A complete, legally robust framework governing how XB2BX LTD collects, uses, protects, and respects the personal and business data of every User, partner, and visitor across our global marketplace in 180+ countries — fully aligned with GDPR, UK GDPR, CCPA, PDPL, PIPL, and all applicable international data protection law.
XB2BX LTD ("XB2BX", "we", "us", "our", "the Platform") is incorporated in England & Wales and operates XB2BX.COM — a global business-to-business (B2B) digital marketplace connecting buyers, suppliers, manufacturers, and trading agents across 180+ countries. This Privacy & Data Protection Policy ("Policy") governs all personal data and business data processed by XB2BX in connection with its Platform, websites, mobile applications, APIs, and related services.
XB2BX LTD acts as a Data Controller in respect of personal data collected directly from Users and visitors. As Data Controller, XB2BX determines the purposes and means of processing and bears primary responsibility for compliance with applicable data protection law.
Where XB2BX processes personal data on behalf of business Users for specific platform functions (e.g., processing customer lists uploaded by Sellers), XB2BX acts as a Data Processor. In such cases, a Data Processing Agreement (DPA) governs the arrangement.
This Policy is designed to comply with and exceed the requirements of: EU GDPR (2016/679), UK GDPR and the Data Protection Act 2018, California Consumer Privacy Act (CCPA) as amended by the CPRA, Brazil LGPD, Saudi Arabia PDPL, China PIPL, Thailand PDPA, and all other applicable national and regional data protection laws. Where local law imposes stricter requirements, those requirements shall prevail. Data Processing Agreements are available upon request to dpo@xb2bx.com.
XB2BX applies the principle of data minimisation: we collect only information strictly necessary to provide Platform services, meet legal obligations, and protect platform security. We do not sell, rent, or trade personal data for commercial purposes.
XB2BX does not intentionally collect special category data (including racial or ethnic origin, political opinions, religious beliefs, biometric data, health data, genetic data, or data concerning sexual orientation or criminal convictions) unless strictly required for compliance obligations (e.g., identity document processing for KYC). Where such data is incidentally received, it is deleted immediately unless legally mandated for retention. Any processing of special category data is conducted under GDPR Article 9 with appropriate safeguards and documented justification.
XB2BX processes personal data only where a valid lawful basis exists under applicable data protection law. We do not rely on consent where another basis applies, ensuring our obligations are robust and independent of User preference withdrawal. Where we rely on legitimate interests, we have conducted and documented a balancing test.
| Processing Activity | Lawful Basis (GDPR Art. 6) | Details & Justification |
|---|---|---|
| Account registration & management | Contract — Art. 6(1)(b) | Necessary to provide contracted Platform services to the User |
| KYC/KYB identity verification | Legal Obligation — Art. 6(1)(c) | AML/CTF regulations, FATF Recommendations, and applicable law require identity verification |
| Payment processing & invoicing | Contract — Art. 6(1)(b) | Required to execute, settle, and record commercial transactions |
| Fraud prevention & sanctions screening | Legal Obligation + Legitimate Interests — Art. 6(1)(c) and (f) | Regulatory compliance; protecting the Platform and its Users from financial crime |
| Platform analytics & performance improvement | Legitimate Interests — Art. 6(1)(f) | Improving services and user experience; subject to objection rights; balanced against User interests |
| Marketing & promotional communications | Consent — Art. 6(1)(a) | Only where explicit, freely given, specific, and informed opt-in consent has been obtained; withdrawable at any time |
| Legal claims & dispute resolution | Legitimate Interests — Art. 6(1)(f) | Establishing, exercising, or defending legal claims; maintaining records of disputes |
| Tax, accounting & statutory records | Legal Obligation — Art. 6(1)(c) | Companies Act, HMRC requirements, and equivalent international accounting obligations |
| Platform security monitoring | Legitimate Interests — Art. 6(1)(f) | Protecting users, data, and platform integrity from cyber threats and unauthorised access |
| Customer support & communications | Contract + Legitimate Interests — Art. 6(1)(b) and (f) | Responding to support requests and maintaining business relationships |
Where processing is based on consent (e.g., marketing emails), you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawal does not affect processing based on other lawful bases (e.g., contract or legal obligation). To withdraw consent, use the unsubscribe link in any marketing email, update your Platform preferences, or contact privacy@xb2bx.com.
