Version 1.0—Last Updated 9th August 2024
1.1. We are Biodiversity Exchange Limited (BNGx, we, our or us) and we operate the website BNGx.com which is an online platform to facilitate the sale and purchase of Biodiversity Units (as defined in the Terms of Use) between land developers and landowners (Exchange). Our address of business is c/o BDO LLP, Two Snowhill, 7th Floor, Birmingham, United Kingdom, B4 6GA.
1.2. This privacy policy (Policy) outlines the types of data we collect when you use our Exchange, the purposes they serve and how your personal data is protected.
1.3. This Policy, along with the following additional policies, are the rules governing your rights and obligations on the Exchange:
2.1. This Policy outlines the types of data we collect through the use of our Exchange, including any data you may provide when you register for an account or purchase a product. This Policy pertains to all users engaging with the Exchange, by continuing to browse our Exchange, you are consenting to the terms of this Policy. We are dedicated to keeping you informed when it comes to your online privacy and focus on promoting transparency between you and us and upholding compliance in respect of privacy laws.
2.2. In addition to this Policy, users are advised to review and be aware of several other applicable terms that govern their use of our Exchange, including our Cookies Policy, Terms of Use, , and the Seller Policy for Exchange sellers.
3.1. By engaging with and using the Exchange, you consent to us collecting, receiving, processing, storing and transferring the following information for the purposes listed below:
| Information Category | Purpose / Activity | Lawful Basis |
|---|---|---|
| Personal Identification Information - this may include names, email addresses, company affiliations and phone numbers and any other data which you submit through the use of the Exchange. | To facilitate user engagement, account management and communication. This includes processing to administer our relationship with you and communicate with you and your use of the Exchange. | (a) the processing is necessary to our performance of
a contract with you; and
(b) it is our legitimate interest to review and respond to any correspondence or queries you send to us, and to send service information regarding our Exchange and/or services that you have used on our Exchange. |
| Demographic Information - this may include user location address, and other background information that you consent to providing through the use of our Exchange. | To enhance user experience and tailor services to specific geographic preferences with user consent. | (a) your consent or where
information is solicited; and
(b) the processing is necessary to our performance of a contract with you. |
| Product/Service Details - this may include details about the biodiversity products being marketed on our Exchange, including metric file information and gain site details. | Are collected and processed to accurately represent and manage transactions and interactions within the Exchange and to allow the Exchange to function. | The processing is necessary to our performance of a contract with you. |
| Transaction Data - this may include details about payments to and from you and other details of Biodiversity Units or Availability Certificates (as defined in the Terms of Use) you have purchased using our Exchange as well as any payment information which is transferred directly to Stripe. | This information is collected, processed and transferred to enable you use the Exchange and use Stripe. We use such information to facilitate the buying and selling of Biodiversity Units on the Exchange and the generation of Availability Certificates (as defined in the Terms of Use). | The processing is necessary to our performance of a contract with you. |
| Technical Data - this may include IP addresses, browser types and operating system. | To allow the seamless and secure operation of our Exchange and enhance user security. To help us keep the Exchange available and improve your experience when you visit it. We use this information to help us understand how people visit our Site and access the services on our Site and ensure that we can continue to maintain and improve the Site to service your needs. | (a) necessary to comply with relevant legal
obligations (for example, applicable data protection/privacy laws).
(b) necessary for our legitimate interests to act in, and protect, the interests of our business. Exchange users should also read our Cookies Policy which is available on the Exchange. |
| Usage Data – this may include pages visited and previous website addresses including any search terms used and links clicked and the date and time you access the Exchange and how you use the Exchange. | In order to analyse user engagement patterns and
improve the overall user experience, with user consent. To help us to
keep the Exchange available and improve your experience when you visit
it. This includes: (a) statistical analysis to improve, test and monitor
the effectiveness of the Exchange;
(b) to monitor metrics such as total number of visitors and traffic data (including demographic patterns); and (c) to ensure content on the Exchange is presented in the most effective manner for you and to enhance your use of the Exchange. |
(a) your consent or where
information is solicited;
(b) our legitimate interest to measure the use of our Exchange and/or services on it and your interactions to inform and improve service direction and development and to enable provision of accurate and reliable reporting; and/or (c) the processing is necessary to our performance of a contract with you. |
| Marketing and Communications Preferences – this may include frequency or method of communications which are sought from you and also includes the Personal Identification Information. | Enable us to control the frequency and nature of communications you receive from us. To send you marketing material, newsletters and other related information, and to send solicited information (e.g. in response to an enquiry). | (a) our legitimate interest to send you
communications related to the services on the Exchange to which you have
previously used, where permitted by privacy laws; or
(b) your consent or where information is solicited. |
| Third-Party Data – information collected from external sources. | This information is collected from external sources or third parties and used strictly for disclosed purposes. | The processing is necessary to our performance of a contract with you. |
| Aggregated Data - this may include statistical or demographic data but is not considered personal data as it does not reveal individual identities and is used for analytical purposes, Exchange improvement and industry insights. | This data is not considered personal data. But we intend to use such data to enable us to continue and grow our Exchange and business. | Necessary for our legitimate interests to ensure we can protect and grow our business. |
3.2. In limited circumstances we may process any of the Personal Data we hold to the extent necessary to defend, establish and exercise legal claims or to comply with legal or regulatory obligations.
3.3. Where we need to collect personal data due to a legal or regulatory obligation, or for performance of a contract, and you do not provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with the use of the Exchange). We will notify you of this at the time.
We use various methods to collect data from and about you which includes through:
5.1. Our information practices are embedded in transparency and legal compliance. Information is utilised to facilitate secure transactions, enhance user experience, and meet legal obligations. We prioritise your privacy, ensuring data use aligns with the Exchange’s commitment to transparency and legal standards, particularly concerning biodiversity-related products. To the extent required by applicable law, we rely on a number of legal bases to use your information in the ways set out in this Policy.
5.2. We use certain information that is necessary for us to provide you with the services and perform our Terms of Use and any other relevant contracts with you.
5.3. We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the most secure experience on our Exchange. We will ensure to consider and balance any potential impact on you and your rights before we process your data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you unless we have your consent or are required to do so by law.
5.4. Your data is utilised to deliver and continuously improve our services.
5.5. We process information to provide customer support, address queries, and facilitate communication with our users. This ensures a seamless and responsive interaction between you and our Exchange.
5.6. We may, in cases where it is relevant, share data with regulatory authorities and environmental organisations to comply with legal obligations and contribute to environmental initiatives, fostering accountability and transparency.
5.7. We employ data for targeted advertising, promotions, and marketing activities. This allows us to share relevant content, offers, and updates, enhancing user engagement while respecting your preferences and choices.
5.8. Data is utilised to maintain the security of our Exchange. This includes monitoring, detecting, and preventing security threats, ensuring the confidentiality and integrity of user information.
5.9. We process data to fulfil legal requirements, ensuring compliance with applicable laws and regulations. Our services and Exchange are subject to laws and regulations that require us to collect, use and store your personal information in certain ways. This may involve responding to legal requests, investigations, or exercising legal rights and remedies.
5.10. Our usage of data is grounded in various legal bases, including user consent, contractual necessity, legal obligations, and legitimate interests.
6.1. We may share your data with third parties where necessary to perform the services on our Exchange, comply with our legal obligations or for the purposes set out in this Policy, including:
6.2. Our commitment to transparency guides our information sharing practices. For example, sellers agree to disclose details related to the biodiversity-related products listed on our Exchange, including metrics and gain site commitments and buyers also agree to disclose details related to their metric and biodiversity gain objectives.
6.3. We may share your information with trusted service providers and partners who assist in providing and enhancing our services. These entities have limited access to your information, adhere to strict confidentiality and data security standards to ensure the protection of your information, and may only use your information to help us operate, provide and advertise the Exchange and our services in accordance with our instructions to them.
6.4. In the event of certain business transfers which includes mergers, acquisitions and other relevant transfers, your information may be transferred as part of the business assets to ensure continuity of service and maintain a seamless user experience.
6.5. We may disclose information in response to requests by the courts of a competent jurisdiction, or as a result of other regulatory requirements, including situations where disclosure is necessary to comply with applicable laws or regulations, safeguard the rights, privacy, and security of our users.
6.6. In circumstances not covered by 6.5 above, we share information only with your consent, allowing you control over the sharing of their information, respecting individual choices and preferences.
7.1. In certain instances, your information may be transferred across international borders as part of our operations. This includes scenarios where our service providers, partners, or servers are located in different countries. These are for the purposes outlined above.
7.2. To safeguard your information during international transfers, we implement protective measures consistent with data protection standards. These measures may include the use of encryption, contractual agreements with data processors, or reliance on internationally recognised frameworks that ensure an adequate level of protection for your data.
7.3. Should we transfer personal data to countries outside the EEA and the UK that do not benefit from an adequacy decision, we put in place appropriate safeguards to protect your personal data – e.g. the standard contractual clauses as amended by the UK Addendum, unless a relevant exemption applies.
7.4. We are committed to compliance with international data protection laws governing cross-border data transfers. This commitment extends to adhering to applicable frameworks, regulations, and mechanisms that ensure the lawful and secure transfer of user information across borders.
Our use of cookies and other tracking technologies is governed by our Cookies Policy. We are committed to transparency in our data practices, and you can find detailed information about the types of cookies used, their purposes, and your control options in our Cookies Policy. Please take a moment to review our Cookies Policy. Your continued use of our site indicates your acceptance of the terms outlined in our Cookies Policy.
9.1. Our Exchange may integrate and use third-party services, such as Stripe, to provide the Exchange’s functionalities and the privacy and security of your data remain a priority in these collaborations. These third parties may have their own privacy policies and terms of service, and we encourage you to review them to understand how they collect, use, and handle your information.
9.2. You have the option to choose whether to engage with third-party products and services integrated into our platform. Your decision to interact with these third-party services is voluntary, and you can exercise control over your engagement with them. We respect your choice and provide clear pathways for you to opt-in or opt-out of interactions with third-party links and services.
