Cookie Policy
Cookie Policy
How XB2BX uses cookies and tracking technologies to operate the global B2B marketplace — transparently, lawfully, and in compliance with applicable international law.
Introduction & Scope
This Cookie Policy (“Policy”) is issued by XB2BX LTD, a company incorporated in England and Wales (“we”, “us”, “our”, “XB2BX”). It explains how cookies and similar tracking technologies are used on xb2bx.com and any sub-domains or associated platforms operated by XB2BX (collectively the “Platform”).
XB2BX is not a standard e-commerce website. It is a multi-sector international B2B marketplace operating across wholesale, dropshipping, brokerage, supplier onboarding, international trade facilitation, potential financial introductions, digital services, and cross-border transactions. This operational complexity informs the breadth of this Policy and the legal bases on which we process data collected through cookies.
This Policy applies to all users of the Platform — including individual business operators, registered suppliers, buyers, brokers, and institutional users. Where you access the Platform as an authorised representative of a corporate entity, references to “you” include both you personally and that entity.
Important for B2B Users: Even where you use the Platform on behalf of a business, your individual browser-level data (including IP address and device identifiers collected via cookies) may constitute personal data under applicable law and is protected accordingly. Corporate access does not exempt users from individual data protection rights.
What Are Cookies?
Cookies are small text files placed on your device (computer, tablet, or mobile) when you visit a website. They are widely used to make websites operate correctly, remember your preferences, measure traffic, and deliver tailored content. Cookies alone cannot execute code, deliver malware, or access other files on your device.
In addition to standard HTTP cookies, we may use the following similar tracking technologies. All are covered by this Policy and subject to the same consent requirements:
Name-value text files set in your browser. Session cookies expire when you close your browser; persistent cookies remain for a defined period.
Transparent images (1×1 px) embedded in pages or emails that signal when content is viewed. Used for email engagement tracking and conversion attribution.
Browser-side storage mechanisms that hold preference and state data beyond standard cookie capacity. Session storage clears when the tab closes.
A limited-use technique combining browser configuration, OS attributes, and network signals for fraud prevention, AML screening, and sanctions compliance. Applied strictly under legal obligation grounds.
Supplier and logistics integration scripts may interact with browser storage as part of inventory, shipment tracking, and order status workflows embedded in the Platform.
Unique tokens embedded in transactional and marketing emails to track open rates and click-through for platform communications. Subject to separate email consent where required.
Categories of Cookies We Use
We classify cookies into five functional categories. Only Strictly Necessary cookies are placed without your explicit consent. All other categories require a positive opt-in through our Cookie Consent Manager. You may change your preferences at any time via Cookie Settings in the page footer.
These cookies are indispensable to the operation of the Platform and cannot be switched off without fundamentally impairing functionality. No consent is required under PECR Regulation 6(4) or equivalent law.
- Authenticated user sessions & secure login
- CSRF protection & API request validation
- Cookie consent preference storage
- Load balancing & server routing
- Fraud, bot & rate-limit enforcement
- AML/KYC & sanctions-screening workflows
- Supplier onboarding identity verification
Collect aggregated, anonymised or pseudonymised data about Platform usage. No individual user is identified. Helps us improve reliability and the B2B user experience.
- Page views, sessions, bounce rate
- Supplier & buyer journey mapping
- Trade-flow conversion funnels
- Error logging & performance diagnostics
- A/B testing & feature rollout measurement
Enable enhanced features and personalisation important to our global user base. Disabling these may reduce Platform usability but will not block access.
- Language, locale & currency preferences
- Dashboard layout & filter settings
- Live chat & B2B support widgets
- Saved supplier searches & watchlists
- Timezone & trade-timestamp accuracy
Set by XB2BX and our B2B advertising partners to build interest profiles and deliver relevant trade-sector content. Opting out stops personalised advertising but does not reduce generic advertising.
- LinkedIn B2B campaign manager
- Google Ads conversion & remarketing
- Meta Pixel (business audiences)
- Email campaign performance tracking
- Affiliate & referral attribution
Set by external services integrated into the Platform. XB2BX does not control these cookies. We recommend reviewing the privacy policies of all listed third parties directly.
- Payment gateway providers
- Logistics & freight-tracking APIs
- Mapping & geolocation services
- Supplier verification & KYC platforms
- Trade finance introduction services
Cookie Register
The register below lists the primary cookies currently active on xb2bx.com. This register is audited quarterly. Cookie names prefixed with an underscore or containing random identifiers may vary by session; those listed represent the representative set as of this Policy version.
