
Privacy Policy

Last Updated: 25/6/2025

XPharms Xchange Privacy Policy

This Privacy Policy describes how XPharms Xchange Pty, a company established under the laws of Thailand ("XPharms Xchange," "we," "us," or "our"), collects, uses, stores, discloses, and protects personal and business information when you access or use our blockchain-powered B2B marketplace platform (the "Platform") and our services.
Your privacy is critically important to us. We are committed to protecting the information you share with us and ensuring compliance with applicable data protection laws, including the Personal Data Protection Act (PDPA) of Thailand B.E. 2562 (2019), and where relevant (e.g., if processing data of individuals in the European Economic Area), the EU General Data Protection Regulation (GDPR).
By accessing, browsing, registering for an account, or otherwise using the Platform, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Platform.

1. What Information We Collect

We collect various types of information from and about our Users to provide, maintain, and improve our Platform and services, and to comply with legal and regulatory obligations.
1.1. Information You Provide to Us Directly:
Registration and Account Information: When you register for an account, we collect information necessary to identify your business entity and key individuals, such as:
Business Details: Company legal name, business registration number, tax identification number, registered address, operational address, and industry.
Contact Persons: Full name, job title, email address, and phone number of authorized representatives or contact persons within your organization.
Digital Wallet Information: Your designated digital wallet addresses for receiving or sending payments via our Smart Contracts.
KYC/AML and Licensing Documentation: To comply with legal requirements and our ACRE Framework, we collect sensitive information and documents, including:
Identity Verification: Copies of national ID cards, passports, or other government-issued identification for beneficial owners and key personnel.
Proof of Address: Utility bills, bank statements, or other documents to verify addresses.
Business Licenses & Permits: Copies of all relevant and valid licenses, permits, and certifications required by your local, national, and international jurisdictions for your specific role in the medicinal cannabis trade.
Financial Information: Bank statements or other financial records, particularly for enhanced verification or liquidity solutions.
Transaction Information: Details related to your activities on the Platform, including:
Offers made, orders placed, products listed, prices, quantities, and transaction histories.
Details of Milestone-Based Payments, including amounts, dates, and status.
Communication Content: Records of your communications with XPharms Xchange support, or messages exchanged through the Platform's internal messaging system.
User-Generated Content: Product listings, descriptions, images, COAs, and any other content you upload or post to the Platform.
Feedback and Suggestions: Any feedback, comments, or suggestions you provide regarding the Platform or services.
1.2. Information We Collect Automatically (Usage Data):
When you access and use the Platform, we may automatically collect certain information about your equipment, browsing actions, and patterns, including:
Device Information: IP address, browser type and version, operating system, device type, and unique device identifiers.
Usage Details: Pages viewed, features accessed, time spent on pages, search queries, referral sources, and interaction patterns on the Platform.
Blockchain Transaction Data: While direct wallet-to-wallet links are obscured via our Smart Contracts for pseudonymity, transaction data on the Hedera public ledger (e.g., smart contract interactions, transaction amounts, timestamps) is publicly available. We use this data to verify milestone achievement and for internal auditing.
1.3. Information from Third Parties:
We may receive information about you from third-party service providers, such as:
Identity Verification and AML Screening Providers: Data to assist with KYC/AML compliance.
Logistics Partners: Shipment tracking information, delivery confirmations.
Testing Laboratories: Official COAs for Medicinal Cannabis Products.
Publicly Available Sources: Business registries, government databases, sanctions lists.

2. How We Use Your Information

We use the information we collect for various purposes, primarily to operate, maintain, and improve our Platform and services, and to fulfill our legal obligations.
2.1. To Provide and Manage the Platform and Services:
To create and manage your User account.
To enable you to access and use the Platform's features, including product listing, order placement, negotiation, and contract management.
To process and facilitate Milestone-Based Payments via Smart Contracts.
To provide customer support and respond to your inquiries.
To monitor and ensure the proper functioning of the Platform.
2.2. For Compliance and Security:
To perform mandatory KYC/AML verification checks on all Users and to verify business licenses and permits as part of our ACRE Framework.
To monitor for and prevent fraudulent, illegal, or prohibited activities on the Platform.
To enforce our Terms and Conditions and other policies.
To comply with applicable laws, regulations, and governmental requests, including those related to anti-money laundering, sanctions, and cannabis trade.
To establish, exercise, or defend legal claims.
2.3. To Enhance Trust and Transparency:
To facilitate mandatory dual-point product testing and integrate COA information to ensure product integrity and verify quality.
To support our internal dispute resolution protocols for transactional issues between Buyers and Sellers.
To provide pseudonymity for financial transactions on the public Hedera ledger as described in our Terms and Conditions.
2.4. For Analytics and Improvement:
To analyze Platform usage trends, user behavior, and market insights to improve our services, features, and user experience.
To conduct research and development for new features and value-added services (e.g., Phase II liquidity solutions, AI-driven compliance).
To personalize your experience on the Platform.
2.5. For Communication and Marketing:
To send you service-related communications (e.g., account notifications, transaction updates, compliance alerts, security notices).
To send you marketing communications about new features, services, or industry insights that may be of interest to you, where you have provided consent or where otherwise permitted by law. You can opt out of marketing communications at any time.

