Privacy Policy

BangoPure Limited is incorporated in England and Wales under company registration number 12066344, with its principal place of business in the United Kingdom. BangoPure Europe Limited is incorporated in the Republic of Ireland under the Companies Act 2014 with company registration number 814142.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, BangoPure Limited is the Data Controller for users located in the United Kingdom.

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679), BangoPure Europe Limited is the Data Controller for users located within the European Economic Area, including the Republic of Ireland.

Contact

This Privacy Policy applies to all personal data processed by BangoPure across its public services. The BangoPure services described on our website include:

• TRACE — Digital Product Passport
• TRANSFORM — Waste-to-Wealth
• MARKET — Eco Marketplace
• VERIFY — ESPR Verify
• LEARN — ReMaterial Academy
• CATALYST — Events

This Policy also applies to communications and interactions between BangoPure and any individual, whether or not registered. References to 'you', 'your', or 'User' refer to any such individual.

Terms used in this Policy carry the meanings set out below:

BangoPure collects personal data only as necessary to deliver the Services you use, to comply with applicable law, and to operate the platform securely. The categories of personal data we may collect include:

Identity and Account Data

• Name and any preferred or trading name
• Date of birth where required for age verification
• Country of residence
• Government-issued identification where required for regulatory verification
• Proof of address documentation where required
• Company registration details for business accounts

Contact Data

• Email address
• Telephone number
• Postal address
• Contents of communications you send to BangoPure

Financial and Transaction Data

• Payment instrument details (encrypted and tokenised by our payment partners; BangoPure does not store full card numbers)
• Bank account details where provided for invoicing or payout
• Transaction records and reference numbers
• Tax identification numbers where required for invoicing

Platform Usage and Technical Data

• IP address and device identifiers
• Browser, operating system and device type
• Session activity, page views and navigation patterns
• Search queries entered within BangoPure platforms
• Error logs and diagnostics

Service-Specific Data

• TRACE — product data submitted for Digital Product Passport generation, including material composition inputs, supplier information and lifecycle evidence
• TRANSFORM — listing data, buyer and seller transaction records
• MARKET — marketplace listing data and purchase records
• VERIFY — the data necessary to perform an independent re-verification check against a passport anchor
• LEARN — enrolment, assessment and certification records for the ReMaterial Academy
• CATALYST — event registration, attendance and delegate data

BangoPure processes personal data only for specific, explicit, and legitimate purposes. The following table summarises the processing purposes and the lawful bases relied upon:

BangoPure does not routinely collect special category personal data. Where such data is collected, it is processed only on the lawful bases set out in Article 9 of the applicable GDPR regime, and only in narrow circumstances such as:

• Accessibility or dietary information disclosed voluntarily for event participation — processed on the basis of explicit consent (Art. 9(2)(a)) and, where necessary for safety, vital interests (Art. 9(2)(c)).
• Biometric data arising from identity verification by a regulated verification partner — processed on the basis of explicit consent (Art. 9(2)(a)).

Special category data is subject to enhanced security and access controls and is never used for marketing or profiling.

Data anchored on-chain is limited, as far as technically possible, to non-personally-identifying elements such as cryptographic content hashes, system-generated product identifiers and pseudonymous wallet addresses. BangoPure does not anchor names, email addresses, physical addresses or directly identifying personal data on a public ledger.

Where on-chain data is linked to an identifiable individual, BangoPure will apply reasonable technical obfuscation upon receiving a valid erasure request, acknowledging that full deletion of on-chain records is not technically possible. By using a service that incorporates on-chain anchoring, you acknowledge and accept this characteristic.

Some BangoPure services use automated processing, including artificial intelligence components, to assess submitted materials, support fraud and abuse detection, and moderate user-submitted content.

Where an automated decision produces legal or similarly significant effects on you — for example, restricting an account or rejecting a submission — you have the right to request human review of that decision. Requests should be sent to the relevant review address published on our website.

BangoPure operates its automated systems with documentation, oversight and transparency consistent with its obligations under the EU AI Act (Regulation (EU) 2024/1689) and the applicable GDPR regime.

BangoPure does not sell personal data. We share personal data with third parties only in the following categories, and subject to contractual data-protection safeguards:

Service Delivery Partners

BangoPure engages third-party service providers as data processors under data-processing agreements compatible with Article 28 of the UK GDPR and EU GDPR. These categories include:

• Regulated payment processors for payment facilitation
• Cloud infrastructure providers for platform hosting
• Public distributed-ledger and content-addressed storage networks for Digital Product Passport anchoring
• Regulated identity verification providers
• Event registration and ticketing providers
• Transactional email and communications providers
• Security, content-delivery and abuse-prevention providers

We do not name individual third-party processors in this public Policy; current processors are disclosed to corporate customers and pilot partners under their applicable agreement.

Marketplace Counterparties

Where you enter into a marketplace transaction on the MARKET or TRANSFORM service, BangoPure shares the fulfilment data necessary to complete the transaction (such as name and delivery address) with the counterparty, solely for that purpose.

Regulatory and Legal Disclosures

BangoPure may disclose personal data to tax authorities, company registries, data-protection supervisory authorities, law enforcement agencies, and courts where required by valid legal process. We notify affected users where permitted by law.

Corporate Transactions

In the event of a merger, acquisition or restructuring, personal data may be transferred to a successor entity, which will be bound by equivalent data-protection obligations.

BangoPure operates across the United Kingdom, the Republic of Ireland and the European Economic Area, and may transfer personal data to other jurisdictions where its service partners are located.

Where personal data is transferred outside the UK or the EEA, BangoPure relies on one or more of the following safeguards as applicable:

• An adequacy decision recognised by the UK Government or the European Commission
• The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs)
• Binding Corporate Rules where applicable
• Other safeguards permitted under the UK GDPR or EU GDPR

BangoPure retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Where the law specifies a minimum retention period — for example, in respect of tax, anti-money-laundering or product-passport records — BangoPure retains the relevant data for at least that period.

On-chain records anchored as part of the TRACE service are not deletable by design; the immutability notice above applies.

More detailed retention schedules are available to corporate customers and pilot partners under their applicable agreement.

Under the UK GDPR, EU GDPR and applicable national data-protection laws, you have the following rights in respect of your personal data:

To exercise any of these rights, contact privacy@bangopure.com. BangoPure may need to verify your identity before processing a request. Rights requests are handled within the statutory timeframes.

BangoPure operates an information-security programme designed to protect personal data against unauthorised access, alteration, disclosure or loss. Our safeguards include:

• Transport encryption (TLS) on all platforms
• Encryption of personal data at rest
• Encrypted backups
• Token-based authentication with multi-factor options for sensitive accounts
• Role-based access control and least-privilege internal access
• Rate limiting, abuse detection and platform monitoring
• Mandatory data-protection training for personnel
• Independent security testing on a recurring basis
• Documented incident response and breach-notification processes

Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, BangoPure will notify the relevant supervisory authority within the timeframe required by law and, where the breach is likely to result in a high risk, will notify affected individuals directly.

BangoPure uses cookies and similar storage technologies across its platforms. This Section forms part of our Cookie Policy for the purposes of the Privacy and Electronic Communications Regulations 2003 (PECR) and the EU ePrivacy Directive.

You can manage cookie preferences through the cookie controls offered on our websites or through your browser settings.

BangoPure's services are not directed at children under the age of sixteen, and BangoPure does not knowingly collect personal data from such children. Where the age of digital consent is higher in a particular jurisdiction, the local threshold applies. If you believe BangoPure has inadvertently collected personal data from a child, please contact privacy@bangopure.com.

Where you are located outside the UK or the EEA, BangoPure processes personal data in a manner consistent with the local data-protection regime applicable to you, including, where relevant, the Protection of Personal Information Act (POPIA) in South Africa, the Nigeria Data Protection Act (NDPA), the California Consumer Privacy Act (CCPA/CPRA), Canada's PIPEDA, and the Australian Privacy Act.

BangoPure may amend this Policy from time to time. Material changes will be announced in advance through the BangoPure website. The current version is always available at the same URL.