Data Protection Policy






Data Protection Policy – FrozenB2B


Legal

Data Protection Policy

Our commitment to GDPR compliance and the protection of personal data on the FrozenB2B platform.

Last updated: April 30, 2026  |  Effective: April 30, 2026

Table of Contents

  1. Introduction & Scope
  2. Data Protection Principles
  3. Personal Data We Process
  4. Legal Bases & Purposes
  5. Data Minimisation
  6. Data Processors & Sub-processors
  7. International Transfers
  8. Retention Schedule
  9. Your GDPR Rights
  10. Data Breach Procedure
  11. Contact & DPO

1.Introduction & Scope

FrozenB2B is committed to protecting the personal data of all individuals who interact with our platform. This Data Protection Policy sets out our approach to compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Israeli Privacy Protection Law 5741-1981 (as amended), and other applicable data protection legislation.

This policy applies to all personal data processed by FrozenB2B in connection with:

  • Buyer RFQ submissions and follow-up communications
  • Supplier and exporter applications and onboarding
  • Website usage and analytics data
  • Newsletter subscriptions and trade communications
  • Any other services offered through www.frozenb2b.com

🛡️ FrozenB2B operates as a Data Controller for personal data collected through our website, and as a Data Processor where we handle personal data on behalf of trade partners.

2.Data Protection Principles

We adhere to the following core data protection principles in all our processing activities:

  • Lawfulness, fairness, and transparency: We process data on a clear legal basis and are transparent about how it is used.
  • Purpose limitation: Data collected for a specific purpose is not used for incompatible purposes.
  • Data minimisation: We only collect data that is necessary for the stated purpose.
  • Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
  • Storage limitation: We retain data only as long as necessary (see Section 8).
  • Integrity and confidentiality: We implement appropriate technical and organisational security measures.
  • Accountability: We can demonstrate compliance with these principles.

3.Personal Data We Process

The following categories of personal data are processed by FrozenB2B:

Category Data Elements Source
Business contact data Contact name, business email, company name, country Form submissions
Trade data Product specifications, quantities, pricing, port preferences, payment terms Buyer RFQ forms
Supplier profile data Export experience, production capacity, certifications, BOL capability Supplier applications
Usage data IP address, browser type, pages visited, session duration Automatic collection
Cookie data Session identifiers, preference cookies, analytics cookies Browser cookies
Communication data Email correspondence, trade desk interactions Direct communications

We do not intentionally collect special category data (e.g., health data, biometric data, political opinions) or personal data relating to children under 18.

4.Legal Bases & Purposes

Processing Purpose Legal Basis (GDPR Art. 6)
Processing buyer RFQs and matching with suppliers Article 6(1)(b) – Performance of a contract / pre-contractual steps
Processing supplier applications and onboarding Article 6(1)(b) – Performance of a contract / pre-contractual steps
Sending trade match notifications and follow-ups Article 6(1)(f) – Legitimate interests
Website analytics and performance monitoring Article 6(1)(f) – Legitimate interests (with consent for non-essential cookies)
Newsletter and trade intelligence communications Article 6(1)(a) – Consent
Compliance with legal obligations Article 6(1)(c) – Legal obligation
Fraud prevention and platform security Article 6(1)(f) – Legitimate interests

Where processing is based on legitimate interests, we have conducted and documented a Legitimate Interest Assessment (LIA) to ensure that our interests are not overridden by the rights and freedoms of data subjects.

5.Data Minimisation

Our forms are designed to collect only the minimum data required to deliver our matching service. We regularly review our data collection practices to ensure:

  • Optional fields are clearly marked and not required for service delivery.
  • No sensitive financial, banking, or payment card data is collected through our platform.
  • Data collected for one purpose is not repurposed without a compatible legal basis.
  • Users can submit enquiries with minimal mandatory fields (company name, email, country, product, and quantity for buyers).

6.Data Processors & Sub-processors

FrozenB2B engages the following categories of data processors:

Processor Purpose Location
Google LLC (Google Workspace) Form data storage, email communications, spreadsheet management USA / EU (SCCs in place)
Google Analytics Website analytics and performance measurement USA / EU (SCCs in place)
WordPress / Web host Website infrastructure and content management EU/US

All processors are subject to data processing agreements (DPAs) requiring them to process data only on our documented instructions, implement appropriate security measures, and assist with data subject rights requests.

7.International Data Transfers

FrozenB2B is based in Israel. Israel has been recognised by the European Commission as providing an adequate level of personal data protection for commercial transfers under GDPR Article 45.

Where we transfer data to processors in third countries without an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs): The European Commission’s approved module-specific SCCs for controller-to-processor transfers.
  • Supplementary measures: Including encryption in transit and at rest, and access controls.

Data transfers to Google are covered by Google’s Data Processing Addendum incorporating the EU Standard Contractual Clauses.

8.Retention Schedule

Data Type Retention Period Basis
Buyer RFQ records 3 years from submission Legitimate interests / legal basis
Supplier application records 3 years from submission or end of relationship Legitimate interests
Active trade partner correspondence Duration of relationship + 5 years Legal obligation (commercial records)
Newsletter subscriber data Until unsubscription + 1 month Consent
Website usage / analytics data 26 months (aggregated) Legitimate interests
Security / access logs 12 months Legitimate interests (security)

After retention periods expire, data is securely deleted or anonymised in a manner that makes re-identification impossible.

9.Your GDPR Rights

If you are located in the EU/EEA, UK, or a jurisdiction with equivalent data protection rights, you have the following rights which you can exercise at any time:

  • Right of access (Art. 15): Obtain a copy of personal data we hold about you, plus information about how it is processed.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data where it is no longer necessary, consent is withdrawn, or other grounds apply.
  • Right to restrict processing (Art. 18): Request we limit processing while accuracy is contested or objection is pending.
  • Right to data portability (Art. 20): Receive data in a structured, commonly used, machine-readable format (applies to consent-based or contract-based processing).
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making (Art. 22): We do not use solely automated decision-making that produces legal or similarly significant effects.

To exercise any right, submit your request to [email protected]. We will acknowledge receipt within 72 hours and respond within 30 days (extendable to 3 months for complex requests with notification).

We do not charge a fee for reasonable requests but may charge for manifestly unfounded or excessive requests.

10.Data Breach Procedure

In the event of a personal data breach, FrozenB2B will:

  • Identify, contain, and assess the breach as quickly as possible.
  • Notify the relevant supervisory authority within 72 hours of becoming aware, where the breach is likely to result in a risk to the rights and freedoms of individuals.
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • Document all breaches, including those not requiring notification, in our breach register.
  • Implement corrective measures to prevent recurrence.

If you believe your personal data has been compromised, please contact us immediately at [email protected].

11.Contact & Data Protection Officer

For all data protection enquiries, requests, and complaints:

EU/EEA-based users who are not satisfied with our response have the right to lodge a complaint with their local data protection supervisory authority.

This Data Protection Policy is reviewed annually and updated when required by changes in law or our processing activities. Material changes will be communicated via our website.