1. Home
  2. Privacy Notice

Privacy Notice

Last Updated:  September 2025

ExlService Holdings, Inc. and its affiliates/ subsidiaries (collectively, “EXL”, “we”, “our”, or “us”) worldwide, are committed to respecting your online privacy and recognizing your need for appropriate protection and management of any personal data you share with us.
This privacy notice (referred to herein as the “Privacy Policy” or “Policy”) sets out how we collect and process your personal data when we act as “data controllers”.  This Policy does not cover our customers’ processing of personal data using our products or services, as we act solely as a “data processor” for such processing activities.  

Why You Should Read this Policy

As a commercial business, we may collect, use, and disclose personal data in the course of our standard operations. Where an EXL entity processes your personal data as controller (meaning that we determine why and how your personal data is used), this Privacy Policy sets out how we process that data in compliance with data protection and consumer privacy laws. This Policy also explains what rights you have relating to that personal data.

What does this Policy cover?

This Policy sets out how we use and protect personal data globally. If you live or work in certain countries, states or territories, there is additional information at the end of this Policy that relates to our use of your personal data.

It is important to note that this Policy does not apply to personal data we process on behalf of our customers. When we provide our products and services to our customers, in a majority of circumstances, we act as a data processor. This means it is our customers, and not EXL, who are in control of what personal data and other information they process using our products or services, and how they do so.  Where we are a data processor, we follow our customers’ instructions relating to that processing, in line with applicable laws.  We are not responsible for the privacy policies or the data collection, use, or disclosure practices of our customers or third-party sites. If you wish to understand how they process your personal data, we encourage you to review the privacy policies of each site you visit. 

In the limited circumstances that we act as a joint controller with our clients, we establish at the outset of our commercial relationship with our clients our respective roles in relation to the personal data.  This would involve an exchange of personal data between EXL and our client, authorizations on permitted uses of personal data, and an obligation to cooperate with each other to comply with certain regulatory requirements such as in handling data subject requests and incidents.   Due to the nature of our clients’ relationships with their customers, our clients typically handle disclosures to their customers, informing them that EXL may be required to process their data.

Updates to this Policy

We may make updates to this Policy from time to time. When we do so, we will post those changes here, so please check back periodically for any updates. Where we make changes to our processing that may affect the rights of individuals affected by those changes, we will inform those individuals where possible.

If you have any questions or concerns about this privacy notice or your personal data, please contact us at Privacy@exlservice.com.

Table of contents

1. What personal data we collect and how; why we collect this information.

2. Lawful basis for processing personal data.

3. Security.

4. Third Party Links.

5. To whom we share your information with.

6. International and group company transfers of personal data.

7. Data storage and retention.

8. Data Subject rights:

Residents of Europe/UK

Residents of Australia

Residents of Philippines

Residents of South Africa

Residents of India

Residents of Columbia

Residents of Canada

Residents of USA (Federal and State Laws)

9. Information that we collect using cookies

10. Do Not Track (DNT)

11. Contact us and information regarding complaints.

12. Modifications to Statement.

1. What personal data we collect and how we collect it.

Personal data, or personal information, means any information about an individual from which that person can be identified or identifiable. It does not include data where the identity has been irreversibly removed (anonymous data).

We collect personal data through three main sources:

1. Personal data you provide to us (for example, through forms or correspondence);
2. Personal data we collect automatically (for example, when you visit EXL websites and as described in the Technical Data as set out below);
3. Personal data from other sources (such as our service providers, business partners, and publicly available personal data as set out below):

  • Contact Data – Name, address, email address, telephone number, mobile phone number, country of residence and social media handles. We may collect this information directly from you, your employer, from publicly available sources, our third-party partners who provide networking contact information, or indirectly through a third-party partner such as if we have co-hosted an event with them.
  • Professional Data: Company name, occupation contact details, occupation, employment history, areas of expertise, your experience with EXL products and services. We may collect this information directly from you, your employer, from publicly available sources, our third-party partners who provide networking contact information, or indirectly through a third-party partner such as if we have co-hosted an event with them.
  • Transaction Data – Products and/or services purchased, licenses purchased, types of products or services of interest, information provided in the course of the purchase or attempted purchase of EXL products or services, eligibility information such as whether your company is a customer of EXL this can be collected when you purchase products and services from EXL.
  • Payment Data – Payment or billing information (including tokenized payment details, as necessary). We may collect this information in the course of signing up for an EXL product or service or through the use of our website to purchase our products or services.
  • Communications Data – Messages, correspondence and other data created, or generated, by you when communicating with us via post, SMS, e-mail, posts on EXL or third-party channels, forums, social media platforms, other third-party platforms, or other means of electronic communication. We may collect this information when you interact with us or our employees, contractor, agents, third-party service providers and partners- for example through providing feedback or sharing your experiences of our products and services with us.
  • Technical Data – IP address, operating system, browser information, user agent. identifiers such as cookie IDs (see Cookie and Tracking Technologies below, and our Cookie Policy), mobile device ID, Wi-Fi data, interactions with EXL websites, authentication credentials, communications and promotional materials are collected automatically when you interact with EXL websites or third-party platforms hosting EXL content. For example, when we send marketing communications, we may collect data on whether you have opened a marketing communication you have received, or whether you clicked on any links in the message.
  • Government Identifiers: Government or state issued photographic identification documentation such as passport or driver license – for example when you provide it in the course of verifying your identity.
  • Audiovisual Data: Image, voice – including photographs, images and audio and video recordings – collected through security and monitoring systems or recorded during events, for example, when you participate in a EXL or EXL -affiliated event, visit a EXL office or present at a seminar hosted by EXL.
  • Inferred Data: Preferences, likelihood of interest in our products and/or services. Data generated by combining data (such as Contact Data, Professional Data, Transaction Data, Technical Data and Communication Data) collected by EXL with information obtained from third parties (such as Contact Data, Professional Data, Transaction Data, Technical Data and Communication Data), including partners and publicly available sources, which assist with the sale of products or services, compliance with laws, and that detect, prevent and otherwise address fraudulent, deceptive, or illegal activity.
  • Contact Preference Data: Consents or preferences that you give us, such as how you would like us to contact you or what EXL products or services interest you.

Why and How We Use Your Personal Data

The following lets you know how and why we use the personal data we collect:

1. To conduct our business operations and provide our products and services:

  • To communicate with you: We use your information, including Contact Data, and Communications Data so that we can communicate with you, answer your queries, or get in touch to understand if you are interested in our products and services.
  • To provide you with our products and services: We use your information, including your Contact Data, Payment Data, Technical Data, Communications Data,  and Professional Data, depending on the services provided, for various reasons, including to:
    • Verify your identity;
    • Send communications relating to the product or service purchased;
    • Fulfil our contract with you;
    • Provide you with access to our platforms and services.
  • To process financial transactions: We use your information, including Contact Data, Communications Data, Payment Data and Transactional Data to process transactions and to provide you with our products and services.
  • To analyze activity on our websites, improve our public facing platforms and communications:  We use your information, including Technical Data and Communications Data to understand how you use our websites, forums or  platforms and to understand and improve your experience of those websites, forums, and platforms and the communications we send.
  • To ensure compliance with our obligations: We may access, preserve, process, or disclose your information, where required, to comply with a court order or legal requirement, including to respond to governmental or regulatory requests, verify your identity when purchasing our products and services, enforce our policies and contracts, collect amounts owed to us, or assist with an investigation or prosecution of suspected or actual illegal activity.
  • To protect the rights, property, life, health, safety or security: We process your information, where required, to protect the rights, property, life, health, safety or security of EXL, our employees, our users (including you) or others.
  • To measure, develop and improve our products and services: We process your information, including Contact Data, Technical Data, and Communication Data to develop, improve and measure the performance of our products and services.
  • To create de-identified and aggregated information. We may use personal information to create de-identified and/or aggregated information, such as demographic information, information about the device from which you assess our services, or other analysis we create.

