Privacy Policy

Privacy Policy — XB2BX Global Marketplace
In Effect · 1 January 2025

XB2BX LTD is the global B2B marketplace connecting buyers, suppliers, and manufacturers across 180+ countries. This policy explains how we collect, use, protect, and respect your personal data.

Controller: XB2BX LTD
Jurisdiction: England & Wales
Effective Date: 01-JAN-2025
Version: 3.1
Compliance Frameworks: UK GDPR · EU GDPR (2016/679) · CCPA / CPRA · LGPD (Brazil) · PDPA (Thailand) · POPIA (South Africa) · PIPL (China)
01

Introduction & Scope

This Privacy Policy ("Policy") applies to all products, services, websites, and applications operated by XB2BX LTD including www.xb2bx.com, www.xb2bx.co.uk, our mobile applications, APIs, and any affiliated portals (collectively, the "Platform").

This Policy governs the personal data of all individuals and business representatives who access or use our Platform, regardless of their geographic location. By using XB2BX services, you acknowledge that you have read and understood this Policy.

⚖ Important Legal Notice: If you are a business customer, a separate Data Processing Agreement (DPA) governs the processing of any personal data you submit on behalf of your employees, customers, or end-users. Please contact legal@xb2bx.com to execute a DPA.
02

Who We Are

Data Controller

XB2BX LTD is registered in England and Wales. We act as the Data Controller for personal data processed through our Platform. Where we process data on behalf of business customers, we act as a Data Processor under the terms of the applicable DPA.

Detail | Information
Company Name | XB2BX LTD
Registration | England & Wales
Platforms | www.xb2bx.com · www.xb2bx.co.uk
DPO Contact | dpo@xb2bx.com
General Privacy | privacy@xb2bx.com
03

Data We Collect

We collect data through multiple channels. The table below sets out each category, specific data types, and the basis on which it is collected.

Category | Examples | Source | Basis
Identity Data | Name, username, company name, job title | Directly from you | Contract
Contact Data | Email, phone, business address, country | Directly from you | Contract
Account Data | Username, encrypted password, KYB/KYC documents | Directly from you | Contract; Legal Obligation
Transaction Data | Orders, invoices, payment records, trade history | Platform activity | Contract; Legal Obligation
Technical Data | IP address, device ID, browser type, OS, log files | Automated | Legitimate Interest
Usage Data | Page views, search queries, click-path, time on platform | Automated | Legitimate Interest
Communication Data | Messages, support tickets, live chat transcripts | Platform activity | Contract
Geolocation Data | Country, city (approximate); GPS (opt-in only) | Device / Automated | Consent
Marketing Data | Email preferences, campaign responses, opt-in records | Directly from you | Consent
Verification Data | Business registration docs, tax IDs, trade licences | Directly from you | Legal Obligation

✓ We Do Not Collect: We do not collect sensitive special-category personal data (health, biometric, racial, political, or religious data) unless explicitly required by law and with your express consent.
04

How We Use Your Data

Platform Operations
  • Create and manage your account; authenticate your identity
  • Facilitate B2B trade connections, RFQ matching, and order management
  • Process payments, issue invoices, and manage trade finance services
  • Operate supplier verification and KYB/KYC compliance checks
  • Deliver customer support, dispute resolution, and escrow services
  • Maintain platform uptime, security monitoring, and fraud prevention
Improvement & Analytics
  • Analyse usage patterns to improve platform features and performance
  • Conduct internal research and development on marketplace dynamics
  • Generate anonymised aggregate market intelligence reports
  • A/B testing of new features and interface improvements
Marketing & Communications (with Consent)
  • Send newsletters, trade alerts, and product updates where you have opted in
  • Personalise recommendations for suppliers, products, and trade opportunities
  • Notify you of policy updates, regulatory changes, and service announcements
Legal & Compliance
  • Comply with applicable trade, AML, and sanctions regulations
  • Respond to lawful requests from regulatory or law enforcement authorities
  • Enforce our Terms of Service and protect the rights of platform users
  • Maintain records required under financial services and commerce laws
05

Legal Basis for Processing

Under UK GDPR and EU GDPR, we must have a lawful basis for processing personal data. We rely on the following bases:

