1. Home
  2. Privacy Notice

Privacy Notice

Last Updated:  September 2025

ExlService Holdings, Inc. and its affiliates/ subsidiaries (collectively, “EXL”, “we”, “our”, or “us”) worldwide, are committed to respecting your online privacy and recognizing your need for appropriate protection and management of any personal data you share with us.
This privacy notice (referred to herein as the “Privacy Policy” or “Policy”) sets out how we collect and process your personal data when we act as “data controllers”.  This Policy does not cover our customers’ processing of personal data using our products or services, as we act solely as a “data processor” for such processing activities.  

Why You Should Read this Policy

As a commercial business, we may collect, use, and disclose personal data in the course of our standard operations. Where an EXL entity processes your personal data as controller (meaning that we determine why and how your personal data is used), this Privacy Policy sets out how we process that data in compliance with data protection and consumer privacy laws. This Policy also explains what rights you have relating to that personal data.

What does this Policy cover?

This Policy sets out how we use and protect personal data globally. If you live or work in certain countries, states or territories, there is additional information at the end of this Policy that relates to our use of your personal data.

It is important to note that this Policy does not apply to personal data we process on behalf of our customers. When we provide our products and services to our customers, in a majority of circumstances, we act as a data processor. This means it is our customers, and not EXL, who are in control of what personal data and other information they process using our products or services, and how they do so.  Where we are a data processor, we follow our customers’ instructions relating to that processing, in line with applicable laws.  We are not responsible for the privacy policies or the data collection, use, or disclosure practices of our customers or third-party sites. If you wish to understand how they process your personal data, we encourage you to review the privacy policies of each site you visit. 

In the limited circumstances that we act as a joint controller with our clients, we establish at the outset of our commercial relationship with our clients our respective roles in relation to the personal data.  This would involve an exchange of personal data between EXL and our client, authorizations on permitted uses of personal data, and an obligation to cooperate with each other to comply with certain regulatory requirements such as in handling data subject requests and incidents.   Due to the nature of our clients’ relationships with their customers, our clients typically handle disclosures to their customers, informing them that EXL may be required to process their data.

Updates to this Policy

We may make updates to this Policy from time to time. When we do so, we will post those changes here, so please check back periodically for any updates. Where we make changes to our processing that may affect the rights of individuals affected by those changes, we will inform those individuals where possible.

If you have any questions or concerns about this privacy notice or your personal data, please contact us at Privacy@exlservice.com.

Table of contents

1. What personal data we collect and how we collect it

2. Lawful basis for processing personal data. 

3. When do we share your personal data?

4. Cookies and Tracking Technologies

5. How long do we keep your personal data?

6. International and group company transfers of personal data.

7. Your Rights in Relation to Your Personal Data

8. Contact us and information regarding complaints.

 

1. What personal data we collect and how we collect it

Personal data, or personal information, means any information about an individual from which that person can be identified or identifiable. It does not include data where the identity has been irreversibly removed (anonymous data).

We collect personal data through three main sources:

1. Personal data you provide to us (for example, through forms or correspondence);
2. Personal data we collect automatically (for example, when you visit EXL websites and as described in the Technical Data as set out below);
3. Personal data from other sources (such as our service providers, business partners, and publicly available personal data as set out below):

