The following definitions apply throughout this Policy and all related XB2BX LTD documentation:

"Platform"

The XB2BX.COM website, mobile applications, APIs, and all associated digital services operated by XB2BX LTD.

"User"

Any individual, business representative, company, or automated system that accesses, registers with, or interacts with the Platform in any capacity.

"Personal Data"

Any information relating to an identified or identifiable natural person, including but not limited to: name, email address, IP address, device identifiers, transaction records, and behavioural data.

"Business Data"

Corporate registration details, trade documents, product listings, pricing information, and any commercially sensitive data submitted by registered companies.

"Controller"

XB2BX LTD, which determines the purposes and means of processing personal data.

"Processor"

Any third party that processes personal data on behalf of XB2BX LTD under a formal Data Processing Agreement.

"Data Breach"

Any confirmed or suspected unauthorised access, disclosure, alteration, loss, or destruction of personal or business data.

"DPO"

Data Protection Officer — the designated officer responsible for overseeing compliance with this Policy and applicable data protection laws.

XB2BX LTD maintains a dedicated Security & Compliance function with clear executive accountability. Ultimate responsibility for data protection and cybersecurity rests with the Board of Directors, supported by the following roles:

Policy Review & Updates

This Policy is reviewed annually or upon any significant change to our operations, technology, or applicable legislation. Users will be notified of material changes via:

• Email notification to all registered account holders
• Prominent banner notice on the XB2BX.COM homepage for a minimum of 30 days
• In-platform notification upon next login
• Version history published in the Policy Archive section of the website

Continued use of the Platform following notification of changes constitutes acceptance of the updated Policy.

Legal Basis for Processing

XB2BX LTD uses collected data exclusively for the following defined and documented purposes:

Core Platform Operations

• Creating, managing, and authenticating user accounts
• Facilitating trade introductions between buyers, suppliers, and manufacturers
• Processing RFQs, orders, and commercial enquiries
• Providing customer support and dispute resolution services
• Delivering contracted services including verification badges and premium listings

Trust, Safety & Compliance

• Know Your Business (KYB) and identity verification
• Anti-Money Laundering (AML) and sanctions screening against international watchlists
• Fraud detection, abuse prevention, and account integrity monitoring
• Enforcement of platform Terms & Conditions and this Policy
• Compliance with court orders, regulatory investigations, and law enforcement requests (where legally required)

Platform Development & Analytics

• Aggregated, anonymised analytics to improve platform performance and user experience
• A/B testing and feature development (using pseudonymised data sets)
• Market intelligence reports for the global trade community (no individual-level data)

What We Will Never Do

• Sell, lease, or otherwise transfer personal data to third parties for their commercial benefit
• Use personal data to make fully automated decisions with significant legal effect without human review
• Share business-sensitive trade data between competing users without explicit consent
• Process data for purposes materially different from those stated without fresh consent or a valid legal basis
• Retain data beyond the periods specified in Section 13 of this Policy

Encryption Standards

• Data in Transit: All communications between users and the platform are encrypted using TLS 1.3 (minimum TLS 1.2). HTTP connections are automatically redirected to HTTPS.
• Data at Rest: All stored data is encrypted using AES-256 encryption. Database encryption keys are managed via a Hardware Security Module (HSM) with strict access controls.
• End-to-End Messaging: Private trade communications between platform members use end-to-end encryption protocols ensuring XB2BX LTD staff cannot access message contents except under legally compelled circumstances.
• Backups: All backup data is encrypted at the same standard as live data, stored in geographically separate locations with restricted access.

