ExR Solutions Limited

Contributors’ Privacy Policy

FOR STAFF, CREW, CONTRACTORS, AND INDIVIDUALS FEATURED IN OUR CONTENT

Updated December 2025

This privacy policy sets out how ExR Solutions Limited (“ExR”, also “we”, “us”, and “our”) uses and protects personal data specifically belonging to:

Workers: our employed and contracted staff, production crew, pre‑ and post‑production team, and other freelancers, artists, subject matter experts and professionals engaged by us to work on a project; and
Featured Individuals: people captured on camera and/or featured on‑screen in our videos or other audiovisual content, such as medical professionals, hospital staff and patients

For ease, Workers and Featured Individuals are referred to collectively as “Contributors” throughout this policy. Where a provision applies only to one type of Contributor, it is clearly marked as such.

If you interact with us in a general, non‑Contributor capacity — for example, as a visitor to our website, viewer of our content, or if you are one of our other business partners, collaborators, or service providers — please refer to our General Privacy Policy for details on how we process personal data in those circumstances.

IMPORTANT INFORMATION AND WHO WE ARE (section 1)
TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU (section 2)
HOW IS YOUR PERSONAL DATA COLLECTED? (section 3)
HOW WE USE YOUR PERSONAL DATA (section 4)
MARKETING (section 5)
DISCLOSURES OF YOUR PERSONAL DATA (section 6)
INTERNATIONAL TRANSFERS (section 7)
DATA SECURITY (section 8)
DATA RETENTION (section 9)
YOUR LEGAL RIGHTS (section 10)
CONTACT DETAILS (section 11)
COMPLAINTS (section 12)
CHANGES TO THIS PRIVACY POLICY AND / OR YOUR DATA (section 13)
THIRD PARTY LINKS (section 14)
CCTV (section 15)

1. IMPORTANT INFORMATION AND WHO WE ARE

Important Information.

If you contribute either on‑screen or behind the scenes in relation to an ExR project or audiovisual content, we refer to you as a “Contributor”. This privacy policy provides information about how ExR collects and uses personal data belonging to our Contributors and prospective Contributors. For information about how we process your data when you interact with us in a non‑Contributor capacity (for example, when you simply visit our Website or engage with us on social media, or if you are a supplier or collaborator of ours) please see our General Privacy Policy.

It is important that you read this privacy policy together with any other privacy/data‑protection notice or clauses we may provide on specific occasions so that you are aware of how and why we are using your personal data. This privacy notice supplements other notices and privacy policies and is not intended to override them, except where otherwise stated in those other privacy policies.

Our Website is not intended for children and we do not knowingly collect or process personal data belonging to children.

Who We Are.

EXR SOLUTIONS LIMITED, a company incorporated in England and Wales (co. reg. no. 12653591) with registered offices at 1 Pickle Mews, London, SW9 0FJ, United Kingdom (“ExR”), is an educational media company producing medical training videos and immersive VR content.

For the purposes of data‑protection law, ExR is the ‘controller’ and responsible for your personal data. If you have any questions about this privacy policy, including any requests to exercise your legal rights (section 10), please contact us using the information set out in the contact details section (section 11).

2. THE TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU

Under the UK General Data Protection Regulation (UK GDPR), “personal data” means any information about a living individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you as a Contributor or prospective Contributor, which we have grouped together as follows:

Identity Data such as first name, surname and date of birth
Professional Data such as your job, employer or role in a work‑related context, to include any qualifications or degrees (where relevant)
Contact Data such as email address and telephone numbers. This may also include emergency contact details and next‑of‑kin information (where appropriate)
Financial & Payment Data such as bank account details, tax identification (NIN), payroll data (for PAYE or contractors), invoicing details, pension contributions
Engagement Contract Data such as the terms of your engagement with us (role, duration, remuneration), contractual obligations, NDAs, consents or release forms, and where necessary, your right‑to‑work and immigration status (including copies of your passport and/or visas and work permits)
Footage Data such as image, audio & video of your performance(s), images, headshots, behind‑the‑scenes footage, voice recordings, performance footage, production stills, and other audiovisual content depicting your likeness or characteristics
Technical Data related to your use of our Website or IT systems such as internet protocol (IP) address, browser type and version, time‑zone setting and location, browser plug‑in types and versions, operating system and platform
Usage Data such as information about how you interact with and use our Website and IT systems
Marketing Data such as your preferences in receiving marketing from us and our third parties and your communication preferences
Project Data such as production schedules, audition/interview recordings, contracts, consultation and other meeting notes, storyboards, correspondence and planning documents that include personal details
Legal & Compliance Data such as information containing personal data and related to regulatory compliance, contract disputes, tax and audit records, and rights management, contractual obligations, and compliance with applicable health, safety and/or safeguarding requirements

