfulness, accuracy, and rights associated with any data or documents you upload or submit, and you agree not to include Special Category Data or others’ personal data without a lawful basis.
b. Automatically Collected Information:
When you interact with our website or online platforms, we may collect:
Technical Data: IP address, browser type, operating system, and device information.
Usage Data: Pages visited, time spent on the site, and navigation paths.
Event/Attendance Data: Event areas visited, timestamps, feature usage, notification opens, and error diagnostics required to operate and secure the platform. We do not record visitor video; see “Transcripts/Accessibility” below.
Cookie/SDK Data (non-essential only with consent): Identifiers and events from analytics (e.g., GA4), marketing pixels (e.g., Meta), session replay/heatmaps, and cross-device/probabilistic matching technologies (where used).
Security Signals: Data from CAPTCHA/anti-abuse tools, rate-limiters, and infrastructure security services.
c. Information from Third Parties:
We may receive information from third-party services you link to our platform, such as social media profiles.
Security & Anti-abuse Services: Signals from CAPTCHA/anti-abuse providers that help us prevent fraud and automated misuse.
Single sign-on / integrations (if you use them): basic profile or token info needed to authenticate you and provide access.
We use your information to:
Facilitate registration and participation in our trade shows and events.
Enable communication between exhibitors, sponsors, and attendees.
Personalize and improve your experience on our platforms.
Send you updates, promotional materials, and information about our services, with your consent.
Analyse usage patterns to enhance our services.
Operate community features: Store and moderate chat/DMs, Q&A, polls, surveys, comments, and documents you upload to maintain a safe and professional environment.
Accessibility & Quality: Generate text transcripts/auto-captions (no visitor video recording by us) to support accessibility, moderation, and search.
Security & Integrity: Detect, prevent, and investigate fraud, abuse, and violations of our terms; protect the security of accounts and our platform.
Service optimisation: measure performance, diagnose issues, balance loads, and improve navigation and content relevance.
User support: respond to enquiries, troubleshoot issues, and provide service notices.
Direct marketing (with consent): email or push about events, features, and offerings; you can opt out at any time.
Aggregated insights: create de-identified or aggregated statistics to understand trends without identifying you.
De-identified/aggregated use and commercialisation: We may create, use, share, and commercialise de-identified or aggregated information for any purpose, and we will not attempt to re-identify individuals in such data.
The types of information that may be collected may include:
Personal contact details like your name, email address, mailing address, and phone number.
Information on education, nationality, and professional background
Demographic details, including gender and date of birth.
Account credentials, such as usernames and passwords.
Payment data, including credit or debit card numbers and bank account information.
Content provided by you, such as comments, feedback, ratings, posts, and survey responses.
Preferences for communication and areas of interest, along with any marketing permissions granted.
Location data, for instance, from mobile applications or Bluetooth beacons
Visual media, such as photos or videos, captured via CCTV, cameras in apps, or photographs required for exhibition and visiting events.
Audio recordings, like those collected through mobile apps.
Identity verification details, IP address and details of your website and communication activity, including usage of our services and interactions tracked by cookies or similar technologies.
Conduct legitimate business activities, such as internal reporting, data analysis, and operational improvements.
Clarifications for visitors: We do not collect visitor payment or KYC data (no ticketing via us). We do not use biometric recognition. Push/in-app messaging may be sent where you opt in.
User discretion: If you choose to upload documents or include sensitive information in free-text fields, you are responsible for ensuring such content is appropriate and lawful. Please avoid sharing Special Category Data.
If you have any questions or concerns about this Privacy Policy, please contact us at: Xpofairs, Rotunda Point, 11 Hartfield Crescent, London SW19 3RL.
Privacy Team email: privacy@xpofairs.com
Preferred contact method for rights requests: email with subject “Data Rights Request – Xpofairs”.
This privacy policy was last updated on 30 September 2025
Controller: Xpofairs, Rotunda Point, 11 Hartfield Crescent, London SW19 3RL, UK. Contact: privacy@xpofairs.com
Our processing of your personal data is based on:
Consent: For sending marketing communications.
Contractual Necessity: To fulfil our obligations to exhibitors, sponsors, and attendees.
Legitimate Interests: To improve our services, ensure security, and carry out business activities essential to our operations.
Detailed mapping (for transparency):
• Contract (Art. 6(1)(b)) — account signup/access; chat/DMs; Q&A/polls/surveys; document uploads; essential service communications.
• Legitimate Interests (Art. 6(1)(f)) — platform security; attendance/usage logging; moderation; accessibility transcripts; basic service analytics; fraud/abuse prevention. We have conducted balancing tests and determined these interests are not overridden by your rights and freedoms.
• Consent (Art. 6(1)(a)) — marketing emails; push/in-app notifications (where not strictly necessary); non-essential cookies/SDKs (analytics, marketing pixels, session replay/heatmaps, cross-device matching). You may withdraw consent at any time (this won’t affect processing before withdrawal).
• Legal Obligation (Art. 6(1)(c)) — disclosures required by law, regulatory requests, and record-keeping where applicable. Special Category Data: We do not intentionally process it; if you submit it, we may delete or restrict it to protect your privacy. Legitimate Interests documentation: We maintain legitimate-interest assessments (LIAs) and, where applicable, Data Protection Impact Assessments (DPIAs); summaries are available on request.
Legitimate Interests examples: ensuring availability, preventing abuse, debugging, measuring feature adoption, and safeguarding the community. We use proportionate safeguards such as access controls, data minimisation, and opt-outs where appropriate.
Sharing Your Information
Condition of Use and Participation:
By visiting our site and participating in any of our events, you acknowledge and agree that we may share your information with third parties as a condition of access. This includes sharing data with:
Other Entities in the Xpofairs Group for Specific Purposes:
For example, where they may assist in providing products and services to you, manage internal analysis of the usage of Xpofairs products and services, or offer relevant products and services which may be of interest.
Selected Third Parties that we work with for Service Delivery
For instance, when you register to attend an event hosted by us, we may need to share your information with third-party sub-contractors, service providers, or other Xpofairs Group entities. These may include IT and marketing technology providers, web and data hosting providers, mailing houses, ad servers, logistics and general service contractors, health and safety partners, event registration partners, sales platform providers, communication tool providers, stand designers/builders, suppliers of sponsorship/marketing/PR collateral, and other event collaboration partners. When using such third parties, we enter into contracts that endeavour to ensure the third party provides a level of data protection equivalent to that of the Xpofairs Group entity entering into the contract, and we take reasonable steps to ensure the contractor processes the personal data in a manner consistent with this Privacy Policy and our internal policies on the protection of personal data.
Any Other Xpofairs Group Entity or Selected Third Party for Marketing Purposes
We may share your data with other Xpofairs Group entities or selected third parties for marketing purposes.
Other Third Parties to Protect Our Legal Rights or for Law Compliance
We may disclose your information to other third parties as necessary to enforce our legal rights, protect the rights, property, or safety of our employees, or as permitted or required by law.
Third Parties in the Event of a Business Transaction
In the event of a sale, merger, acquisition, partnership, joint venture, collaboration, or negotiations related to any of these, we may share your personal information with third parties outside of the Xpofairs Group, such as the Securities Exchange.
Event and Product Partners (Co-branded, Co-delivered, or Sponsored Events)
Some of our events and products are co-branded, co-delivered, or sponsored by third-party exhibitors or sponsors. We may share your information with these third-party partners. The use of your details by these third-party partners will be governed by their privacy policies and notices and is not covered by this Privacy Policy.
Lead sharing to exhibitors (visitors): When you choose to share your contact details with an exhibitor (e.g., clicking “share details,” submitting a stand form, or similar), we will provide your name, email address, company, and role to that exhibitor. Xpofairs and the exhibitor act as independent controllers; the exhibitor’s subsequent use is governed by its own privacy notice. You can withdraw consent for future sharing at any time via your account/links provided. Processors (service providers):
We use providers for hosting/CDN, analytics, session replay/UX, messaging/email/push, CAPTCHA/anti-abuse, support, and security. They act on our instructions under data-processing agreements. No endorsement: Links or integrations with third-party sites/services are provided for convenience; their use is subject to their own terms and privacy notices. Lawful requests & prevention of harm: We may disclose data to competent authorities or parties where we reasonably believe it is necessary to comply with law, respond to valid legal process, or prevent imminent harm. Group analytics & operations: We may share de-identified or aggregated information within our group to analyse performance and improve services.
As we serve an international audience, your information may be transferred to and processed in countries outside the UK. We ensure appropriate safeguards are in place to protect your data in accordance with GDPR requirements.
Current position: We currently host and process visitor data within the UK. If a future transfer outside the UK is necessary, we will implement appropriate safeguards (e.g., UK IDTA/Addendum or adequacy decisions) and update this Policy.
Cross-border requests: Where a non-UK authority seeks access, we will assess the request’s validity and scope, and, where permitted, notify you before disclosure.
Global sub-processors (future-proofing): We may engage carefully vetted global sub-processors; where international transfers occur, we apply appropriate safeguards and, where relevant, supplementary measures (e.g., encryption in transit, access controls).
We retain personal data only as long as necessary and then delete or anonymise it. Unless a longer period is required for security, legal obligations, or to establish, exercise or defend legal claims, we apply the following maximum periods:
Typical retention ranges: We retain personal data only as long as necessary and then delete or anonymise it. Unless a longer period is required for security, legal obligations, or to establish, exercise or defend legal claims, we apply the following maximum periods:
• Accounts & profiles: up to 24 months after last activity.
• Chats/Q&A/surveys/comments: up to 24 months after the relevant event concludes.
