PRIVACY POLICY

1. INTRODUCTION AND SCOPE

1.1 Purpose of This Policy.

IDBX Corporation Ltd (hereinafter "IDBX," "we," "us," or "our") is committed to the responsible and lawful handling of personal data in connection with the operation of its website at https://www.idbx.com (hereinafter "the Website") and in the course of its institutional business activities. This Privacy Policy sets out the categories of personal data collected, the purposes for which such data is processed, the legal bases relied upon, the periods for which data is retained, and the rights available to individuals under applicable law.

1.2 Legal Framework

The processing activities described in this Policy are governed by the UK General Data Protection Regulation (UK GDPR), as retained in domestic law pursuant to the European Union (Withdrawal) Act 2018, and as supplemented and amended by the Data Protection Act 2018 and the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025. Where this Policy refers to "applicable data protection law," such reference encompasses all of the foregoing instruments as in force from time to time, together with any binding guidance issued by the Information Commissioner's Office (ICO).

1.3 Distinction Between UK GDPR and EU GDPR

Following the United Kingdom's departure from the European Union, the UK GDPR and the EU GDPR operate as separate and increasingly divergent legal regimes. The Data (Use and Access) Act 2025 introduced further material distinctions, including a new "recognised legitimate interest" lawful basis, modified consent requirements for certain categories of non-intrusive processing, and a revised framework governing automated decision-making. This Policy reflects exclusively the requirements of the UK GDPR as amended by the 2025 Act and does not address obligations arising under the EU GDPR, which fall within the jurisdiction of EU supervisory authorities and are governed by separate instruments.

1.4 Institutional Context

IDBX operates exclusively as a B2B financial services platform and does not provide services to retail consumers. The personal data processed in connection with the Website pertains principally to authorised representatives, employees, and business contacts of institutional counterparties. This context is directly relevant to the proportionality of processing activities and the determination of the applicable legal bases described in this Policy.

2. DATA CONTROLLER IDENTITY AND CONTACT DETAILS

2.1 Identity of the Controller

The data controller responsible for personal data collected and processed in connection with the Website is:

IDBX Corporation Ltd
‍Registered Office: 128 City Road, London, United Kingdom, EC1V 2NX
Company Registration Number: 16186625 (England and Wales)
Email: legal@idbx.com
Website: https://www.idbx.com

2.2 Data Protection Enquiries

All formal communications relating to this Policy, including requests to exercise data subject rights, complaints, and general data protection enquiries, should be addressed to IDBX Corporation Ltd at legal@idbx.com, clearly marked for the attention of the Data Protection function. Postal correspondence may be sent to the registered office address stated above.

2.3 Response Timescales

IDBX will acknowledge all written data protection communications within five (5) business days of receipt. A substantive response will be provided within the timescales prescribed by applicable data protection law, and in any event no later than one (1) calendar month from the date of receipt, subject to any permissible extension under Article 12 of the UK GDPR where the request is complex or multiple requests have been submitted concurrently.

2.4 ICO Registration

IDBX Corporation Ltd is registered with the Information Commissioner's Office, the supervisory authority for data protection matters in the United Kingdom. Further information about the ICO and its regulatory remit is available at https://ico.org.uk.

3. PERSONAL DATA COLLECTED

3.1 Data Collected Directly

IDBX collects personal data directly from individuals who contact the company through the Website or through other official channels. The categories of data collected include:

• Identity Data: Full name, job title, and professional designation of the individual making contact.
• Contact Data: Business email address, business telephone number, and professional postal address.
• Communication Data: The content of any enquiry, message, or correspondence submitted through the Website or transmitted by email to official IDBX addresses.
• Compliance and Verification Data: Where required for the fulfilment of regulatory obligations, nationality, date of birth, and identity document details such as passport numbers.
• Technical Data: IP address, browser type and version, operating system, pages visited, session duration, and referral source, collected automatically through the Website's server infrastructure.

3.2 Data Collected from Third Parties

In connection with its institutional activities, IDBX may obtain personal data relating to business contacts from publicly available professional directories, LinkedIn profiles, and other legitimate commercial sources, where such collection is necessary for the establishment or maintenance of a business relationship. All such collection is conducted in compliance with the lawful bases identified in Section 4 of this Policy

3.3 Categories of Data Not Processed

IDBX does not collect or process special category personal data as defined under Article 9 of the UK GDPR, including information revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sexual orientation. The Website is not directed at minors, and IDBX does not knowingly collect personal data from individuals under the age of eighteen (18).

4. PURPOSES OF PROCESSING AND LAWFUL BASES

All processing of personal data by IDBX is grounded in at least one of the lawful bases established under Article 6 of the UK GDPR, as amended by the Data (Use and Access) Act 2025. The table below sets out the principal processing purposes together with their corresponding lawful bases.

4.1 Legitimate Interests Assessment

Where processing is founded on Article 6(1)(f), IDBX has conducted the requisite balancing assessment and is satisfied that its institutional interests in maintaining secure and compliant operations, managing business relationships, and improving the Website do not override the rights and fundamental freedoms of the individuals concerned, having regard to the professional B2B context in which personal data is collected.

4.2 Recognised Legitimate Interest

Pursuant to the new lawful basis introduced by the Data (Use and Access) Act 2025, IDBX may rely on "recognised legitimate interest" for processing activities falling within the categories prescribed by that Act, where the nature of the processing is predefined and the balancing test is not required by reason of its proportionate character.

5. DATA RETENTION

5.1 Retention Principles

Personal data is held by IDBX only for as long as is necessary to fulfil the purpose for which it was originally collected, to comply with applicable legal or regulatory requirements, or to protect the legitimate interests of the company. Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.

5.2 Specific Retention Periods

The following retention periods apply to the principal categories of personal data processed by IDBX:

5.3 Extended Retention for Legal Proceedings

Where personal data is relevant to actual, threatened, or anticipated legal proceedings, a regulatory investigation, or an internal compliance review, IDBX reserves the right to retain such data beyond the standard periods specified above, for the duration of such proceedings or review and for a reasonable period thereafter.

6. DISCLOSURE OF PERSONAL DATA

6.1 Internal Access Controls

Access to personal data within IDBX is restricted to employees, officers, and authorised personnel who require such access for the performance of their professional responsibilities. All such individuals are bound by contractual or statutory confidentiality obligations.

6.2 Third-Party Processors

IDBX engages third-party service providers who process personal data on its behalf in the capacity of data processors, including providers of IT infrastructure, cloud hosting services, legal counsel, and compliance consultancy. All processors are engaged under written data processing agreements in accordance with Article 28 of the UK GDPR, which require them to process personal data solely on documented instructions from IDBX and to maintain appropriate security measures.

6.3 Regulatory and Law Enforcement Disclosure

IDBX may disclose personal data to the Financial Conduct Authority, the ICO, law enforcement authorities, or other public bodies where required to do so by law, by court order, or in connection with the lawful exercise of regulatory powers. All such disclosures are made only to the extent strictly necessary and proportionate to the purpose of the disclosure.

6.4 Corporate Transactions

In the event of a merger, acquisition, business reorganisation, or transfer of assets involving IDBX Corporation Ltd, personal data may form part of the transferred assets. Any successor entity would be required to adhere to privacy standards at least equivalent to those set out in this Policy, and affected individuals would be notified in advance where required by applicable law.

6.5 No Sale of Personal Data.

IDBX does not sell, rent, or trade personal data to any third party for commercial, advertising, or marketing purposes. No personal data is transmitted to social media platforms for profiling or targeting purposes. The LinkedIn and Instagram presences maintained by IDBX serve exclusively institutional branding functions and operate independently of the Website, with no tracking integration.

7. INTERNATIONAL DATA TRANSFERS

7.1 Transfer Safeguards

Where personal data is transferred to a recipient located outside the United Kingdom, IDBX ensures that such transfers comply with the requirements of Chapter V of the UK GDPR. The safeguards relied upon include:

• Adequacy Regulations: Transfer to countries covered by an adequacy regulation made under Section 17A of the Data Protection Act 2018, confirming an essentially equivalent level of data protection.
• International Data Transfer Agreements (IDTAs): Use of the standard contractual clauses approved by the ICO under the UK IDTA framework, applicable where no adequacy decision covers the destination country.
• Binding Corporate Rules: Reliance on binding corporate rules approved by the ICO, where transfers occur within a group of undertakings operating under a common and verifiable compliance framework.

8. DATA SUBJECT RIGHTS

8.1 Rights Available Under Applicable Law

Individuals whose personal data is processed by IDBX are entitled to exercise the following rights under the UK GDPR and the Data Protection Act 2018, subject to applicable exemptions:

