Data Processing & Retention Policy
Last updated: August 28, 2025
1) Purpose
This policy outlines how VXL manages personal data across the engagement lifecycle (inquiry → consultation → application support → post-arrival services).
2) Roles
- Controller: VXL for Site interactions and client services.
- Processors/Sub-processors: Hosting, CRM/AMS, communications, analytics, and document storage providers. Education/migration partners act as independent controllers for their own activities.
3) Data categories & examples
- Identity & contact: name, email, phone, WhatsApp handle, chosen office/location.
- Application data: demographics, education/work history, financial evidence, passport/visa information, dependent details.
- Operational data: booking metadata, case notes, internal IDs.
- Technical data: IP addresses, device info, cookies/analytics.
4) Lawful bases
- Contract (pre-contractual steps and service delivery), legitimate interests (efficient operations, security), consent (where required, e.g., marketing), legal obligation (immigration/compliance).
5) Transfers & storage
- Data may be stored/processed in multiple regions due to our international operations and partner network. Appropriate contractual and technical safeguards are applied.
6) Retention schedule (guideline)
- Leads & inquiries: 24 months after last meaningful contact.
- Client engagement files: 7 years after case closure (or statutory requirement).
- Rejected/withdrawn applications: 3 years from decision/withdrawal.
- Consent records: life of consent + 7 years.
- Analytics logs: per Cookie Policy/tool configuration.
7) Security controls
- Access control by role; MFA where available; encryption in transit; periodic backups; vendor risk checks; incident response process.
8) Data subject requests (DSRs)
- Requests are logged and actioned within statutory timelines (e.g., 30 days under GDPR). Identity verification is required. Responses may be limited where disclosure would infringe others’ rights or legal obligations.
9) Third-party systems
- When users follow links to Agent Login or Student Portal, those platforms act under their own policies and may be independent controllers. Users should review those policies before use.