2. To enable our sales and marketing functions to carry out marketing related to our products and services:

  • To send sales and marketing communications: We use your Contact Data, Professional Data, Technical Data, Communication Data, Transaction Data, Inferred Data and Contact Preference Data to send you marketing communications about Palantir products and services you have purchased or attempted to purchase, or communications about Palantir products and services we think you might be interested in purchasing or events you might wish to attend, and to carry out targeted marketing campaigns including posts to third party platforms such as social media platforms and networking websites.
  • To understand who would be most interested in our products and services and to personalize our communications: We use your Contact Data, Communication Data, Professional Data, Technical Data, Transaction Data, Inferred Data and Contact Preferences to understand who may be interested in our products and services to personalize our communications with you, including sending marketing communications.
  • To analyse the effectiveness of our communications: We use your Contact Data, Communication Data and Technical Data to understand the impact of our communications, for example to understand the effectiveness of our marketing campaigns and to improve them going forward.
  • To target advertising:  We use your Contact Data, Professional Data, Communication Data, Technical Data, Transaction Data, and Inferred Data to target advertisements and messages to you, this can include targeted advertising via third party advertising platforms including search engines and social media/networking platforms such as LinkedIn or Twitter.

3. To manage your visit to a EXL managed space or event:

  • To enable your visit to a EXL designated space: Depending on how you engage with EXL’s facilities when you visit our designated spaces or offices, we process your Contact Data, Communication Data, Professional Data, Technical Data and Audiovisual Data when you attend a EXL designated space such as offices or pop-ups.
  • Event management: Depending on the event or how you engage with us in the course of an event hosted, or co-hosted by EXL, we process your Contact Data, Professional Data, Communication Data, Audiovisual Data and Technical Data to enable your attendance at EXL hosted or affiliated events such as conferences or webinars. We may also process information we receive, including from our partners, during such events to understand whether you are interested in our products or services so that we can present you with the most relevant information on our products and services at the relevant event or in post event communications.
  • To protect our business, our affiliates, our visitors, and others: We process your personal data which can include Contact Data, Professional Data, Transaction Data, Technical Data, Audiovisual and Communication Data to monitor for, or detect, fraudulent, harmful or illegal activity.

4. To comply with legal obligations and maintain the physical and information security of our products and services, employees and partners:

  • To comply with legal obligations: Where necessary, we use your personal data, including Contact Data, Technical Data, Communication Data and Government Identifiers, where necessary, to comply with legal obligations such as tax reporting, regulatory requirements or fulfilling your rights request.
  • To help you exercise your rights and control over your personal data: Where you contact us to exercise your rights as a data subject or to opt-out from certain forms of communication, we may need to further process your personal data such as Contact Data, Communication Data and any applicable personal data together with any Government Identifiers you may provide, to comply with your request (for example, if you request a copy of your personal data and you provide your ID to confirm your identity).
  • To protect our business, our affiliates, and others: We process your personal data which can include Contact Data, Professional Data, Payment Data, Transaction Data, Technical Data, Audiovisual and Communication Data to monitor for, or detect, fraudulent, harmful or illegal activity.

2. Lawful basis for processing personal data.

EXL processes the personal data it has acquired from you based on any of the below mentioned legal bases:

  • Consent:  Where we process personal data based on consent, you have provided consent by opting in to our use.  If at any point you wish to withdraw your consent, unsubscribe from any of our communications, or in case of any queries/concerns with regards to your personal data processed by us, you may contact us at Privacy@exlservice.com.
  • Contract: When we need to carry out a contract with you that we are about to enter into or have already entered into. This applies in any case where we provide services to you pursuant to a contract. If you do not provide the personal data that we need in order to provide our services, we may not be able to provide our services to you.
  • Legal or regulatory obligation: This includes records keeping, performing compliance reviews (e.g., anti-money laundering, financial checks) and submission of regulatory updates to the local regulators. This includes automatic checks of the personal data you submit regarding your identification against appropriate databases, as well as contacting you to confirm your identity for compliance purposes or maintaining records of our communication for compliance purposes.
  • Legitimate interests: Wherever necessary for our legitimate interests, such as conducting and developing our business, meeting and anticipating the requirements of our current and prospective customers, appropriate controls to ensure our website, processes, and procedures are running effectively, for the prevention and detention of fraud, for Information Technology (IT) security purposes.

