Privacy Policy

1. Introduction

ROCC Global Mineral Trading Limited ("ROCC Global", "we", "us" or "our") is committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, store, disclose and otherwise process personal data when you visit our website, contact us, request information from us, engage with us as a customer, supplier, intermediary, consultant or business contact, or otherwise interact with us in the course of our business.

This Privacy Policy is intended to satisfy our transparency obligations under applicable data protection law, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where relevant to cookies and electronic communications, the Privacy and Electronic Communications Regulations 2003 (as amended).

2. Who we are

For the purposes of data protection law, ROCC Global Mineral Trading Limited is the data controller in relation to the personal data described in this Privacy Policy. This means we decide how and why your personal data is used.

If you have any questions about this Privacy Policy or our data protection practices, you may contact us at:

3. The types of personal data we collect

We may collect and process the following categories of personal data, depending on the nature of your interaction with us.

We do not intentionally seek to collect special category personal data through our public website unless it is necessary, lawful and appropriate. If you provide such data to us, you must ensure it is strictly relevant and lawful for you to share.

4. How we collect personal data

We collect personal data in several ways, including:

• when you complete a form on our website;
• when you contact us by email, telephone or post;
• when you request information, documents, quotations or proposals;
• when you engage with us as a customer, supplier, logistics partner, consultant, agent or other business contact;
• when you subscribe to updates or marketing communications;
• when you browse our website and interact with cookies or similar technologies;
• from publicly available sources, company registries, sanctions lists, watchlists and professional networking sources;
• from your employer or organisation where you act on its behalf; and
• from third parties involved in transactions, onboarding, logistics, payment processing, compliance screening or corporate introductions.

Where we receive personal data indirectly, we will process it in accordance with applicable legal requirements and provide privacy information where required.

5. Purposes for which we use personal data

We may use personal data for the following purposes:

• to respond to enquiries and provide requested information;
• to administer and manage our relationship with customers, prospective customers, suppliers and other business contacts;
• to assess and process tenders, quotations, orders, contracts and supply arrangements;
• to source, procure, sell, transport and administer products and services in the ordinary course of our business;
• to carry out onboarding, account opening, due diligence and compliance checks;
• to maintain records of communications, transactions and commercial relationships;
• to manage accounts, invoicing, credit control, payment processing and financial administration;
• to operate, monitor, maintain and improve our website, systems and services;
• to ensure the security of our systems, website, staff, operations and premises;
• to prevent fraud, bribery, corruption, abuse, misuse and other unlawful conduct;
• to comply with legal, regulatory, tax, audit, sanctions, anti-money laundering, trade and governance obligations;
• to establish, exercise or defend legal claims; and
• to send relevant business communications and, where permitted, marketing communications.

6. Lawful bases for processing

We only process personal data where we have a lawful basis for doing so. Depending on the circumstances, we rely on one or more of the following lawful bases.

7. If you fail to provide personal data

Where we need personal data by law, or under the terms of a contract, and you fail to provide it when requested, we may be unable to enter into a contract with you, perform our obligations, progress an enquiry, or comply with legal and compliance requirements.

8. Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that another use is compatible with the original purpose and permitted by law.

If we need to use personal data for a materially different purpose, we will update this Privacy Policy and, where required, notify you.

9. Marketing communications

We may send you business updates, service communications, market-related information or marketing communications where we are entitled to do so under applicable law.

Where consent is required, we will obtain it before sending marketing. Where we rely on another lawful basis permitted by law, we will provide you with a clear means to opt out.

You may opt out of marketing communications at any time by clicking any unsubscribe link included in the message or by contacting us at [email protected].

Please note that opting out of marketing will not prevent us from sending non-marketing communications where these are necessary for contractual, transactional, administrative or legal purposes.

10. Cookies and similar technologies

Our website may use cookies and similar technologies to:

• enable core website functionality;
• remember settings and preferences;
• analyse website traffic and usage;
• measure website performance; and
• improve security and user experience.

Where required, we will request your consent for non-essential cookies through our cookie controls. You can also manage cookies through your browser settings, although disabling certain cookies may affect website functionality.

If ROCC operates a separate Cookie Policy or Cookie Notice, this Privacy Policy should be read together with that document.

