Vyxel Privacy Policy
Version: 1.1 Effective Date: 28 May 2026 Last Updated: 28 May 2026 Document Classification: Public
1. Introduction
1.1 Who we are
Vyxel is operated by Vyxel Ltd, a company incorporated in England and Wales under company number 17218517, with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom. Vyxel Ltd is registered with the United Kingdom Information Commissioner's Office under registration number ZC155592. In this policy, "Vyxel", "we", "us" and "our" mean Vyxel Ltd.
For the purposes of the United Kingdom General Data Protection Regulation, Vyxel Ltd is the data controller of the personal data described in this policy, save where we act as a data processor on behalf of a customer organisation under a separate Data Processing Agreement. Where we act as a processor, the customer organisation is the data controller and that processing is governed by the relevant Data Processing Agreement rather than by this policy.
1.2 What this policy covers
This policy describes how we collect, use and protect personal data when:
- you visit our website at vyxel.co.uk;
- you sign up for, or use, the Vyxel software platform;
- you communicate with us by email, telephone or in person;
- you interact with us in any other capacity in connection with our business.
1.3 When this policy applies
This policy applies from the Effective Date stated above. We may update this policy from time to time as described in section 10.
1.4 The legal framework
We process personal data in accordance with the United Kingdom General Data Protection Regulation, the Data Protection Act 2018 and, where applicable, the European Union General Data Protection Regulation. References in this policy to the "UK GDPR" are to the United Kingdom General Data Protection Regulation.
2. Information we collect
Vyxel is a property capture and digital twin platform. Most of the data we hold relates to buildings and the work carried out on them. The personal data we process is limited and is described below.
2.1 Information you provide directly
When you create an account, use the Vyxel platform, or otherwise interact with us, we collect the following categories of information that you provide:
| Category | Examples |
|---|---|
| Identity and contact information | Full name, work email address, job title, organisation membership, telephone number where you provide it |
| Account information | Username, role, notification preferences |
| Property and survey content | Property addresses, Unique Property Reference Numbers (UPRNs), 360-degree photographs, three-dimensional point clouds, external photographs, measurements, notes and reports that you upload or generate through the platform during a survey |
| Communication content | The content of messages you send to us, including support enquiries, sales enquiries and feedback |
2.2 Incidental personal data captured during surveys
The Vyxel platform is used by surveyors to capture imagery of residential properties. That imagery is primarily of buildings, fabric and building services. It may, however, incidentally contain personal data, for example faces of occupants or visitors who happen to be present during the survey, vehicle registration plates, personal possessions visible in the property, or correspondence visible in shared areas.
Where faces are detected in 360-degree imagery, the platform applies automatic blurring at the point of processing. Automatic detection is not perfect; residual incidental personal data may remain in captured imagery. Customer organisations operating the platform are responsible for instructing surveyors appropriately and for managing the imagery once captured.
2.3 Information collected automatically
When you use the Vyxel platform or our website, we automatically collect certain technical information, including:
| Category | Examples |
|---|---|
| Device and connection information | Internet protocol address, browser type and version, operating system, device identifiers, timezone setting |
| Usage information | Pages visited, features used, navigation patterns, timestamps |
| Error and performance information | Stack traces of unhandled exceptions, performance traces and application logs, with personal data filtered at source where reasonably practicable |
| Cookies and similar technologies | Session identifiers, authentication tokens, theme preferences, as described in section 2.5 |
2.4 Information from third parties
We receive limited information about you from our authentication sub-processor, Clerk, comprising the email address, name and identity provider user identifier associated with your account. We do not receive information about you from advertising networks, data brokers or social media providers in connection with the operation of the Vyxel platform.
2.5 Cookies and similar technologies
We use cookies and similar technologies for the following purposes:
- Strictly necessary cookies, including session cookies issued by our authentication sub-processor, that are required for the operation of the platform. These cookies are exempt from the consent requirement under the Privacy and Electronic Communications Regulations.
- Functional cookies that store user preferences, including theme preference and dismissal of one-time prompts. These cookies do not identify you to third parties.
We do not currently use advertising cookies, third-party analytics cookies or social media tracking cookies on the Vyxel platform. Where this changes in future, we shall update this policy and, where required, request your consent.
3. How we use your information and our lawful basis
We use personal data for the purposes set out in the following table. For each purpose, we identify the lawful basis on which we rely under Article 6 of the UK GDPR.
| Purpose | Examples | Lawful basis |
|---|---|---|
| Providing the platform | Creating and maintaining your account, processing captures, generating deliverables, supporting workflows you initiate | Article 6(1)(b) Contract |
| Authenticating and securing access | Verifying your identity, issuing and validating session tokens, supporting multi-factor authentication | Article 6(1)(b) Contract |
| Communicating with you | Sending transactional emails (invitations, password resets, notifications, service announcements), responding to your enquiries | Article 6(1)(b) Contract |
| Marketing communications | Sending occasional updates about the Vyxel platform to business contacts who have opted in or who are reasonably contacted under the soft opt-in for existing customers | Article 6(1)(a) Consent or Article 6(1)(f) Legitimate Interests |
| Maintaining the security of the platform | Detecting and investigating security incidents, preventing fraud and abuse, maintaining audit logs | Article 6(1)(f) Legitimate Interests |
| Improving the platform | Analysing usage patterns to inform platform development, with personal data filtered at source where reasonably practicable | Article 6(1)(f) Legitimate Interests |
| Complying with legal obligations | Responding to lawful requests, meeting our obligations under the UK GDPR (including breach notification), maintaining records for regulatory purposes | Article 6(1)(c) Legal Obligation |
| Establishing, exercising or defending legal claims | Where necessary in the context of legal proceedings, regulatory investigations or contractual disputes | Article 6(1)(f) Legitimate Interests |
Where we rely on legitimate interests, we have assessed the balancing test required by Article 6(1)(f) of the UK GDPR and concluded that those legitimate interests are not overridden by your interests, rights and freedoms. You may request further information about our legitimate interests assessment by contacting us as set out in section 11.
4. How we share your information
4.1 Sub-processors and third parties
We engage a small number of sub-processors to operate the Vyxel platform. The current sub-processors are:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Clerk | Authentication and identity management | United States |
| Cloudflare | Object storage (Cloudflare R2) and content delivery | European Union |
| Neon | Managed PostgreSQL database | London, United Kingdom |
| Resend | Transactional and operational email | European Union |
| Sentry | Application error monitoring | Germany |
We shall update this list when sub-processors are added, replaced or removed.
4.2 With your organisation
If you are an authorised user of an organisation that operates the Vyxel platform under a service agreement, your activity on the platform is visible to the administrators of your organisation in accordance with the role and permission model of the platform.
4.3 For legal reasons
We may disclose personal data:
- where required to do so by law, court order or other lawful demand;
- to comply with our regulatory obligations, including notifications to the Information Commissioner's Office under the UK GDPR;
- to establish, exercise or defend legal claims;
- where necessary to prevent fraud, protect the security of our systems or protect the rights, property or safety of our customers, our users or others.
4.4 In the event of a corporate transaction
If we are involved in a merger, acquisition, financing or sale of business assets, personal data may be transferred as part of that transaction. In any such case, we shall take reasonable steps to ensure that the personal data continues to be protected in accordance with this policy and applicable law, and we shall notify affected data subjects where required to do so.
4.5 No sale of personal data
We do not sell personal data to third parties. We do not share personal data with advertising networks or data brokers in connection with the operation of the Vyxel platform.
5. Where your data is stored and international transfers
Primary customer data is held in the United Kingdom and the European Economic Area. In particular:
- the application database is hosted by Neon in London, United Kingdom;
- captured imagery and other object data are stored in Cloudflare R2 with European Union data residency.
Certain of our sub-processors are incorporated in or operate from the United States of America (notably Clerk, which provides authentication services). Where personal data is transferred outside the United Kingdom or the European Economic Area to a destination that is not subject to a current adequacy decision, we put in place appropriate safeguards under Chapter V of the UK GDPR.
These safeguards may include:
- the United Kingdom International Data Transfer Addendum issued by the Information Commissioner;
- the Standard Contractual Clauses adopted by the European Commission under Commission Decision (EU) 2021/914;
- where applicable, the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework certifications held by the relevant sub-processor.
6. Data retention
6.1 General principles
We retain personal data only for as long as is necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, regulatory or reporting requirements that apply to us or to our customers.
6.2 Survey and property records
The Vyxel platform is used to record evidence in support of whole-house retrofit work delivered under PAS 2035:2023. PAS 2035 requires the relevant evidence to be retained for a period of seven (7) years. Accordingly, survey content, including 360-degree imagery, 3D point clouds, external photographs, measurements and reports, is retained for a minimum of seven (7) years from the date of capture or such longer period as agreed with the relevant customer organisation.
6.3 Account data
When you, or your organisation administrator, request the deletion of your account, your personal data fields are anonymised or deleted in accordance with our standard account deletion process. A short grace period may apply to allow recovery from accidental deletion.
6.4 Backup data
Backup data is held by our managed database sub-processor under a point-in-time recovery window. Personal data that has been deleted from production may remain recoverable from backup for the duration of that window, after which it is no longer retrievable.
6.5 Telemetry data
Operational telemetry held by Sentry and application logs held by our hosting provider are retained for the periods set by those providers (typically up to ninety days). Personal data is filtered from telemetry payloads at source where reasonably practicable.
6.6 Marketing data
Where you have provided your contact details for marketing purposes, we retain those details for the duration of your interest in our services. You may withdraw your consent or opt out at any time as described in section 7.
7. Your rights under the UK GDPR
Subject to the conditions and exceptions in the UK GDPR, you have the following rights in respect of your personal data:
| Right | Description |
|---|---|
| Right of access (Article 15) | You may request a copy of the personal data we hold about you. |
| Right to rectification (Article 16) | You may request the correction of personal data that is inaccurate or incomplete. |
| Right to erasure (Article 17) | You may request the deletion of your personal data in the circumstances set out in the UK GDPR. |
| Right to restriction of processing (Article 18) | You may request that we restrict the processing of your personal data in the circumstances set out in the UK GDPR. |
| Right to data portability (Article 20) | You may request the transmission of your personal data to another data controller in a structured, commonly used and machine-readable format. |
| Right to object (Article 21) | You may object to the processing of your personal data in the circumstances set out in the UK GDPR, including in respect of direct marketing communications. |
| Right to withdraw consent | Where we rely on your consent for a particular processing activity, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal. |
| Right not to be subject to automated decision-making | We do not make decisions affecting you based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. |
| Right to lodge a complaint | You have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk. |
To exercise any of these rights, please contact us at privacy@vyxel.co.uk. We shall respond to your request within one month of receipt, extending the response period by a further two months where necessary, taking into account the complexity and number of requests, in accordance with Article 12(3) of the UK GDPR. We may need to verify your identity before responding to your request.
8. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Those measures include transport security using Transport Layer Security on all public endpoints, encryption at rest at the database and object storage layers, role-based access control, multi-factor authentication, audit logging and application error monitoring with personal data filtered at source where reasonably practicable.
No method of transmission over the internet or method of electronic storage is completely secure. While we apply the measures described above and undertake regular review, we cannot guarantee absolute security. If you believe that the security of your account has been compromised, please contact us immediately at security@vyxel.co.uk.
9. Children
The Vyxel platform is not directed at children and is intended for use by professionals operating in the United Kingdom property and housing retrofit sector. We do not knowingly collect personal data from children under the age of 16. If you believe that a child has provided us with personal data, please contact us at privacy@vyxel.co.uk and we shall take steps to delete the personal data.
10. Changes to this policy
We may update this policy from time to time. The Last Updated date at the top of this policy indicates when the policy was last updated. Where we make a material change to this policy that affects your rights or our processing of your personal data, we shall provide you with notice (for example, by email or through a notice on the Vyxel platform) before the change takes effect.
11. Contact us
If you have any questions about this policy, would like to exercise your rights under the UK GDPR, or would like to make a complaint about the way we handle your personal data, please contact us:
| Subject | Contact |
|---|---|
| Data protection enquiries | privacy@vyxel.co.uk |
| Security enquiries | security@vyxel.co.uk |
| General enquiries | hello@vyxel.co.uk |
| Postal address | Vyxel Ltd, 128 City Road, London, EC1V 2NX, United Kingdom |
The supervisory authority for the processing described in this policy is the Information Commissioner's Office. Our registration number is ZC155592. The Information Commissioner's Office can be contacted at ico.org.uk or on 0303 123 1113. You have the right to lodge a complaint with the Information Commissioner's Office at any time.
End of Privacy Policy.