Third Party Links. Our websites and applications may have links to the websites/apps of other third parties and these third-party websites/apps may collect personal data about users for their own purpose. In such cases, our Privacy Policy does not extend to these external websites/apps of third parties. Please be aware that if you access these links, you will be leaving our website (s). We encourage users to read the privacy policies of those websites/apps, as we are not responsible for their content, links, or privacy procedures.

 

3. When do we share your personal data?   

 

We may share the Personal data collected from the Sites/Apps with third parties as outlined in this section.

Affiliates

Our parent business, subsidiaries, joint ventures, group of firms, and affiliated companies. These entities may use this information for the aforementioned purposes.

Business Partner

  • Service Providers who perform services on behalf of EXL and may require information about you in order to perform their functions, such as authorised service partners, payroll processors, call centre operators, marketing contractors, social media website providers, IT agencies handling or maintaining Sites/Apps, storing/processing information, overseas service providers who work for us, and so on.
  • Suppliers, research and development vendors, professional advisers, agents, representatives, and other EXL business associates

Legal Authorities

We may disclose your personal data in response to any notification, order, inquiry, demand, request, or other communication from a law enforcement agency that requires or mandates the disclosure of such personal data, or in accordance with applicable laws.

Changes in Corporate Structure

In the event that EXL is involved in a merger, acquisition, reorganisation, or sale of assets, or if it files for bankruptcy, your information may be transferred as part of such transaction. We keep a copy of such information.

We DO NOT use or disclose Information for purposes other than as mentioned in this Policy, except with the consent of user providing such Information or as required by law.

6. International transfers of your information.

In nearly all cases, the above-described data may be collected or processed by, and transferred to, the Company’s facilities in the United States and in other jurisdictions where the Company performs its business activities, such as India, South Africa, Australia, the Philippines, Canada, Colombia, Europe and UK; the data may then be subject to the legal systems of those countries. This may be done through the website’s internet service provider (ISP) or through the use of such tools as google analytics. This information is gathered to improve the quality of our services and our ability to market those products and services to specific individuals and organizations that could benefit from them.

We only transfer personal data to countries that provide an adequate level of protection and/or we ensure that we have appropriate safeguards (such as standard contractual clauses etc.) in place to cover these transfers, as permitted by the applicable data protection legislation.

You may contact us to find out more about the relevant safeguards in place for cross-border transfers (see “Contact information” below).

7. Data storage and retention.

Your personal data processed by EXL are kept in a form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed in line with legal, regulatory, contractual or statutory obligations as applicable. At the expiry of such periods, your personal data will be deleted or archived to comply with legal/contractual retention obligations or in accordance with applicable statutory limitation periods.

8. Data Subject Rights.

You may have certain rights in relation to your personal data pursuant to data protection laws in your jurisdiction. To exercise such rights, please contact Privacy@exlservice.com. The rights for certain jurisdictions are explained in further detail below.

Residents of Europe and the UK:

  • The right to request access to your personal data and request details of the processing activities conducted by us.
  • The right to erasure of your personal data under certain circumstances.
  • The right to request for rectification of your personal data if it is inaccurate or incomplete.
  • The right to request restriction of the processing of your personal data in certain circumstances.
  • The right to object to the processing, including the sale or commercial use, of your personal data in certain cases.
  • You may opt-out of receiving non-essential (promotional, marketing-related) communications from us. If you want to opt-out from any such communication, then you may send an email to Privacy@exlservice.com.
  • The right to object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • The right to withdraw your consent provided at any time by contacting us.