3. Legal Basis for Processing (for GDPR compliance, if applicable)

If you are a User located in the European Economic Area (EEA), our legal basis for collecting and using your information will depend on the information concerned and the specific context in which we collect it. We generally collect information from you where:
We need the information to perform a contract with you (e.g., to provide the Platform services, manage your account, process payments).
The processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (e.g., for security, fraud prevention, Platform improvement, analytics, direct marketing if legally permissible).
We have your consent to do so (e.g., for certain marketing activities or non-essential cookies).
We need to comply with a legal obligation (e.g., KYC/AML, tax reporting).

4. How We Share Your Information

We may share your information with third parties in the following circumstances:
With Other Users (for Transaction Facilitation): Limited necessary information is shared between transacting Buyers and Sellers to facilitate a Contract of Sale (e.g., Seller's contact details to Buyer, Buyer's delivery address to Seller and logistics provider). We do not directly share your sensitive KYC/AML documents or full financial transaction history with other Users.
With Service Providers: We engage trusted third-party service providers to perform functions on our behalf, such as:
Cloud hosting and infrastructure (e.g., Google Cloud).
Identity verification and AML screening services.
Payment processing facilitators (for fiat-to-crypto gateways, if applicable).
Logistics and shipping partners (e.g., Beam Logistics).
Accredited testing laboratories for COA verification.
Customer support tools, analytics providers.
Professional advisors (e.g., legal, accounting, audit).
These service providers are authorized to use your information only as necessary to provide these services to us and are contractually obligated to protect its confidentiality and security.
For Legal Reasons and Compliance: We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such action is necessary to:
Comply with a legal obligation.
Protect the rights, property, or safety of XPharms Xchange, our Users, or the public.
Prevent or investigate possible wrongdoing in connection with the Platform.
Enforce our Terms and Conditions.
Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company, your information may be transferred as a business asset.
With Your Consent: We may disclose your information for any other purpose with your explicit consent.
Aggregated or Anonymized Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you with third parties for analytics, research, marketing, or other business purposes.

5. Blockchain Data and Pseudonymity

As stated in our Terms and Conditions, XPharms Xchange leverages the Hedera Network for Smart Contract automation of Milestone-Based Payments. While the Hedera public ledger records transaction data, we utilize smart contracts as intermediaries to help obscure direct wallet-to-wallet links. Transactions will primarily show interactions with the smart contract's address, rather than directly revealing the wallet address of the counterparty to the public or other Platform Users.
Users acknowledge that, despite our pseudonymity measures, sophisticated blockchain analytics, especially when combined with off-chain public information, may potentially infer connections over time. XPharms Xchange does not guarantee absolute anonymity of blockchain transactions.

6. International Data Transfers

As XPharms Xchange operates globally and may utilize international service providers, your information may be transferred to, stored, and processed in countries outside of Thailand, including countries that may have different data protection laws than your country of residence.
When we transfer your information outside of Thailand, we will take appropriate measures to ensure that your information receives an adequate level of protection, in accordance with applicable data protection laws. This may include reliance on:
Adequacy decisions by the relevant authorities (e.g., if transferring to countries deemed to have adequate data protection laws).
Standard Contractual Clauses (SCCs) or other appropriate legal mechanisms.
Your explicit consent.

7. Data Security

We implement and maintain reasonable administrative, physical, and technical security measures designed to protect your information from unauthorized access, use, alteration, and disclosure. These measures include:
Encryption of data in transit and at rest where appropriate.
Access controls and authentication mechanisms.
Regular security assessments and vulnerability testing.
Employee training on data protection and security.
However, no method of transmission over the internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

8. Data Retention

We retain your information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The retention period will vary depending on the type of information and the purpose for which it is used. For example, information related to financial transactions and KYC/AML compliance is typically retained for longer periods as required by law.

9. Your Data Protection Rights

Depending on your jurisdiction and the applicable data protection laws (e.g., PDPA of Thailand, GDPR if applicable), you may have the following rights regarding your information:
Right to Access: You may request access to the personal and business information we hold about you.
Right to Rectification: You may request that we correct any inaccurate or incomplete information we hold about you.
Right to Erasure (Right to Be Forgotten): You may request that we delete your information, subject to certain legal obligations or legitimate business interests (e.g., retaining data for KYC/AML compliance, dispute resolution, or tax purposes).
Right to Object to Processing: You may object to the processing of your information for certain purposes (e.g., direct marketing).
Right to Restriction of Processing: You may request that we restrict the processing of your information in certain circumstances.
Right to Data Portability: You may request to receive your information in a structured, commonly used, and machine-readable format, or to have it transmitted directly to another controller.
Right to Withdraw Consent: Where we rely on your consent to process your information, you have the right to withdraw that consent at any time.
Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant data protection supervisory authority (e.g., the Personal Data Protection Committee in Thailand).
To exercise any of these rights, please contact us using the contact details provided in Section 11. We will respond to your request in accordance with applicable laws.

10. Third-Party Websites and Services

Our Platform may contain links to third-party websites or services (e.g., logistics partners, external testing labs, payment gateways). This Privacy Policy applies only to information collected by XPharms Xchange. We are not responsible for the privacy practices or content of any third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. We will notify you of any material changes by posting the updated Privacy Policy on our Platform with a new "Last Updated" date. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions about this Privacy Policy, our data practices, or if you wish to exercise your data protection rights, please contact us at:
Email: [email protected]
Website: https://www.xpharmsxchange.com/