• Attendance/technical logs: up to 12 months.
• Transcripts/auto-captions (no video): up to 12 months.
• Security/anti-abuse logs: up to 24 months.
• Lead-sharing audit records: up to 12 months.
Backups: encrypted and subject to rolling purge within 180 days.
Note: We may retain minimal suppression records (e.g., hashed email) to honour opt-outs.
Exhibitors set their own retention once they receive your lead details. Deletion & back-ups: Upon deletion, we will endeavour to remove personal data from active systems promptly; residual copies may persist in encrypted back-ups for up to 180 days under our disaster-recovery schedules before being overwritten.
Legal holds: Where necessary to establish, exercise, or defend legal claims, or to comply with legal obligations, we may retain relevant information beyond the standard periods.
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction.
Examples of measures: encryption in transit, access controls based on least privilege, logging/monitoring, vulnerability management, and periodic reviews of service providers. No system is perfectly secure; if you suspect account compromise, contact us immediately at privacy@xpofairs.com.
Account safety: Use unique, strong passwords; keep devices updated; be cautious with links from unknown sources.
Security research: If you discover a potential vulnerability, please report it responsibly to our Privacy Team; do not publicly disclose until we address it.
Operational safeguards: We may throttle features, restrict access, or disable accounts to protect platform integrity, security, and other users.
Xpofairs operates in countries with data protection laws that provide different rights to individuals in respect of access, deletion, rectification and limiting processing of personal information. In most cases the Controller will determine the rights you are entitled to. To exercise these rights, please contact us using the details provided below.
UK GDPR rights include: access, rectification, erasure, restriction, portability, and objection (including to processing based on legitimate interests), as well as the right to withdraw consent at any time (this does not affect the lawfulness of processing before withdrawal).
How to exercise: Use the contact details below; we typically respond within one month and may request information to verify your identity. Regulator: You may lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).
Requests handling: We may charge a reasonable fee or refuse manifestly unfounded or excessive requests, consistent with law. If we decline, we will tell you why and how to challenge the decision.
Representation: If you are acting on someone else’s behalf, please provide proof of authority.
Preference management: You can change marketing and cookie/SDK choices at any time via settings or links we provide. Identity verification & records: We may require proof of identity (for example, limited ID details) and retain a minimal record of your request and our response for audit and compliance purposes.
Erasure limits: We may decline to erase data needed for security logs, fraud prevention, legal obligations, or to establish, exercise, or defend legal claims, and we may retain limited suppression records to honour future opt-outs.
Our website uses cookies to enhance your experience. For more information, please refer to our Cookie Policy.
Consent & preferences: We use (a) strictly necessary cookies (no consent needed) and, with your consent, (b) analytics cookies/SDKs, (c) marketing/retargeting pixels, and (d) session replay/UX tools. You can manage or withdraw consent anytime via our cookie banner/settings. We honour applicable browser/OS-level consent signals where required by law.
Cookie categories: session/authentication, load balancing, security/anti-abuse, analytics/measurement, marketing/retargeting, and UX improvement (e.g., replay/heatmaps).
Cross-device choice: Where cross-device or probabilistic matching is used, it is subject to your consent and can be disabled via settings.
Our platforms may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to review their privacy policies.
Integrations: When you interact with embedded content or plugins, those providers may collect data subject to their own policies. Disable third-party cookies if you prefer.
No responsibility for third-party retention: We do not control third-party retention or security once you leave our Services or share data directly with third parties.
We may update this Privacy Policy periodically. Changes will be posted on this page with an updated effective date. We encourage you to review this policy regularly.
Material changes: For significant changes, we will provide appropriate notice in-product or on the Site. Versioning: We keep a change log noting substantive updates, dates, and a brief summary.
Continued use: Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
Annex A — Data Protection Principles (Informative)
We follow the UK GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Annex B — Lawful Basis Matrix (Summary)
(a) Contract: account, access, chats, Q&A/polls, service emails.
(b) Legitimate interests: security, logs, moderation, accessibility transcripts, basic analytics.
(c) Consent: marketing emails, push (non-essential), analytics/marketing cookies, session replay, cross-device matching.
(d) Legal obligation: required disclosures/compliance.
Documentation: We maintain LIAs/DPIAs where appropriate; summaries available on request.
Annex C — Your Choices & Controls
You can: manage marketing preferences; manage cookie/SDK consent; choose whether to share Lead Data with exhibitors; request a copy of your data; request deletion (subject to limits in “Your Rights”); download your data where feasible; and close your account.
Suppression: We may retain minimal suppression data (e.g., email hash) to ensure future opt-outs are honoured.
Annex D — Platform Integrity & Anti-Abuse (Privacy-Relevant)
We use security and anti-abuse tooling (including rate-limiting, bot detection, and behavioural signals). We may throttle features, restrict access, or disable accounts to protect users and the platform.
Version date: 30 September 2025.
