Privacy policy
Last updated: 23 April 2026
This notice explains what personal data we collect when you use xmahub, why we collect it, how long we keep it, and the rights you have over it. We write it in plain English. If anything here is unclear, email hello@xmahub.com and we will answer.
Who we are
xmahub is operated by Steffen Hoyemsvoll Limited, a company registered in England and Wales under company number 09302803, with its registered office at 5 Brayford Square, London, England, E1 0SG. In this notice we refer to ourselves as “xmahub”, “we”, or “us”.
For the purposes of the UK GDPR and the Data Protection Act 2018, xmahub is the data controller for your personal data. You can contact us about any data-protection matter at hello@xmahub.com. Registration with the Information Commissioner's Office is in progress; the registration number will be published here once issued.
What we collect
We only collect what we need to run the assessment, deliver the protocol, and keep the business accountable. Specifically:
- Email address. Provided when you submit the eczema assessment or purchase the protocol.
- Assessment responses. Your answers to the eight-question quiz, the profile we derive from them, and the calibration flags we use to tailor your starter protocol.
- Purchase records. If you buy the protocol, the Stripe session identifier, the amount paid, and a flag recording whether the protocol email was sent.
- Authentication cookie. If you log in to the members area, a signed xmahub-session cookie that identifies you on subsequent requests. It contains only a base64-encoded copy of your email and an HMAC signature.
- Consent cookie. A small xmahub-consent cookie recording your choice from our cookie banner so we do not ask you again.
- Analytics data, if you consent. Page views, clicks, quiz progress, and aggregate funnel data. See the cookie policy for detail.
We do not collect special category health data. Your eczema assessment answers are lifestyle and environmental questions that help calibrate the educational content we send; they are not a medical record.
We never see or store your payment card. Card details are collected by Stripe in an iframe and transmitted directly to Stripe's servers.
How we use it, and the legal basis
We only use your data for the purposes listed here. Each purpose has a lawful basis under Article 6 of the UK GDPR.
- To deliver the assessment result and starter protocol email after you submit the quiz. Basis: Article 6(1)(b), performance of a contract you requested.
- To process your purchase and send the post-purchase email with access to the full protocol. Basis: Article 6(1)(b), performance of the purchase contract.
- To send abandonment-recovery and nurture emails at day one, day three, and day seven after the assessment. Basis: Article 6(1)(f), legitimate interests in following up with people who asked for our content. You can opt out at any time using the unsubscribe link in any email.
- To operate the members area via magic-link login. Basis: Article 6(1)(b).
- To measure how the site performs using analytics. Basis: Article 6(1)(a), consent, captured via the cookie banner.
- To meet tax and accounting obligations. Basis: Article 6(1)(c), legal obligation.
Who we share it with
We use a small number of trusted service providers to run xmahub. We do not sell your data. Each processor handles only what it needs to perform its function, under a contract that requires UK GDPR-compliant handling.
- Stripe Payments UK, Ltd. Processes payments. Receives your email address and card details (which never touch our servers). Payment processing privacy notice: stripe.com/gb/privacy.
- Resend (Resend Inc., US). Sends transactional and nurture emails. Receives your email address and the email content we send you. Transfers to the US are covered by the UK International Data Transfer Addendum.
- Supabase (Supabase Inc., hosted in the EU). Stores the leads and purchases tables. Receives the fields listed under "What we collect" above.
- Vercel (Vercel Inc., US). Hosts the website. Receives standard server logs (IP address, user-agent, URL) as part of normal operation. UK to US transfer covered by the UK IDTA.
- PostHog (PostHog Inc., EU region). Product analytics, if you consent. Receives page events and your email address once you submit the assessment. Hosted on eu.i.posthog.com.
- Google Analytics 4 (Google LLC, US). Aggregate traffic analytics, if you consent. Receives standard GA4 events and your email address after quiz submission (GA4 hashes it internally). Transfers covered by Google's UK IDTA.
- Vercel Analytics. Anonymous web-vitals and page-view counts, if you consent. No personal identifiers.
We do not use any other third parties for marketing or advertising. We do not run retargeting pixels.
How long we keep it
We keep data only as long as we need it.
- Assessment leads that do not convert: 24 months from capture, then deleted. You can ask us to delete earlier at any time.
- Purchase records: 7 years, as required by HMRC for tax and VAT records.
- Members-area session cookies: cleared on sign-out; expire after 30 days of inactivity if you do not sign out.
- Consent cookie: 12 months, then we ask again.
- Analytics data: retained by each provider under its own retention policy, typically 14 to 26 months.
- Support emails: retained for 24 months after the conversation ends.
Your rights
Under UK GDPR you have the following rights. To exercise any of them, email hello@xmahub.com. We respond within one calendar month, usually much sooner.
- Right of access. Ask for a copy of the personal data we hold on you.
- Right to rectification. Ask us to correct anything that is wrong.
- Right to erasure. Ask us to delete your data. We will delete it unless we need it for a legal obligation such as tax records.
- Right to restrict processing. Ask us to pause use of your data while we deal with a query.
- Right to data portability. Ask for your data in a structured, machine-readable format.
- Right to object. Object to use based on legitimate interests (for example, our nurture emails) at any time.
- Right to withdraw consent. Withdraw any consent you have given (for example, analytics) at any time, without affecting processing done before you withdrew.
If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113. We would prefer you tell us first so we can try to fix it.
How we protect your data
Your data is held in EU-region Supabase databases with row-level security enabled. Access to the production database is restricted to service-role credentials held only in Vercel environment variables. Traffic between you, our servers, and our processors is encrypted in transit. Payments are handled by Stripe, a PCI DSS Level 1 service provider. Emails are transmitted over TLS where the receiving server supports it.
Children
xmahub is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has submitted data to us, tell us and we will delete it.
Changes to this notice
We may update this notice. When we make a material change, we will update the “last updated” date at the top, and if the change is significant we will email existing customers. Older versions are available on request.