📌
01 / Policy Overview

Policy Overview & Scope of Application

Who this Policy applies to, how it was created, and the legal framework governing it

XB2BX LTD ("XB2BX", "we", "us", "our", "the Platform") is incorporated in England & Wales and operates XB2BX.COM — a global business-to-business (B2B) digital marketplace connecting buyers, suppliers, manufacturers, and trading agents across 180+ countries. This Privacy & Data Protection Policy ("Policy") governs all personal data and business data processed by XB2BX in connection with its Platform, websites, mobile applications, APIs, and related services.

1.1 — Who This Policy Covers
  • All registered Users of XB2BX.COM: Buyers, Sellers, Agents, Manufacturers, and business representatives
  • Visitors to the Platform or website who have not registered an account
  • Business entities and individuals whose data is processed in connection with KYC/KYB verification or onboarding
  • Employees and contractors of XB2BX who handle personal data in the course of their duties
  • Third-party service providers ("Data Processors") processing data on behalf of XB2BX
  • Any person who corresponds with XB2BX by any means, including email, telephone, or chat
1.2 — XB2BX as Data Controller

XB2BX LTD acts as a Data Controller in respect of personal data collected directly from Users and visitors. As Data Controller, XB2BX determines the purposes and means of processing and bears primary responsibility for compliance with applicable data protection law.

1.3 — XB2BX as Data Processor

Where XB2BX processes personal data on behalf of business Users for specific platform functions (e.g., processing customer lists uploaded by Sellers), XB2BX acts as a Data Processor. In such cases, a Data Processing Agreement (DPA) governs the arrangement.

1.4 — Regulatory Framework

This Policy is designed to comply with and exceed the requirements of: EU GDPR (2016/679), UK GDPR and the Data Protection Act 2018, California Consumer Privacy Act (CCPA) as amended by the CPRA, Brazil LGPD, Saudi Arabia PDPL, China PIPL, Thailand PDPA, and all other applicable national and regional data protection laws. Where local law imposes stricter requirements, those requirements shall prevail. Data Processing Agreements are available upon request to dpo@xb2bx.com.

💾
02 / Data Inventory

Data We Collect & How We Use It

Categories of personal and business data collected, their sources, and processing purposes

XB2BX applies the principle of data minimisation: we collect only information strictly necessary to provide Platform services, meet legal obligations, and protect platform security. We do not sell, rent, or trade personal data for commercial purposes.

👤
Identity & Contact Data
  • Full name, job title, professional role
  • Business email address and phone number
  • Billing and correspondence address
  • Government-issued ID (KYC / account verification)
  • Profile photograph (optional)
🏢
Business & Corporate Data
  • Company name, registration number & jurisdiction
  • Beneficial ownership information (UBOs)
  • VAT / Tax identification numbers
  • Business certificates, licences & accreditations
  • Directors and authorised representatives
💳
Financial & Transaction Data
  • Payment method details (tokenised, never stored in plain text)
  • Transaction history, invoices, and receipts
  • Bank account details for payouts and remittances
  • Source of funds declarations (AML compliance)
  • Credit and trade reference data (where applicable)
📱
Technical & Device Data
  • IP address, browser type, and device identifiers
  • Operating system and screen resolution
  • Pages visited, session duration, and click paths
  • Search queries and browsing behaviour on Platform
  • Error logs, crash reports, and performance data
💬
Communications & Interaction Data
  • Messages sent via Platform messaging system
  • Dispute communications and support correspondence
  • Product enquiries, RFQ submissions, and negotiations
  • Reviews, ratings, feedback, and testimonials
  • Marketing preferences and opt-in/opt-out records
🕵️
Compliance & Verification Data
  • KYC/KYB verification documents and results
  • Sanctions and PEP screening outcomes
  • Adverse media and risk assessment records
  • Enhanced Due Diligence (EDD) files
  • SARs (Suspicious Activity Reports — where applicable)
2.1 — Special Categories of Personal Data

XB2BX does not intentionally collect special category data (including racial or ethnic origin, political opinions, religious beliefs, biometric data, health data, genetic data, or data concerning sexual orientation or criminal convictions) unless strictly required for compliance obligations (e.g., identity document processing for KYC). Where such data is incidentally received, it is deleted immediately unless legally mandated for retention. Any processing of special category data is conducted under GDPR Article 9 with appropriate safeguards and documented justification.

2.2 — Sources of Personal Data
  • Directly from you — when you register, complete your profile, place orders, or contact us
  • Automatically — technical and usage data collected via cookies, server logs, and tracking technologies as you use the Platform
  • Third parties — KYC/AML verification providers, credit reference agencies, public registers, and sanctions databases used to verify your identity and business
  • Business partners — referral partners or agents who introduce Users to the Platform, subject to their own privacy obligations
  • Publicly available sources — company registries, LinkedIn profiles, and other professional directories for business verification
🍪
04 / Cookie Policy

Cookie Policy & Tracking Technologies

What cookies we use, why, how long they last, and how to manage your preferences

XB2BX uses cookies and similar tracking technologies (including web beacons, pixel tags, and local storage) to operate the Platform, remember your preferences, understand how the Platform is used, and to deliver relevant communications. Your use of the Platform is subject to this Cookie Policy.

4.1 — What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They allow the website to recognise your device on subsequent visits. Some cookies are essential for the Platform to function; others are used to improve your experience or support analytics and marketing. XB2BX uses both session cookies (deleted when you close your browser) and persistent cookies (which remain on your device until they expire or you delete them).

Cookie Categories Used by XB2BX
4.2 — Cookie Consent & Preferences
  • On first visit, you will be presented with our Cookie Consent Banner allowing granular selection of cookie categories
  • Strictly necessary cookies are activated without consent (legal basis: legitimate interests / contract)
  • All non-essential cookies require your explicit, informed consent before activation
  • You may change your preferences at any time via the Cookie Preference Centre accessible from the Platform footer
  • Consent records are stored and dated; they expire after 12 months and you will be asked to renew
4.3 — Managing Cookies via Browser
  • Google Chrome: Settings → Privacy & Security → Cookies
  • Mozilla Firefox: Options → Privacy & Security → Cookies and Site Data
  • Apple Safari: Preferences → Privacy → Manage Website Data
  • Microsoft Edge: Settings → Privacy, Search & Services → Cookies
  • Note: blocking all cookies may affect Platform functionality. Strictly necessary cookies cannot be disabled via browser if Platform access is desired.
4.4 — Third-Party Cookies & Embedded Content

Certain third-party tools integrated into the Platform (e.g., maps, video players, payment widgets) may set their own cookies when their content is loaded. XB2BX does not control these third-party cookies and you should refer to the relevant third party's cookie policy. We minimise third-party cookie use and conduct regular audits of all cookies present on the Platform. A full list of cookies in use is available via the Cookie Preference Centre.

🔐
05 / Technical Safeguards

Technical Security Measures

Industry-leading technical and organisational security controls protecting all Platform data

Data at Rest: AES-256
Data in Transit: TLS 1.3+
API Security: OAuth 2.0
Uptime SLA: 99.9%
Pen Testing: Quarterly
Backups: Daily + GEO
Monitoring: 24/7 SOC

🔑
Encryption at Rest
  • AES-256 encryption for all stored databases and file systems
  • Encryption keys managed in Hardware Security Modules (HSMs)
  • Key rotation on a documented schedule per security policy
  • Payment card data tokenised — never stored in plain text
🌐
Encryption in Transit
  • TLS 1.2 minimum; TLS 1.3 enforced for all endpoints
  • HTTPS across all Platform domains with HSTS enforcement
  • Certificate pinning applied to mobile API communications
  • Perfect Forward Secrecy (PFS) enabled on all TLS connections
🛡️
Infrastructure Security
  • ISO 27001-certified cloud hosting infrastructure
  • Web Application Firewall (WAF) protecting all endpoints
  • DDoS protection with real-time traffic scrubbing
  • Zero-trust network architecture and micro-segmentation
🤖
AI Threat Detection
  • ML-powered anomaly and intrusion detection (24/7)
  • Real-time behavioural analysis of all account activity
  • Automated blocking of suspicious IP ranges and patterns
  • Continuous vulnerability scanning and SIEM integration
📋
Security Audits & Testing
  • Quarterly independent penetration testing (OWASP methodology)
  • Annual third-party ISO 27001 security audit
  • Bug bounty programme for responsible disclosure
  • Code security reviews for every major Platform release
🔄
Backup & Business Continuity
  • Daily automated encrypted backups to geographically separate locations
  • Recovery Point Objective (RPO): < 4 hours
  • Recovery Time Objective (RTO): < 8 hours
  • Business Continuity Plan reviewed and tested annually
🔓
06 / Access Management