Basis | When We Rely On It
Performance of a Contract | Creating your account, processing transactions, fulfilling marketplace services
Legal Obligation | AML/KYC checks, tax reporting, regulatory submissions, data breach notification
Legitimate Interest | Platform security, fraud detection, internal analytics, improving services — where not overridden by your rights
Consent | Marketing emails, precise geolocation, non-essential cookies, special-category data
Vital Interest | Emergency situations requiring disclosure to protect the safety of individuals
Public Task | Cooperation with regulatory investigations in the public interest

✎ Right to Object: Where we rely on Legitimate Interest, you have the right to object. We will carry out a balancing test and cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
06

Sharing & Disclosure

We do not sell your personal data. We do not trade your information for advertising revenue. Data is shared only in the following strictly controlled circumstances:

With Other Platform Users
  • Business profile information (company name, country, product categories) visible to verified buyers/suppliers
  • Contact details shared only when you explicitly initiate a trade connection
  • Verified badge and trade history displayed to build marketplace trust
With Service Providers (Data Processors)
  • Cloud infrastructure (e.g. AWS, Azure) — hosting and data storage
  • Payment processors — transaction handling under PCI-DSS compliance
  • Identity verification providers — KYB/KYC document verification
  • Email delivery services — transactional and marketing communications
  • Analytics platforms — anonymised usage analysis
  • Fraud detection and cybersecurity vendors
All Third-Party Processors

All third-party processors are bound by written Data Processing Agreements (DPAs) requiring them to process data only on our documented instructions, maintain appropriate security measures, and notify us promptly of any data incidents. We maintain a complete ROPA as required by Article 30 of UK/EU GDPR.

With Authorities
  • Regulatory, tax, or law enforcement authorities where required by applicable law
  • Courts and legal advisors in connection with legal proceedings
  • Sanctions screening bodies as required under trade compliance regulations
🚫 We Never Sell or Rent Your Data: XB2BX does not and will never sell, rent, lease, or license your personal data to third parties for their own marketing or commercial purposes.
07

International Data Transfers

As a global marketplace operating in 180+ countries, XB2BX may transfer personal data outside the United Kingdom and European Economic Area (EEA). All such transfers use the following safeguards:

Transfer Mechanisms
  • UK Adequacy Decisions — transfers to countries approved by the UK Secretary of State
  • UK IDTAs — contractual protections for transfers to non-adequate countries
  • EU Standard Contractual Clauses (SCCs) — for transfers from EU/EEA users to third countries
  • Binding Corporate Rules (BCRs) — where applicable within group structures
  • Explicit Consent — where required and appropriate for one-off transfers
📄 Transfer Impact Assessments: We conduct Transfer Impact Assessments (TIAs) for all international transfers to assess risk and ensure appropriate supplementary safeguards, particularly for high-risk jurisdictions.
08

Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, or as required by applicable law.

Data Category | Retention Period | Rationale
Account & Identity Data | Account life + 7 years | Legal obligation / AML
Transaction & Financial Records | 7 years post-transaction | Tax & accounting law
KYB/KYC Verification Documents | 5 years post-relationship end | AML regulations
Communications & Support Records | 3 years | Dispute resolution
Technical & Log Data | 12 months | Security & fraud detection
Marketing Preferences | Until consent withdrawn + 3 years | Consent records
Anonymised Analytics | Indefinitely | No personal data involved
Deleted Account Data | 90 days then purged | Account recovery / legal hold

Upon expiry of the relevant retention period, data is securely deleted or irreversibly anonymised. We perform annual data audits to ensure compliance with our retention schedules.

09

Cookies & Tracking

We use cookies and similar tracking technologies on our Platform. You can manage your preferences at any time via our Cookie Preference Centre accessible in the footer of every page.

Cookie Type | Purpose | Duration | Can Be Disabled?
Strictly Necessary | Authentication, security, session management, CSRF protection | Session / 2 days | No (essential)
Functional | Language, display preferences, "Remember Me" login | 2 weeks | Yes
Analytics | Platform usage analysis, performance monitoring (anonymised) | 13 months | Yes
Marketing | Personalised recommendations, remarketing, campaign attribution | 90 days | Yes

✓ No Third-Party Advertising Cookies: We do not place third-party advertising cookies or allow external ad networks to track our users for their own purposes.
10

Your Data Rights

Depending on your jurisdiction, you hold the following rights. We respond to all verifiable requests within 30 days (extendable to 90 days for complex requests).

👁
Right of Access

Request a copy of all personal data we hold about you (Subject Access Request / SAR).

✏️
Right to Rectification

Correct inaccurate or incomplete personal data held in your account at any time.

🗑
Right to Erasure

Request deletion of your personal data where it is no longer necessary or lawfully retained.

Right to Restrict

Request restriction of processing while accuracy is contested or an objection is pending.

📦
Data Portability

Receive your data in a structured, machine-readable format to transfer to another controller.

🚫
Right to Object

Object to processing based on legitimate interest or direct marketing at any time.

🤖
Automated Decision-Making

Request human review of automated decisions that significantly affect you.

↩️
Withdraw Consent

Withdraw any previously given consent at any time without affecting prior processing.

How to Exercise Your Rights

Submit a request via your Account Privacy Dashboard, or email privacy@xb2bx.com. We may need to verify your identity before processing your request. There is no charge for most requests. If requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse, with explanation.

If you are dissatisfied with our response, you have the right to lodge a complaint with your supervisory authority — in the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

11

Security Measures

XB2BX applies technical and organisational security measures appropriate to the risk of processing. Our programme includes:

Technical Controls
  • AES-256 encryption for all data at rest; TLS 1.3 for all data in transit
  • Multi-factor authentication (MFA) enforced for all privileged accounts
  • Role-based access control (RBAC) with least-privilege principles
  • Continuous intrusion detection, SIEM logging, and 24/7 security monitoring
  • Regular penetration testing and vulnerability assessments by accredited third parties
  • Web Application Firewall (WAF) and DDoS mitigation
  • Isolated production environments with air-gapped backup systems
Organisational Controls
  • Mandatory data protection training for all staff with access to personal data
  • Data Protection Impact Assessments (DPIAs) for high-risk processing activities
  • Incident Response Plan with 72-hour breach notification (UK GDPR Art. 33)
  • Annual ISO 27001-aligned information security audits
  • Supplier security assessments and contractual security requirements
⚠ Data Breach Notification: In the event of a personal data breach likely to result in risk to your rights, we will notify you without undue delay and no later than 72 hours after becoming aware, in accordance with our regulatory obligations.
12

Children's Privacy

XB2BX is a business-to-business (B2B) platform intended exclusively for use by adults aged 18 years or older acting in a professional or commercial capacity. We do not knowingly collect personal data from individuals under 18.

If you believe that a minor has provided personal data through our Platform, please contact us immediately at privacy@xb2bx.com. We will promptly investigate and take steps to delete such data.

13

Business User Obligations

If you are a business using XB2BX, you acknowledge the following obligations when you submit personal data of third parties to our Platform:

  • You confirm you have a lawful basis for sharing such personal data with XB2BX
  • You have provided the relevant individuals with appropriate privacy notices regarding this sharing
  • You will execute a Data Processing Agreement (DPA) with XB2BX where required
  • You are responsible for ensuring the accuracy and currency of data you submit
  • You will promptly notify XB2BX of any data subject rights requests from individuals whose data you have shared
  • You will comply with applicable data protection laws in your jurisdiction, including those of your customers
14

AI, Automation & Profiling

XB2BX uses artificial intelligence and automated processing to enhance marketplace operations. This section explains how automated decisions may affect you.

Uses of Automated Processing
  • Supplier-buyer matching and RFQ recommendation algorithms
  • Fraud risk scoring and anomalous transaction detection
  • Account verification screening against sanctions lists (automated with human review)
  • Search ranking and personalised content surfacing
  • Spam and abuse detection in platform communications
🤖 Significant Automated Decisions: Where automated processing produces decisions with significant legal or similarly significant effects (e.g. account suspension, trade restriction), a qualified human reviews the decision before it takes effect. Contact appeals@xb2bx.com to request human review.
15

Policy Changes

We may update this Privacy Policy periodically to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

  • Publish the revised Policy with an updated effective date and version number
  • Notify registered users via email and/or in-Platform notice at least 30 days prior to changes taking effect
  • Where required, seek renewed consent for any materially new processing activities
  • Maintain an archive of all previous Policy versions accessible on our website

Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

16

Contact & DPO

Get in Touch

For any privacy enquiries, data subject rights requests, or concerns, contact our team. We are committed to responding within 72 hours.


🏛 Supervisory Authority — UK: You have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · Helpline: 0303 123 1113. For EU users, contact the supervisory authority in your EU member state of residence.
XB2BX
© 2025 XB2BX LTD. All rights reserved. Registered in England & Wales.
Privacy Policy v3.1 · Effective 1 January 2025
256-bit Encrypted · Secure Global Portal
www.xb2bx.com · www.xb2bx.co.uk