  • Contact Data – Name, address, email address, telephone number, mobile phone number, country of residence and social media handles. We may collect this information directly from you, your employer, from publicly available sources, our third-party partners who provide networking contact information, or indirectly through a third-party partner such as if we have co-hosted an event with them.
  • Professional Data: Company name, occupation contact details, occupation, employment history, areas of expertise, your experience with EXL products and services. We may collect this information directly from you, your employer, from publicly available sources, our third-party partners who provide networking contact information, or indirectly through a third-party partner such as if we have co-hosted an event with them.
  • Transaction Data – Products and/or services purchased, licenses purchased, types of products or services of interest, information provided in the course of the purchase or attempted purchase of EXL products or services, eligibility information such as whether your company is a customer of EXL this can be collected when you purchase products and services from EXL.
  • Payment Data – Payment or billing information (including tokenized payment details, as necessary). We may collect this information in the course of signing up for an EXL product or service or through the use of our website to purchase our products or services.
  • Communications Data – Messages, correspondence and other data created, or generated, by you when communicating with us via post, SMS, e-mail, posts on EXL or third-party channels, forums, social media platforms, other third-party platforms, or other means of electronic communication. We may collect this information when you interact with us or our employees, contractor, agents, third-party service providers and partners- for example through providing feedback or sharing your experiences of our products and services with us.
  • Technical Data – IP address, operating system, browser information, user agent. identifiers such as cookie IDs (see Cookie and Tracking Technologies below, and our Cookie Policy), mobile device ID, Wi-Fi data, interactions with EXL websites, authentication credentials, communications and promotional materials are collected automatically when you interact with EXL websites or third-party platforms hosting EXL content. For example, when we send marketing communications, we may collect data on whether you have opened a marketing communication you have received, or whether you clicked on any links in the message.
  • Government Identifiers: Government or state issued photographic identification documentation such as passport or driver license – for example when you provide it in the course of verifying your identity.
  • Audiovisual Data: Image, voice – including photographs, images and audio and video recordings – collected through security and monitoring systems or recorded during events, for example, when you participate in a EXL or EXL -affiliated event, visit a EXL office or present at a seminar hosted by EXL.
  • Inferred Data: Preferences, likelihood of interest in our products and/or services. Data generated by combining data (such as Contact Data, Professional Data, Transaction Data, Technical Data and Communication Data) collected by EXL with information obtained from third parties (such as Contact Data, Professional Data, Transaction Data, Technical Data and Communication Data), including partners and publicly available sources, which assist with the sale of products or services, compliance with laws, and that detect, prevent and otherwise address fraudulent, deceptive, or illegal activity.
  • Contact Preference Data: Consents or preferences that you give us, such as how you would like us to contact you or what EXL products or services interest you.

Why and How We Use Your Personal Data

The following lets you know how and why we use the personal data we collect:

1. To conduct our business operations and provide our products and services:

  • To communicate with you: We use your information, including Contact Data, and Communications Data so that we can communicate with you, answer your queries, or get in touch to understand if you are interested in our products and services.
  • To provide you with our products and services: We use your information, including your Contact Data, Payment Data, Technical Data, Communications Data,  and Professional Data, depending on the services provided, for various reasons, including to:
    • Verify your identity;
    • Send communications relating to the product or service purchased;
    • Fulfil our contract with you;
    • Provide you with access to our platforms and services.
  • To process financial transactions: We use your information, including Contact Data, Communications Data, Payment Data and Transactional Data to process transactions and to provide you with our products and services.
  • To analyze activity on our websites, improve our public facing platforms and communications:  We use your information, including Technical Data and Communications Data to understand how you use our websites, forums or  platforms and to understand and improve your experience of those websites, forums, and platforms and the communications we send.
  • To ensure compliance with our obligations: We may access, preserve, process, or disclose your information, where required, to comply with a court order or legal requirement, including to respond to governmental or regulatory requests, verify your identity when purchasing our products and services, enforce our policies and contracts, collect amounts owed to us, or assist with an investigation or prosecution of suspected or actual illegal activity.
  • To protect the rights, property, life, health, safety or security: We process your information, where required, to protect the rights, property, life, health, safety or security of EXL, our employees, our users (including you) or others.
  • To measure, develop and improve our products and services: We process your information, including Contact Data, Technical Data, and Communication Data to develop, improve and measure the performance of our products and services.
  • To create de-identified and aggregated information. We may use personal information to create de-identified and/or aggregated information, such as demographic information, information about the device from which you assess our services, or other analysis we create.

2. To enable our sales and marketing functions to carry out marketing related to our products and services:

  • To send sales and marketing communications: We use your Contact Data, Professional Data, Technical Data, Communication Data, Transaction Data, Inferred Data and Contact Preference Data to send you marketing communications about Palantir products and services you have purchased or attempted to purchase, or communications about Palantir products and services we think you might be interested in purchasing or events you might wish to attend, and to carry out targeted marketing campaigns including posts to third party platforms such as social media platforms and networking websites.
  • To understand who would be most interested in our products and services and to personalize our communications: We use your Contact Data, Communication Data, Professional Data, Technical Data, Transaction Data, Inferred Data and Contact Preferences to understand who may be interested in our products and services to personalize our communications with you, including sending marketing communications.
  • To analyse the effectiveness of our communications: We use your Contact Data, Communication Data and Technical Data to understand the impact of our communications, for example to understand the effectiveness of our marketing campaigns and to improve them going forward.
  • To target advertising:  We use your Contact Data, Professional Data, Communication Data, Technical Data, Transaction Data, and Inferred Data to target advertisements and messages to you, this can include targeted advertising via third party advertising platforms including search engines and social media/networking platforms such as LinkedIn or Twitter.

