eXp is committed to protecting the privacy and security of your personal information.
What is the Purpose of this Privacy Notice?
This Privacy Notice describes how we collect and use personal information about you, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and any other national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the relevant European jurisdiction to which the processing relates (Data Protection Legislation).
It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice that we may provide to you on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements any other such notices that we may provide to you and is not intended to override them.
Who are We?
eXp World UK Limited is a company incorporated in England and Wales under number 12016573 and our registered office is at 68 West Hill, Hitchin, Hertfordshire SG5 2HY, England (“eXp UK”)
For the purposes of Data Protection Legislation, the legal entities overseeing the processing of your personal data are eXp UK and its parent company, eXp Realty, LLC., a company incorporated in State of Washington, United States (“eXp US”). In this Privacy Notice references to “eXp”, “we”, “us” and “our” refer to eXp UK and eXp US.
In summary the usual arrangement under which eXp collects and processes personal data is that eXp UK and eXp US are each data controllers in their own right. A data controller is responsible for deciding how it will hold and use personal data. On occasion, for certain processing activities, eXp US may act as a data processor for eXp UK. There may also be processing activities for which we would be considered joint data controllers in that we may jointly determine the purposes and means by which your personal data is processed by us.
For purposes of the GDPR, eXp US, in its capacity as a data controller, identifies eXp UK of 68 West Hill, Hitchin, Hertfordshire SG5 2HY, England as its EU representative.
How We Collect Your Personal Information
We obtain information about you when you use our websites, for example: (i) when you fill in forms on our websites, subscribe to any service, request further services, or contact us about eXp’s services; (ii) if you contact us online we may keep a record of that correspondence; and (iii) we collect details of your visits to our websites including traffic data, location data, weblogs and other communication data, and the resources that you access.
If you contact us by telephone, post, email or social media we may keep a record of those communications.
If you are an eXp Agent then, in addition to the above, we will obtain information about you when you register with us as an eXp Agent and during the course of our interactions with you as part of that relationship including through your use of your back office and approved company channels including online platforms, electronic communications and official company materials provided to you.
We may also obtain your personal data from the following sources: third party online public platforms, social media, and the public domain (“third party sources”). We may combine the information which you provide to us with information which we obtain about you from these third party sources.
What Personal Data Do We Collect From You?
eXp will only collect personal data required to serve the purpose for which it was collected. The type of personal data we collect will depend upon the nature of your relationship with us (e.g. a customer or prospective customer, eXp Agent or applicant, job candidate, service provider, or visitor), the purpose for which the data is required, and our legal and regulatory obligations.
Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.
As a customer, the information we collect from you may include the following:
- contact details (including names, postal addresses, email addresses and telephone numbers);
- a copy of your driver’s licence, passport, or other suitable documentation to identify you;
- your credit card or debit card details if you make a payment for any services;
- your username and password for any online account with eXp UK;
- information about any services you have requested us to provide and your activities in relation to those services;
- any information you send to us, including information relating to the matters about which you contact an eXp Agent; and
- information as required by regulatory “know your client,” anti-money laundering or proceeds of crime legislation — some of this information we may request or obtain from third-party sources.
As a prospective customer for eXp UK, the information we collect from you may include contact details (including names, postal addresses, email addresses and telephone numbers).
- Identity Data includes first name, middle names, maiden name, last name, username or similar identifier, marital status, title, date of birth, place of birth, country of citizenship, first language, and gender.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and credit card details.
- Transaction Data includes details about payments to and from the Company and other details of products and services you purchased from or provided to the Company.
- Technical Data includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on devices used to access Company websites and other online services.
- Profile Data includes username and password, interests, preferences, feedback and survey responses.
- Usage Data includes information about the use of eXp websites and services.
- Marketing and Communications Data includes preferences in receiving marketing from eXp and its third parties and communication preferences.
The Company may also compile aggregated data such as statistical or demographic data. Aggregated data may be derived from the eXp Agent’s personal data but is not considered personal data in law as it does not directly or indirectly reveal the eXp Agent’s identity.
In connection with the provision of our services, we collect and process different personal data depending on the services being provided, and the third parties with whom we communicate, obtain data from or otherwise deal with in connection with the services provided to our customers.
