Privacy Policy.
We take privacy seriously because our work depends on it. This policy explains what personal data we collect, why we collect it, how we look after it, and the rights you have over it.
Who we are
This policy applies to the website at onexe.com and to the professional services delivered by onexe (“onexe”, “we”, “us”, or “our”).
For the purposes of applicable data protection law — including the UK GDPR, EU GDPR, and the California Consumer Privacy Act as amended by the CPRA — onexe is the data controller for personal data collected through this website and for information you provide when contacting us. When we process personal data inside the tools and systems of a client engagement, we act as a data processor on that client's instructions under a separate data processing agreement.
Questions, requests, or complaints about this policy can be addressed to privacy@onexe.com.
What we collect
We collect only the personal data we need, in the following categories.
- Contact information — your name, email address, company, and the message you send us when you use the contact form, email us directly, or book a call.
- Engagement data — information you share with us while we scope or deliver a project, which may include business documents, tool credentials (always scoped and revocable), and sample data required to build and test the agents we ship.
- Website usage data — pseudonymous analytics events (page views, clicks, session duration, referrer, and approximate location derived from IP), collected via privacy-respecting analytics. We do not use these to build advertising profiles.
- Technical logs — IP address, browser type, and request metadata retained for short periods to protect the site from abuse and diagnose errors.
- Cookies and similar technologies — strictly necessary cookies that keep the site working, and (where we rely on your consent) analytics cookies. See “Cookies” below.
We do not knowingly collect special category data (such as health or biometric data) through this website. If a client engagement requires it, we agree the safeguards in writing before processing begins.
Why we use it
We use personal data only for clearly defined purposes, each tied to a legal basis under applicable law.
- To respond to your enquiries — processed on the basis of our legitimate interest in replying to people who contact us and, where relevant, to take steps at your request before entering a contract.
- To deliver services under a signed engagement — processed to perform the contract and to comply with the data processing terms within it.
- To run and improve the website — processed on the basis of legitimate interest for core operation, and on the basis of consent for non-essential analytics.
- To protect the site and our clients — processed on the basis of legitimate interest in preventing fraud, abuse, and unauthorised access.
- To comply with legal obligations — including tax, accounting, and lawful requests from regulators or courts.
AI and automated processing
onexe builds AI systems. You should understand how AI interacts with your data when you work with us.
- Public model training — we do not permit the use of your data to train third-party public foundation models. Our vendor contracts are configured to disable training on customer data where the vendor offers that setting, and we prefer vendors who offer it by default.
- Processing by AI vendors — agents we build may send prompts and task context to model providers (for example, Anthropic and OpenAI) to generate responses. These providers act as subprocessors under their own enterprise terms, with data handling commitments documented in our DPA.
- No solely automated decisions with legal effect — we do not use this website to make decisions about you that produce legal or similarly significant effects without a human in the loop. Where a client engagement uses automation to assist decision-making, we document the human review step in the runbook.
Who we share it with
We do not sell personal data, and we do not share it for cross-context behavioural advertising. We share personal data only with the following categories of recipient, under contract, and only to the extent needed.
- Subprocessors who provide the infrastructure we rely on — hosting, email, analytics, CRM, and the AI model providers that power the agents we build. A current list is available on request to privacy@onexe.com.
- Professional advisors — legal, accounting, and insurance advisors under confidentiality obligations.
- Authorities — when we are required by law, or to protect the rights, property, or safety of onexe, our clients, or the public.
- Successors — in the event of a corporate transaction such as a merger or acquisition, subject to this policy.
International transfers
Some of our subprocessors are located outside the United Kingdom and the European Economic Area, including in the United States. Where personal data is transferred outside those regions, we rely on recognised transfer mechanisms — typically the UK International Data Transfer Addendum and the EU Standard Contractual Clauses — together with additional safeguards where appropriate.
You can request a copy of the transfer mechanism and the supplementary measures in place for a given subprocessor by writing to privacy@onexe.com.
How long we keep it
We retain personal data only for as long as needed for the purpose we collected it, or for the period required by law.
- Contact enquiries that do not become engagements — up to twenty-four months.
- Client engagement records — for the duration of the engagement plus the period required by our tax, accounting, and professional obligations.
- Website analytics — event-level data for up to twenty-four months, in aggregate or pseudonymous form.
- Security logs — up to ninety days unless retained longer for incident investigation.
When the retention period ends we delete or irreversibly anonymise the relevant data.
How we protect it
We apply security measures proportionate to the risk, including encryption in transit, encryption at rest on supported platforms, principle-of-least-privilege access control, multi-factor authentication for team accounts, scoped and revocable credentials when accessing client systems, and documented incident response procedures.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two hours where required, and we will notify affected individuals without undue delay when the breach is likely to result in a high risk.
Your rights
Depending on where you live, you may have the following rights over your personal data.
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct data that is inaccurate or incomplete.
- Erasure — ask us to delete personal data when the legal basis for keeping it no longer applies.
- Restriction — ask us to limit how we use your data while a concern is resolved.
- Portability — receive your data in a structured, machine-readable format, and ask us to transmit it to another controller where technically feasible.
- Objection — object to processing based on our legitimate interests, and to any direct marketing.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting processing already carried out.
- Do not sell or share (California) — we do not sell personal information or share it for cross-context behavioural advertising. You can confirm this position in writing at any time.
- Complaint — lodge a complaint with your supervisory authority. In the UK that is the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email privacy@onexe.com. We respond within one month and may ask for proof of identity before releasing personal data.
Cookies
We use a small number of cookies. Strictly necessary cookies keep the site working and cannot be refused without breaking core functionality. Analytics cookies, where used, are loaded only with your consent.
You can clear cookies at any time using your browser settings. Refusing analytics cookies will not prevent you from using the site.
Children
Our services are not directed to children under the age of sixteen, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@onexe.com and we will delete it.
Changes to this policy
We may update this policy from time to time. When we do, we update the effective date at the top of the page. Material changes will be highlighted on the site before they take effect. Continued use of the site after an update means you accept the revised policy.
Contact
For privacy questions, requests, or complaints, write to privacy@onexe.com. For general enquiries, hello@onexe.com.