Privacy Policy

1. Introduction

This Privacy Policy explains how BiomassX ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our biomass trading platform and related services. By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy should be read in conjunction with our Terms of Service, which govern your use of our platform. Together, these documents explain your rights and our responsibilities regarding your personal data and use of our services.

2. Data Controller Information

BiomassX operates as the data controller for the personal information we collect. For questions about your data or this privacy policy, please contact us using the information provided in the "Contact Us" section below.

3. Information We Collect

3.1 Information You Provide Directly

When you register for an account or use our services, we collect:

• Account Information: Name, email address, phone number, company name, business registration details
• Profile Information: Business type (buyer/seller), location, preferred biomass products, trading preferences
• Financial Information: Payment details, billing address, tax identification numbers
• Transaction Data: Order history, contracts, pricing information, delivery details
• Communication Data: Messages sent through our platform, support inquiries, feedback
• Identity Verification: Documents submitted for KYC (Know Your Customer) compliance

3.2 Information Collected Automatically

When you access our platform, we automatically collect:

• Device Information: IP address, browser type and version, operating system, device identifiers
• Usage Data: Pages visited, timestamps, referral sources, click patterns, search queries
• Location Data: Approximate geographic location based on IP address
• Cookies and Similar Technologies: See our Cookie Policy section below
• Network Activity: Traffic patterns for security monitoring and performance analysis

3.3 Information from Third Parties

We may receive information from:

• Business verification services for identity and credibility checks
• Payment processors for transaction completion
• Analytics providers to understand platform usage
• Public databases for business information validation

4. How We Use Your Information

We process your personal information for the following purposes:

4.1 Service Provision

• Create and manage your account
• Facilitate biomass trading transactions between buyers and sellers
• Process orders, contracts, and payments
• Provide customer support and respond to inquiries
• Match buyers with suitable sellers and vice versa

4.2 Platform Improvement

• Analyze usage patterns to enhance user experience
• Develop new features and services
• Conduct research and analytics on market trends
• Optimize platform performance and reliability

4.3 Security and Fraud Prevention

• Detect and prevent unauthorized access and fraudulent activities
• Monitor for security threats and vulnerabilities
• Verify user identities and business credentials
• Enforce our Terms of Service

4.4 Communication

• Send transactional emails (order confirmations, contract updates)
• Notify you of platform updates and new features
• Provide market insights and relevant opportunities (with consent)
• Respond to your requests and communications

4.5 Legal Compliance

• Comply with applicable laws and regulations
• Respond to legal requests and prevent illegal activities
• Maintain records for tax and accounting purposes
• Enforce legal rights and obligations

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Processing Purpose	Legal Basis
Account creation and service provision	Contract performance
Payment processing and order fulfillment	Contract performance
Security and fraud prevention	Legitimate interests
Platform improvement and analytics	Legitimate interests
Marketing communications	Consent (can be withdrawn)
Legal compliance and tax reporting	Legal obligation

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share your information in the following circumstances:

6.1 With Trading Partners

When you engage in transactions, we share necessary information (company name, contact details, order specifications) with the other party to facilitate the trade.

6.2 Service Providers

We work with trusted third-party service providers who assist us in operating our platform:

• Cloud hosting and infrastructure providers
• Payment processors and financial institutions
• Email and communication services
• Analytics and performance monitoring tools
• Customer support platforms

These providers are contractually obligated to protect your data and use it only for the specified purposes.

6.3 Business Transfers

If BiomassX is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

6.4 Legal Requirements

We may disclose your information when required by law or in response to:

• Court orders or legal processes
• Government or regulatory requests
• Enforcement of our Terms of Service
• Protection of rights, property, or safety of BiomassX, users, or the public

6.5 With Your Consent

We may share your information with other parties when you have given us explicit permission to do so.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Active Accounts: Data is retained while your account is active
• Closed Accounts: Most data is deleted within 90 days of account closure, except:
• Transaction records: 7 years (for tax and legal compliance)
• Financial records: 7 years (accounting requirements)
• Dispute-related data: Until resolution + applicable limitation period
• Analytics Data: Aggregated and anonymized data may be retained indefinitely
• Security Logs: Retained for 2 years for security and fraud prevention

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Access and Portability

You have the right to request a copy of your personal information in a structured, machine-readable format.

8.2 Correction

You can request correction of inaccurate or incomplete personal information. You can also update most information directly in your account settings.

8.3 Deletion (Right to be Forgotten)

You may request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, pending transactions).

8.4 Restriction of Processing

You can request that we limit how we use your data in certain circumstances.

8.5 Object to Processing

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

8.6 Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

8.7 Opt-Out of Marketing

You can unsubscribe from marketing emails using the unsubscribe link in any marketing message or by adjusting your account preferences.

8.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at the email address provided in the Contact Us section. We will respond to your request within 30 days as required by GDPR.

9. Data Security

We implement industry-standard security measures to protect your personal information:

9.1 Technical Measures

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest
• Access Controls: Role-based access restrictions and multi-factor authentication
• Secure Infrastructure: Regular security updates and patch management
• Intrusion Detection: Continuous monitoring for unauthorized access
• Firewall Protection: Network-level security controls

9.2 Organizational Measures

• Regular security audits and penetration testing
• Employee training on data protection and privacy
• Confidentiality agreements with staff and contractors
• Incident response and breach notification procedures
• Privacy by design principles in system development

9.3 Your Responsibilities

You are responsible for:

• Maintaining the confidentiality of your account credentials
• Using strong, unique passwords
• Notifying us immediately of any unauthorized account access
• Keeping your contact information up to date

10. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience on our platform.

10.1 Types of Cookies We Use

• Essential Cookies: Required for basic platform functionality (login, security)
• Performance Cookies: Help us understand how users interact with our platform
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Collect data about platform usage and performance

10.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may limit platform functionality. Most browsers allow you to:

• View and delete cookies
• Block third-party cookies
• Block all cookies (may affect functionality)
• Clear cookies when you close the browser

11. International Data Transfers

BiomassX operates globally, and your information may be transferred to and processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions recognizing equivalent data protection
• Privacy Shield certification (where applicable)
• Binding Corporate Rules for intra-group transfers

12. Children's Privacy

BiomassX is a business-to-business platform and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will delete such information.

13. Third-Party Links and Services

Our platform may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of external websites. We encourage you to review their privacy policies before providing any personal information.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to Know: Request information about categories and specific pieces of personal information collected
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: We do not sell personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, please contact us using the information in the Contact Us section.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will:

• Post the updated policy on this page with a new "Last Updated" date
• Notify you via email of material changes (if you have an account)
• Provide notice on our platform for significant changes
• Obtain your consent where required by law

Your continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy.

16. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our privacy and data protection practices. You can contact our DPO regarding any questions about this Privacy Policy or our data handling practices.

17. Supervisory Authority

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.