Verification Infrastructure — Operational Industrial Recycling  ·  Agriculture  ·  Carbon Removal CSRD  ·  DPP  ·  PPWR / EPR  ·  CBAM  ·  Article 6 Independent VVB — Control Union Verification Infrastructure — Operational Industrial Recycling  ·  Agriculture  ·  Carbon Removal CSRD  ·  DPP  ·  PPWR / EPR  ·  CBAM  ·  Article 6 Independent VVB — Control Union
Legal

Privacy Policy

How Xworks Holdings Ltd collects, uses, stores, and protects personal data in connection with its verification infrastructure and associated platforms.

Xworks Holdings Ltd  ·  xworks.systems  ·  Version 2.0  ·  2026

1. Introduction

Welcome to the Privacy Policy of Xworks Holdings Ltd and its affiliated entities, including Xworks Trading Ltd and the MSR-X platform (together, “Xworks”, “we”, “us”, or “our”).

Xworks operates digital infrastructure for the verification, documentation, and monetisation of environmental and circular-economy activities, including through Digital Product Passports (DPPs), monitoring, reporting and verification (MRV) systems, and tokenised environmental data.

We are committed to protecting your personal data and respecting your privacy in accordance with the UK GDPR, the Data Protection Act 2018, and other applicable data-protection laws.

This Privacy Policy explains how we collect, use, store, and share personal data when you:

  • Visit our websites (including xworks.systems, xworkstech.com, xworksai.com, and related domains)
  • Interact with our platforms, APIs, dashboards, or verification tools
  • Onboard as a customer, supplier, verifier, partner, or counterparty
  • Communicate with us
  • Otherwise engage with Xworks or MSR-X

This policy is not intended for children, and we do not knowingly collect data relating to children.

2. Important Information and Who We Are

This Privacy Policy provides information on how Xworks collects and processes personal data through your use of our websites, platforms, tools, and services, including where you:

  • Create an account
  • Submit data for verification or reporting
  • Purchase or sell environmental data, materials, or related services
  • Participate in pilots, programmes, or token issuance workflows
  • Subscribe to communications

This policy supplements other notices, contractual terms, or fair-processing notices provided in specific contexts and does not override them.

3. Data Controller and Processor Roles

Depending on the context:

  • Xworks Holdings Ltd acts as data controller where we determine the purposes and means of processing personal data.
  • Xworks Trading Ltd may act as a data processor where we process data on behalf of customers, partners, or verification bodies under contract.

Contact Details

Legal entityXworks Holdings Ltd
Email[email protected]
Address66 Paul Street, London EC2A 4NE, United Kingdom
Telephone+44 2045 384 245
ICO NumberZB039948

We have appointed a data-privacy lead responsible for overseeing compliance and handling data-subject requests. You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk. We encourage you to contact us first so we can address your concerns directly.

4. Changes to This Policy

We keep this Privacy Policy under regular review. Please ensure that the personal data we hold about you is accurate and up to date and notify us of any changes.

5. Third-Party Links

Our websites and platforms may include links to third-party websites, services, or tools. We do not control those third parties and are not responsible for their privacy practices. Please review their privacy policies before providing any personal data.

6. The Data We Collect About You

“Personal data” means information relating to an identifiable individual. We may collect, use, store, and transfer the following categories:

  • Identity Data — name, title, role, organisation, identifiers
  • Contact Data — email address, phone number, business address
  • Account & Profile Data — usernames, access credentials, roles, preferences
  • Transaction Data — contractual records, invoices, payments, allocations
  • Technical Data — IP address, browser type, device information, logs
  • Usage Data — interaction data relating to platforms, dashboards, APIs
  • Compliance & Verification Data — licences, registrations, attestations, KYC/KYB outputs
  • Communications Data — correspondence, support requests, audit queries

We may also process aggregated or anonymised data, which does not identify individuals and is not personal data under law.

Special Category Data — We do not intentionally collect special-category personal data or criminal-offence data, except where legally required for compliance (e.g. regulated KYC checks), and only with appropriate safeguards.

7. How Your Personal Data Is Collected

We collect data through:

  • Direct interactions (forms, onboarding, contracts, correspondence)
  • Automated systems (logs, cookies, access records)
  • Third parties, including compliance and verification providers (e.g. KYC/KYB services), analytics and infrastructure providers, and publicly available sources (e.g. Companies House)

8. How We Use Your Personal Data

We only process personal data where we have a lawful basis, including:

  • Performance of a contract
  • Compliance with legal obligations
  • Legitimate business interests
  • Consent (where required, e.g. marketing)

Key purposes include:

  • Onboarding customers, suppliers, and partners
  • Operating verification, MRV, and DPP systems
  • Compliance, fraud prevention, and auditability
  • Billing, payments, and contractual management
  • Platform security, monitoring, and improvement
  • Communications and support

9. Blockchain & Immutable Records

Certain Xworks and MSR-X services involve cryptographic hashing, distributed ledgers, or immutable audit logs.

  • Personal data is not intentionally written to public blockchains
  • Where identifiers or hashes are recorded, they are designed to be non-reversible and used for integrity, auditability, and anti-tampering purposes
  • Underlying personal data remains subject to GDPR protections where applicable

10. Disclosures of Your Personal Data

We may share personal data with:

  • Group companies
  • Service providers acting under our instructions
  • Professional advisers and regulators
  • Verification and assurance partners
  • Successors in the event of restructuring, sale, or merger

All third parties are required to protect data and process it lawfully.

11. International Transfers

Some service providers are located outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses.

12. Data Security

We implement technical and organisational measures to protect personal data, including access controls, encryption, and audit logging.

We maintain incident-response procedures and will notify affected parties and regulators where legally required.

13. Data Retention

We retain personal data only for as long as necessary for:

  • Contractual performance
  • Legal and regulatory compliance
  • Audit and dispute resolution

Data may be anonymised and retained for analytical or statistical purposes.

14. Your Legal Rights

You have the right to:

  • Access your data
  • Correct inaccuracies
  • Request erasure (where applicable)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent (where relied upon)

Requests can be made to [email protected] or by writing to 66 Paul Street, London EC2A 4NE.

15. Cookies

We use cookies and similar technologies for functionality, analytics, and security. Please see our Cookie Policy for full details.

16. Lawful Bases Reference

Legitimate Interests Performance of Contract Legal Obligation UK GDPR Data Protection Act 2018

Definitions remain consistent with UK GDPR.