3. To manage your visit to a EXL managed space or event:

  • To enable your visit to a EXL designated space: Depending on how you engage with EXL’s facilities when you visit our designated spaces or offices, we process your Contact Data, Communication Data, Professional Data, Technical Data and Audiovisual Data when you attend a EXL designated space such as offices or pop-ups.
  • Event management: Depending on the event or how you engage with us in the course of an event hosted, or co-hosted by EXL, we process your Contact Data, Professional Data, Communication Data, Audiovisual Data and Technical Data to enable your attendance at EXL hosted or affiliated events such as conferences or webinars. We may also process information we receive, including from our partners, during such events to understand whether you are interested in our products or services so that we can present you with the most relevant information on our products and services at the relevant event or in post event communications.
  • To protect our business, our affiliates, our visitors, and others: We process your personal data which can include Contact Data, Professional Data, Transaction Data, Technical Data, Audiovisual and Communication Data to monitor for, or detect, fraudulent, harmful or illegal activity.

4. To comply with legal obligations and maintain the physical and information security of our products and services, employees and partners:

  • To comply with legal obligations: Where necessary, we use your personal data, including Contact Data, Technical Data, Communication Data and Government Identifiers, where necessary, to comply with legal obligations such as tax reporting, regulatory requirements or fulfilling your rights request.
  • To help you exercise your rights and control over your personal data: Where you contact us to exercise your rights as a data subject or to opt-out from certain forms of communication, we may need to further process your personal data such as Contact Data, Communication Data and any applicable personal data together with any Government Identifiers you may provide, to comply with your request (for example, if you request a copy of your personal data and you provide your ID to confirm your identity).
  • To protect our business, our affiliates, and others: We process your personal data which can include Contact Data, Professional Data, Payment Data, Transaction Data, Technical Data, Audiovisual and Communication Data to monitor for, or detect, fraudulent, harmful or illegal activity.

2. Lawful basis for processing personal data.

EXL processes the personal data it has acquired from you based on any of the below mentioned legal bases:

  • Consent:  Where we process personal data based on consent, you have provided consent by opting in to our use.  If at any point you wish to withdraw your consent, unsubscribe from any of our communications, or in case of any queries/concerns with regards to your personal data processed by us, you may contact us at Privacy@exlservice.com.
  • Contract: When we need to carry out a contract with you that we are about to enter into or have already entered into. This applies in any case where we provide services to you pursuant to a contract. If you do not provide the personal data that we need in order to provide our services, we may not be able to provide our services to you.
  • Legal or regulatory obligation: This includes records keeping, performing compliance reviews (e.g., anti-money laundering, financial checks) and submission of regulatory updates to the local regulators. This includes automatic checks of the personal data you submit regarding your identification against appropriate databases, as well as contacting you to confirm your identity for compliance purposes or maintaining records of our communication for compliance purposes.
  • Legitimate interests: Wherever necessary for our legitimate interests, such as conducting and developing our business, meeting and anticipating the requirements of our current and prospective customers, appropriate controls to ensure our website, processes, and procedures are running effectively, for the prevention and detention of fraud, for Information Technology (IT) security purposes.

Third Party Links. Our websites and applications may have links to the websites/apps of other third parties and these third-party websites/apps may collect personal data about users for their own purpose. In such cases, our Privacy Policy does not extend to these external websites/apps of third parties. Please be aware that if you access these links, you will be leaving our website (s). We encourage users to read the privacy policies of those websites/apps, as we are not responsible for their content, links, or privacy procedures.

3. When do we share your personal data?

We may disclose or transfer personal data that we process as required in the course of operating our business to the following recipients and purposes:

EXL affiliates: Personal data is disclosed to and from ExlService Holdings, Inc. and its affiliates to enable and fulfil our business operations requirements.  Affiliates are bound our policies and by contractual obligations to process any personal information in compliance with data protection and consumer privacy laws that apply.

Service providers: We disclose information as needed to our agents, contractors and service providers. These parties are bound by contractual obligations to keep personal data confidential and use it only for the purposes of providing services for, or with, us. Examples of service providers include marketing and sales services, event management, website hosting and training providers.

Third Parties: We disclose your personal data to third parties, including third party partners where applicable to:

  • Verify your identify when signing up for products and services;
  • Disclose personal data to our partners when offering co-branded services, selling or distributing our services, running branded events with our partners, or engaging in joint marketing activities;
  • Show you relevant adverts – we may disclose pseudonymous data with advertising networks as set out in more detail in Cookies and Similar Technologies below, and our Cookie Policy.
  • Comply with a court order or legal requirement, including to respond to government, regulatory requests, tax authorities, police agencies, public prosecutors, civil disclosure requests or judicial requests; and
  • Protect the rights, property, life, health, safety or security of EXL, our employees, our users (including you), our products and services, or others.
  • We may also disclose personal data to third parties at your request or direction. You also may provide personal data directly to third parties, such as when inputting credit card information onto our websites to purchase products or services. In this case the information is processed directly by our payment processor partner.