Access Control & Authentication

• Multi-Factor Authentication (MFA) is available and strongly recommended for all accounts; mandatory for verified business accounts and API access
• Role-Based Access Control (RBAC) governs all internal staff access to production systems and user data
• Privileged Access Management (PAM) with just-in-time provisioning for administrative access
• All internal access to personal data is logged, monitored, and subject to quarterly access reviews
• Automated session timeout and suspicious login detection with real-time user notification
• Password policies enforcing minimum 12-character complexity; bcrypt hashing for stored credentials

Infrastructure & Network Security

• Cloud infrastructure hosted on enterprise-grade providers with Tier IV data centre certifications
• Web Application Firewall (WAF) protecting against OWASP Top 10 vulnerabilities
• DDoS mitigation at network and application layers with automatic traffic scrubbing
• Intrusion Detection and Prevention Systems (IDS/IPS) with 24/7 Security Operations Centre (SOC) monitoring
• Network segmentation separating production, staging, and development environments
• Regular automated vulnerability scanning and quarterly third-party penetration testing
• Software Composition Analysis (SCA) for all open-source dependencies

Application Security

• Secure Software Development Lifecycle (SSDLC) with security review gates at each stage
• Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) integrated into CI/CD pipelines
• Content Security Policy (CSP) headers protecting against cross-site scripting (XSS) attacks
• SQL injection prevention through parameterised queries and ORM usage
• CSRF token protection on all state-changing operations
• Bug Bounty programme enabling responsible disclosure by security researchers

Operational Security

• All XB2BX staff complete mandatory security awareness training upon onboarding and annually thereafter
• Background screening conducted on all staff with access to production systems or personal data
• Supplier and contractor security assessments before granting any system access
• Formal change management process with security sign-off for all infrastructure modifications
• Disaster Recovery (DR) and Business Continuity Plans (BCP) tested bi-annually with documented RTO/RPO targets

XB2BX LTD fully recognises and upholds all rights afforded to data subjects under the GDPR, UK DPA 2018, CCPA, and equivalent legislation in other jurisdictions. You may exercise any of the following rights at no cost:

How to Submit a Request

Submit a Data Subject Access Request (DSAR) through any of the following channels:

• Online: Via the Privacy Dashboard in your account settings (authenticated users)
• Email: privacy@xb2bx.com — include full name, account email, and nature of request
• Post: Data Protection Officer, XB2BX LTD, [Registered Address], England

XB2BX LTD engages third-party service providers strictly as data processors, bound by Data Processing Agreements (DPAs) that enforce equivalent or higher data protection standards. Categories of processors include:

International Data Transfers

As a global marketplace serving 180+ countries, data may be transferred to and processed in countries outside the United Kingdom and European Economic Area (EEA). All such transfers are safeguarded by one or more of the following mechanisms:

• UK Adequacy Regulations: Transfers to countries deemed adequate by the UK Secretary of State
• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs incorporated into all DPAs with non-adequate country processors
• UK International Data Transfer Agreements (IDTAs): For transfers from the UK under the Data Protection Act 2018
• Binding Corporate Rules (BCRs): Where applicable within group structures
• Adequacy Decisions: Where the destination country has received an adequacy decision

XB2BX LTD maintains a formally documented Incident Response Plan (IRP) aligned with NIST SP 800-61 and tested through bi-annual tabletop exercises. The following timeline governs our response to any confirmed data breach:

All users of XB2BX.COM agree to comply with this Acceptable Use Policy as a binding condition of platform access. Violations may result in immediate account suspension, permanent ban, civil legal proceedings, and/or referral to law enforcement authorities.

Permitted Use

• Legitimate B2B trade enquiries, negotiations, and commercial transactions
• Accurate representation of your company, products, capabilities, and credentials
• Responding truthfully to buyer enquiries and providing accurate product specifications
• Using the platform's messaging and RFQ tools for genuine commercial communication
• Accessing your own account data and exercising your data subject rights

Strictly Prohibited Activities

• Fraudulent Misrepresentation: Creating false or misleading listings, fake company profiles, or impersonating other businesses
• Sanctions Violations: Trading with sanctioned individuals, entities, or countries in violation of UK, EU, US OFAC, or UN sanctions regimes
• Cybersecurity Attacks: Attempting to hack, scrape, reverse-engineer, introduce malware, conduct DDoS attacks, or otherwise interfere with platform infrastructure
• Unauthorised Data Harvesting: Using automated bots, scrapers, or crawlers to extract user data, contact information, or commercial intelligence from the platform
• Money Laundering & Fraud: Using the platform to facilitate financial crime, trade-based money laundering, or payment fraud
• Counterfeit & Prohibited Goods: Listing, promoting, or trading in counterfeit, stolen, or legally prohibited products
• Spam & Unsolicited Contact: Bulk unsolicited messaging, phishing attempts, or using platform data to contact users outside the platform
• Intellectual Property Infringement: Uploading content that infringes the IP rights of third parties, including copyrighted images, trademarks, or trade secrets
• Account Sharing & Multi-Accounting: Sharing login credentials, operating multiple accounts for the same entity, or creating accounts on behalf of sanctioned parties