Access Control & Authentication

Controls governing who can access personal data and under what conditions
6.1 — User Authentication Standards
  • Multi-Factor Authentication (MFA) is mandatory for all Seller accounts and high-value Buyer accounts; strongly recommended for all Users
  • Passwords must meet minimum complexity requirements (length, character diversity) enforced at creation and reset
  • Sessions are automatically terminated after inactivity (default: 30 minutes; configurable by User)
  • Concurrent session limits enforced to prevent credential sharing
  • Brute force protection via rate limiting, CAPTCHA, and account lockout after repeated failed attempts
  • Account takeover prevention using device fingerprinting and anomaly detection
6.2 — Internal Access Controls (Staff)
  • Role-Based Access Control (RBAC): staff may access only the data strictly necessary for their role (principle of least privilege)
  • All internal access to production data is logged, timestamped, and auditable by the DPO and Security team
  • Privileged access to production systems requires additional authentication and separate managerial approval
  • Access rights reviewed quarterly and immediately revoked upon role change, departure, or disciplinary action
  • Zero-trust architecture: no implicit trust, all access requires authentication regardless of network location
6.3 — Employee & Contractor Security Requirements
  • Mandatory data protection and cybersecurity training upon onboarding and at least annually thereafter; records kept
  • Background checks (DBS/CRB or local equivalent) conducted for all roles with access to sensitive personal or financial data
  • All staff and contractors sign binding confidentiality and data protection agreements before any data access is granted
  • Clear Desk and Clear Screen policies enforced for all on-site personnel; no personal data on unsecured devices
  • Security incidents caused by employee negligence or deliberate misconduct are subject to disciplinary action, including summary dismissal and potential criminal referral
  • Bring-Your-Own-Device (BYOD) policy prohibits storage of personal data on personal devices; MDM controls applied to approved devices
🕐
07 / Data Lifecycle

Data Retention & Secure Deletion

How long we hold different categories of data and how it is securely destroyed at end of life

XB2BX retains personal and business data only for as long as necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable law. Retention periods are defined in our Records Retention Schedule, reviewed annually, and enforced by automated deletion routines.

Data Category | Retention Period | Legal Basis for Retention | Deletion Method
Transaction records & invoices | 7 years from transaction date | Tax law, Companies Act, accounting obligations (HMRC & equivalents) | Secure wipe + certificate
KYC/KYB verification documents | 5 years after end of business relationship | AML/CTF Regulations, FATF Recommendation 11, local AML law | Secure wipe + certificate
AML records & SARs | 5 years (extensible by regulatory order) | Proceeds of Crime Act 2002; AML Regulations; FATF | Secure wipe + regulator consent
Platform messages & communications | 3 years after last interaction | Dispute resolution; legitimate interests; contract claims period | Automated secure deletion
Account & profile data | Duration of account + 2 years post-closure | Contract; statute of limitations; legal claims | Automated deletion + audit log retained
Technical & server log data | 12 months | Security monitoring; legitimate interests; incident investigation | Rolling automated deletion
Marketing consent records | Until consent withdrawn + 3 years (proof of consent) | Demonstrating lawful basis for marketing (GDPR accountability principle) | Secure wipe of consent record only
Cookie & analytics data | Maximum 13 months | ePrivacy Directive; GDPR; ICO guidance | Automated expiry + deletion
Support & dispute correspondence | 3 years from resolution | Legitimate interests; legal claims period | Automated secure deletion
DSAR records & responses | 3 years from response date | Demonstrating GDPR compliance; defending supervisory authority investigations | Secure wipe
7.1 — Secure Deletion Procedure