11. Disclosure of personal data

We may share personal data where necessary, lawful and proportionate with the following categories of recipients:

• our directors, employees and authorised personnel;
• our professional advisers, including lawyers, accountants, auditors, insurers and compliance advisers;
• IT service providers, hosting providers, software providers, cloud service providers and cybersecurity providers;
• payment processors, banks and financial institutions;
• logistics providers, shipping agents, customs brokers, warehouses, inspectors and operational partners;
• credit reference, identity verification and due diligence providers;
• regulators, public authorities, courts, tribunals and law enforcement agencies;
• prospective purchasers, investors, funders or advisers in connection with a proposed reorganisation, financing, acquisition or sale of all or part of our business; and
• other third parties where disclosure is necessary to perform a contract, comply with law, or protect our rights.

Where third parties process personal data on our behalf, we require them to process it only on documented instructions and to apply appropriate confidentiality and security measures.

We do not sell personal data.

12. International transfers

Because our business may involve international trade, logistics, counterparties and service providers, personal data may be transferred to, stored in, or accessed from countries outside the United Kingdom.

Where we transfer personal data internationally, we will ensure an appropriate level of protection is in place, using safeguards recognised under UK data protection law where required. These may include adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to standard contractual clauses, or other lawful transfer mechanisms.

13. Data security

We have implemented appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access and other unlawful or improper processing.

These measures may include:

• access controls and restricted permissions;
• authentication controls;
• secure hosting and infrastructure protections;
• device and network security measures;
• staff confidentiality obligations;
• document handling procedures;
• contractual controls with processors and service providers;
• monitoring and incident response procedures; and
• encryption or pseudonymisation where appropriate.

We also have procedures in place to deal with suspected personal data breaches and will notify affected individuals and regulators where required by law.

14. Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected, including to satisfy legal, regulatory, tax, accounting, contractual, insurance, record-keeping and dispute-resolution requirements.

Retention periods vary depending on the type of information and the reason we hold it. By way of general policy:

• general enquiries and contact form submissions are typically retained for up to 24 months from the date of last meaningful contact, unless they lead to an ongoing commercial relationship;
• quotation, tender and pre-contract correspondence may be retained for up to 6 years after the relevant opportunity concludes, where necessary to maintain a record of commercial dealings and defend potential claims;
• customer, supplier and contract records are typically retained for up to 6 years after the end of the relevant contractual relationship, and longer where required by law, insurance conditions or dispute considerations;
• financial, invoicing, accounting and tax records may be retained for up to 6 years or longer where required by applicable legal or regulatory obligations;
• compliance and due diligence records may be retained for as long as necessary to demonstrate legal and regulatory compliance and, where appropriate, for a reasonable period afterwards;
• marketing preference and suppression records may be retained for as long as necessary to honour opt-out requests and maintain compliant communication practices; and
• technical logs, analytics and security records may be retained for periods appropriate to operational, security and evidential requirements.

In some circumstances we may retain personal data for longer, for example where required to establish, exercise or defend legal claims, or to comply with legal obligations, investigations or enforcement requirements.

15. Your legal rights

Subject to applicable law, you may have the right to:

• request access to the personal data we hold about you;
• request correction of inaccurate or incomplete personal data;
• request erasure of your personal data;
• request restriction of processing;
• object to processing where we rely on legitimate interests;
• object at any time to processing for direct marketing;
• request transfer of your personal data to you or another organisation in a structured, commonly used and machine-readable format, where the right to data portability applies; and
• withdraw consent at any time where processing is based on consent.

These rights are not absolute and may be subject to legal exceptions.

If you wish to exercise any of your rights, please contact us at [email protected]. We may request information to verify your identity before responding.

16. Automated decision-making

We do not currently envisage that decisions producing legal effects or similarly significant effects on individuals will be taken solely by automated means. If this changes, we will update this Privacy Policy and provide any required information.

17. Third-party websites

Our website may contain links to third-party websites, applications or services. We do not control those third-party resources and are not responsible for their privacy practices. You should review their privacy notices before providing any personal data to them.

18. Complaints

If you have any concerns about how we process your personal data, please contact us first so that we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.

19. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time to reflect changes in our legal obligations, business operations, website functionality, technology or data handling practices.

Any updated version will be posted on our website with a revised "Last updated" date.

20. Contact us

If you have any questions about this Privacy Policy or our handling of personal data, please contact: