Legal

Privacy Policy

Last updated: 29 May 2026  ·  Xenova Systems Limited

This Privacy Policy explains how Xenova Systems Limited ("Xenova", "we", "us", or "our") collects, uses, and protects your personal data when you use the SmartPothole platform, mobile application, or website. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Xenova Systems Limited is a company registered in England and Wales. We operate the SmartPothole road defect detection platform, including the mobile application, web dashboard, REST API, and this website.

For any data protection queries, please contact us at: our contact form.

2. Data We Collect

2.1 Website Contact Form

When you submit an enquiry through our website, we collect:

  • Full name
  • Organisation name
  • Email address
  • Area of interest
  • Message content

This data is used solely to respond to your enquiry and is not shared with third parties for marketing purposes.

2.2 Mobile Application — Sensor Data

When you use the SmartPothole mobile application, we collect:

  • Accelerometer and gyroscope readings (motion data)
  • GPS location coordinates and ground speed
  • Barometric pressure (where supported by your device)
  • A anonymised device identifier and session identifier
  • Timestamps of sensor readings

Sensor data is collected only while you are actively recording a session. We do not collect data in the background. GPS data is used exclusively for road defect clustering and is not used to track individuals.

2.3 Usage Data

We may collect anonymised usage data such as API request counts and dashboard access logs for the purpose of service monitoring, security, and performance improvement. This data does not identify individual users.

3. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Legitimate interests — processing sensor data to provide road defect detection services to local authorities and infrastructure organisations.
  • Contract performance — processing contact and account data to fulfil service agreements.
  • Consent — where you have explicitly agreed to data collection through the mobile application.

4. How We Use Your Data

  • To detect and confirm road defects using AI and ML analysis
  • To respond to your enquiries and demo requests
  • To generate road condition reports for authorised stakeholders
  • To improve the accuracy and performance of our detection platform
  • To comply with legal obligations

5. Data Sharing

We do not sell your personal data. We may share data with:

  • Google Cloud Platform — our cloud infrastructure provider (data processing agreement in place)
  • EmailJS — used to process contact form submissions
  • Authorised clients — local authorities and highway agencies who have contracted our services receive aggregated, anonymised pothole detection data relevant to their road networks only
  • Legal authorities — where required by law

6. Data Retention

  • Contact form data — retained for up to 12 months from the date of submission
  • Raw sensor readings — retained in BigQuery for up to 90 days, then automatically deleted
  • Confirmed pothole records — retained for the duration of the service agreement with the relevant client
  • Usage logs — retained for up to 30 days

7. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your personal data
  • Right to restrict processing — request that we limit how we use your data
  • Right to data portability — request your data in a portable format
  • Right to object — object to processing based on legitimate interests

To exercise any of these rights, please contact us via our contact form. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

This website does not use tracking cookies or advertising cookies. We do not use Google Analytics or any third-party analytics trackers. The only scripts loaded are Google Fonts (for typography) and EmailJS (for form submission).

9. Data Security

We implement appropriate technical and organisational security measures to protect your data, including:

  • All data transmitted over HTTPS/TLS encryption
  • Credentials stored in Google Cloud Secret Manager — never in source code
  • Private VPC networking between cloud services
  • API key authentication for all data access endpoints
  • Role-based access controls with least-privilege service accounts

10. International Transfers

Our cloud infrastructure is hosted in Google Cloud Platform's EU (Europe West) region. Data is not routinely transferred outside the UK or European Economic Area. Where any transfer occurs, appropriate safeguards are in place.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The date at the top of this page reflects the most recent revision. Continued use of the platform after changes constitutes acceptance of the updated policy.

12. Contact Us

For any privacy-related questions or to exercise your data rights, please use our contact form. Xenova Systems Limited, registered in England and Wales.