Upon expiry of the applicable retention period, or upon receipt of a valid and verified erasure request, XB2BX permanently deletes personal data using NIST SP 800-88 compliant data destruction methods. Physical storage media is degaussed and physically destroyed before disposal by certified contractors. All deletions are logged in our Records Management System and certificates of destruction are retained for a minimum of 3 years. Where automated deletion is not technically possible within the same timeframe (e.g., archived backups), the data is quarantined and access restricted until the next deletion cycle.

7.2 — Retention Where Erasure Is Restricted

Your right to erasure (see §09) does not override legal obligations to retain data. Where we are required by law to retain data (e.g., AML records, tax records), we will inform you and explain the applicable legal obligation. We will, however, suppress the data from active processing and restrict access to only those with a legal need to access it.

🌍
08 / Cross-Border Data

International Data Transfers

How we protect your data when it is transferred internationally, and the safeguards we apply

As a global marketplace operating in 180+ countries, XB2BX may need to transfer personal data to countries outside the UK and European Economic Area (EEA) to provide Platform services. All international transfers are governed by strict legal mechanisms to ensure data remains protected to the standard required under UK/EU GDPR.

📄
Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Agreements (IDTAs) and EU SCCs (2021 version) applied to all transfers
  • Transfer Impact Assessments (TIAs) conducted for each transfer destination
  • Supplementary technical measures applied where TIA identifies elevated risk
Adequacy Decisions
  • Transfers to adequacy-approved countries proceed without additional safeguards
  • Approved countries include: EU/EEA, UK, Switzerland, Israel, Japan, South Korea, New Zealand, and others as updated by the ICO/EC
  • Adequacy status monitored and transfers reviewed if adequacy is revoked
📋
Binding Corporate Rules & Other Mechanisms
  • Intra-group transfers covered by internal data transfer agreements aligned to BCR principles
  • All group entities bound to equivalent data protection standards
  • Derogations under Art. 49 GDPR applied only in specific, documented circumstances
8.1 — High-Risk Country Transfers

XB2BX does not transfer personal data to countries where adequate protection cannot be ensured, nor to countries subject to comprehensive international sanctions. Where a User's business operations involve territories subject to specific data sovereignty laws (e.g., Russia's Federal Law No. 242-FZ on data localisation, China's PIPL requirements, or India's DPDP Act), XB2BX will apply appropriate localisation and cross-border transfer measures. Users in such jurisdictions should contact legal@xb2bx.com for details of specific measures applied to their data.

👥
09 / Data Subject Rights

Your Data Protection Rights

All rights available to individuals under GDPR, UK GDPR, CCPA and equivalent international law

XB2BX is committed to making it straightforward to exercise your data protection rights. Submit all rights requests to privacy@xb2bx.com or use the self-service rights portal within your Account Settings. We respond within the legally required timeframe — typically one calendar month under GDPR (extendable by two further months for complex or numerous requests, with written notification).

🔍 Right of Access (GDPR Art. 15 / UK GDPR / CCPA; response time: 1 month)
Obtain confirmation that your personal data is being processed; receive a full copy of all personal data held about you along with information about purposes, recipients, retention periods, and your rights.

✏️ Right to Rectification (GDPR Art. 16; response time: 1 month)
Correct inaccurate or incomplete personal data held about you. We will also notify third-party processors of the correction where technically feasible.

🗑️ Right to Erasure (GDPR Art. 17; response time: 1 month)
Request deletion of personal data in defined circumstances: where consent is withdrawn, where data is no longer necessary, or where processing was unlawful. Does not apply where retention is required by law (e.g., AML records, tax records).

▶️ Right to Portability (GDPR Art. 20; response time: 1 month)
Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV). Transmit it to another controller where technically feasible. Applies to data processed on consent or contract basis only.