• Right of Access (Article 15): The right to obtain confirmation of whether personal data is being processed and, where so, to receive a copy of that data along with the supplementary information specified in Article 15.
• Right to Rectification (Article 16): The right to require correction of inaccurate or incomplete personal data without undue delay.
• Right to Erasure (Article 17): The right to request deletion of personal data where one of the grounds specified in Article 17 is satisfied and no overriding legitimate interest or legal obligation requires continued retention.
• Right to Restriction of Processing (Article 18): The right to request that IDBX restrict its processing activities in circumstances such as those where the accuracy of the data is disputed or an objection has been lodged.
• Right to Data Portability (Article 20): The right to receive personal data in a structured, commonly used, machine-readable format where processing is based on consent or contractual necessity and is carried out by automated means.
• Right to Object (Article 21): The right to object at any time to processing based on legitimate interests, including institutional marketing communications, whereupon IDBX shall cease such processing unless compelling grounds are demonstrated.
• Rights in Relation to Automated Decision-Making (Article 22, as amended by DUAA 2025): The right to obtain human review of, to express a point of view regarding, and to contest the outcome of any automated decision that produces a legal or similarly significant effect. For decisions not involving special category data, the revised framework introduced by the Data (Use and Access) Act 2025 applies, requiring IDBX to provide intelligible notice, access to a representation mechanism, and a documented review process.

8.2 How to Exercise Rights

Requests to exercise any of the rights listed above must be submitted in writing to legal@idbx.com. IDBX will provide a substantive response within one (1) calendar month of receipt. Where a request is complex or concurrent requests are received, this period may be extended by up to two (2) additional months, in which case the individual will be informed of the extension and the reasons therefor within the initial one-month period.

8.3 Identity Verification

IDBX reserves the right to request reasonable verification of the identity of any individual submitting a data subject rights request before acting upon it, in order to safeguard against unauthorised disclosure or access.

8.4 Right to Complain

Any individual who considers that IDBX has processed their personal data in a manner inconsistent with applicable law has the right to lodge a complaint with the Information Commissioner's Office:

Website: https://ico.org.uk/make-a-complaint
Telephone:  0303 123 1113

9. DATA SECURITY

9.1 Technical and Organisational Measures

IDBX implements appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, accidental loss, alteration, or destruction. Such measures are reviewed and updated regularly in light of evolving technological standards, the nature of the data processed, and the risks to individuals. Measures in place include, without limitation, encrypted data transmission via TLS protocols, role-based access controls, regular security assessments, and staff training on data protection responsibilities.

9.2 Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, IDBX will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk, affected data subjects will also be notified directly pursuant to Article 34, unless an applicable exemption applies.

9.3 Processor Accountability

All third-party data processors engaged by IDBX are required, under the terms of their processing agreements, to maintain security standards commensurate with those of IDBX and to notify IDBX without undue delay upon becoming aware of any personal data breach affecting data processed on IDBX's behalf.

9.3 Processor Accountability

All third-party data processors engaged by IDBX are required, under the terms of their processing agreements, to maintain security standards commensurate with those of IDBX and to notify IDBX without undue delay upon becoming aware of any personal data breach affecting data processed on IDBX's behalf.

10. COMMUNICATIONS MONITORING

IDBX may monitor electronic communications, including emails transmitted to and from official IDBX addresses, for the purposes of security, regulatory compliance, fraud prevention, and the detection of malicious content. Such monitoring is conducted in accordance with the Investigatory Powers Act 2016 and the Regulation of Investigatory Powers Act 2000 as applicable, and only to the extent necessary and proportionate for the purposes stated. Where individuals correspond with IDBX through official channels, they are taken to have acknowledged the possibility of such monitoring.

11. COOKIES AND TRACKING TECHNOLOGIES

A full description of the cookies and similar technologies used on the Website, including their categories, purposes, durations, and legal bases, is contained in the IDBX Cookie Policy, available at https://www.idbx.com/cookie-policy. The Cookie Policy forms part of the legal framework governing use of the Website and should be read in conjunction with this Privacy Policy. IDBX does not deploy advertising, behavioural profiling, or cross-site tracking technologies on the Website, consistent with the institutional character of the platform and the requirements of the Privacy and Electronic Communications Regulations 2003 (PECR).

12. AMENDMENTS TO THIS POLICY

IDBX reserves the right to revise this Privacy Policy at any time to reflect changes in applicable law, regulatory guidance issued by the ICO, or internal data processing practices. Any revised version will be published on the Website with an updated effective date. Where an amendment is material in nature, IDBX will take reasonable steps to bring it to the attention of individuals likely to be affected, whether through a prominent notice on the Website or by direct communication. Continued use of the Website following publication of a revised Policy constitutes acknowledgement of the changes made.

13. GOVERNING LAW

This Privacy Policy is governed by the laws of England and Wales. Any dispute arising from or connected with this Policy shall be subject to the exclusive jurisdiction of the courts of England and  Wales, without prejudice to any statutory rights that a data subject may have to bring a claim before the ICO or another competent supervisory authority.