In accordance with the GDPR, we will respond to your request within one month upon receipt of your request. Provided we are unable to progress your response, we will contact you. In certain circumstances, we may extend the timeline of our response to 3 months in accordance with applicable law.

Residents of Australia:

We recognize that individuals must have the option to not identify themselves, or to use a pseudonym when liaising with us. We seek to provide this option to the extent possible. However, due to the nature of our business operations, it is impracticable in most cases for us to deal with individuals who have not identified themselves or who use a pseudonym.

As a resident of Australia, you have the following rights:

  • The right to have your personal data de-identified and/or destroyed.
  • The right to require that any personal data held and processed by us is accurate, up-to-date, and complete. If the information is inaccurate, incomplete and/or out-of-date, you have the right to request that it is corrected.
  • The right to be informed regarding when and how your personal data is collected, used and disclosed.
  • The right to “opt out” of your personal data being used for direct marketing purposes.
  • The right to request Data Holders and accredited bodies to share information relating to yourself, with consent, in a standardized machine-readable format.

Residents of the Philippines:

  • The right to be informed about your personal data being collected and processed.
  • The right to access to your personal data.
  • The right to object to processing of your personal data if the personal data processing involved is based on consent or legitimate interest.
  • The right to erasure or blocking of your personal data under certain circumstances.
  • The right to file a complaint with the National Privacy Commission (NPC) if your personal data has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated.
  • The right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of their personal data.
  • The right to rectify your personal data under certain circumstances.
  • The right to data portability.

Residents of South Africa:

  • Request access to your personal data and request details of the processing activities conducted by us and third parties, within a reasonable time and at a prescribed fee, if any.
  • Request that your personal data is rectified if it is inaccurate or incomplete, irrelevant, excessive, out of date, misleading or obtained unlawfully.
  • Request the destruction or de-identification of your personal data where we are no longer authorised to retain the information.
  • Right to Request restriction of the processing of your personal data by us in certain circumstances.
  • Right to object to the processing of your personal data in certain circumstances.
  • Receive your personal data in a structured, commonly used and machine-readable format in certain circumstances.
  • Lodge a complaint with the Information Regulator.
  • Right to Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • Right to withdraw any consent you have provided to us at any time by contacting us.

Residents of India:

  • Request details/summary of the processing activities conducted by us and third parties, within a reasonable time and at a prescribed fee, if any.
  • Request that your personal data is rectified if it is inaccurate or incomplete, irrelevant, excessive, out of date, misleading or obtained unlawfully.
  • Request the identity of all the third parties with whom the personal data has been shared by us, along with a description of the personal data so shared, unless prohibited by applicable law.
  • Request the erasure of your personal data where we are no longer legally authorised to retain the information.
  • Lodge a complaint with the grievance redressal mechanism set up by us.
  • Right to withdraw any consent you have provided to us at any time by contacting us.

Residents of Colombia:

  • The right to be informed about the use of your personal data.
  • The right to access (includes right to data portability).
  • Under certain circumstances, you have the right to have your personal data rectified.
  • Right to revoke authorisation and/or request the deletion of data when processing is not compliant with principles, rights, and constitutional guarantees. The revocation and/or deletion shall proceed when the SIC determines that the processing by the data controller or data processor was contrary to the law and the Constitution
  • To request evidence of the consent granted to the data controller, except when consent is not required for the processing; and
  • To submit to the SIC claims for violations of the provisions contained in the Data Protection Law and other rules that modify, amend, or complement it.

Residents of Canada:

  • The right to be informed of the existence, use, and disclosure of their personal data.
  • The right to access your personal data.
  • Individuals have the right to challenge the accuracy and completeness of that information and have it amended/rectified as appropriate.
  • Individuals can withdraw their consent to the collection, use and disclosure of their PI, including for marketing purposes.
  • Right to file a complaint with relevant privacy regulator(s).