🚫 Right to Object (GDPR Art. 21; response time: immediate for marketing)
Object to processing based on legitimate interests or for direct marketing. Marketing objections take effect immediately; other objections are assessed against our legitimate interests. Includes the right to object to automated decision-making and profiling.

⏸️ Right to Restriction (GDPR Art. 18; response time: 1 month)
Pause or restrict processing while accuracy is contested, an objection is pending, or processing was unlawful but you do not want erasure. Data remains stored but is not actively processed.

🤖 Automated Decisions (GDPR Art. 22; response time: 1 month)
Not to be subject to solely automated decisions that produce legal or similarly significant effects, including profiling. Where such processing occurs, you have the right to human review, to express your point of view, and to contest the decision.
9.1 — CCPA Rights (California Residents)

California residents additionally have the right to: (i) know what personal information is collected and how it is used; (ii) delete personal information (with exceptions); (iii) opt-out of the sale or sharing of personal information (XB2BX does not sell personal information); (iv) non-discrimination for exercising privacy rights; (v) correct inaccurate personal information; and (vi) limit use of sensitive personal information. Submit CCPA requests to privacy@xb2bx.com with "CCPA Request" in the subject line.

9.2 — Identity Verification for Rights Requests

To protect your data, XB2BX must verify your identity before processing any rights request. We will ask you to confirm information associated with your account. Where verification is not possible, we may be unable to fulfil the request. We will never use data collected for verification purposes for any other purpose. Requests on behalf of another person must include written authorisation or proof of legal authority.

📬
10 / DSAR Process

Data Subject Access Request (DSAR) Process

Step-by-step guide to submitting a DSAR and what to expect from XB2BX

A Data Subject Access Request (DSAR) is your right to obtain a copy of the personal data XB2BX holds about you, along with supporting information. XB2BX provides this information free of charge in the majority of cases and responds within one calendar month of receiving a valid, verified request.

01
Submit Your Request
Email privacy@xb2bx.com with subject "DSAR Request", or use the self-service form in your Account Settings under Privacy & Data. Include your full name, registered email address, and the specific data or information you are requesting.
02
Identity Verification
We will confirm receipt within 3 business days and may ask for additional information to verify your identity. This step protects your data from being disclosed to an unauthorised third party.
03
Request Processing
Our DPO team searches all relevant systems, databases, and archives for personal data associated with your identity. Third-party processors are also contacted where necessary.
04
Review & Redaction
Data is reviewed to ensure third-party personal data (e.g., other Users' information) is appropriately redacted, and to identify any legal exemptions that may apply to withholding specific data.
05
Secure Response
Your data is delivered securely within one calendar month via an encrypted, password-protected file or a secure access link. The response will include a summary of processing activities, data categories, retention periods, and recipients.
06
Follow-Up & Escalation
If you are unsatisfied with the response, you may request a review by our DPO. If still unsatisfied, you have the right to lodge a complaint with the ICO (UK) or relevant supervisory authority in your jurisdiction.
10.1 — Timeframes & Fees
  • Standard DSAR: Response within 1 calendar month from date of valid request
  • Complex/Numerous requests: Extension of up to 2 further months with written notification within 1 month
  • Fee: Free of charge in all standard cases. A reasonable administrative fee may be charged only for manifestly unfounded or excessive requests (documented justification provided)
  • Refusal: Where XB2BX refuses a request (in full or part), we will inform you in writing with reasons and your right to complain to the ICO
10.2 — DSAR Exemptions

Certain data may be withheld or redacted where it would: reveal personal data of another identifiable individual; disclose legally privileged information; prejudice the prevention or detection of crime; disclose information that XB2BX is legally prohibited from disclosing (e.g., tipping-off restrictions under AML law); or where the request is considered manifestly unfounded or excessive. All exemptions are documented and communicated to the Data Subject.

🚨
11 / Breach Management

Security Incident & Breach Response

How XB2BX detects, contains, investigates, and notifies data security incidents and personal data breaches

XB2BX maintains a documented Incident Response Plan (IRP), reviewed and tested annually, to ensure rapid, effective, and legally compliant responses to all data security incidents. The IRP is aligned with NIST SP 800-61, GDPR Articles 33 and 34, and UK ICO guidance on personal data breach notification.