XB2BX uses cookies and similar tracking technologies (including web beacons, pixel tags, and local storage) to operate the Platform, remember your preferences, understand how the Platform is used, and to deliver relevant communications. Your use of the Platform is subject to this Cookie Policy.
Cookies are small text files placed on your device when you visit a website. They allow the website to recognise your device on subsequent visits. Some cookies are essential for the Platform to function; others are used to improve your experience or support analytics and marketing. XB2BX uses both session cookies (deleted when you close your browser) and persistent cookies (which remain on your device until they expire or you delete them).
Certain third-party tools integrated into the Platform (e.g., maps, video players, payment widgets) may set their own cookies when their content is loaded. XB2BX does not control these third-party cookies and you should refer to the relevant third party's cookie policy. We minimise third-party cookie use and conduct regular audits of all cookies present on the Platform. A full list of cookies in use is available via the Cookie Preference Centre.
XB2BX retains personal and business data only for as long as necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable law. Retention periods are defined in our Records Retention Schedule, reviewed annually, and enforced by automated deletion routines.
| Data Category | Retention Period | Legal Basis for Retention | Deletion Method |
|---|---|---|---|
| Transaction records & invoices | 7 years from transaction date | Tax law, Companies Act, accounting obligations (HMRC & equivalents) | Secure wipe + certificate |
| KYC/KYB verification documents | 5 years after end of business relationship | AML/CTF Regulations, FATF Recommendation 11, local AML law | Secure wipe + certificate |
| AML records & SARs | 5 years (extensible by regulatory order) | Proceeds of Crime Act 2002; AML Regulations; FATF | Secure wipe + regulator consent |
| Platform messages & communications | 3 years after last interaction | Dispute resolution; legitimate interests; contract claims period | Automated secure deletion |
| Account & profile data | Duration of account + 2 years post-closure | Contract; statute of limitations; legal claims | Automated deletion + audit log retained |
| Technical & server log data | 12 months | Security monitoring; legitimate interests; incident investigation | Rolling automated deletion |
| Marketing consent records | Until consent withdrawn + 3 years (proof of consent) | Demonstrating lawful basis for marketing (GDPR accountability principle) | Secure wipe of consent record only |
| Cookie & analytics data | Maximum 13 months | ePrivacy Directive; GDPR; ICO guidance | Automated expiry + deletion |
| Support & dispute correspondence | 3 years from resolution | Legitimate interests; legal claims period | Automated secure deletion |
| DSAR records & responses | 3 years from response date | Demonstrating GDPR compliance; defending supervisory authority investigations | Secure wipe |
Upon expiry of the applicable retention period, or upon receipt of a valid and verified erasure request, XB2BX permanently deletes personal data using NIST SP 800-88 compliant data destruction methods. Physical storage media are degaussed and physically destroyed before disposal by certified contractors. All deletions are logged in our Records Management System and certificates of destruction are retained for a minimum of 3 years. Where automated deletion is not technically possible within the same timeframe (e.g., archived backups), the data is quarantined and access restricted until the next deletion cycle.
Your right to erasure (see §09) does not override legal obligations to retain data. Where we are required by law to retain data (e.g., AML records, tax records), we will inform you and explain the applicable legal obligation. We will, however, suppress the data from active processing and restrict access to only those with a legal need to access it.
As a global marketplace operating in 180+ countries, XB2BX may need to transfer personal data to countries outside the UK and European Economic Area (EEA) to provide Platform services. All international transfers are governed by strict legal mechanisms to ensure data remains protected to the standard required under UK/EU GDPR.
XB2BX does not transfer personal data to countries where adequate protection cannot be ensured, nor to countries subject to comprehensive international sanctions. Where a User's business operations involve territories subject to specific data sovereignty laws (e.g., Russia's Federal Law No. 242-FZ on data localisation, China's PIPL requirements, or India's DPDP Act), XB2BX will apply appropriate localisation and cross-border transfer measures. Users in such jurisdictions should contact legal@xb2bx.com for details of specific measures applied to their data.
XB2BX is committed to making it straightforward to exercise your data protection rights. Submit all rights requests to privacy@xb2bx.com or use the self-service rights portal within your Account Settings. We respond within the legally required timeframe — typically one calendar month under GDPR (extendable by two further months for complex or numerous requests, with written notification).
