How XB2BX uses cookies and tracking technologies across its global marketplace — for businesses, individual consumers, and digital service users — transparently, lawfully, and in compliance with applicable international law.
This Cookie Policy (“Policy”) is issued by XB2BX LTD, a company incorporated in England and Wales (“we”, “us”, “our”, “XB2BX”). It governs the use of cookies and similar tracking technologies on xb2bx.com and all sub-domains and associated applications operated by XB2BX (collectively the “Platform”).
XB2BX is a multi-sector global marketplace serving businesses and individual consumers across: wholesale trade (B2B), direct consumer purchases (B2C), dropshipping, brokerage, supplier onboarding, international trade facilitation, financial introductions, and digital/SaaS services. This Policy covers all Platform users regardless of their capacity.
Where you access the Platform as a business representative, this Policy applies to both you personally and the entity you represent. Where you access as a private individual consumer, you benefit from additional consumer protections set out in Sections 8 and 9.
B2B Users: Even when acting on behalf of a company, your browser-level data (IP address, device identifiers) may constitute personal data under applicable law. Corporate access does not waive individual data protection rights.
Consumer (B2C) Users: If you are accessing the Platform as an individual rather than on behalf of a business, you are a consumer and benefit from enhanced protections under the UK Consumer Rights Act 2015, EU Consumer Rights Directive 2011/83/EU, and the EU Digital Services Act. These are detailed in Sections 8 and 9.
Cookies are small text files placed on your device when you visit a website. They cannot execute code, deliver malware, or access other files on your device. We also use the following related tracking technologies, all of which are subject to the same consent requirements as cookies under this Policy.
Name-value pairs stored in your browser. Session cookies expire on browser close; persistent cookies remain for a defined period.
Invisible images in pages or emails that register views. Used for engagement and conversion tracking.
Browser-side storage for preference and state data. Session storage clears when the tab closes.
Limited use of browser/OS attributes for fraud prevention, AML screening, and sanctions compliance only. Deployed under legal obligation grounds.
Supplier, payment, and logistics integration scripts that interact with browser storage as part of trade and order workflows.
If you access XB2BX via a mobile app or PWA, equivalent identifiers (device IDs, push tokens) are governed by this Policy and the same consent rules apply.
We use six cookie categories. Only Strictly Necessary cookies are set without consent. All others require active opt-in via our Cookie Consent Manager. This applies equally to B2B and B2C users. You may update your preferences at any time via Cookie Settings in the page footer.
Essential for Platform operation. Cannot be disabled without impairing core functionality. No consent required under PECR Reg. 6(4) or equivalent law.
Aggregated, anonymised data on Platform usage. No individuals identified. Covers B2B trade flows and B2C shopping journeys.
Enhanced features for business and consumer users. Disabling reduces usability but does not block access to the Platform.
For personalised advertising and retargeting. Opt-out stops personalised ads but generic ads may continue. Consumer opt-in is mandatory before any profiling for direct marketing.
Set by external partners integrated into the Platform. XB2BX does not directly control these. Review each provider’s own privacy policy.
Specific to XB2BX’s subscription-based tools, API access plans, and SaaS features for business and individual users.
All primary cookies active on xb2bx.com are listed below, audited quarterly. Cookie names containing random identifiers may vary by session; the list represents the full register as of this Policy version.
| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| session_id | XB2BX | Necessary | Authenticated session — B2B accounts, B2C checkout, digital subscriptions | Session |
| csrf_token | XB2BX | Necessary | CSRF protection for all form submissions and API calls | Session |
| xb2bx_consent | XB2BX | Necessary | Stores cookie consent choices and policy version reference | 12 months |
| __Secure-auth | XB2BX | Necessary | Encrypted auth token; Secure + HttpOnly flags enforced | Session |
| cart_token | XB2BX | Necessary | Preserves B2C shopping cart state across pages | 7 days |
| sub_state | XB2BX | Necessary | Digital subscription plan status and billing cycle | Session |
| kyc_session | XB2BX | Necessary | AML/KYC identity verification workflow state | Session |
| sanctions_flag | XB2BX | Necessary | Records sanctions screening outcome for session continuity | Session |
| rate_limit_id | XB2BX | Necessary | Throttles API calls; prevents scraping and abuse | 1 hour |

| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| _ga | | Analytics | Distinguishes unique users (data anonymised) | 2 years |
| _ga_[ID] | | Analytics | Maintains GA4 session and campaign state | 2 years |
| _gid | | Analytics | Page view count per 24-hour period | 24 hours |
| _hjid | Hotjar | Analytics | Unique user ID for heatmaps and session recordings | 365 days |
| _hjSessionUser | Hotjar | Analytics | Tracks whether Hotjar data has been collected this session | 365 days |

| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| xb2bx_lang | XB2BX | Functional | Language and locale preference — critical for international users | 12 months |
| xb2bx_currency | XB2BX | Functional | Preferred currency for B2B pricing and B2C checkout | 12 months |
| xb2bx_prefs | XB2BX | Functional | Dashboard layout, filters (B2B) and wishlist (B2C) | 6 months |
| intercom_id | Intercom | Functional | Live chat session identity and support history | 9 months |
| tz_offset | XB2BX | Functional | Timezone for accurate trade, order, and delivery timestamps | Session |

| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| li_fat_id | | Marketing | B2B ad conversion and retargeting | 30 days |
| _fbp | Meta | Marketing | Ad delivery for B2C and B2B product audiences | 3 months |
| _gcl_au | | Marketing | Google Ads conversion and campaign attribution | 3 months |
| xb2bx_ref | XB2BX | Marketing | Referral source and affiliate partner attribution | 30 days |
| IDE | | Marketing | Google Display Network cross-site campaign tracking | 13 months |

| Cookie Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| xb2bx_trial | XB2BX | Digital | Tracks free-trial status and days remaining for digital service plans | 30 days |
| api_token_ref | XB2BX | Digital | References API authentication token for developer integrations | Session |
| feature_flags | XB2BX | Digital | Controls feature visibility during staged product rollouts | Session |
This register is reviewed and updated quarterly. If you discover an unlisted cookie on the Platform, notify privacy@xb2bx.com — we treat undisclosed cookies as a compliance incident and will investigate within 14 days.
XB2BX has conducted a Legitimate Interests Assessment (LIA) for all processing on that ground; a summary is available on request from dpo@xb2bx.com.
Strictly Necessary cookies are placed on the basis of our legitimate interests in: providing a secure and functional platform; preventing fraud and abuse; maintaining infrastructure stability; and fulfilling our obligations as a marketplace operator. We have assessed that these interests are not overridden by your fundamental rights and freedoms. This applies to both B2B and B2C users.
All non-essential cookies require freely given, specific, informed, and unambiguous consent via our Cookie Consent Manager. Consent is granular by category. Pre-ticked boxes, bundled consent, and consent walls are never used. For B2C users, consent is always obtained before any profiling for direct marketing.
AML/KYC, sanctions screening, fraud-reporting, and regulatory compliance cookies are deployed under mandatory legal obligations: Proceeds of Crime Act 2002, Money Laundering Regulations 2017, and applicable international equivalents. These cannot be disabled by users.
Cookies necessary to fulfil a contract — live trade sessions (B2B), checkout and order processing (B2C), or active digital service subscriptions — are placed on the basis of contract performance for registered users in active transactions.
In exceptional circumstances involving participant safety or compliance with public authority requests, data from cookies may be processed on the basis of vital interests or public task. This ground is narrow and will be documented each time it is invoked.
California Residents (CCPA/CPRA): Targeting cookies may constitute a “sale” or “sharing” of personal information. Opt out via Do Not Sell or Share My Personal Information in Cookie Settings, or by broadcasting a GPC signal, which we honour automatically. We do not knowingly sell data of individuals under 16.
Brazilian Users (LGPD Art. 7): Processing is based on consent (I), legitimate interest (IX), or legal obligation (II) as applicable. Rights under Art. 18 (access, correction, portability, deletion, revocation) are exercisable via privacy@xb2bx.com.
XB2BX facilitates cross-border trade. Cookie-generated data may be processed in multiple countries. All international transfers are covered by one of the following safeguards:
Primary jurisdiction. ICO (Ref: C1651490) is the lead supervisory authority. B2C users benefit from full UK consumer law protections.
Full GDPR and Digital Services Act compliance. SCCs govern onward transfers. B2C users retain 14-day withdrawal rights for digital services.
California opt-out rights honoured. GPC signals detected automatically. No data sales to users under 16.
Art. 18 rights available to Brazilian residents. ANPD is the relevant supervisory authority.
Trade participants in Singapore, Thailand, Malaysia, and Indonesia served under applicable PDPA and local regulatory frameworks.
Where laws conflict, the stricter standard applies. Contractual governing law is England and Wales, without prejudice to statutory data protection and consumer rights in any jurisdiction.
XB2BX may facilitate introductions for trade finance, escrow, or credit facilities. Cookies in connection with these workflows do not constitute financial advice, a credit assessment, or a binding financial offer. XB2BX is not FCA-authorised for regulated financial services and acts solely as an introducer or facilitator.
Disclaimer: XB2BX does not guarantee the completion of any trade or financial transaction. Financial-introduction workflow data is held under FCA introducer guidance and AML obligations, and is not used for credit scoring or profiling by XB2BX.
Session tokens may be shared with participating suppliers or logistics providers strictly for order fulfilment. Such parties act as data processors under Article 28 UK/EU GDPR data processing agreements. XB2BX remains the data controller for all end-user data.
Registered suppliers connecting via the XB2BX API may deploy their own scripts or SDKs that interact with browser storage. API partners must comply with this Policy as a condition of integration. Suppliers bear independent data controller liability for data they collect through their own scripts.
Automated sanctions and adverse-media screening uses session cookies and limited device fingerprinting under legal obligation. This processing cannot be opted out of. Screening records are retained for a minimum of 5 years per OFSI, OFAC, and UN sanctions record-keeping requirements.
Entities accessing XB2BX on behalf of a corporate may bear independent data processing obligations. Contact dpo@xb2bx.com to arrange data processing agreements and controller-to-controller arrangements under Article 26 UK/EU GDPR.
This section applies to individual consumers using the Platform for personal purchases, product discovery, or any non-business purpose. If you are a consumer, you benefit from the following additional protections beyond those in Section 10.
For B2C interactions, we apply the strictest available consent standard. Consent banners are designed so that “Reject All” is at least as prominent as “Accept All”. We do not use dark patterns, misleading designs, or consent walls that deny access to content.
Under PECR Regulation 6 and the EU ePrivacy Directive, we do not use cookies to profile consumers for direct marketing without a prior, active opt-in. This means no pre-ticked boxes, no inferred consent, and no email marketing cookies until you have affirmatively opted in.
EU/UK consumers purchasing a digital service or subscription have a 14-day right of withdrawal (UK Consumer Rights Act 2015; EU CRD 2011/83/EU) unless immediate commencement is expressly requested. Cookies tracking subscription status are deleted upon valid cancellation. Contact hello@xb2bx.com to exercise this right.
XB2BX does not knowingly collect data from users under 16 (or applicable digital consent age in your jurisdiction). Targeting and marketing cookies are not used for users we know or reasonably believe to be under 16. If a minor’s data has been collected without appropriate consent, contact privacy@xb2bx.com for prompt deletion.
Where cookies feed into automated decisions with a legal or significant effect on a consumer (e.g. dynamic pricing, access restrictions, or credit-related introductions), we will: (1) inform you at the time of the decision; (2) provide a lawful basis; and (3) offer the right to human review on request.
As a platform accessible to EU users, XB2BX operates in accordance with the EU Digital Services Act (Regulation 2022/2065). This includes: transparent advertising identifiers; no targeted advertising to minors; no targeting based on sensitive personal data; and access to our advertising parameter registry upon request. DSA enquiries: compliance@xb2bx.com.
The cart_token cookie preserves your shopping cart for up to 7 days as a Strictly Necessary cookie (no consent required). Cart data is not used for profiling or shared with third parties outside of payment processing. No purchase is completed without your active confirmation.
XB2BX offers software-as-a-service features, API access plans, developer tools, and subscription-based digital products. The following disclosures apply to all digital service users, whether business or consumer.
The xb2bx_trial cookie tracks free-trial eligibility and remaining days. It is set upon trial activation and deleted upon expiry or conversion to a paid plan. It is not used for marketing profiling. Trial users are notified of trial status via in-app notices rather than tracking-based advertising.
Developers and business users accessing XB2BX services via API keys receive a session-scoped api_token_ref cookie to reference authentication state without transmitting credentials in URLs. This is strictly necessary and cannot be disabled. API partners operating under an XB2BX developer agreement are separately bound by our API Terms of Service, which incorporate this Policy by reference.
The feature_flags cookie controls which features are visible during staged product rollouts or beta programmes. No personal data is encoded in this cookie. It is used solely to maintain a consistent experience during gradual feature releases and is reset on session close.
The sub_state cookie records your current subscription tier and billing cycle status to ensure correct access controls are applied. It contains no financial data; it references server-side records only. It is classified as Strictly Necessary and cannot be disabled while a paid subscription is active.
Notification preferences set within the Platform dashboard (e.g. trade alerts, shipment updates, compliance reminders) are stored server-side and synchronised to your session via functional cookies. These can be managed in your account notification settings at any time without affecting core Platform access.
On first visit, our Cookie Consent Banner presents granular category controls. You may accept all, reject non-essential, or configure each category independently. Choices are saved for 12 months. Update preferences at any time via Cookie Settings in the page footer.
Your browser allows direct cookie management. Note: blocking Strictly Necessary cookies will prevent login, transactions, and AML/compliance checks from functioning.
XB2BX honours the Global Privacy Control (GPC) signal as an opt-out from the sale or sharing of personal data for California residents. GPC is detected automatically on each visit. Do Not Track (DNT) signals are not currently responded to due to the absence of a universal technical standard.
Request a copy of personal data collected through cookie processing.
Request correction of inaccurate or incomplete personal data we hold.
Request deletion where we have no continuing lawful basis for processing.
Object to processing based on legitimate interests, including profiling for direct marketing.
Receive your data in structured, machine-readable format where processing is consent-based.
Request restriction of processing while a complaint or accuracy dispute is in progress.
Withdraw any cookie consent at any time without affecting the lawfulness of prior processing.
Not to be subject to solely automated decisions with significant legal effect. Human review is available on request for all automated decisions.
Submit rights requests to privacy@xb2bx.com. We respond within 30 days (UK/EU GDPR) or 45 days (CCPA), extendable by a further 30 days on notice.
Cookie lifespans are as stated in the Register at Section 4. Session cookies expire when you close your browser. Persistent cookies remain for their stated duration or until manually deleted. The following retention periods apply to data generated by cookies:
We conduct quarterly cookie audits. Cookies no longer in use or exceeding their stated lifespan are removed. A copy of the current audit report is available on request via privacy@xb2bx.com.
You may withdraw or modify cookie consent at any time. Withdrawal is effective immediately for future processing and does not affect the lawfulness of processing carried out before withdrawal.
Withdrawal of consent for non-essential cookies does not restrict access to the Platform’s core trading, purchasing, or digital service functions. However, some personalisation features (saved searches, language preferences, live chat history) may be reset. Strictly Necessary cookies, including those used for AML/KYC and sanctions compliance, cannot be disabled.
XB2BX reviews this Cookie Policy at least every six months and whenever material changes occur in: the cookies deployed; applicable law or regulatory guidance; our business model; or enforcement action by a supervisory authority.
When material changes are made, we will:
| Version | Date | Key Changes | Consent Reset |
|---|---|---|---|
| v3.0 | 20 May 2026 | Added: B2C consumer protections (Sections 8 & 9); Digital Services Act (DSA) notice; SaaS/subscription cookie disclosures; free trial cookie; mobile/app SDK notice; right to cancel for digital services; automated profiling safeguards; minor protections; purple audit category; cart_token and sub_state added to register; 25 named cookies total. | Yes — new categories |
| v2.0 | 20 May 2026 | Full legal audit. Added: LGPD/PDPA coverage; B2B-specific disclosures (brokerage, dropshipping, sanctions, supplier APIs); corporate user clause; consent withdrawal procedure; jurisdiction conflict clause; version history; registered address and ICO reference confirmed. Cookie register expanded to 21 named cookies. | Yes — new categories |
| v1.0 | 19 Mar 2025 | Initial policy. Basic GDPR/PECR/CCPA coverage. Four cookie categories. Functional cookie register. DPO contact added. | Original |
Prior versions are available on request from privacy@xb2bx.com.
For questions, data subject requests, or concerns about this Policy or XB2BX’s cookie practices, contact us via the channels below. We acknowledge all enquiries within 48 hours and respond substantively within the applicable statutory timeframe.
If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with your local supervisory authority. You are not required to contact us first.
XB2BX is committed to resolving all cookie and data protection complaints at first instance. You are always entitled to escalate directly to a supervisory authority — this is your statutory right and is not conditional on first contacting us.