T+0
Detection & Immediate Triage
Incident detected via automated SIEM alerts, anomaly detection, third-party notification, or internal report. Security team immediately triages severity, scope, and categories of data potentially affected. Incident Response Team activated within 1 hour of confirmed detection. Incident log opened.
T+4h
Containment & Evidence Preservation
Affected systems isolated to prevent further data loss. Forensic investigation commenced to determine root cause, attack vector, extent of breach, and data subjects potentially affected. Legal team and DPO engaged. Evidence chain of custody established. Affected credentials and access tokens revoked.
T+24h
Investigation, Risk Assessment & Escalation
Full incident report prepared for senior management and DPO. Formal GDPR breach risk assessment conducted per ICO four-factor test. Preliminary determination made whether breach triggers notification obligations. Remediation plan drafted and approved. Affected Users identified where possible.
T+72h
Regulatory Notification (Where Required)
Where the breach is likely to result in risk to individuals' rights and freedoms, mandatory notification is submitted to the relevant supervisory authority (ICO for UK; relevant DPA for EU) within 72 hours of becoming aware, per GDPR Article 33. Notification includes: nature of breach; categories and approximate number of individuals affected; likely consequences; measures taken or proposed. If the full facts are not yet established within the 72-hour window, an initial notification is submitted with a commitment to provide further details in phases.
ASAP
Individual Notification (High-Risk Breaches)
Where the breach is likely to result in high risk to affected individuals (e.g., risk of identity fraud, financial loss, or significant harm), those individuals are notified directly, without undue delay, per GDPR Article 34. Notification includes: plain language description of the breach; likely consequences; measures taken; and DPO contact details. XB2BX will never delay notification to manage reputational concerns.
Post
Post-Incident Review & Remediation
Full root-cause analysis conducted within 30 days. Security controls updated to prevent recurrence. Lessons learned documented and shared with relevant teams. Regulatory authority kept updated on remediation progress. Incident Report retained in the ROPA for supervisory authority inspection. User-facing communications issued where appropriate.
11.1 — Report a Security Concern

If you discover or suspect a security vulnerability, data breach, or unauthorised access to XB2BX systems or your account, report it immediately to security@xb2bx.com. XB2BX operates a responsible disclosure policy and will not take legal action against researchers or users who report vulnerabilities in good faith. Do not attempt to exploit any vulnerability — report it and we will respond within 24 hours.

🤝
12 / Vendors & Partners

Third-Party & Vendor Data Management

How XB2BX manages data shared with third-party service providers and sub-processors

XB2BX engages carefully selected third-party service providers ("Data Processors") to deliver specific Platform functions. We impose strict contractual data protection obligations on all processors and conduct due diligence assessments before engagement and annually thereafter.

12.1 — Processor Contractual Requirements
  • All processors must execute a Data Processing Agreement (DPA) compliant with GDPR Art. 28 before any data is shared
  • Processors may only process data on documented written instructions from XB2BX; they may not use data for their own purposes
  • Processors must implement appropriate technical and organisational security measures as a contractual obligation
  • Sub-processor engagement by our processors requires prior written approval from XB2BX; sub-processors are bound to the same standards
  • Processors must assist XB2BX in fulfilling DSAR and data subject rights requests within required timeframes
  • Processors must notify XB2BX of any personal data breach within 24 hours of discovery
  • Processors must cooperate with audits and make available all necessary compliance evidence upon request
12.2 — Categories of Third-Party Processors
  • Payment processors (PCI-DSS Level 1 certified)
  • KYC/KYB identity verification and AML screening services
  • Cloud infrastructure providers (ISO 27001 certified)
  • Email, SMS, and communications delivery platforms
  • Analytics and fraud detection services
  • Customer support and CRM platforms
  • Translation and localisation services (where relevant)
  • Legal, compliance, and audit service providers
  • Logistics and trade finance integration partners
12.3 — Our Absolute Commitment: No Sale of Personal Data

XB2BX does not and will never sell, rent, lease, broker, or otherwise transfer personal data to any third party for commercial, marketing, or advertising purposes. Data is shared with processors solely to deliver contracted Platform services. Any sharing for purposes beyond those described in this Policy requires explicit, specific, and informed consent from the Data Subject. All third-party processors are contractually prohibited from using XB2BX User data for any independent purpose, including profiling, advertising targeting, or sale to further parties.