Strictly Necessary
| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| session_id | XB2BX | Necessary | Maintains authenticated user session across the Platform | Session |
| csrf_token | XB2BX | Necessary | Protects all form submissions and API calls against cross-site request forgery | Session |
| xb2bx_consent | XB2BX | Necessary | Stores your cookie consent choices and policy version reference | 12 months |
| __Secure-auth | XB2BX | Necessary | Encrypted authentication token; Secure & HttpOnly flags enforced | Session |
| rate_limit_id | XB2BX | Necessary | Throttles excessive API calls; prevents scraping and abuse | 1 hour |
| kyc_session | XB2BX | Necessary | Supports identity verification and AML onboarding workflow state | Session |
| sanctions_flag | XB2BX | Necessary | Records outcome of sanctions screening check for session continuity | Session |
Performance & Analytics
| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| _ga | Analytics | Distinguishes unique users; data anonymised before processing | 2 years | |
| _ga_[ID] | Analytics | Maintains Google Analytics session and campaign state | 2 years | |
| _gid | Analytics | Stores and updates page view count per 24-hour period | 24 hours | |
| _gat | Analytics | Throttles Analytics request rate to prevent server overload | 1 minute | |
| _hjid | Hotjar | Analytics | Assigns a unique user ID for heatmap and session recording | 365 days |
| _hjSessionUser | Hotjar | Analytics | Tracks whether Hotjar data has been collected for current session | 365 days |
Functional
| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| xb2bx_lang | XB2BX | Functional | Stores preferred language and locale (critical for international B2B) | 12 months |
| xb2bx_currency | XB2BX | Functional | Stores preferred display currency for trade pricing | 12 months |
| xb2bx_prefs | XB2BX | Functional | Saves dashboard layout, column preferences and search filters | 6 months |
| intercom_id | Intercom | Functional | Identifies returning users in the live chat support system | 9 months |
| tz_offset | XB2BX | Functional | Stores timezone for correct order, shipment and trade timestamps | Session |
Targeting & Marketing
| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| li_fat_id | Marketing | LinkedIn ad conversion tracking and B2B audience retargeting | 30 days | |
| _fbp | Meta | Marketing | Meta Pixel — ad delivery optimisation for business audiences | 3 months |
| _gcl_au | Marketing | Google Ads conversion tracking and campaign attribution | 3 months | |
| xb2bx_ref | XB2BX | Marketing | Tracks referral source and affiliate partner attribution | 30 days |
| IDE | Google DoubleClick | Marketing | Cross-site tracking for Display Network campaigns | 13 months |
This register is reviewed and updated quarterly. If a cookie is discovered on the Platform that is not listed here, please notify privacy@xb2bx.com and we will investigate and update the register within 14 days.
Legal Basis for Processing
The legal grounds for processing personal data collected through cookies are set out below by jurisdiction. XB2BX has conducted a Legitimate Interests Assessment (LIA) for all processing based on that ground; a summary is available on request.
Strictly Necessary cookies are deployed on the basis of our legitimate interests in: providing a secure and functional platform; preventing fraud and abuse; maintaining infrastructure stability; and fulfilling our obligations as a marketplace operator. We have assessed that these interests are not overridden by your fundamental rights and freedoms.
Performance, Functional, and Marketing cookies are only placed following your freely given, specific, informed, and unambiguous consent via our Cookie Consent Manager. Consent is granular by category. You may withdraw consent at any time without detriment (see Section 10). Pre-ticked boxes and bundled consent are not used.
Cookies used in connection with AML/KYC identity verification, sanctions screening, fraud-reporting obligations, and regulatory compliance workflows are deployed to fulfil mandatory legal obligations under the Proceeds of Crime Act 2002, Money Laundering Regulations 2017, and applicable international equivalents. These cannot be disabled by users.
Where cookies are necessary to fulfil a contract with you — for example, session management during a live trade transaction, dropshipping order processing, or supplier API integration — processing is based on contract performance. This applies only to registered users engaged in active transactions.
California Residents (CCPA / CPRA): Our use of certain targeting cookies may constitute a “sale” or “sharing” of personal information under California law. You have the right to opt out at any time by: (1) selecting Do Not Sell or Share My Personal Information in Cookie Settings; or (2) broadcasting a Global Privacy Control (GPC) browser signal, which we honour automatically.
Brazilian Users (LGPD — Lei 13.709/2018): Processing is based on consent (Art. 7(I)), legitimate interest (Art. 7(IX)), or legal obligation (Art. 7(II)) as applicable. Brazilian residents have the rights enumerated in Art. 18, including confirmation, access, correction, portability, deletion, and revocation of consent. Requests may be submitted to privacy@xb2bx.com.
International Jurisdiction & Transfers
XB2BX facilitates cross-border B2B trade. Cookie-generated data may be processed by us or our third-party providers in multiple countries. Where such transfers occur outside the UK or EEA, we implement the following safeguards:
- UK ICO-approved International Data Transfer Agreements (IDTAs) for transfers from the UK
- EU Commission-approved Standard Contractual Clauses (SCCs) for transfers from the EEA
- Adequacy decisions where the recipient country has been designated adequate by the UK Secretary of State or the European Commission
- Supplementary technical measures including end-to-end encryption in transit (TLS 1.3+), pseudonymisation, and access controls
Jurisdiction Coverage Map
Primary jurisdiction. ICO is the lead supervisory authority. All data processing activities are registered with the ICO.
EU users are served under full GDPR compliance. SCCs govern any onward transfers. EU supervisory authorities retain jurisdiction for EU residents.
California residents may exercise opt-out rights under CCPA/CPRA. GPC signals are honoured. We do not knowingly collect data from users under 16.
Brazilian residents hold rights under Art. 18 LGPD. Processing is consent- or legitimate-interest based. ANPD is the relevant authority.
Cross-border trade participants in Singapore, Thailand, and other SE Asian markets are served under applicable PDPA frameworks.
Where jurisdictions conflict, the stricter applicable standard is applied. XB2BX’s contractual governing law is England and Wales, without prejudice to statutory data protection rights in any jurisdiction.
B2B Platform-Specific Disclosures
The following disclosures are specific to XB2BX’s multi-sector B2B operations and are not typically found in generic cookie policies. They are included to provide full transparency and legal protection for all platform participants.
Brokerage & Financial Introduction Services
XB2BX may facilitate introductions between parties for trade finance, escrow arrangements, or credit facilities. Cookies used in connection with these workflows do not constitute financial advice, a credit assessment, or a binding financial offer. XB2BX is not a bank, is not FCA-authorised to provide regulated financial services, and acts solely as an introducer or facilitator.
Disclaimer: XB2BX does not guarantee the completion of any trade, funding, or financial transaction. Cookie data relating to financial introduction workflows is held in accordance with FCA guidance on record-keeping for introducers and applicable AML obligations, and is not used for credit scoring or profiling by XB2BX.
Dropshipping & Supplier Data Flows
Where users engage with dropshipping or supplier-integration features, cookies and session tokens may be shared with participating suppliers or logistics providers strictly for order fulfilment purposes. Such suppliers act as independent data processors under written data processing agreements that comply with Article 28 UK/EU GDPR. XB2BX remains the data controller for all end-user data.
Supplier API Integrations
Registered suppliers connecting via the XB2BX API may deploy their own scripts or SDKs that interact with browser storage. XB2BX requires all API partners to comply with this Cookie Policy and applicable data protection law as a condition of integration. Suppliers bear independent data controller responsibility for data they collect via their own scripts.
Sanctions Screening & AML Compliance
In compliance with UK, EU, US, and UN sanctions regimes, certain session-level cookies and device fingerprints are used to facilitate automated sanctions and adverse-media screening of platform participants. This processing is carried out under legal obligation and cannot be opted out of. Screening data is retained for the minimum period required by applicable regulatory guidance.
Corporate & Institutional Users
Where XB2BX is accessed by individuals acting on behalf of a corporate entity, the corporate entity may itself be subject to data processing obligations depending on the services used. Corporate procurement officers or legal representatives should contact dpo@xb2bx.com to discuss data processing agreements.
Your Choices & Rights
Cookie Consent Manager
On first visit, our Cookie Consent Banner presents granular category controls. You may accept all, reject non-essential, or configure each category independently. Choices are saved to the xb2bx_consent cookie for 12 months. Update preferences at any time via Cookie Settings in the footer.
Browser Controls
Your browser allows direct cookie management. Note: blocking Strictly Necessary cookies will prevent login, transactions, and AML/compliance checks.
- Google Chrome — Cookie Management
- Mozilla Firefox — Enhanced Tracking Protection
- Apple Safari — Manage Cookies
- Microsoft Edge — Delete Cookies
- AllAboutCookies.org — General Guide
Industry Opt-Out Tools
- Google Analytics Opt-Out Add-on
- Network Advertising Initiative (NAI)
- Digital Advertising Alliance (DAA)
- Your Online Choices (UK & EU)
Global Privacy Control (GPC) & Do Not Track
XB2BX honours the Global Privacy Control (GPC) signal as an opt-out from the sale or sharing of personal data for California residents. GPC is detected automatically. Do Not Track (DNT) signals are not currently responded to due to the absence of a universally accepted standard.
Your Data Subject Rights
Request a copy of personal data collected about you through cookie processing.
Request correction of inaccurate personal data we hold.
Request deletion where we have no continuing lawful basis for processing.
Object to processing based on legitimate interests, including profiling for direct marketing.
Receive your data in structured, machine-readable format where processing is consent-based.
Request restriction of processing while a complaint or accuracy dispute is in progress.
Withdraw any cookie consent at any time without affecting lawfulness of prior processing.
Not to be subject to solely automated decisions with significant legal effect, including automated sanctions screening results (human review available on request).
To exercise any right, contact privacy@xb2bx.com. We will respond within 30 days (UK/EU GDPR) or 45 days (CCPA), extendable by a further 30 days on notice.
Data Retention
Cookie lifespan periods are as stated in the Register at Section 4. Session cookies expire when you close your browser. Persistent cookies remain for their stated duration or until manually deleted.
We conduct quarterly cookie audits. Cookies no longer in use, exceeding their stated lifespan, or lacking a valid legal basis are removed. Users may request a copy of the current audit report via privacy@xb2bx.com.
Consent Withdrawal Procedure
You may withdraw or modify your cookie consent at any time. Withdrawal is effective immediately for future processing; it does not affect the lawfulness of processing carried out before withdrawal.
Click Cookie Settings in the footer of any page to open the Consent Manager and update your preferences by category.
Delete existing cookies using your browser’s cookie management tools. This removes all cookies currently stored on your device from xb2bx.com.
Email privacy@xb2bx.com to withdraw specific consents or request deletion of identifiable data collected via cookies. We will confirm in writing within 72 hours.
Enable Global Privacy Control in your browser. XB2BX will automatically detect and honour GPC as an opt-out from sale/sharing on your next visit.
Withdrawal of consent for non-essential cookies will not restrict your access to the Platform’s core B2B trading functions. However, some personalisation features (saved searches, language preferences, live chat history) may be reset. Strictly Necessary cookies, including those used for AML/KYC and sanctions compliance, cannot be disabled.
Policy Updates & Version History
XB2BX reviews this Cookie Policy at least every six months and whenever material changes occur in: the cookies deployed on the Platform; applicable law or regulatory guidance; our business model or data processing activities; or enforcement action by a supervisory authority.
When material changes are made, we will:
- Display a prominent notice on the Platform for 30 days
- Re-present the Cookie Consent Banner where new consent is legally required
- Notify registered users by email for changes materially affecting their rights
- Increment the policy version number and update the effective date
Version History
| Version | Date | Changes | Consent Reset Required |
|---|---|---|---|
| v2.0 | 20 May 2026 | Full legal audit. Added: LGPD/PDPA coverage; B2B-specific disclosures (brokerage, dropshipping, sanctions, supplier APIs); corporate user clause; consent withdrawal procedure; jurisdiction conflict clause; version history; registered address confirmed. Cookie register expanded to 21 named cookies. | Yes — new categories |
| v1.0 | 19 Mar 2025 | Initial policy. Basic GDPR/PECR/CCPA coverage. Four cookie categories. Functional cookie register. DPO contact added. | Original |
Prior versions of this policy are available on request from privacy@xb2bx.com.
Contact, DPO & Complaints
For any questions, data subject requests, or concerns about this Policy or XB2BX’s cookie practices, please use the following channels. We aim to acknowledge all enquiries within 48 hours and provide a substantive response within the applicable statutory timeframe.
Supervisory Authorities — Right to Complain
If you are not satisfied with our response, or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with your local data protection authority.
XB2BX is committed to resolving all cookie and data protection complaints at the first instance. If you are unsatisfied with our response, you are always entitled to escalate to the relevant supervisory authority without first contacting us — this is your statutory right and is not conditional on raising the matter with us first.