Special Category Data: ExR will only process sensitive (“special category”) personal data, such as health information, where it is strictly necessary and permitted by law. For example, you may inform us of accessibility requirements to facilitate a safe and efficient visit to filming locations or certain sites. In such cases, we will only process such data where we have obtained your explicit consent or where processing is otherwise permitted under UK GDPR, and always in compliance with applicable data‑protection laws. If you are a Contributor or prospective Contributor, the special category data you may be asked to provide includes:

Union Membership Data: e.g. if you are a member of the BMA, UNISON, HCSA, or BECTU.
Criminal & Background Check Data: criminal record self‑disclosure forms, DBS checks (if applicable), and social‑media and background searches conducted by way of Internet search (e.g. Google).
Health & Medical Data: any medical or health information you provide to us, such as accessibility needs or health declarations for crew, or information inherent in the footage.

Important information regarding Health & Medical Data:

Workers’ Health & Safety: May include self‑disclosure health conditions such as allergies, accessibility needs, fitness to work assessments, medical incident reports, occupational health records (e.g., COVID‑19 tests, vaccination status).
Featured Individuals’ Health Data: During filming, ExR may record special‑category data relating to your health or medical condition — for example, if you are a patient undergoing a surgical procedure. This information is processed with your explicit consent and subject to strict safeguards.
Anonymisation in Final Content: By default, ExR anonymises Featured Individuals in the final published content (removing or obscuring identifying features such as face, name, or voice). For certain procedures (e.g., facial or airway surgery) anonymisation may not be feasible; in such cases you will be given the opportunity to provide consent (“opt‑in”) to being identifiable.
Disclosure and Safeguards: Regardless of whether anonymisation applies, we process health‑related personal data as part of our production workflow, handling raw footage and metadata prior to final editing. This processing is performed in accordance with applicable data‑protection laws and ExR’s internal safeguards.

Diversity Data: ExR does not routinely collect data regarding race, ethnicity, or religion of Contributors unless required by law or you choose to provide it.
Child Contributor Data: Our content is not designed to be viewed or accessed by individuals under the age of 18. However, ExR does film paediatric procedures and, where a Featured Individual is a minor, we will only process their personal data with requisite parental/guardian consent and in accordance with safeguarding procedures.
Aggregated and Statistical Data: We sometimes collect, use and share aggregated data such as statistical or demographic data which is not personal data because it does not directly (or indirectly) reveal your identity. For example, we may aggregate Usage Data to calculate the percentage of users accessing a specific page to analyse general trends in how users interact with our Website.

If you fail to provide personal data: Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may have to cancel or modify our arrangement with you. We will notify you if this is the case at the time.

3. HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect data from and about you including through:

Your interactions with us. You may give us your personal data by corresponding with us by phone, email or otherwise interacting with our business. This includes personal data you provide when you: email or phone our offices; submit our ‘Contact Us’ form on our Website; enter into a contract with us; create an account with us to view our content collections; request marketing materials to be sent to you; or engage with our social media accounts for example Instagram and LinkedIn.
Automated technologies or interactions. As you interact with our Website, we automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. You can view our Cookie Policy here.
Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources where the context requires, as set out below:
- Technical Data is collected from analytics providers and search‑information providers (such as Google).
- Contact, Financial and Transaction Data is collected from providers of technical, payment and delivery services.
- Identity and Contact, Professional, and/or Footage Data may be collected from publicly available sources (such as Companies House or profiles posted on a hospital consultant profile), professional accreditation or regulatory bodies, or networking sites (such as LinkedIn).
Audiovisual content platforms. ExR may use third‑party platforms to share content in the future. If a user accesses such content via an external platform (e.g., if ExR hosts training videos on a third‑party app or website), some personal data (like viewing data or account info) might be collected by that third party and shared with us.

4. HOW WE USE YOUR PERSONAL DATA

Legal basis: The law requires us to have a proper reason (“legal basis”) for collecting and using your personal data. We rely on one or more of the following legal bases:

Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests (e.g., to prevent fraud and improve our relationships with partners and clients). We consider and balance any potential impact on you before processing your data for legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law).
Legal obligation: We may use your personal data where it is necessary for compliance with our legal obligations. We will identify the relevant legal obligation when we rely on this legal basis.
Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

Purposes for which we will use your personal data: The table below summarises the ways we plan to use the various categories of your personal data in relation to your activities as a Contributor, and the legal bases we rely on. For information about how we process your data when you interact with us in a non‑Contributor capacity (for example, when you simply visit our Website or engage with us on social media) please see our General Privacy Policy.

Purpose/Use	Type of data (see section 2 for definitions)	Legal basis or bases
To create, produce, and distribute our educational videos/VR content featuring your work and/or you	(a) Identity (b) Footage (c) Health & Medical	Necessary for our legitimate interests: ExR must use your personal data – including recorded footage and any information you provided – to develop and edit the training content, incorporate it into our educational programmes, and distribute those programmes to our audience.
To assess your suitability for a role (on‑screen, crew, contractor, or other production engagement)	(a) Identity (b) Contact (c) Professional (d) Production‑Related	Performance of a contract with you: This processing is necessary to establish and manage professional relationships and to establish contractual terms and fulfill obligations. Necessary for our legitimate interests: We need to evaluate Contributors to ensure the right talent is engaged. This may involve reviewing experience, work history, and references.
To facilitate and perform under our various production and project agreements, and to enforce contracts	(a) Identity (b) Professional (c) Contact (d) Production‑Related (e) Legal & Compliance	Performance of a contract with you: Necessary for our production and project contracts, licensing agreements, and other arrangements with you as our Contributor. Necessary for our legitimate interests: Ensuring efficient legal and business negotiations, protecting ExR’s commercial interests, and complying with regulatory requirements in healthcare &/or digital media services.
To maintain proper archive collections of our content	(a) Identity (b) Professional (c) Production‑Related	Necessary for our legitimate interests: ExR may use and retain your data as part of our content archives for future reuse, reference, or inclusion in compilations or retrospective works.
To process and administer payroll, invoicing, and payments, as well as to handle any financial disputes, deductions, or reimbursements	(a) Identity (b) Financial & Payment (c) Engagement Contract (d) Transaction (e) Legal & Compliance	Performance of a contract with you: This is necessary to process payments for services rendered, issue payslips, reimburse expenses, and fulfil contractual obligations. Necessary for our legitimate interests: We need to resolve financial matters, such as payment disputes, expenses, and deductions, to ensure financial accountability. Necessary to comply with a legal obligation: We must comply with tax, National Insurance, and manage financial obligations efficiently, including ensuring timely payments and compliance with tax regulations.
To verify right to work, tax status, and process National Insurance (if applicable)	(a) Identity (b) Financial & Payment (c) Engagement Contract	Necessary to comply with a legal obligation: We are required under UK employment and immigration laws to verify work status, maintain tax records, and process contributions correctly.
To assess fitness to work, ensure accessibility needs are met, and provide a safe working environment	(a) Health & Medical (b) Identity (c) Contact	Necessary to comply with a legal obligation: We are required under health and safety laws to assess working conditions, provide reasonable adjustments, and mitigate risk. Explicit consent: If voluntarily provided, we process accessibility needs only with the individual’s consent.
To comply with health and safety requirements (e.g., self‑disclosure health forms for production safety)	(a) Health & Medical	Necessary to comply with a legal obligation: Some projects require self-disclosure health forms for compliance with partner requirements or regulatory mandates. Necessary for our legitimate interests: Ensuring the safety of all participants is essential to our operations. For instance, we use any medical or accessibility information you provided to accommodate your needs on set or comply with hospital protocols while filming.