12.4 — Legal Disclosures to Authorities

XB2BX may be required to disclose personal data to law enforcement agencies, regulatory authorities, courts, or other public bodies in response to: (i) a valid legal order, court order, or statutory demand; (ii) a request from a regulatory authority with jurisdiction over XB2BX; (iii) circumstances where disclosure is necessary to prevent or detect crime or protect national security. XB2BX will, where legally permitted, notify the Data Subject of any such disclosure. We review all requests carefully and will resist overbroad or legally deficient demands.

📣
13 / Marketing Communications

Marketing, Communications & Profiling

How XB2BX communicates with Users for marketing purposes and how to manage your preferences
13.1 — Consent-Based Marketing Only

XB2BX only sends marketing and promotional communications where you have given explicit, freely given, informed, and specific consent (GDPR Art. 6(1)(a)). We will never add you to marketing lists without your affirmative opt-in. Each marketing communication contains a clear and easily accessible one-click unsubscribe link. Withdrawing consent does not affect Platform services.

13.2 — Legitimate Interest Communications

Certain service-related communications (e.g., order confirmations, KYC updates, security alerts, policy updates, transaction receipts, and Account notifications) are sent on the basis of contract or legitimate interests and cannot be opted out of while you maintain an active Account. These are not marketing communications and are strictly functional.

13.3 — Managing Your Communication Preferences
  • Update all marketing preferences at any time via Account Settings → Notifications & Privacy
  • Click the one-click unsubscribe link in any marketing email to opt out of that specific campaign type
  • Email privacy@xb2bx.com with "Unsubscribe" and your registered email to be removed from all marketing lists within 48 hours
  • SMS opt-outs: reply STOP to any XB2BX SMS message
  • Note: unsubscribing from marketing does not affect transactional or service communications which are required for your Account to function
13.4 — Profiling & Automated Decision-Making

XB2BX may use automated processing (including profiling based on browsing behaviour, transaction history, and platform interactions) to personalise your experience, recommend relevant products and suppliers, detect fraud, and assess creditworthiness (where applicable). Where such profiling produces legal or similarly significant effects, you have the right to request human review, to express your point of view, and to contest the automated decision. Profiling for marketing purposes is only conducted with your explicit consent and can be withdrawn at any time.

🧒
14 / Minors

Children's Data & Age Restriction Policy

Platform restrictions regarding minors and XB2BX's absolute prohibition on processing children's data

14.1 — Absolute Age Restriction

XB2BX is a business-to-business (B2B) platform intended exclusively for adults aged 18 years or over, acting in a legitimate commercial capacity. XB2BX does not knowingly collect, process, or store personal data of any individual under the age of 18. If XB2BX becomes aware that personal data of an individual under 18 has been collected — whether through registration, KYC, or any other means — that data will be deleted immediately and permanently without exception.

By registering on or using the Platform, all Users confirm and warrant that they are at least 18 years of age and are acting in a lawful commercial capacity. Age verification may be required as part of mandatory KYC/KYB processes. If you have reason to believe that a minor has registered on the Platform or that a minor's data is being processed, please notify us immediately and urgently at dpo@xb2bx.com with the subject line "Child Data — Urgent". We will investigate and act within 24 hours.

14.2 — Parental and Guardian Notification

If we discover that personal data belonging to a child under 18 has been processed, we will: (i) delete all such data immediately; (ii) notify the parent or guardian if contact details are available; (iii) investigate how the data was received; and (iv) take appropriate steps to prevent recurrence. We will also notify the relevant supervisory authority where required by applicable law.

