Global Privacy Policy

BangoPure Limited is a company incorporated and registered in England and Wales under company registration number 12066344, with its principal place of business at Barnsley, South Yorkshire, United Kingdom. BangoPure Europe Limited is incorporated in the Republic of Ireland with NACE Code 62.01, with its registered office in Dublin, Republic of Ireland.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, BangoPure Limited is the Data Controller in respect of personal data processed in connection with services delivered to users located in the United Kingdom.

For the purposes of the EU General Data Protection Regulation (EU GDPR) (Regulation (EU) 2016/679), BangoPure Europe Limited is the Data Controller in respect of personal data processed in connection with services delivered to users located within the European Economic Area, including the Republic of Ireland.

Data Controller Contact Details

This Privacy Policy applies universally and without exception to all personal data processed by BangoPure across every service, platform, application, website, mobile application, event, training programme, conference, and digital environment operated under the BangoPure brand. The services covered include, without limitation, the following:

Market 1 — Core Ecosystem Services

• Service 1: Eco Products Marketplace (ecoproducts.bangopure.com)
• Service 2: Waste-to-Wealth Marketplace (wastetowealthmarket.bangopure.com)
• Service 3: Eco Services Hub (ecoservices.bangopure.com)
• Service 4: EcoConnect Communities (community.bangopure.com)
• Service 5: Catalyst Events Platform (catalyst2026.bangopure.com)
• Service 6: Eco Ticketing Services (tickets.bangopure.com)
• Service 7: AI Assessment Engine (aiassessment.bangopure.com)
• Service 8: Eco Logistics Services (logistics.bangopure.com)

Market 2 — B2B SaaS Services

• Service 9: Digital Bridge / Inventory-as-a-Service (IaaS)
• Service 10: AI Procurement Optimisation
• Service 11: Dropshipping & VAT Logic Support
• Service 12: Digital Product Passport (DPP) Platform (dpp.bangopure.com)

Additional High-Value Services

• Service 13: ReMaterial Academy (academy.bangopure.com)
• Service 14: Corporate ESG Solutions
• Service 15: Trust Badge Programme
• Service 16: Africa Delegate Programme
• Service 17: Blockchain Provenance Tracking Infrastructure
• Service 18: BangoPure Catalyst 2026 Global Eco-Artisan Summit (Barnsley, South Yorkshire)
• Service 19: BangoPure DPP Conference Cork (Cork, Ireland)
• Service 20: BangoPure Ireland Summit 2027 (Dublin, Ireland)
• Service 21: API Access & Developer Integration Services
• Service 22: White-Label Enterprise Platform Licensing

This Policy further applies to all communications, correspondence, and interactions between BangoPure and any individual, whether or not that individual is a registered user. References to 'you', 'your', or 'User' throughout this Policy refer to any such individual.

In this Privacy Policy, the following terms carry the meanings set out below:

BangoPure collects personal data across multiple categories depending upon the specific services you use, the nature of your relationship with BangoPure, and the technical and operational requirements of the relevant platform. The following sets out an exhaustive account of the personal data we may collect:

Identity and Account Data

• Full legal name, preferred name, and any professional name or trading name
• Date of birth (required for age verification and certain regulatory purposes)
• Gender (optional; collected only where you choose to provide it)
• Nationality and country of residence
• Government-issued photographic identification (for KYC/AML verification on paid tiers and VIP delegate programmes)
• Proof of address documentation (utility bills, bank statements, official correspondence)
• Company registration details, registered number, and jurisdiction (for business accounts)
• Director and beneficial owner details (for corporate accounts)

Contact and Communication Data

• Primary and secondary email addresses
• Telephone numbers (landline and mobile)
• Postal addresses (registered address, billing address, delivery address)
• Social media handles and professional networking profiles (where provided voluntarily)
• Contents of all communications you send to BangoPure, including support requests, enquiries, feedback, and complaints

Financial and Transaction Data

• Payment card details (encrypted and tokenised; BangoPure does not store full card numbers)
• Bank account details (where provided for invoicing or payout purposes)
• Transaction history, amounts, dates, and counterparty details
• VAT registration numbers and tax identification numbers (for B2B invoicing)
• Paystack, Flutterwave, Stripe, and pawaPay transaction identifiers and reference numbers
• Currency conversion records and international transfer details
• Refund, credit note, and dispute records

Platform Usage and Technical Data

• IP addresses (IPv4 and IPv6)
• Device identifiers (device fingerprint, hardware identifiers, advertising identifiers where lawfully collected)
• Browser type, version, and configuration
• Operating system and device type
• Session duration, click-paths, page views, and navigation patterns
• Search queries entered within BangoPure platforms
• Feature engagement metrics and interaction timestamps
• Referral source and campaign attribution data
• Error logs, crash reports, and performance diagnostics

Marketplace and Commercial Activity Data

• Product listings submitted by sellers (including product descriptions, images, material specifications, pricing, and inventory levels)
• Buyer purchase histories, wish lists, and product review submissions
• Seller verification documentation and sustainability credentials
• AI Assessment Engine results, material composition reports, and verification certificates
• Digital Product Passport generation records and blockchain transaction hashes
• Carbon footprint calculation inputs and outputs
• Waste content verification records

Professional and Certification Data (ReMaterial Academy)

• Educational and professional qualifications
• Prior circular economy experience and portfolio evidence
• Assessment submissions, examination responses, and practical project outcomes
• Certification records, grade histories, and competency achievements
• Blockchain-verified credential identifiers

Event and Delegate Data

• Event registration details, ticket tier selections, and attendance records
• Dietary requirements and accessibility needs (where voluntarily provided)
• Travel itinerary information (for Africa Delegate Programme participants)
• Visa application support documentation and visa letter records
• Hotel and accommodation preferences
• Workshop and session attendance records
• Speaker, exhibitor, and sponsor agreement details
• Photography and video footage captured at BangoPure events

Community and Communications Data (EcoConnect)

• Community profile information, including biography, professional focus areas, and portfolio
• Posts, comments, forum contributions, and direct messages on community platforms
• Mentorship matching data and interaction records
• Material sourcing enquiries and connection requests
• Impact credit balances and earning histories
• Community moderation records (where applicable)

Logistics and Supply Chain Data

• Sender and recipient name, address, and contact details
• Shipment contents, weights, dimensions, and declared values
• Customs documentation inputs, HS codes, and country of origin declarations
• Carrier tracking identifiers and delivery status data
• Import/export licence numbers and customs clearance records
• Dangerous goods declarations and restricted item notifications

B2B Client and Enterprise Data

• Organisation name, company registration details, and registered office
• Procurement preferences, supplier criteria, and spend analytics
• ESG reporting data submitted by corporate clients for verification
• Supplier audit results and performance metrics
• White-label platform configuration data
• API integration credentials and usage logs
• Dropshipping client identifiers and VAT treatment records

Automatically Collected Technical Data

BangoPure's platforms and services automatically collect certain technical data as a fundamental requirement of internet-based service delivery. This data is collected through the following mechanisms:

• Cookies and similar tracking technologies (governed by our Cookie Policy, which forms an integral part of this Privacy Policy)
• Server access logs maintained on AWS, Hostinger, DigitalOcean, and Contabo infrastructure
• Kafka event streaming records generated by platform interactions across all fourteen services
• Redis session caching data (held for the duration of user sessions)
• Elasticsearch search indexing data
• OAuth 2.0 JWT token records capturing authentication events across all BangoPure services

BangoPure processes personal data only for specific, explicit, and legitimate purposes and never in a manner incompatible with those purposes. The following table sets out the full range of processing activities, their purposes, and the legal bases upon which we rely:

BangoPure does not routinely collect or process special category personal data. Where such data is collected, it is processed only in the following limited circumstances and on the following legal bases:

• Health and accessibility data disclosed voluntarily in connection with event attendance (dietary requirements, mobility needs, medical conditions): processed on the basis of explicit consent (Art. 9(2)(a) UK/EU GDPR) and, where necessary for your health and safety, on the basis of vital interests (Art. 9(2)(c)).
• Biometric data arising from identity verification processes (facial recognition used by third-party KYC providers): processed on the basis of explicit consent (Art. 9(2)(a)).
• Nationality, ethnic origin, or country of origin data collected as part of visa application support for the Africa Delegate Programme: processed on the basis of explicit consent and, where required by immigration authorities, on the basis of substantial public interest (Art. 9(2)(g)).

BangoPure will never use special category data for marketing, profiling, or any purpose beyond the specific purpose for which consent was given. Special category data is subject to enhanced security measures, strictly limited access controls, and mandatory data minimisation protocols.

The data stored on the Polygon blockchain in connection with BangoPure's Digital Product Passport platform and provenance tracking infrastructure is limited, as far as technically possible, to the following non-personally-identifying data elements:

• Unique Product Identifiers (UPI) — a random system-generated reference code
• IPFS Content Identifiers (CID) — cryptographic hashes of off-chain documentation
• Manufacturer or seller wallet addresses (pseudonymous public keys, not names or email addresses)
• Transaction timestamps recorded in UTC
• Digital signature hashes confirming material verification outcomes

BangoPure does not record names, email addresses, physical addresses, financial data, government identification numbers, or any other directly identifying personal data on the Polygon blockchain. Where on-chain data is linked to an identifiable individual through a wallet address or other technical means, BangoPure will apply technical obfuscation measures upon receiving a valid erasure request, whilst acknowledging that complete deletion of on-chain records is not technically possible. BangoPure will document any such obfuscation measures and their limitations in its data processing records.

By using any BangoPure service that incorporates blockchain recording, you expressly acknowledge and accept the immutable nature of on-chain data as described in this Section.

BangoPure deploys proprietary artificial intelligence and machine learning systems across several of its services. The following AI systems process personal or commercially sensitive data:

AI Assessment Engine

BangoPure's AI Assessment Engine employs computer vision neural networks trained on in excess of 500,000 circular economy material images to achieve material composition identification with 95.3% accuracy. The Engine processes product images, written descriptions, and material specifications submitted by sellers and corporate clients. Assessment outputs are used to generate Digital Product Passports, calculate carbon footprints, and authenticate sustainability claims.

Where an AI Assessment result is used to accept, reject, or materially affect a seller's product listing or a corporate client's verification claim, the affected party has the right to request human review of the AI decision. Requests for human review must be submitted to ai-review@bangopure.com within fourteen (14) days of the AI determination. BangoPure undertakes to complete human review within five (5) working days of receipt of a valid review request.

AI Procurement Optimisation

The AI Procurement Optimisation service scans in excess of 50,000 global supplier sources to identify optimal procurement matches for corporate clients. This service processes procurement preferences, spend profiles, and supplier evaluation criteria to generate ranked recommendations. The processing is carried out on the basis of contract performance. Clients are free to disregard any AI recommendation and to request an explanation of the ranking methodology.

AI-Assisted Fraud Detection

BangoPure deploys machine learning-based fraud scoring across all marketplace and payment processing operations. This system assigns risk scores to transactions, accounts, and activities in real time. Where a risk score exceeds a defined threshold, the system may temporarily restrict account activity or flag a transaction for manual review. Any automated restriction imposed by the fraud detection system may be appealed by contacting fraud-review@bangopure.com within seven (7) days of the restriction notification.

AI Content Moderation

EcoConnect Community and Catalyst Events Platform employ AI-assisted content moderation to identify spam, prohibited content, and community guideline violations. AI moderation decisions are subject to human review upon request. Affected users may request review by contacting moderation@bangopure.com.

Compliance with the EU AI Act 2024

BangoPure acknowledges its obligations under Regulation (EU) 2024/1689 on Artificial Intelligence (the EU AI Act) and is committed to full compliance with all applicable provisions as they come into force across the implementation timeline. BangoPure's AI systems are designed and operated to meet the transparency, accuracy, human oversight, and robustness requirements applicable to their risk classification under the EU AI Act. BangoPure maintains comprehensive technical documentation for all AI systems deployed on behalf of EEA users, available upon request to regulators.

BangoPure does not sell personal data to any third party, under any circumstances, for any commercial purpose whatsoever. BangoPure shares personal data with third parties only in the following circumstances and subject to contractual data protection safeguards:

Service Delivery Partners (Data Processors)

BangoPure appoints certain third-party service providers as data processors under Article 28 UK/EU GDPR compliant data processing agreements. These processors are authorised to process personal data only on BangoPure's documented instructions and for no other purpose:

Marketplace Counterparties

Where you enter into a marketplace transaction on the Eco Products Marketplace or Waste-to-Wealth Marketplace, BangoPure will share the necessary fulfilment and contact data (name, delivery address, order details) with the seller or buyer counterparty solely for the purposes of completing that specific transaction. BangoPure does not share your data with marketplace counterparties beyond what is strictly necessary for transaction fulfilment.

Regulatory and Legal Disclosures

BangoPure may be required to disclose personal data to the following bodies in specific circumstances:

• His Majesty's Revenue and Customs (HMRC) and the UK Revenue Commissioners — in connection with VAT, corporation tax, and customs compliance obligations
• Companies House (UK) and the Companies Registration Office (CRO), Ireland — in connection with statutory filing obligations
• The Information Commissioner's Office (ICO), UK, and the Data Protection Commission (DPC), Ireland — in response to regulatory enquiries or enforcement action
• Law enforcement agencies — where compelled by a valid court order, warrant, or statutory obligation under applicable law
• Her Majesty's Courts and Tribunals Service — in connection with legal proceedings
• Immigration authorities — where visa support documentation is involved and disclosure is required by immigration law

BangoPure will, wherever permitted by law, notify affected users of any such compelled disclosure before making it.

Corporate Restructuring

In the event of a merger, acquisition, asset sale, restructuring, or insolvency of BangoPure, personal data may be transferred to a successor entity as part of the transaction. BangoPure will provide reasonable advance notice of any such transfer and will ensure that the successor entity is bound by data protection obligations equivalent to those set out in this Policy.

BangoPure's operations span the United Kingdom, the Republic of Ireland, the European Economic Area, Africa, and global markets. The following framework governs international transfers of personal data:

UK to EEA Transfers

Transfers from BangoPure Limited (UK) to BangoPure Europe Limited (Ireland) are governed by an intra-group data sharing agreement incorporating the UK International Data Transfer Agreement (IDTA) where applicable. The Republic of Ireland is subject to EU GDPR, ensuring an equivalent level of data protection.

UK and EEA to Third Countries

Where personal data is transferred to countries outside the UK and the EEA (including to cloud infrastructure providers, payment processors, or verification partners located in the United States or elsewhere), BangoPure ensures that appropriate transfer mechanisms are in place, including:

• UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) as approved by the European Commission under Decision 2021/914 (as applicable)
• Binding Corporate Rules where applicable
• Adequacy decisions made by the UK Secretary of State or the European Commission where the recipient country has been determined to provide an adequate level of data protection

Africa Delegate Programme and African Operations

BangoPure transfers personal data to and from African jurisdictions, including Francophone Africa, in connection with the Africa Delegate Programme and its wider mission to support African entrepreneurs. Such transfers are undertaken in compliance with the UK IDTA and, where applicable, the ECOWAS Supplementary Act on Personal Data Protection and the national data protection laws of the relevant country. BangoPure's Africa Representatives (Ms Yvette Kengne and Ms Adele Moukoko Kiki) are bound by data processing agreements governing their handling of personal data on BangoPure's behalf.

BangoPure retains personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention schedule applies:

Under the UK GDPR, EU GDPR, and applicable national data protection laws, you enjoy the following rights in respect of your personal data. BangoPure takes these rights seriously and has established dedicated processes for handling all requests within the statutory timeframes:

To exercise any of the above rights, please submit a written request to privacy@bangopure.com or by post to the Data Controller at the relevant registered address. BangoPure may require verification of your identity before processing any request. All rights requests are processed free of charge except in cases of manifestly unfounded or excessive requests, in which case a reasonable administrative fee may be charged or the request may be refused, with written explanation provided.

BangoPure implements a comprehensive, multi-layered information security programme designed to protect personal data against unauthorised access, disclosure, alteration, destruction, or accidental loss. Our security measures include, without limitation:

Technical Measures

• Transport Layer Security (TLS 1.3 minimum) with HTTP Strict Transport Security (HSTS) enforcement across all BangoPure platforms
• AES-256 encryption for all personal data at rest across AWS, Hostinger, DigitalOcean, and Contabo infrastructure
• Column-level encryption for all personally identifiable information (PII) fields within PostgreSQL databases
• Encrypted backups to AWS S3 Glacier with 99.999999999% durability guarantees and separate key management
• OAuth 2.0 with JWT access tokens (15-minute expiry) and refresh tokens (7-day expiry) across all services
• Multi-factor authentication (MFA) via TOTP authenticator applications, mandatory for high-value accounts
• Role-based access control (RBAC) with granular permissions across all fourteen services
• Cloudflare Enterprise-grade DDoS protection and Web Application Firewall (WAF) with OWASP rule sets
• HashiCorp Vault for secrets management, API key rotation, and credential security
• Rate limiting: 100 requests per minute per IP address; 1,000 requests per hour per authenticated user
• ML-based fraud scoring with real-time risk assessment across all marketplace activities
• Device fingerprinting for account access verification and anomaly detection
• IP reputation monitoring with automated blocking of known malicious IP ranges

Organisational Measures

• Mandatory data protection training for all BangoPure personnel with documented completion records
• Principle of least privilege access controls: personnel access only the minimum data necessary for their role
• Quarterly third-party penetration testing conducted by independent security specialists
• Documented incident response plan with a 24-hour response SLA for confirmed security incidents
• Article 30 UK/EU GDPR compliant records of processing activities maintained and regularly reviewed
• Data Protection Impact Assessments (DPIAs) conducted for all high-risk processing activities
• All third-party data processors subject to Article 28-compliant data processing agreements
• Personnel background screening where required for roles involving access to sensitive personal data

Incident Response and Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, BangoPure will notify the relevant supervisory authority (ICO and/or DPC) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to affected individuals, BangoPure will also notify those individuals directly without undue delay, providing a clear and plain-language description of the nature of the breach, its likely consequences, and the measures taken or proposed to address it. Affected users will be contacted at the primary email address registered to their BangoPure account.

BangoPure uses cookies and similar technologies (including pixel tags, web beacons, and local storage) across its platforms. This Section, together with our standalone Cookie Notice accessible on each BangoPure website, constitutes our Cookie Policy for the purposes of the Privacy and Electronic Communications Regulations 2003 (PECR) and the EU ePrivacy Directive 2002/58/EC.

You may manage your cookie preferences at any time through the Cookie Preferences Centre available on each BangoPure website, or through your browser settings. Please note that disabling strictly necessary cookies will impair your ability to use certain platform features.

BangoPure's services are not directed at, and are not intended for use by, children under the age of 16 years. BangoPure does not knowingly collect personal data from children under 16. Where BangoPure discovers that personal data has been collected from a child under 16 without appropriate parental consent, it will take immediate steps to delete that data from its records. In jurisdictions where the age of digital consent is higher than 16 (for example, 18 in certain EU Member States), the higher local age threshold applies.

If you believe that BangoPure may have inadvertently collected personal data from a child, please notify us immediately at privacy@bangopure.com.

South Africa — POPIA Compliance

For data subjects located in the Republic of South Africa, BangoPure processes personal data in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA). BangoPure's processing of South African personal data is subject to the eight conditions for lawful processing set out in POPIA. South African data subjects may exercise their rights under POPIA by contacting privacy@bangopure.com. The South African Information Regulator may be contacted at inforeg@justice.gov.za.

Nigeria — NDPR Compliance

For data subjects located in the Federal Republic of Nigeria, BangoPure processes personal data in accordance with the Nigeria Data Protection Regulation 2019 (NDPR) and the Nigeria Data Protection Act 2023 (NDPA). Nigerian data subjects may exercise their rights under the NDPA by contacting privacy@bangopure.com. The Nigeria Data Protection Commission (NDPC) is the competent supervisory authority.

ECOWAS Region

BangoPure acknowledges the ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection and processes personal data relating to ECOWAS region residents in a manner consistent with its principles.

United States — CCPA/CPRA

For California residents, BangoPure complies with the California Consumer Privacy Act 2018 (CCPA) as amended by the California Privacy Rights Act 2020 (CPRA). California residents have the right to know what personal data is collected, the right to delete personal data, the right to opt-out of any sale of personal data (BangoPure does not sell personal data), the right to non-discrimination, and the right to correct inaccurate personal data. California residents may exercise these rights by contacting privacy@bangopure.com.

Canada — PIPEDA/Law 25

For users located in Canada, BangoPure processes personal data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the applicable provincial laws. BangoPure is accountable for all personal data in its custody and control.

Australia — Privacy Act 1988

For users located in Australia, BangoPure processes personal data in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australian users may lodge complaints with the Office of the Australian Information Commissioner (OAIC) at enquiries@oaic.gov.au.

BangoPure reserves the right to update, amend, or replace this Privacy Policy at any time. All amendments will be published on the BangoPure website with the updated effective date clearly stated. For material changes (defined as changes that significantly affect the way we collect or use personal data, or changes that significantly affect your rights), BangoPure will provide a minimum of thirty (30) days advance notice to registered users by email. For non-material updates (such as typographical corrections or clarifications that do not change the substantive content of the Policy), the updated Policy will take effect on the date of publication.