4. Cookies and Tracking Technologies

We use cookies and similar technologies, such as pixels and beacons, to understand how you engage with our websites, communications, advertisements or content on third party platforms. See our Cookie Policy)  for more information on the types of cookies we use, and how to control which cookies are stored on your device.

If you activate a social media plug-in, the social media platform automatically makes available the content to your browser, which then integrates it into our websites. In this situation, personal data may also be transferred that is initiated and controlled by the respective social network, e.g., LinkedIn. Your connection to a social media platform, the personal data transfers that take place between the social media platform and your system and your interactions on this platform are governed exclusively by the data protection provisions of the relevant social media platform.

5. How Long Do We Keep Your Personal Data

We collect and keep personal data only as needed or allowed for the purposes set out in this Policy, based on the reason we collected the personal data in the first instance and what is permitted under the laws that apply to the processing.

We keep the personal data we collect in line with our internal data retention policies for as long as you use our services or as long as is necessary to: (i) fulfil the purpose(s) for which we collected the personal data; (ii) provide and secure our products and services to you; (iii) resolve disputes, establish legal defenses, enforce our agreements and comply with applicable laws; (iv) conduct audits; and (v) comply with our internal policy requirements which are designed to comply with applicable laws and our Code of Conduct.

6. International and Group Company Transfers of Personal Data

Your personal data may be transferred by or to the United States, to or from other jurisdictions where we conduct business activities, such as the EU, UK, India, South Africa, Australia, the Philippines, Canada, Colombia, and Mexico.  If your personal data is transferred to a country or organization that is not subject to an adequacy decision by the European Commission or (where relevant) the UK Secretary of State, we will put in place suitable safeguards to ensure that any transfer is carried out in compliance with applicable data protection rules. To ensure an adequate level of protection for your personal data, we will use a data transfer agreement with the recipient based on the most up to date Standard Contractual Clauses approved by the European Commission, the UK Secretary of State, or the UK Information Commissioner’s Office (as applicable) under the UK GDPR and the EU GDPR (as applicable).

You may request additional information in this respect and obtain information regarding the relevant safeguard by exercising your rights as set out in the Your Rights in Relation to Your Personal Data section.

We may share the Personal data collected from the Sites/Apps with third parties as outlined in this section.

7. Your Rights in Relation to Your Personal Data

In some countries and territories, data protection and consumer privacy laws provide individuals with rights regarding the personal data processed by organizations. If you live or work in the UK, EU or Switzerland, you have the rights below in relation to the personal data processed by EXL. If you live or work in any other country, and that country you live or work in grants similar rights, you may also have some or all of the rights below in relation to the personal data processed by us. To exercise such rights, please contact Privacy@exlservice.com. 

Please note that these rights are not absolute, and in some circumstances may be balanced against other considerations, including the privacy rights of other individuals. Your rights:

Residents of EU, UK or Switzerland

The right of access to your personal data: You may have the right to receive confirmation about whether we process your personal data and, if we do, to obtain access to your personal data. You may also have the right to obtain certain information about how we process your personal data.

The right to ask us to correct any personal data we hold on you: You may have a right to request correction of your personal data if it is inaccurate or incomplete.

The right to request erasure of your personal data: You may have a right to request the deletion of your personal data if certain grounds for erasure apply.

The right to restrict how we process your personal data: In certain circumstances, you may have a right to restrict our ability to keep using your personal data. When processing is restricted, we may still store your personal data, but may not use it unless we have your consent or need to process your personal data in connection with a legal claim, important public interest, or to protect the right of others.

The right to object to our processing of your personal data: In certain circumstances, you may have a right to object to our ability to use your personal data in certain ways. In particular, in certain circumstances, you may have: (i) the right to object to the processing of your personal data where that processing is based on our legitimate interests; (ii) the right to object to processing for direct marketing purposes (including profiling).

The right to data portability: In certain circumstances, you may have a right to obtain and reuse certain of your personal data in a structured, commonly used and machine-readable format. Where certain conditions apply, you may also have the right to have that personal data transferred directly to a third party.

Right to withdraw your previously given consent to our use of your personal data: Where you have given us your consent to engage in certain types of processing of your personal data (e.g., where we have said we rely on consent as a lawful basis for processing your personal data), you may have the right to withdraw your consent at any time. Your withdrawal of consent will only apply to our use of your personal data in the future, and will not affect the lawfulness of anything we have done with your personal data prior to your consent being withdrawn.

Right to lodge a complaint with the data protection or consumer privacy regulatory or authority: If you believe that the processing of your personal data violates legal requirements, and if the right exists in your country, state or territory, you have the right to lodge a complaint with the competent data protection authority or consumer privacy supervisory authority

If you live or work in the UK, you may complain to the Information Commissioner’s Office using this link.

If you live or work in the EU, you can find details of the data protection authority in your country here.

In accordance with the GDPR, we will respond to your request within one month upon receipt of your request. Provided we are unable to progress your response, we will contact you. In certain circumstances, we may extend the timeline of our response to 3 months in accordance with applicable law.

 

Additional disclosures for US residents

US Consumer Privacy Act Notice

Last updated August 2025.

This section (the “US Notice”) provides additional information regarding the applicable US state comprehensive privacy laws that are in effect as of January 15, 2025 (individually known as a “US State Privacy Law” and collectively known as “US State Privacy Laws”) and supplements the disclosures and information throughout this Privacy Policy. The commitments in this US Notice apply only to individuals covered by the US State Privacy Laws and are subject to certain statutory exceptions laid out in the US State Privacy Laws. 

The Privacy Policy and US Notice have been designed to be accessible to people with disabilities. If you experience any difficulties accessing the information here, please contact us at Privacy@exlservice.com.   

Personal Information we collect

“Personal Information” is defined under each US State Privacy Law and includes information that identifies, relates to, or could reasonably be linked with a particular consumer or household. “Personal Information” does not include publicly available information, de-identified or aggregated information, or information covered by certain sector- specific privacy laws. “Sensitive Personal Information” is defined under each US State Privacy Law.

Below, we identify (1) the categories of Personal Information and Sensitive Personal Information that we plan to collect, process, and use, and have collected, processed, and used within the preceding 12 months; (2) the categories of recipients to which we have disclosed each category of Personal Information or Sensitive Personal Information for our operational business purposes within the preceding 12 months; (3) the criteria we use to determine the retention period for each category of Personal Information or Sensitive Personal Information; and (4) the categories of Personal Information and Sensitive Personal Information we have sold or shared within the preceding 12 months, as “sale” and “sharing” are defined under the respective US State Privacy Laws.

Please note, we do not sell Personal Information in the traditional sense of the word for monetary consideration. However, because the definitions of “sale” and “sharing” under the US State Privacy Laws are broad enough such that they include the disclosure of your information to certain types of advertising and marketing partners, we provide consumers with the right to opt-out of any such sale or sharing of their Personal Information (see Request to Opt-Out of the Sale or Sharing section below. We do not knowingly sell or share the Personal Information of anyone under 16 years old.

Use of Personal Information

We use Personal Information for a variety of business and commercial purposes, as described in the Why and How We Use Your Personal Data section above.

 

 

Category of Personal Information Collected and Processed:

  • Contact Data identifiers such as name, address, email address, telephone number, mobile phone number, IP address, and social media handles.

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL affiliates
  • Service providers that provide services to us, such as performing functions around provision of technical infrastructure, marketing services, general processing, and maintenance services
  • Third-party partners, such as partners offering co-branded services with us, selling or distributing our services, carrying out identity checks for our products and services, payment processing, event partners, or engaging in joint marketing activities with us (“Third-Party Partners”)
  • Government authorities, state institutions, or other parties pursuant to law

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • Shared (not Sold): IP address, social media handles and other Technical Data
  • Advertising and marketing partners
  • Advertising technology vendors
  • Social media platforms

Category of Personal Information Collected and Processed:

  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as name, address, telephone number, driver’s license or state identification card number, or financial information such as payment or billing information.

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL affiliates
  • Service providers that provide services to us, such as performing functions around provision of technical infrastructure, marketing services, general processing and maintenance services
  • Third-Party Partners
  • Government authorities, state institutions, or other parties pursuant to law

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • Shared (not Sold):  Name, address and telephone number:

  • Advertising and marketing partners
  • Advertising technology vendors
  • Social media platforms

Category of Personal Information Collected and Processed:

  • Commercial information, such as records of personal property, history of products or services purchased, obtained or considered.

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL affiliates
  • Third Party Partners
  • Service providers that provide services to us, such as performing functions around provision of technical infrastructure, marketing services general processing and maintenance services

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • No

Category of Personal Information Collected and Processed:

Internet or other similar network activity, such as information on a consumer’s interaction with a website, application, or advertisement.

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL affiliates
  • Service providers that provide services to us, such as performing functions around provision of technical infrastructure, marketing services, general processing and maintenance services

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • Shared (not Sold): Yes

  • Advertising and marketing partners
  • Advertising technology vendors
  • Social media platforms

Category of Personal Information Collected and Processed:

  • Sensory data, such as audio, electronic, visual, or similar information.

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL affiliates
  • Service providers that provide services to us, such as performing functions around provision of technical infrastructure, marketing services, general processing and maintenance services
  • Government authorities, state institutions, or other parties pursuant to law

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • No

Category of Personal Information Collected and Processed:

  • Professional or employment-related information, such as company name, occupation contact details, occupation, employment history, areas of expertise, and your experience with our services or products.

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL affiliates
  • Third Party Partners
  • Service providers that provide services to us, such as performing functions around provision of technical infrastructure, marketing services general processing, and maintenance services

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • Shared (not Sold):  Yes

  • Advertising and marketing partners
  • Social media platforms

Category of Personal Information Collected and Processed:

  • Education information, such as information about your educational attainments (this category is defined to exclude any publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)), registrations for courses, assessments, and the results of courses and assessments.

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL affiliates
  • Service providers that provide services to us, such as performing functions around provision of technical infrastructure, marketing services, general processing and maintenance services
  • Your employer or the applicable entity through which you applied for training or certification.

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • No

Category of Personal Information Collected:

  • Inferences drawn from other Personal Information to create a consumer’s profile reflecting personal or professional preferences, characteristics, or predispositions.

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL  affiliates
  • Service providers that provide services to us, such as performing functions around provision of technical infrastructure, marketing services, general processing and maintenance services
  • Government authorities, state institutions, or other parties pursuant to law

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • Shared (not Sold):  Yes

  • Advertising and marketing partners

  • Advertising technology vendors

  • Social media platforms

Category of Personal Information Collected and Processed:

  • Personal Information that reveals a consumer’s driver’s license, state identification card, or passport number

Disclosed to Which Categories of Recipients for Operational Business Purposes:

  • EXL affiliates
  • Third-party service partners that provide services to us, such as performing functions around technical infrastructure and processing, maintenance, and payment processing carrying out identity checks for our self-serve products payment processing and identity verification when signing up for one of our AIP Now products and services.
  • Government authorities, state institutions, or other parties pursuant to law

Sold and/or Shared for Cross-Contextual Behavioral Advertising? If so, to Which Categories of Third Parties:

  • Shared (not Sold):  No

We may use Personal Information to generate de-identified data sets. To the extent we treat data as de-identified under the US State Privacy Laws, we will maintain and use that data solely in de-identified form and will not attempt to re-identify that data with any individuals, other than to assess whether the de-identification process complies with applicable law or as otherwise permitted by applicable law. 

Retention Period

We use the following criteria to determine the period of time for which we retain each category of Personal Information and Sensitive Personal Information:

  • for as long as our services to which this Policy applies;
  • as long as we anticipate you may be interested in our products;
  • to fulfill the purpose(s) for which we collected the Personal Information or Sensitive Personal Information;
  • to provide and secure our products and services to you;
  • to resolve disputes, establish legal defenses, enforce our agreements and comply with applicable laws;
  • to conduct audits; and
  • to comply with our internal policy requirements which are designed to comply with applicable laws and our Code of Conduct.

Sources of Personal Information

We obtain the categories of Personal Information listed above (including Sensitive Personal Information) directly from consumers or from devices on which our products or services are installed, as well as from the following categories of sources: our affiliates, publicly-available databases, third-party business partners, social media sites, and other third-party sources.

Use of Sensitive Personal Information

Sensitive Personal Information is only used or disclosed to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; to prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information or other information; to resist malicious, deceptive, fraudulent, harmful or illegal actions directed at the business and to prosecute those responsible for those actions; to ensure the physical safety of natural persons; short-term, transient use; or perform services on behalf of the business.

Disclosure

Any disclosures of your information to third parties over the preceding 12 months have been in accordance with the permitted categories in the When Do We Disclosure Your Personal Data section of the Privacy Policy above.

Your Consumer Rights

 

Residents of California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia (collectively known as “US Residents”) may make the following types of requests under the US State Privacy Laws:

Requests to Know, Delete, Correct, or Obtain a Copy:

Request to Know: You may request that we confirm whether or not we are processing your Personal Information. Where applicable, you may request that we disclose the following information to you about our collection and use of your Personal Information, in each case including Sensitive Personal Information: (1) the categories of Personal Information we collected or processed about you; (2) the categories of sources from which we collected this Personal Information; (3) the categories of Personal Information that we have sold, shared, or disclosed, (4) the categories of recipients to whom this information was sold, shared, or disclosed; (5) the business or commercial purpose for selling, sharing, or disclosing Personal Information; and (6) the specific pieces of information we collected about you, unless doing so would require us to reveal a trade secret.

Request to Delete: Where applicable, you may request that we delete Personal Information and Sensitive Personal Information that we have collected from you. We may limit or deny your deletion request in certain cases, in accordance with exceptions specified in the US State Privacy Laws.

Request to Correct: Where applicable, you may request that we correct inaccurate Personal Information and Sensitive Personal Information that we maintain about you, taking into account the nature of the information and the purposes of the processing of the information.

Request to Obtain a Copy: Where applicable, you may request that we provide a copy of your Personal Information that you have previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance. Colorado residents may exercise this right no more than two times per calendar year. We are not required to provide such information to Connecticut, Colorado, and Oregon residents if doing so would require us to reveal a trade secret.

List of specific third parties: Oregon, Minnesota, and Delaware consumer may request a list of specific third parties to whom we have disclosed your Personal Information.

Sensitive Information: For Virginia, New Hampshire, New Jersey, Colorado, Connecticut, Delaware, Nebraska, Utah, Texas, and Oregon consumers, we will not process your Sensitive Personal Information without obtaining your consent. California consumers will have the right, at any time, to limit the use of their Sensitive Personal Information.  California consumers can exercise this right by sending an email titled  “Limit the Use of My Sensitive Personal Information” to Privacy@exlservice.com.  These requests will be processed in accordance with California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”).

Request to Opt-Out of the Sale or Sharing: Where applicable, you may opt out of our “sale” of Personal Information or “sharing” of Personal Information for the purposes of (i) targeted advertising or (ii) “sale” of Personal Information. Opt-out preference signals will be processed in accordance with applicable laws.

How to Submit Requests to Opt-Out of Sale or Sharing

To opt-out of sale or sharing, click on “Do Not Sell or Share My Personal Information” which can be found at the bottom left of the web page, or by emailing us at  Privacy@exlservice.com Opt-out preference signals will be processed in accordance with the US State Privacy Laws.

How to Submit Requests to Know, Delete, or Correct, or Obtain a Copy

If you would like to exercise a right under US State Privacy Laws with respect to EXL, you may submit a request by emailing Privacy@exlservice.com. 

For a “Request to Know,” please specify what details you would like to know, including any specific pieces of Personal Information you would like to access. 

For a “Request to Delete,” please specify what information you would like to have deleted (which may be all your information). 

For a “Request to Correct,” please specify what information you would like to have corrected.

If you submit a request, we may ask for information necessary to verify your identity and eligibility to assert this right, and we will respond to verified requests in accordance with the US State Privacy Laws.

If your request relates to Personal Information that we process about you as a service provider or contractor on behalf of a customer, please direct your request to our relevant customer.  If you wish to make your request directly to us, please provide the name of our customer on whose behalf we processed your Personal Information. We will refer your request to that customer and will support them to the extent required by applicable law in responding to your request.

Authorized Agent. You may also utilize an authorized agent to exercise your US State Privacy Law rights on your behalf. As part of our verification process, we may request that an authorized agent provide, as applicable, proof concerning status as an authorized agent to act on your behalf. If an authorized agent is making a “Request to Know”, “Request to Delete”, “Request to Obtain a Copy”, or “Right to Correct” on behalf of a US Resident and has not provided a power of attorney from the resident pursuant to applicable US laws, we may also require the resident to verify their own identity directly with us, or directly confirm with us that they provided you permission to submit the request.

Right to appeal. You may also appeal to our refusal to take action on a consumer request. Within 45 days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written application of the reasons for the decision.

Under the CPPA, we may extend the 45-day period to response to an appeal by another 60 days, where reasonably necessary, taking into account the complexity and number of requests serving as the basis of appeal. We will inform Colorado consumers of any extension within 45 days after receipt of an appeal, together with the reasons for delay.

If the appeal is denied, Virgina, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, and Texas consumers may contact their state Attorney General and submit a complaint.