🏛️
15 / Accountability

Governance, Accountability & DPO

XB2BX's data protection governance structure, DPO responsibilities, and accountability framework

Data Protection Officer (DPO)

XB2BX has appointed a qualified Data Protection Officer (DPO) who operates independently and reports directly to senior management. The DPO's responsibilities include: overseeing compliance with this Policy and applicable law; providing advice and guidance on data protection obligations; monitoring compliance and conducting internal audits; acting as the primary point of contact for supervisory authorities; managing DSARs; and conducting and documenting DPIAs. The DPO is accessible to all Users and staff.

Contact DPO: dpo@xb2bx.com

Privacy by Design & by Default

XB2BX embeds data protection into all new products, services, and system changes from the earliest design stage ("Privacy by Design and by Default", GDPR Art. 25). Data Protection Impact Assessments (DPIAs) are mandatory for all high-risk processing activities before implementation. Privacy considerations are a gate in our product development lifecycle — no high-risk processing feature may launch without a completed DPIA approved by the DPO.

DPIA Register available to supervisory authorities on request

15.1 — Record of Processing Activities (ROPA)

XB2BX maintains a comprehensive Record of Processing Activities (ROPA) as required by GDPR Article 30, documenting all categories of data processing, data flows, third-party processors, retention periods, legal bases, and security measures. The ROPA is reviewed quarterly and is available for inspection by supervisory authorities upon request. A summary of our processing activities is available to Data Subjects upon written request to the DPO.

15.2 — Policy Review & Updates

This Policy is reviewed at least annually and following any significant change to Platform operations, applicable law, regulatory guidance, or a material data incident. Minor clarifications and administrative updates may be made without notice. Material changes (those affecting your rights or the legal basis for processing) will be communicated to all registered Users by email at least 30 days before taking effect, with a summary of the changes. The current version of this Policy is always available at xb2bx.com/legal/privacy. Continued use of the Platform following notification of material changes constitutes acceptance of the revised Policy. If you do not accept a material change, you may close your account and exercise your data rights.

15.3 — UK ICO Registration

XB2BX LTD is registered as a Data Controller with the UK Information Commissioner's Office (ICO) under the Data Protection Act 2018. Our ICO registration number is available on request. We pay the applicable data protection fee annually and maintain our registration in good standing. Users may verify our registration via the ICO's Data Protection Register at ico.org.uk/ESDWebPages/Search.

📞
16 / Contact & Complaints

Contact, Complaints & Supervisory Authorities

How to reach XB2BX on data protection matters and how to escalate a complaint if you are not satisfied

XB2BX takes all data protection enquiries and complaints seriously. Please contact us in the first instance using the appropriate channel below — we aim to resolve all matters promptly, professionally, and fairly. If you are not satisfied with our response, you have the absolute right to escalate to the relevant supervisory authority.

16.1 — Postal Address

XB2BX LTD — Data Protection Officer
XB2BX Global Marketplace
England & Wales, United Kingdom
Registered company: England & Wales
Email: dpo@xb2bx.com  |  Web: xb2bx.com/legal/privacy

16.2 — UK Supervisory Authority (ICO)

If you are a UK resident and are not satisfied with how XB2BX has handled your personal data or responded to a rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time:

🌐 ico.org.uk
📞 0303 123 1113
📮 ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We encourage you to contact us first so we can resolve your concern directly.

16.3 — EU Supervisory Authorities

EU residents may lodge a complaint with their national data protection authority (DPA). A full list of EU DPAs is available at:

🌐 edpb.europa.eu/about-edpb/board/members_en

For international residents, equivalent local supervisory authorities apply. XB2BX will cooperate fully with any supervisory authority investigation and will not impede or delay any regulatory process.

Our Unwavering Commitment to Privacy

XB2BX is built on trust. Every buyer, seller, manufacturer, and partner operating across our global marketplace can be confident that their personal and business data is handled with the utmost integrity, protected by world-class security, and governed by the highest international standards of data protection. Privacy is not a compliance checkbox at XB2BX — it is a fundamental business value and a promise to every User we serve.