Privacy Policy

Last Modified:   05/31/2019
Last Reviewed: 01/01/2020

All of us at Xact Data Discovery (Xcellence Inc., d/b/a Xact Data Discovery and our subsidiaries), are committed to protecting your privacy and want you to feel secure when using our services and providing information to us. This notice applies to all XDD websites that display or link to this privacy notice (www.xactdatadiscovery.com, www.orangeresearchgroup.com). This Privacy Policy governs our data collection, processing and usage practices. It also describes your choices regarding use, access and correction of your personal information. If you do not agree with the data practices described in this Privacy Policy, you should not use the Websites or our XDD email Marketing Campaigns.

This privacy policy has been developed in conjunction with PrivacyTrust, a leading online privacy organization to inform you of the information we collect and how it is used.

We periodically update this Privacy Policy. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice by sending you an email notification, or if you subscribe to the XDD Marketing Campaigns, through periodic subscriber emails.

While we will notify you of any material changes to this Privacy Policy, we encourage you to review this Privacy Policy periodically. We will also keep prior versions of this Privacy Policy in an archive for your review.

If you have questions about our Privacy Policy or our treatment of the information you provide us, please write to us by email at privacy@xactdatadiscovery.com or by mail to Xact Data Discovery, 5800 Foxridge Drive, Suite 406, Mission, KS 66202, Attn: Privacy.


You may have heard a lot of buzz around the GDPR (General Data Protection Regulation). The GDPR is a series of laws approved by the European Union (“EU”) Parliament to align legislation with the way data is used today. The GDPR’s intent is to allow individuals greater control over their data. With the GDPR come several requirements of companies like XDD. You can learn more about the GDPR here: www.privacytrust.com/gdpr/. Now, excuse us while we get some legalize out of the way.


We reserve the right to change our Privacy Policy at any time. If we modify our Privacy Policy, we will provide notification of the changes on our website at least thirty (30) days prior to the date the change becomes effective. It is our policy to post any changes we make to our Privacy Policy on this page with a notice that the Privacy Policy has been updated on the website home page. If we make material changes to how we treat Personal Data, we will notify you through a notice on the Website home page. The date the Privacy Policy was last revised is set forth above. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this Agreement to check for any changes.


The terms set forth in this Privacy Shield Policy portion of the Agreement (“Privacy Shield Policy”) extend to Xact Data Discovery’s collection, use and retention of Personal Data transferred from European Union member countries to the United States (“EU Personal Data”) and supplements the terms set forth elsewhere in the Terms and Conditions with respect to such EU Personal Data. The Federal Trade Commission has jurisdiction and enforcement authority over Xact Data Discovery’s compliance with this Privacy Shield Policy and the EU-U.S. Privacy Shield Framework. This Privacy Shield Policy also applies to the following US subsidiary of Xact Data Discovery: Orange Research Group.

Compliance with EU-US Privacy Shield Framework:

Xact Data Discovery complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union to the United States. Xact Data Discovery has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  Xact Data Discovery, in reliance on the Privacy Shield, commits to subject all EU Personal Data to the Privacy Shield Principles.  To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov. The Privacy Shield List is available at www.privacyshield.gov/list.

Inquiries and Complaints (EU-US Privacy Shield):

In compliance with the EU-U.S. Privacy Shield Principles, Xact Data Discovery commits to resolve complaints about your privacy and our collection or use of your EU Personal Data. European Union individuals with inquiries or complaints regarding this Privacy Policy or our collection, use, disclosure, storage, maintenance, or other processing of your EU Personal Data should first contact Xact Data Discovery at:

Kate Mortensen
Chief Legal Officer
5800 Foxridge Drive, Suite 406
Mission, KS 66202
Phone: 913.229.9106
E-mail:   kmortensen@xactdatadiscovery.com

Xact Data Discovery has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to Privacy Trust, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.privacytrust.com/privacyshield/disputeresolution for more information and to file a complaint. This body is designated to address complaints and provide appropriate recourse free of charge to affected individuals.

EU Personal Data Collection, Use, and Disclosure:

The EU Personal Data we receive may include, but is not limited to, your email address, name, phone number, postal address, and other information. We will only process EU Personal Data in ways that are compatible with the purpose for which we collected it, or for purposes the individual later authorizes. We process sensitive EU Personal Data for the following purposes: forensic collections, eDiscovery processing, hosting, review, and traditional litigation support services. When we collect sensitive EU Personal Data, we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive EU Personal Data to non-agent third parties, or before we use your sensitive EU Personal Data for a different purpose than we collected it for or than you later authorized.

Xact Data Discovery acknowledges that EU individuals have the right to access their Personal Data that we maintain about them. Xact Data Discovery will also provide an individual opt-out choice before we share their Personal Data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate EU Personal Data, or who wishes to limit the use and disclosure of their Personal Data, should direct their questions to kmortensen@xactdatadiscovery.com. If requested to remove Personal Data, we will respond within a reasonable timeframe.

Xact Data Discovery limits disclosure of Personal Data to employees and other trusted third party business advisory and expert services firms that provide bibliographic coding, human/machine language translation, backup tape restoration, forensic collections/analysis, traditional litigation support, contract attorney review services and quality control services in whole or in part, on our behalf and who have a specific business purpose for collecting, maintaining, reviewing and processing such Personal Data.  Where required by the Privacy Shield Policies, we enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield Policies require and limiting their use of the EU Personal Data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process EU Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of EU Personal Data that we transfer to them.

Xact Data Discovery may track and analyze non-identifying and aggregate usage and volume statistical information and provide such information to business partners. Xact Data Discovery shall ensure that any third party to whom EU Personal Data may be disclosed agrees in writing to provide the same level of privacy protection as described in this Privacy Policy. Individuals who have been granted access to EU Personal Data are aware of their responsibilities to protect the security, confidentiality and integrity of that information and have been provided training and instruction on how to do so. Xact Data Discovery takes measures to protect the security of EU Personal Data and to ensure the Personal Data is protected from loss, misuse and unauthorized access in accordance with the Privacy Shield.

Data We Collect and How We Collect It:

For personal information of individuals received from the EU, XDD is committed to handling such personal information in accordance with Privacy Shield as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.

XDD Collects and Processes personal data of the following:

  • Business Clients: client representatives who act as a point of reference for business matters within the company who use XDD services – data is collected from XDD business clients during the contract phase and when provided access to software platforms hosted by XDD;
  • Targeted Persons: clients’ employees and other persons whose data is accessed by XDD for the fulfillment of business clients’ instructions – data is collected by XDD under the direction of its clients via forensic collection;
  • Website Users: XDD website users who contact XDD, register for webinars and request White Papers, Practice Guides and links to recorded webinars via the XDD website – data is collected when users request to register for a webinar or request access to other XDD material;
  • Website Visitors: XDD website visitors who access the website and are tracked by cookies – data is collected via cookies and Goggle analytics; and,
  • Social Media Users: Twitter and LinkedIn users who interact on XDD social media sites – data are collected when provided via interactions with XDD on social media sites.

When XDD collects data from business clients, website users and visitors, and social media users, it acts in a role of a data controller. However, XDD also acts in a role of a data processor when XDD processes personal data from targeted persons at the direction of XDD’s clients.

The data that XDD collects can include names, email addresses, home addresses, telephone numbers, state/province, country, information about products/services of interest, comments, organization name, job title, Relativity login credentials, Relativity access and usage analytics data, IP address and location, cookie ID, device ID, browser type and version, time zone, browser plug-in types and versions, operating system and platform, social media photos, social media comments and messages, and, other information disclosed in the course of general business practice.

With regard to data collected from Targeted Persons at the direction of an XDD client, XDD retains that data until advised to return or delete the data. XDD will not destroy or return data until a client completes a data destruction form.

With regard to business clients’ and website/social media users’ data, XDD maintains personal data indefinitely or until a user rescinds consent for the retention of or use of the data.

Use of Personal Data:

XDD will only use data in a way that is compatible with the reason for which it was collected and authorized by our client. Further:

  • We use cookies to track usage of our site for analytical purposes, and allow you to allow certain social media functions.
  • We do not knowingly collect information from people under the age of 16.
  • Any changes to this policy will be posted on our website: xactdatadiscovery.com
  • We do not collect payment information via our website.
  • In the event of a merger, the new entity will control the data covered by this policy.

Legal basis for processing Personal Information (EU visitors only): 

If you are a visitor/client located in the EU, Xact Data Discovery is the data controller of your personal information. Xact Data Discovery’s data protection personnel can be contacted at privacy@xactdatadiscovery.com.

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. However, we will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, in compliance with a legal obligation, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.

XDD Uses Cookies with Google Analytics:

  1. What we do:
    • XDD uses Google Analytics to track website traffic on the Xact Data Discovery website (xactdatadiscovery.com) and sister company Orange Research Group (www.orangeresearchgroup.com). Adhering to and using programming code provided directly by Google Analytics, all web pages contain tracking pixels/programming code or “cookies,” all of which tracks visitor information across multiple pages and categories. Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular client and website, and can be accessed either by the web server or the client computer.
  2. What we did to comply with GDPR:
    • Upon visiting the XDD website, via a slide in automated window, visitors will be served a notification about our use of cookies with link to our privacy policy;
    • The notification contains a checkbox from which users must click to consent/acknowledge XDD’s use of cookies;
    • Once clicked, the slide in window notification will disappear and not reappear again; and,
    • Regardless of where you enter the site, you will view the slide in window accordingly.

How to Unsubscribe from XDD Marketing Communications: 

XDD communicates with customers and prospects via email marketing campaigns on a periodic basis to share educational content and service information. Campaigns are sent via an email services provider and you always have the option to unsubscribe or opt-out. You may unsubscribe by clicking on the “unsubscribe” link located on the bottom of our emails. You may also rescind your consent to receive marketing communications by sending us an email at marketing@xactdatadiscovery.com, or by post to Xact Data Discovery, 5800 Foxridge Drive, Suite 406, Mission, Kansas 66202.

Notice and Choice:

To the extent permitted by the EU-U.S. Privacy Shield, XDD reserves the right to process personal information in the course of providing professional services to our clients without the knowledge of individuals involved. Where we collect, at the direction of our clients, personal information directly from individuals in the E.U. it remains the responsibility of our client to inform the individual of the purposes for which we collect and use it and the types of non-agent third parties to which the information is disclosed. It remains the responsibility of our client to inform those individuals about the choices and means, if any, offered the individuals for limiting the use or disclosure of their information.

How Can You Access This Information? 

XDD collects and processes data under the instruction and direction of our clients. If an individual becomes aware that information we maintain about that individual is inaccurate, or if an individual would like to update or review his or her information, the individual must contact and coordinate with our client and proceed according to that client’s personal information policy.

Will We Share Personal Information With Third Parties? 

XDD will not disclose an individual’s personal information to third parties unless directed by our client or when one or more of the following conditions are true:

  • We have the individual’s permission to make the disclosure;
  • The disclosure is required by law or professional standards;
    • As XDD is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement standards;
  • The disclosure is reasonably related to the sale or disposition of all or part of our business;
  • The information in question is publicly available;
  • The disclosure is reasonably necessary for the establishment or defense of legal claims;
  • The disclosure is to another XDD entity or to persons or entities providing services on our or our client’s behalf (“transferee”), consistent with the purpose for which the information was obtained, if the transferee, with respect to the information in question:
    • is subject to law providing an adequate level of privacy protection;
    • has agreed in writing to provide an adequate level of privacy protection; or,
    • subscribes to the EU-U.S. Privacy Shield Principles. 

Compliance with Law Enforcement:

Xact Data Discovery may be required to disclose EU Personal Data in response to a lawful request by public authorities, including the need to meet national security or law enforcement requirements.

Data Security: 

XDD’s intent is to strictly protect the security of your personal information, honor your choice for its intended use, and carefully protect your data from loss, misuse, unauthorized access or disclosure, alteration, or destruction. We have taken appropriate steps to safeguard and secure information we collect online including the use of encryption when collecting personal information.

Xact Data Discovery has policies, procedures, and processes to protect client data, which includes encryption of data at rest, transit and logical segregation.  All data is stored within our secured datacenter with redundant firewalls and network security systems utilizing threat intelligence from Cisco Talos. All external ports are disabled except for necessary 443 ports for encrypted channel communications and DMZ utilized for external facing web servers. Along with systems security, we have implemented annual security awareness training which includes GDPR awareness. Our incident response policy will include details necessary to ensure minimal disruption of corporate workflow and operations in the event of a major natural disaster, major systems interruption or other designated major corporate emergency.

If XDD transfers your information to a third-party (e.g. analytics or web hosting vendors), XDD will attempt to ensure the third-party maintains the same level of security as us. We can actively monitor their compliance using TrustBase. XDD is a participant in the U.S. Department of Commerce’s EU-U.S. Privacy Shield and has certified that we adhere to the EU-U.S. Privacy Shield Principles. XDD is subject to the investigatory and enforcement powers of the Federal Trade Commission.

Contacting Us: 

XDD welcomes your comments and/or questions regarding this privacy statement; please contact us by sending us your feedback to privacy@xactdatadiscovery.com, or writing to:

Xact Data Discovery
5800 Foxridge Drive, Suite 406
Mission, KS 66202

If however you are unhappy with our response to your concerns you can raise an issue with Privacy Trust, an independent third party dispute resolution service.

If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, you can also submit your complaint to Privacy Trust, an independent third party. Visit www.privacytrust.com/drs/xactdatadiscovery to file a complaint.

Finally, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

Whether you prefer email, text or carrier pigeons, we’re always available.

Discovery starts with listening.

(877) 545-XACT / or / Email Us