California residents additionally have the right to: (i) know what personal information is collected and how it is used; (ii) delete personal information (with exceptions); (iii) opt out of the sale or sharing of personal information (XB2BX does not sell personal information); (iv) non-discrimination for exercising privacy rights; (v) correct inaccurate personal information; and (vi) limit use of sensitive personal information. Submit CCPA requests to privacy@xb2bx.com with "CCPA Request" in the subject line.
To protect your data, XB2BX must verify your identity before processing any rights request. We will ask you to confirm information associated with your account. Where verification is not possible, we may be unable to fulfil the request. We will never use data collected for verification purposes for any other purpose. Requests on behalf of another person must include written authorisation or proof of legal authority.
A Data Subject Access Request (DSAR) is your right to obtain a copy of the personal data XB2BX holds about you, along with supporting information. XB2BX provides this information free of charge in the majority of cases and responds within one calendar month of receiving a valid, verified request.
Certain data may be withheld or redacted where it would: reveal personal data of another identifiable individual; disclose legally privileged information; prejudice the prevention or detection of crime; disclose information that XB2BX is legally prohibited from disclosing (e.g., tipping-off restrictions under AML law); or where the request is considered manifestly unfounded or excessive. All exemptions are documented and communicated to the Data Subject.
XB2BX maintains a documented Incident Response Plan (IRP), reviewed and tested annually, to ensure rapid, effective, and legally compliant responses to all data security incidents. The IRP is aligned with NIST SP 800-61, GDPR Articles 33 and 34, and UK ICO guidance on personal data breach notification.
If you discover or suspect a security vulnerability, data breach, or unauthorised access to XB2BX systems or your account, report it immediately to security@xb2bx.com. XB2BX operates a responsible disclosure policy and will not take legal action against researchers or users who report vulnerabilities in good faith. Do not attempt to exploit any vulnerability — report it and we will respond within 24 hours.
XB2BX engages carefully selected third-party service providers ("Data Processors") to deliver specific Platform functions. We impose strict contractual data protection obligations on all processors and conduct due diligence assessments before engagement and annually thereafter.
XB2BX does not and will never sell, rent, lease, broker, or otherwise transfer personal data to any third party for commercial, marketing, or advertising purposes. Data is shared with processors solely to deliver contracted Platform services. Any sharing for purposes beyond those described in this Policy requires explicit, specific, and informed consent from the Data Subject. All third-party processors are contractually prohibited from using XB2BX User data for any independent purpose, including profiling, advertising targeting, or sale to further parties.
XB2BX may be required to disclose personal data to law enforcement agencies, regulatory authorities, courts, or other public bodies in response to: (i) a valid legal order, court order, or statutory demand; (ii) a request from a regulatory authority with jurisdiction over XB2BX; (iii) circumstances where disclosure is necessary to prevent or detect crime or protect national security. XB2BX will, where legally permitted, notify the Data Subject of any such disclosure. We review all requests carefully and will resist overbroad or legally deficient demands.
XB2BX only sends marketing and promotional communications where you have given explicit, freely given, informed, and specific consent (GDPR Art. 6(1)(a)). We will never add you to marketing lists without your affirmative opt-in. Each marketing communication contains a clear and easily accessible one-click unsubscribe link. Withdrawing consent does not affect Platform services.
Certain service-related communications (e.g., order confirmations, KYC updates, security alerts, policy updates, transaction receipts, and Account notifications) are sent on the basis of contract or legitimate interests and cannot be opted out of while you maintain an active Account. These are not marketing communications and are strictly functional.
XB2BX may use automated processing (including profiling based on browsing behaviour, transaction history, and platform interactions) to personalise your experience, recommend relevant products and suppliers, detect fraud, and assess creditworthiness (where applicable). Where such profiling produces legal or similarly significant effects, you have the right to request human review, to express your point of view, and to contest the automated decision. Profiling for marketing purposes is only conducted with your explicit consent and can be withdrawn at any time.
XB2BX is a business-to-business (B2B) platform intended exclusively for adults aged 18 years or over, acting in a legitimate commercial capacity. XB2BX does not knowingly collect, process, or store personal data of any individual under the age of 18. If XB2BX becomes aware that personal data of an individual under 18 has been collected — whether through registration, KYC, or any other means — that data will be deleted immediately and permanently without exception.
By registering on or using the Platform, all Users confirm and warrant that they are at least 18 years of age and are acting in a lawful commercial capacity. Age verification may be required as part of mandatory KYC/KYB processes. If you have reason to believe that a minor has registered on the Platform or that a minor's data is being processed, please notify us immediately and urgently at dpo@xb2bx.com with the subject line "Child Data — Urgent". We will investigate and act within 24 hours.
If we discover that personal data belonging to a child under 18 has been processed, we will: (i) delete all such data immediately; (ii) notify the parent or guardian if contact details are available; (iii) investigate how the data was received; and (iv) take appropriate steps to prevent recurrence. We will also notify the relevant supervisory authority where required by applicable law.
XB2BX has appointed a qualified Data Protection Officer (DPO) who operates independently and reports directly to senior management. The DPO's responsibilities include: overseeing compliance with this Policy and applicable law; providing advice and guidance on data protection obligations; monitoring compliance and conducting internal audits; acting as the primary point of contact for supervisory authorities; managing DSARs; and conducting and documenting DPIAs. The DPO is accessible to all Users and staff.
Contact DPO: dpo@xb2bx.com
XB2BX embeds data protection into all new products, services, and system changes from the earliest design stage ("Privacy by Design and by Default", GDPR Art. 25). Data Protection Impact Assessments (DPIAs) are mandatory for all high-risk processing activities before implementation. Privacy considerations are a gate in our product development lifecycle — no high-risk processing feature may launch without a completed DPIA approved by the DPO.
DPIA Register available to supervisory authorities on request
XB2BX maintains a comprehensive Record of Processing Activities (ROPA) as required by GDPR Article 30, documenting all categories of data processing, data flows, third-party processors, retention periods, legal bases, and security measures. The ROPA is reviewed quarterly and is available for inspection by supervisory authorities upon request. A summary of our processing activities is available to Data Subjects upon written request to the DPO.
This Policy is reviewed at least annually and following any significant change to Platform operations, applicable law, regulatory guidance, or a material data incident. Minor clarifications and administrative updates may be made without notice. Material changes (those affecting your rights or the legal basis for processing) will be communicated to all registered Users by email at least 30 days before taking effect, with a summary of the changes. The current version of this Policy is always available at xb2bx.com/legal/privacy. Continued use of the Platform following notification of material changes constitutes acceptance of the revised Policy. If you do not accept a material change, you may close your account and exercise your data rights.
XB2BX LTD is registered as a Data Controller with the UK Information Commissioner's Office (ICO) under the Data Protection Act 2018. Our ICO registration number is available on request. We pay the applicable data protection fee annually and maintain our registration in good standing. Users may verify our registration via the ICO's Data Protection Register at ico.org.uk/ESDWebPages/Search.
XB2BX takes all data protection enquiries and complaints seriously. Please contact us in the first instance using the appropriate channel below — we aim to resolve all matters promptly, professionally, and fairly. If you are not satisfied with our response, you have the absolute right to escalate to the relevant supervisory authority.
XB2BX LTD — Data Protection Officer
XB2BX Global Marketplace
England & Wales, United Kingdom
Registered company: England & Wales
Email: dpo@xb2bx.com | Web: xb2bx.com/legal/privacy
If you are a UK resident and are not satisfied with how XB2BX has handled your personal data or responded to a rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time:
🌐 ico.org.uk
📞 0303 123 1113
📮 ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We encourage you to contact us first so we can resolve your concern directly.
EU residents may lodge a complaint with their national data protection authority (DPA). A full list of EU DPAs is available at:
🌐 edpb.europa.eu/about-edpb/board/members_en
For international residents, equivalent local supervisory authorities apply. XB2BX will cooperate fully with any supervisory authority investigation and will not impede or delay any regulatory process.
XB2BX is built on trust. Every buyer, seller, manufacturer, and partner operating across our global marketplace can be confident that their personal and business data is handled with the utmost integrity, protected by world-class security, and governed by the highest international standards of data protection. Privacy is not a compliance checkbox at XB2BX — it is a fundamental business value and a promise to every User we serve.