Enforcement & Consequences

XB2BX Platform IP

All intellectual property rights in the XB2BX platform, including but not limited to: software code, interface design, algorithms, trade marks, logos, database structures, and compiled data analytics products, are the exclusive property of XB2BX LTD. No licence is granted to any user to reproduce, distribute, or create derivative works without express written permission.

User-Submitted Content

• Users retain ownership of all original content they upload (product images, descriptions, company profiles)
• By uploading content, users grant XB2BX LTD a non-exclusive, worldwide, royalty-free licence to display, distribute, and use that content solely for platform operation and promotion
• Users warrant that all uploaded content does not infringe the IP rights of any third party
• XB2BX LTD will remove infringing content promptly upon receipt of a valid takedown notice under the applicable jurisdiction's safe harbour provisions

IP Infringement Reporting

To report IP infringement on the platform, submit a formal notice to legal@xb2bx.com including: your contact details, identification of the infringing content and its URL, identification of the original work, a statement of good faith belief, and a declaration of accuracy. We will acknowledge valid notices within 5 business days.

Trade Secrets & Confidential Information

XB2BX LTD will not disclose trade secrets, confidential pricing, supplier lists, or proprietary technical specifications shared by users in the course of trade to any competing party. Our staff are bound by strict confidentiality agreements, and all such data is marked and handled under our Information Classification Policy.

Platform's Liability

XB2BX LTD's aggregate liability to any user arising from or in connection with use of the Platform shall not exceed the greater of: (a) the total fees paid by that user to XB2BX LTD in the 12 months preceding the event giving rise to the claim; or (b) £500 GBP.

XB2BX LTD shall not be liable for:

• Indirect, special, consequential, or punitive damages of any kind
• Loss of revenue, profit, business, or contracts arising from use of the platform
• Acts, omissions, or fraudulent conduct of other platform users
• Service interruptions resulting from force majeure events, including cyberattacks beyond reasonable control
• Accuracy of information submitted by third-party users in their listings or profiles
• Trade disputes, delivery failures, or quality issues between buyers and sellers

User Indemnification

Users agree to indemnify, defend, and hold harmless XB2BX LTD, its directors, officers, employees, and agents from and against any claims, liabilities, damages, and costs (including legal fees) arising from: (a) user's breach of this Policy or the platform Terms & Conditions; (b) user's violation of any applicable law or third-party rights; (c) content submitted by the user to the platform; or (d) user's fraudulent or wilfully harmful conduct.

Exclusions

Nothing in this Policy limits XB2BX LTD's liability for: death or personal injury caused by our negligence; fraud or fraudulent misrepresentation; or any other liability that cannot be excluded or limited under applicable law.

Users can manage their cookie preferences at any time via the Cookie Preference Centre accessible in the platform footer. Withdrawing consent for non-essential cookies will not affect platform functionality. We do not use fingerprinting or persistent tracking technologies that bypass standard browser controls.

XB2BX.COM is a professional B2B marketplace platform intended exclusively for business use by individuals aged 18 years or older acting in a commercial capacity on behalf of registered business entities.

• We do not knowingly collect, process, or store personal data of individuals under 18 years of age
• Age verification is conducted as part of the account registration and KYC/KYB process
• If we become aware that an account has been created by or on behalf of a minor, we will immediately suspend the account and securely delete all associated personal data
• Parents or guardians who believe a minor has registered on the platform should contact privacy@xb2bx.com for immediate remediation
• We apply additional care in our communications and security processes for users who have self-identified as operating in high-risk jurisdictions or industries

If you are not satisfied with our response to a privacy complaint, you have the right to escalate to the relevant data protection supervisory authority: