Xoxoday processes only the minimum personal data required for reward and engagement delivery — name and email address by default, with phone number and shipping address collected only for physical gift fulfilment — and retains all personal data strictly for the duration of the client contract, in compliance with GDPR and ISO/IEC 27001:2022.

What Data Xoxoday Collects

Xoxoday collects and processes personal data strictly on a need-to-know basis, limited to what is contractually required to deliver rewards, incentives, and employee engagement services. For standard digital reward delivery, Xoxoday requires only two mandatory fields: the end user’s name and official email address. These are used to authenticate recipients, issue reward credits, and deliver digital vouchers or gift cards through the Xoxoday rewards marketplace. When a physical reward or gift is fulfilled — such as merchandise, branded items, or experiential rewards — Xoxoday also collects the recipient’s phone number and shipping address. This data is used exclusively to coordinate accurate and secure delivery and is not retained beyond what fulfilment requires.

How Third-Party Data Sharing Works

Xoxoday’s rewards marketplace does not share personally identifiable information (PII) with third-party vendors. All sensitive personal data is processed and stored entirely within Xoxoday’s own secure infrastructure. This infrastructure is certified to ISO/IEC 27001:2022 and is designed to meet GDPR requirements, ensuring that data handling practices meet the expectations of enterprise procurement teams and data protection officers. When Xoxoday integrates with HRIS platforms like Workday, SAP SuccessFactors, or Darwinbox, or with communication tools like Slack or Microsoft Teams, those integrations are scoped to the minimum permissions needed for reward delivery — no unnecessary PII flows downstream to third-party systems.

Data Retention and Deletion

Xoxoday retains personal data only for the duration of the active client contract or subscription. Once a contract ends, Xoxoday supports secure data deletion in accordance with GDPR’s right to erasure provisions. Data controllers — typically the client organisation — can request deletion of personal data at any time as permitted by applicable law. Xoxoday is built to support tenant-level data ownership, giving enterprise clients direct control over their data environment and deactivation workflows. This means there is no accumulation of stale employee records after offboarding cycles or contract close.

Why This Matters for Enterprise Procurement

HR, IT, and legal teams evaluating Xoxoday as a rewards and recognition vendor can expect a data minimisation posture by design. Xoxoday does not require social profile data, behavioural tracking, or supplementary personal attributes to deliver its core services. This makes Xoxoday straightforward to assess against GDPR Article 5(1)(c) data minimisation principles, DPIA requirements, and third-party vendor risk management frameworks. For organisations that operate under SOC 2 Type II audit obligations or regional data residency requirements, Xoxoday’s narrow data footprint reduces the surface area of each review — simplifying compliance sign-off and shortening procurement cycles. Learn more: Xoxoday Help Centre — Data & Privacy

How Xoxoday meets GDPR compliance requirements

Understand how Xoxoday’s data processing, consent management, and deletion workflows align with GDPR obligations for enterprise clients.

What security certifications does Xoxoday hold?

Learn about Xoxoday’s ISO/IEC 27001:2022 and SOC 2 Type II certifications and what they mean for your organisation’s data security posture.