Residents of USA (Federal and State Laws):

Virginia-

  • In accordance with §59.1-574(C) of the CDPA, you have the right to be informed about the categories of personal data collected and processed, information shared and sold to third parties, purpose, all uses and disclosures.
  • The right to access, rectify and erasure of your personal data.
  • The right to data portability.
  • The right to opt out of the processing of their personal data for purposes of:
    Targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
  • The right to appeal against a controller's refusal to take action following a consumer's request to exercise their rights.

Colorado-

  • In accordance with §6-1-1308(1)(a) to (b) of the CPA, you have the right to be informed about the categories of personal data collected and processed, information shared and sold to third parties, purpose, all uses and disclosures.
  • The right to access, rectify and erasure of your personal data.
  • The right to data portability.
  • A consumer has the right to opt out of the processing of personal data concerning the consumer (§6-1-1306(1)(a) of the CPA) for the purposes of:
    Targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

California-

  • The right to know what information the business collects, discloses, and if applicable, sells (as defined in section 1798.140(t) of the California Consumer Privacy Act (CCPA)).
  • The right to access what personal data has been collected about you by making a proper Verifiable Consumer Request (VCR). Through a VCR, you may request:
    1. the categories of personal data collected about you in the preceding 12 months;
    2. the categories of sources from which personal data is collected; the business or commercial purposes behind collecting personal data;
    3. the categories of third parties with whom we share personal data; and
    4. specific pieces of personal data collected about you.
  • If the business has “sold” (as that term is defined in section 1798.140(t) of the CCPA) or disclosed your personal data for a business purpose, you have the right to request an itemized list of the categories of personal data:
    1. Personal data collected about you
    2. Sold about you (this includes categories of third parties to whom information was sold and what categories of personal data for each third party); and
    3. Disclosed about you for a business purpose.
  • The right to opt out of the sale of your personal data to a third party at any time.
  • The right to request deletion of personal data that has been collected about you, subject to certain exceptions.
  • The right to non-discrimination against you for exercising any of the rights listed above.

We do not sell personal data as defined in section 1798.140(t) of the CCPA. We also do not sell the personal data of children under age 16 without affirmative authorization.

How to submit a request.

You may submit a request to exercise your rights through any one of three means:

  • By visiting the privacy page in your account portal, where you can request and download specific pieces of information we have collected. By logging in to your account to submit the request, you will be able to automatically verify your identity, which will result in faster processing of your request.
  • By filling out a consumer data request form available here.
  • By calling us at the applicable office or, if available, the designated 800 number as mentioned below.

9. Information that we collect using cookies

Please refer the https://www.exlservice.com/cookie-policy.

10. Do Not Track

Do Not Track (DNT) is a privacy preference that users can set in some web browsers, allowing users to opt out of tracking by websites and online services. At the present time, the World Wide Web Consortium (W3C) has not yet established universal standards for recognizable DNT signals and therefore, EXL Company and the Site do not recognize DNT.

11. Contact us and information regarding complaints.

Contact us:

Please contact us with any concerns you may have. You can contact us by writing to us at Privacy@exlservice.com

1855-760-3562

* For California residents only

# For individuals from other geographies

You may also have the right to complain about the use of your personal data to the applicable authority with oversight of applicable data protection laws. The European GDPR, give you the right to lodge a complaint with a supervisory authority, in the Member State where you particularly work, normally live, or where any alleged infringement of data protection laws has occurred. For other data protection laws, where applicable, you can contact the nominated data protection supervisory body in that jurisdiction.

12. Modifications to Statement.

The Company reserves the right to change, modify, or update this statement at any time. We indicate the date of the current statement below, so you know when it was last updated. Continued use of the website after any such revision or modification constitutes your acceptance of the privacy statement as so revised or modified, where permitted by law.

 

Version: 31st July 2024

Try EXL’s new Gen AI search!
Enter the terms you wish to search for.
AI Search is experimental; hallucinations may occur.