Right to non-discrimination. You may not be discriminated against because you exercise any of your rights under the US State Privacy Laws, and EXL is committed to this principle.

Contact Us

If you have any questions or requests in connection with the US State Privacy Laws, please contact us at Privacy@exlservice.com. 

Depending on your country of residence, you may have additional rights to those listed in this section. See below for further sections that may apply to you:

 

Residents of Australia:

We recognize that individuals must have the option to not identify themselves, or to use a pseudonym when liaising with us. We seek to provide this option to the extent possible. However, due to the nature of our business operations, it is impracticable in most cases for us to deal with individuals who have not identified themselves or who use a pseudonym.

As a resident of Australia, you have the following rights:

  • The right to have your personal data de-identified and/or destroyed.
  • The right to require that any personal data held and processed by us is accurate, up-to-date, and complete. If the information is inaccurate, incomplete and/or out-of-date, you have the right to request that it is corrected.
  • The right to be informed regarding when and how your personal data is collected, used and disclosed.
  • The right to “opt out” of your personal data being used for direct marketing purposes.
  • The right to request Data Holders and accredited bodies to share information relating to yourself, with consent, in a standardized machine-readable format.

Residents of the Philippines:

  • The right to be informed about your personal data being collected and processed.
  • The right to access to your personal data.
  • The right to object to processing of your personal data if the personal data processing involved is based on consent or legitimate interest.
  • The right to erasure or blocking of your personal data under certain circumstances.
  • The right to file a complaint with the National Privacy Commission (NPC) if your personal data has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated.
  • The right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of their personal data.
  • The right to rectify your personal data under certain circumstances.
  • The right to data portability.

Residents of South Africa:

  • Request access to your personal data and request details of the processing activities conducted by us and third parties, within a reasonable time and at a prescribed fee, if any.
  • Request that your personal data is rectified if it is inaccurate or incomplete, irrelevant, excessive, out of date, misleading or obtained unlawfully.
  • Request the destruction or de-identification of your personal data where we are no longer authorized to retain the information.
  • Right to Request restriction of the processing of your personal data by us in certain circumstances.
  • Right to object to the processing of your personal data in certain circumstances.
  • Receive your personal data in a structured, commonly used and machine-readable format in certain circumstances.
  • Lodge a complaint with the Information Regulator.
  • Right to Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • Right to withdraw any consent you have provided to us at any time by contacting us.

Residents of India:

  • Request details/summary of the processing activities conducted by us and third parties, within a reasonable time and at a prescribed fee, if any.
  • Request that your personal data is rectified if it is inaccurate or incomplete, irrelevant, excessive, out of date, misleading or obtained unlawfully.
  • Request the identity of all the third parties with whom the personal data has been shared by us, along with a description of the personal data so shared, unless prohibited by applicable law.
  • Request the erasure of your personal data where we are no longer legally authorized to retain the information.
  • If you are below the age of 18, the consent should be provided by your parent/ legal guardian.
  • Right to withdraw any consent you have provided to us at any time by contacting us at Privacy@exlservice.com .
  • Any complaints or concerns with regard to these terms may be immediately escalated to the designated Grievance Officer as mentioned below either by hard copy or through email:
    • Grievance Redressal Officer
    • Name: []
    • Email: []
    • Address: []

Residents of Colombia:

  • The right to be informed about the use of your personal data.
  • The right to access (includes right to data portability).
  • Under certain circumstances, you have the right to have your personal data rectified.
  • Right to revoke authorisation and/or request the deletion of data when processing is not compliant with principles, rights, and constitutional guarantees. The revocation and/or deletion shall proceed when the SIC determines that the processing by the data controller or data processor was contrary to the law and the Constitution
  • To request evidence of the consent granted to the data controller, except when consent is not required for the processing; and
  • To submit to the SIC claims for violations of the provisions contained in the Data Protection Law and other rules that modify, amend, or complement it.

Residents of Canada:

  • The right to be informed of the existence, use, and disclosure of their personal data.
  • The right to access your personal data.
  • Individuals have the right to challenge the accuracy and completeness of that information and have it amended/rectified as appropriate.
  • Individuals can withdraw their consent to the collection, use and disclosure of their PI, including for marketing purposes.
  • Right to file a complaint with relevant privacy regulator(s).

8. Contact us and information regarding complaints.

If you have any questions or requests in connection with how we access or process your personal data, please contact us at Privacy@exlservice.com. 

 

Version: 25th September 2025

Try EXL’s new Gen AI search!
Enter the terms you wish to search for.
AI Search is experimental; hallucinations may occur.