We prioritise the security of your information by implementing robust security measures including encryption, access controls, and other industry-standard protocols. These measures are designed to safeguard your data from unauthorised access, disclosure, alteration, and destruction, ensuring the confidentiality and integrity of your information. Measures involve:
11.1. We only store your information for the duration necessary to fulfil its intended purpose. The determination of the retention period is based on the necessity of processing the information for the services provided and other legitimate business purposes. Most of our retention periods are determined on the basis of this general rule.
11.2. The specific timeframes for retaining various data types are established by taking into consideration our legal requirements, contractual obligations, and user consent. These retention periods are outlined below and are periodically reviewed to ensure continued relevance and compliance.
| Purpose of Processing | Retention |
|---|---|
| Information which is used to provide you with our services | Retained for the lifetime of your account with us. |
| Information which is used for regulatory and legal compliance and obligations | Retained to extent necessary to comply with our legal obligations. |
| Information which is used for other legitimate purposes | Retained for other legitimate purposes such as investigating potential violations for our policies or Terms of Use, promoting safety, security and integrity and protect us and our rights, property or the Exchange. |
11.3. Upon expiration of the data retention period, we employ secure methods for data handling, which may include deletion or anonymisation. This ensures that data no longer needed for its original purpose is responsibly managed, reducing the risk of unnecessary exposure and aligning with privacy principles.
We do not undertake automated decision-making.
13.1. Data collected via our services may be anonymised, where applicable, and aggregated for statistical analysis or other lawful purposes. This may include collaboration with research institutions and environmental agencies if applicable and the sale of such anonymised personal data and related analysis conducted in respect of such.
13.2. We take all reasonable measures to ensure that, where applicable, once data is anonymised or aggregated, it cannot be used to identify an individual.
14.1. Certain privacy laws (which includes the General Data Protection Regulation) provide users with rights and choices related to their personal information. In consistency with those laws, we give you the choice of accessing, editing, or removing certain information as well as choices about our communications with you. Subject to applicable law, you may have some rights with respect to your personal information such as:
| Right | What you can do |
|---|---|
| Right to be informed | You have the right to be informed about the collection and use of your personal data, as detailed in this Policy and by contacting us at gdpr@bngx.com. You can access and update your personal information through your Account settings when logged into your account on our Exchange. |
| Right to access | You have the right to access and receive a copy of your personal data and supplementary information by contacting us at gdpr@bngx.com. |
| Right to portability | You have the right to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services by contacting us at gdpr@bngx.com. |
| Right to rectification | You have the right to have inaccurate personal data rectified, or completed if it is incomplete by reference to your Account settings or by contacting us at gdpr@bngx.com. |
| Right to restrict processing | You have the right to request the restriction or suppression of your personal data by contacting us at gdpr@bngx.com. |
| Right to deletion/erasure | You have the right to have personal data erased by contacting us at gdpr@bngx.com . |
| Right to object | You have the right to object to the processing of your personal data in certain circumstances by contacting us at gdpr@bngx.com . |
| Right relating to automated decision making | You have rights in relation to automated decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual), this could be part of the automated decision-making process. |
14.2. We try to respond to all legitimate requests within one month of receiving the request. Occasionally, it may take longer if the request is complex or you have made a number of requests. In this case we will ensure to communicate this to you and keep you updated. If you wish to make a request or exercise any of your rights mentioned above, you should contact us at the address set out in the “How You & We Communicate” section of this Policy.
14.3. As part of your rights afforded under the UK GDPR, you are entitled to file a complaint with the Information Commissioner's Office (ICO) if you believe that your data protection rights have been violated.
15.1. We emphasise the importance of keeping your personal information current and correct. You are encouraged to regularly review and update your information to ensure its accuracy and relevance.
15.2. You must prioritise the safeguarding of your account credentials and must refrain from sharing your credentials with unauthorised users of your account and adopt secure password practices, such as using strong, unique passwords and enabling multi-factor authentication when available.
15.3. We urge you to familiarise yourself with the privacy policies and terms of relevant third parties associated with our Exchange. This includes external services, partners, and integrated functionalities. Reviewing third-party policies ensures that you are aware of how your information may be handled beyond our platform.
15.4. If you are a seller on our Exchange, you may receive certain personal data and will have legal obligations in respect of such data. Your privacy responsibilities, including when you act as an independent data controller, are laid out in the Seller Policy.
This Policy is subject to change at any time, we will revise the “Last Updated” date at the top of this Policy. By continuing to use the Exchange, you acknowledge and agree that you it is your responsibility to review this Policy and we encourage you to do so to stay informed about how we are helping to protect the information we collect. It is your responsibility to be aware of any changes and your continued use of the Exchange shall constitute your agreement to this Policy and any updates.
17.1. For enquiries related to this Policy, you can reach out to us at gdpr@bngx.com. We value open communication and are committed to addressing any concerns or questions you may have regarding our terms.
17.2. Additionally, for data protection requests and concerns, users have the right to contact the ICO, the UK's supervisory authority for data protection matters. Information about the ICO, including contact details, can be found at Information Commissioner's Office (ICO) website https://ico.org.uk/for-the-public/.
17.3. For queries specifically related to cookies and their usage, users are encouraged to refer to our Cookies Policy.