As a prospective employee of eXp UK, the information we collect from you for recruitment purposes may include the following:
- contact details (including names, postal addresses, email addresses and telephone numbers);
- your racial or ethnic origin, sex and sexual orientation, religious or similar beliefs in order to undertake equal opportunity monitoring and reporting in the public interest;
- information regarding your criminal and disciplinary records (if any), including from background checking authorities, agencies and any regulators, to carry out our legal and regulatory obligations;
- details of your references;
- information about your previous academic and/or employment history, including details of any conduct, grievance or performance issues, appraisals, time and attendance, from references obtained about you from previous employers and/or education providers;
- information regarding your academic and professional qualifications;
- your nationality and immigration status and information from related documents, such as your passport or other identification and immigration information;
- a copy of your driver’s licence or other suitable documentation to identify you and verify your identity;
- information we may request and/or obtain from third-party sources on disciplinary records.
We collect limited information that could be considered personal data from providers of services to eXp. The information we collect from you may include the following:
- your name and contact details;
- your qualifications and employment history;
- bank account details, should we need to transfer funds to you.
As a user of one of our websites or any other web address operated by or on behalf of eXp that links to this Privacy Notice, we collect information that you submit to us when you interact with features of the websites such as logging into your account. When you do this we may collect:
- your name and contact details (i.e., address, home and mobile phone numbers, email address);
- your username and password;
- anything you download from the websites;
- any information that you input into the websites.
In addition to collecting information, we collect analytics relating to your time spent on the Sites. We collect your internet protocol (IP) address; your login data, browser type and version; time zone setting and location; browser plug-in types and versions; operating system and platform; and other technology on the devices you use to access the websites.
More information can be found within our Cookies Policy.
Visitors to our premises
As a visitor to eXp UK’s premises, we may capture the following information about you:
- contact details (including names, postal addresses, email addresses and telephone numbers);
- images captured by our premises’ CCTV cameras.
The Ways We Use Information
We may process your personal data for purposes necessary for the performance of a contract with you, for example for the processing or fulfilment of the provision of our services, and to comply with our legal obligations.
We may process your personal data for the purposes of our own legitimate interests provided that those interests do not override any of your own interests, rights and freedoms which require the protection of personal data. This includes processing for marketing, business creation, development, management, and statistical and research purposes, which will include analysis and tracking of transactions and the creation of marketing profiles. You have the right to object to this processing where we rely on a legitimate interest and either there is something about the particular situation which makes you wish to object to processing on that ground or the processing is for direct marketing purposes.
We may process your personal data for certain additional purposes with your consent, and in these limited circumstances where your consent is required for the processing of your personal data then we will obtain your separate consent at that time and you will also have the right to withdraw your consent to processing for these specific purposes (see ‘Right to Withdraw Consent’ section below)..
Please note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
Purpose and legal basis for processing
When processing your personal data, the purpose and legal basis include the following, to the extent that they apply to you:
- to perform customer services to fulfil our contractual obligations toward you, and on the basis of our legitimate interests, or our customers’ legitimate interests, to provide the best customer service we can;
- to support our business processes including our information technology, electronic communications and electronic documents storage, management and transmissions, to fulfil our contractual obligations toward you, or, if not applicable, on the basis of our legitimate interests to provide the best customer service we can, to support our business operations, administration, IT services, and network security, and to prevent fraud;
- to safeguard your personal data and our IT system with appropriate security, on the basis of your and our legitimate interest for such security;
- to exchange information, conduct due diligence, and answer your initial questions, to take steps required to enter into a contract with you, or for the purposes of our legitimate interests to protect our legal rights and a third party’s rights, or, if not applicable, on the basis of your consent;
- in the case of a prospective employee, for our recruitment purposes, including in the context of a selection and recruitment procedure, to take steps prior to entering into an employment relationship or contract with you or on the basis that it is our legitimate interest to use your personal data in such a way to ensure that we can make the best recruitment decisions — we will not process any special categories of personal data except where we are able to do so under applicable legislation or with your explicit consent;
- to keep you up-to-date with news that may be of interest to you, on the basis of your consent or our legitimate interests to use your personal data for marketing purposes;
- to present our websites and online content in the best possible way for you and on your computer, on the basis of our legitimate interests to keep our websites updated and relevant, to develop our outreach and business operations, and to develop marketing strategy;
- for business transactions such as a merger, acquisition by another company, or sale of all or a portion of our assets on the basis of our legitimate interests to sell or expand our business operations; and/or
- to comply with legal and regulatory requirements applicable to us (including the need to prevent and combat money laundering).
If you are an eXp Agent we may process your personal data for the following additional purposes:
- Processing the eXp Agent’s application and Independent Contractor Agreement;
- Developing downline genealogy reports and other related business reports;
- Providing support services to the eXp Agent such as planning and facilitating meetings and training;
- Administering the eXp Agent’s benefits including under the Revenue Share Plan;
- Developing and implementing policies, marketing plans, and strategies;
- Publishing personal information in the Company’s newsletters, promotional materials and company and intra-group communications;
- Complying with applicable laws and regulatory requirements and assisting with any governmental or police investigation; and
- Other purposes directly relating to any of the above.
Where the processing of your personal data is based on your consent only, you have the right to withdraw this consent at any time. We will then erase your personal data and stop processing it.
You may receive marketing communications from us if you are an existing customer or if you provided us with your consent or where we are pursuing a legitimate interest and have a lawful right to do so and, in each case, you have not opted out of receiving that marketing. You can ask us to stop sending you marketing messages at any time by following the unsubscribe links on any marketing message sent to you or by contacting email@example.com at any time.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We will share your personal information with third parties where required by law, where it is necessary to administer the relationship with you or where we have another legitimate interest in doing so. Some of these transfers will involve international transfers of your personal data outside the European Economic Area (EEA) including to our data centres or those of our service providers or public and regulatory bodies.
Where permitted by Data Protection Legislation, eXp may share such information from time to time with the following third parties:
- Other entities within the eXp group and those employees, directors and managers of eXp and its local and foreign associated/affiliated companies who have a need to access your personal information in carrying out their responsibilities; and
- eXp Agents, including Sponsors and upline eXp Agents who may need access to downline eXp Agents' personal information in order to monitor sales activity and business development in their sales revenue groups
- Any agent, contractor, supplier, vendor, or third party service providers who provides administrative, payment processing, IT, marketing, printing, shipping, fulfilment, web-tools, fraud prevention or other services to eXp or its affiliated companies.
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, security, insurance and accounting services.
- tax authorities, regulators and others who require reporting of processing activities in certain circumstances.
Where our third-party service providers act as our data processors then they are required to take appropriate security measures to protect your personal information and we do not allow those third-party service providers to use your personal data for their own purposes; we only permit them to process your personal data for specified purposes and in accordance with our instructions.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.
Transferring information outside of the EU
Your personal information may be stored and processed in any country where we have operations. For example, [our parent company], eXp US is based outside the European Economic Area (“EEA”) in the USA and your personal data will be transferred to and processed in the USA. The USA is not deemed to provide an adequate level of protection for personal data, but eXp US as a data controller will process your personal data in the USA in compliance with Data Protection Legislation.
Many of our external third party data processors are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we transfer your personal data to a data controller outside of the EEA in a country that has not been deemed to provide an adequate level of protection for personal data by the European Commission (which includes a transfer by eXp UK to eXp US in the United States), eXp will use the ‘controller to controller’ model contract clauses approved by the European Commission which give personal data the same protection it has in the European Union;
- Where we transfer your personal data to a data processor outside of the EEA in a country that has not been deemed to provide an adequate level of protection for personal data by the European Commission we will use the ‘controller to processor’ model contract clauses approved by the European Commission which give personal data the same protection it has in the European Union.
- Where we use providers based in the US, we may either use the above contracts approved by the European Commission or we may transfer data to them if they are part of the EU–U.S. Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
Please contact us at firstname.lastname@example.org if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
We have appropriate security measures in place to protect against the accidental loss, misuse, access and/or alteration of the information you provide. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected which retention period is determined by the nature and duration of your relationship with us. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances eXp may anonymise or pseudonymise the personal data so that it can no longer be associated with you, in which case eXp may use such information without further notice to you.
If you request that we stop sending you marketing materials, we will continue to keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us.
Rights of Access, Correction, Erasure, and Restriction
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes and of which we need to be made aware.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information. This enables you to receive details of the personal information we hold about you and to check that we are processing it lawfully.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to exercise any of the above rights, please contact us using the contact details below.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if any request made by you is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to Withdraw Consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing.
You can exercise this option at any time by contacting us, using the contact details outlined below. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Changes to this Notice
Any changes we may make to our Privacy Notice in the future will be posted on this webpage.
Questions Regarding this Notice/Contact Details
Should you have any questions regarding this Privacy Notice, you can contact us either by post: 68 West Hill, Hitchin, Hertfordshire SG5 2HY, England; email: email@example.com. Please mark all email correspondence with: “Data Protection”.
If you are not satisfied with our response or believe we are not lawfully processing your data you can also complain to the Information Commissioner’s Office (www.ico.org.uk) at any time.