To conduct background screening where necessary (e.g., safeguarding, working with minors)	(a) Criminal & Background Checks (b) Identity	Necessary to comply with a legal obligation: If a role involves working with children or vulnerable individuals, background checks may be legally required. Necessary for our legitimate interests: Conducting checks ensures the safety and reputation of our productions.
To perform online background checks (social media & Google searches for reputation and safeguarding assessments)	(a) Criminal & Background Checks (b) Identity	Necessary for our legitimate interests: Publicly available data may be reviewed to assess reputational risks to our productions and protect the wellbeing of other Contributors.
To produce, distribute, and market content featuring Contributors (including edited and promotional materials)	(a) Image, Audio & Video (b) Identity (c) Professional	Performance of a contract with you: Contributors may sign agreements that grant ExR rights to use their image, voice, and footage in connection with the content. Necessary for our legitimate interests: Marketing and promotional activities are an essential part of growing our business and advertising our content and services.
To store and maintain footage, behind‑the‑scenes content, and promotional materials	(a) Image, Audio & Video (b) Production‑Related	Necessary for our legitimate interests: Long‑term storage of footage is standard in the industry for legal, creative, and archival purposes.
To manage secure access to facilities (e.g., swipe cards, security logs)	(a) IT & System (b) Identity	Necessary for our legitimate interests: Access control is necessary to protect the security of production information and other assets, and prevent unauthorised entry.
To store production communications (e.g., emails, messages, and agreements related to creating content)	(a) IT & System (b) Production‑Related	Necessary for our legitimate interests: Email and document storage ensures continuity of operations, collaboration, and record‑keeping.
To comply with legal and regulatory obligations, including tax, employment, and industry-specific compliance	(a) Legal & Compliance (b) Financial & Payment (c) Engagement Contract	Necessary to comply with a legal obligation: We must maintain records for tax, employment, and compliance with UK law.
To market our content and services and manage press, PR, and media inquiries	(a) Identity (b) Professional (c) Contact (d) Production‑Related	Necessary for our legitimate interests: We may post excerpts from our content on social media platforms (e.g., LinkedIn) or testimonials on our Website from time to time to engage with audiences, users, and industry media in connection with ExR’s case studies, content, and other marketing and public relations. Consent: Where information shared for the purposes of marketing include personal data (such as featuring a Contributor’s image or attributing a testimonial to an individual), we will obtain consent beforehand.
To comply with legal obligations (including tax, audit, and regulatory compliance)	(a) Identity (b) Financial (c) Legal & Compliance	Legal obligation: We must retain certain records for statutory, tax, and regulatory purposes, including compliance with UK &/or EU media law and healthcare training requirements.
Ensuring safeguarding and welfare of under‑18 Contributors	(a) Identity (b) Contact (c) Child Contributor (d) Health & Safety Data	Necessary to comply with a legal obligation: If a minor contributor is engaged, we must comply with child protection laws, including UK safeguarding legislation and industry best practices. Necessary for our legitimate interests: Ensuring appropriate welfare, parental consent, and compliance with work permits for minors.
Parental/Guardian consent & oversight	(a) Identity (b) Contact (c) Child Contributor	Necessary to comply with a legal obligation: We require verifiable parental consent before processing a child’s personal data, particularly for those under 16.
Managing child work permits & licensing	(a) Identity (b) Engagement Contract (c) Child Contributor	Necessary to comply with a legal obligation: We collect and store child performance licenses and school exemption records in compliance with UK employment law.

Change of Purpose. We will only use your personal data for the purposes we collected it for, unless we need to use it for another reason that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.

5. MARKETING

Direct marketing: You will receive marketing communications from us only if you have requested information from us and you have not opted out of receiving the marketing. We may also analyse your Identity, Contact, Technical, Usage and Transaction Data to form a view of which content, services and offers may be of interest to you so that we can then send you relevant marketing communications.

Third‑party marketing: We will obtain your express consent before we share your personal data with any third party for their own direct marketing purposes.

Opting out of marketing: You can ask to stop sending you marketing communications at any time by following the opt‑out links within any marketing communication sent to you or by contacting us using the contact details provided below (section 11). If you opt out of marketing communications, you will still receive communications that are essential for doing business with you, for example, messages relating to a project we are working on together.

6. DISCLOSURES OF YOUR PERSONAL DATA

Where necessary, we may share your personal data with the parties set out below, strictly for the purposes set out in the Purposes for which we will use your personal data table above (section 4). We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third‑party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes, in accordance with our instructions.

Business Partners and Collaborators: ExR works with a variety of business partners and collaborators to create cutting‑edge content, including medical device manufacturers, medical charities, NHS trusts, academic and medical institution partners, professional healthcare associations, subject‑matter experts, and other Contributors. Where we work with such Business Partners and/or Collaborators to produce or distribute the content, we may share Contributor details and footage with them. This is for processing information essential to our content and projects, including managing pre‑production, post‑production, production shooting, equipment and other logistics.
Email and Cloud Storage: For sending and storing information essential to our business. For example, ExR uses secure email and cloud storage services (currently ProtonMail/ProtonDrive based in Switzerland) to send and store information.
Payment Service Providers: For processing payments and ensuring secure financial transactions.
IT and System Administration Providers: For hosting our Website, maintaining network security, and troubleshooting system issues. For example, our website and content are hosted on Amazon Web Services (AWS) servers in the UK.
Marketing Communications Providers: We may use tools (such as Mailchimp or similar) to send you information we believe is of interest, or to invite you to events, but only if you have opted in. We may also work with marketing agencies to help promote our services, but we will only share your personal data with such partners with appropriate consent or as permitted by law.
Social media platforms and users: We may post content on social media platforms (e.g., LinkedIn) but if those posts include personal data (such as featuring a Contributor or partner by name or image), we will obtain consent beforehand.
Third parties involved in regulatory or legal compliance: For instance, where required to comply with applicable laws, law enforcement, or government authorities such as HMRC.
Third‑party advisers to ExR: In some cases we may share limited personal data in the context of a project or video content when obtaining services or advice from our professional advisers and representatives, to include our accountants and solicitors.
Third parties in connection with business transactions: If we sell or transfer part of our business, the acquiring party may use your personal data in line with this policy.

7. INTERNATIONAL TRANSFERS

The majority of our business partners, collaborators, users, and Contributors are based in the United Kingdom. However, from time to time we may transfer your personal data internationally to entities based in other jurisdictions that carry out certain functions on our behalf. In particular, our email and cloud storage provider is in Switzerland, and we may in future use platforms based in the United States or elsewhere to host video content.

In some instances, the destination country or countries may have laws that do not provide the same level of data protection as required in the UK or elsewhere in Europe. Accordingly, whenever we transfer your data internationally:

We will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data, such as countries within the European Economic Area (EEA) (being the member states of the European Union (EU) together with Iceland, Liechtenstein, and Norway); and/or
We will use specific terms which give the transferred personal data the same protection as it has in the UK, namely the UK adequacy decision for Switzerland, the International Data Transfer Agreement or The International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers (as appropriate), and/or the UK Extension to the EU‑U.S. Data Privacy Framework to transfer personal data to the United States.

8. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For example, ExR uses encryption, password protections, and multi-factor authentication on its systems to prevent unauthorised access to personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties (such as our Business Partners and Collaborators, described in section 6) who have a proper justification to use your personal data. We also have procedures to deal with any suspected personal data breach and will follow all legal requirements with regard to notifying you and any applicable regulator of a breach.

9. DATA RETENTION

The GDPR’s data minimisation principle states that personal data should only be collected and stored when it is necessary to accomplish a specific purpose. It also states that data should only be kept for as long as it is needed.

To determine the length of time ExR will keep (retain) your personal data, we consider:

the amount, nature and sensitivity of the personal data
the potential risk of harm from unauthorised use or disclosure of that personal data
the purposes for which the personal data were collected
whether we can achieve those purposes without your personal data
the applicable legal, regulatory, tax, accounting or other requirements
the long‑term nature of the content, including our need to distribute or licence it in the future

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including any tax or regulatory requirements. Some Contributor data may also need to be retained for extended periods due to the nature of our business: we have set out further details below.

Data Retained for Limited Periods

Health & Medical Data (self‑disclosure forms, accessibility needs, fitness to work assessments) are retained only for as long as necessary to comply with health and safety laws, and then securely deleted unless required for an ongoing issue.
Criminal & Background Check Data (self‑disclosure forms, social media searches, DBS checks if applicable) are retained only for as long as necessary for the specific production and then securely deleted.

Data Retained for Business & Compliance Purposes

Contracts, Payment & Financial Records are retained for at least six years after the content is produced in order to comply with tax and accounting laws.
Project‑Related Data such as scheduling and correspondence are retained for a period after production wraps (typically two or three years) depending on contractual and legal obligations.
Passports & Visas/Work Permits may be retained as per UK Home Office rules (typically six years after the engagement or employment ends).
In the event of a complaint or dispute we may retain personal data for a longer period (typically up to seven years after our contractual relationship with you ends) to cover legal litigation.

Data Retained Indefinitely (or Long‑Term)

Production‑related contracts and financial records may be retained for at least six years (but in some cases longer) to comply with industry norms.
Footage & Production Archives (image, audio and visual data, on‑screen content, behind‑the‑scenes material, release forms) may be retained indefinitely as part of ExR’s content collection library for archival, marketing, and future re‑use.
On‑Screen Credits are retained indefinitely for industry record‑keeping and professional attribution.

In some situations you can ask us to delete your data: please see section 10 below for further information.

10. YOUR LEGAL RIGHTS

You have certain rights under data‑protection laws in relation to your personal data:

Request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide.
Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Please note, however, that we may not always be able to fulfil your erasure request. We will be notified and the reasons explained to you, if this applies to you.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
Object at any time and for any reason to the processing of your personal data for direct marketing purposes.
Request the transfer of your personal data to you or to a third party. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time, where we are relying on consent as the lawful basis to process your personal data (see the table in section 4 for details). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, you may not be able to participate in our production or project and our arrangement and / or contracts with you may need to be changed. We will advise you if this is the case at the time you withdraw your consent.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

If you wish to exercise any of these rights, please contact us using the contact details provided in section 11.

No fee usually required: You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond: We try to respond to all legitimate requests within 30 days. Occasionally it could take us longer than a month if your request is particularly complex or you have made multiple requests. In any event, we will notify you.

11. CONTACT DETAILS

If you have any questions about this privacy policy or wish to exercise your rights, please contact us in the following ways:

Email address: info@exr.education
Postal address: 1 Pickle Mews, London, SW9 0FJ, United Kingdom

12. COMPLAINTS

You have the right to make a complaint at any time regarding our use of your personal data, including where you believe we are unlawfully processing your data. For UK residents, data‑protection complaints are handled by the Information Commissioner’s Office (ICO), the UK regulator for data‑protection issues (www.ico.org.uk). For EEA residents, you may complain to your local data‑protection authority (https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm).

We would, however, appreciate the chance to address your concerns before you approach the ICO or other regulator, so please so contact us in the first instance.

13. CHANGES TO THIS POLICY AND / OR YOUR PERSONAL DATA

We keep our privacy policy under regular review, and the date of last update appears at the beginning of it. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

Please note that this notice does not form part of your engagement contract or other agreements with us unless explicitly stated and does not create contractual rights or obligations. It may be amended by us at any time.

14. THIRD‑PARTY LINKS

Our Website may include links to third-party websites, plug-ins, or applications. By clicking on those links or enabling those connections, third parties may be able to collect or share data about you. Please note that ExR does not endorse, monitor, or assume responsibility for the content, privacy practices, or data processing activities of these third-party websites. When you leave our Website, we encourage you to read the privacy policy of every other website you visit.

15. CCTV

In the interests of transparency, please note that ExR may work at properties or in areas that are under surveillance by a closed-circuit television (CCTV) system. However, unless otherwise indicated, these CCTV systems are neither managed nor monitored by ExR; you must contact the relevant site manager or landlord for more information.