Privacy Policy

1. Introduction and Scope

This Privacy Policy (this “Policy”) describes how ONG Trades, Inc., a Texas corporation (“ONG Trades,” “we,” “our,” or “us”), collects, uses, discloses, stores, and protects the personal information and data of individuals and entities who access or use our AI-powered digital marketplace for physical energy commodity trading (the “Platform”), including the website located at www.ongtrades.com (the “Site”) and all related services, applications, tools, and features (collectively, the “Services”).

ONG Trades operates a technology platform facilitating the trading of physical energy commodities, including but not limited to crude oil, ultra-low sulfur diesel (ULSD), Jet A1, EN590, D6 renewable identification numbers, and refined petroleum products. Our Platform incorporates artificial intelligence trade matching, BSV blockchain-based settlement and recordkeeping, multi-layer compliance verification, voice risk analytics, vessel tracking, and carbon emissions monitoring. The nature of these Services requires the collection and processing of significant personal and commercial data from Platform participants.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Policy. If you do not agree with this Policy, you must not access or use our Services.

1.1 Applicability

This Policy applies to all users of the Platform, including but not limited to registered traders, brokers, corporate entities, inspection agents, logistics providers, financial institutions, investors, and any other individuals or entities who interact with the Services. This Policy also governs information collected through our marketing activities, investor relations communications, demo request processes, and customer support interactions.

1.2 Controlling Entity and Contact Information

The controller of your personal data is:

2. Information We Collect

We collect information through multiple channels as you interact with our Platform and Services. The categories of information we collect depend on how you use the Services and the nature of your participation in energy commodity transactions.

2.1 Information You Provide Directly

2.1.1 Account Registration and Identity Verification

When you register for an account or undergo our Know Your Customer (KYC) and Know Your Business (KYB) verification processes, we collect:

• Full legal name, date of birth, nationality, and government-issued identification documents (passport, driver's license, national ID)
• Business entity information, including legal entity name, jurisdiction of formation, employer identification number (EIN), beneficial ownership structure, and ultimate beneficial owner (UBO) information
• Contact information, including email address, telephone number, mailing address, and business address
• Tax identification numbers and tax residency information
• Professional credentials, trading licenses, and regulatory registrations
• Authorized representative information, including name, title, and delegated authority documentation

2.1.2 Transaction and Trading Data

When you engage in trading activities on the Platform, we collect:

• Trade orders, bids, offers, counterparty selections, and transaction terms including Incoterms (FOB/CIF), pricing, volume, and delivery specifications
• Payment and settlement information, including bank account details, SWIFT codes, wire transfer instructions, letters of credit (LC/SBLC) documentation, and escrow account information
• Proof of product (POP), proof of funds (POF), and standby letter of credit (SBLC) documentation
• Inspection reports, certificates of quality, certificates of origin, and bills of lading
• Cargo and shipping documentation, vessel nominations, terminal assignments, and logistics coordination data

2.1.3 Compliance and Due Diligence Data

As part of our six-layer compliance verification architecture, we collect:

• OFAC, EU, UK, and UN sanctions screening results and related compliance documentation
• Politically Exposed Person (PEP) screening data and enhanced due diligence documentation
• Anti-money laundering (AML) and counter-terrorist financing (CTF) verification records
• Voice risk analytics data processed through our Clearspeed integration, including audio recordings and derived trust risk assessment scores
• Corporate compliance certifications and self-attestation forms

2.1.4 Communications

We collect information you provide through Platform messaging, customer support requests, feedback submissions, demo requests, and investor inquiries, as well as any correspondence with our team.

2.2 Information Collected Automatically

2.2.1 Device and Usage Data

When you access our Services, we automatically collect:

• IP address, browser type and version, operating system, device identifiers, and hardware configuration
• Access times, pages viewed, referral URLs, clickstream data, and session duration
• Login history, authentication events, and access patterns
• API call logs, webhook events, and integration activity data

2.2.2 Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar technologies to collect information about your interactions with our Services. For details, see our Cookie Policy, which is incorporated into this Policy by reference. You may manage your cookie preferences through the cookie settings interface available on the Site.

2.2.3 Blockchain and Settlement Data

Transactions settled through our BSV blockchain integration generate immutable on-chain records, including:

• Transaction hashes, timestamps, and settlement confirmation data
• Tokenized trade reference identifiers linked to on-chain records
• Smart contract execution logs and settlement status data

Please note that data recorded on a public blockchain is immutable by design and cannot be altered or deleted. We take steps to minimize personally identifiable information stored on-chain, using tokenized references and pseudonymous identifiers where feasible.

2.2.4 Vessel Tracking and Logistics Data

Our Platform integrates Automatic Identification System (AIS) vessel tracking data, which may include:

• Vessel identification, flag state, IMO number, and Maritime Mobile Service Identity (MMSI)
• Real-time and historical vessel position data, speed, heading, and draft
• Port call data, terminal assignments, and estimated arrival/departure times
• Geofence event logs and anomaly detection alerts

2.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

• Identity verification and sanctions screening providers (including Chainalysis and World-Check)
• Credit reporting agencies and financial data providers
• Clearspeed voice risk analytics results and trust scoring data
• Blockchain for Energy (B4E) consortium data, including logistics workflow information and digital identity verification data processed through the Hyperledger FireFly infrastructure
• B4E Carbon, LLC carbon emissions data, including vessel-level carbon footprint calculations, digital measurement, reporting, and verification (dMRV) records, and carbon-attributed fuel lifecycle data
• Third-party inspection companies (such as SGS and Bureau Veritas), terminals, and logistics providers
• Public records, regulatory databases, and commercially available data sources

2.4 Sensitive Information

Certain information we collect may be classified as sensitive under applicable data protection laws, including government-issued identification numbers, financial account information, biometric voice data (processed through Clearspeed), and precise geolocation data. We process sensitive information only as necessary to provide the Services, comply with legal obligations, and protect against fraud and financial crime, and we apply enhanced security measures to such data.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Platform Operations and Service Delivery

• Creating, maintaining, and securing your Platform account
• Facilitating energy commodity trade matching using our AI-powered systems, including Claude API and LangGraph multi-agent orchestration
• Processing and settling transactions, including BSV blockchain-based settlement and escrow management
• Providing compliance verification across all six layers of our compliance architecture
• Executing KYC/KYB identity verification and ongoing monitoring
• Conducting sanctions screening against OFAC, EU, UK, and UN sanctions lists
• Processing Clearspeed voice risk analytics assessments for transaction participants
• Facilitating vessel tracking, logistics coordination, and cargo inspection workflows
• Tracking and reporting carbon emissions data through our B4E Carbon integration, including vessel-level carbon footprint calculations and carbon-attributed fuel lifecycle data
• Managing payment processing, escrow, letters of credit, and SWIFT messaging (MT700/MT103)
• Generating and delivering Trade Compliance Scores and risk assessments

3.2 Compliance and Legal Obligations

• Complying with applicable anti-money laundering (AML) and counter-terrorist financing (CTF) laws and regulations
• Meeting Know Your Customer (KYC) and Know Your Business (KYB) requirements under applicable financial regulations
• Satisfying sanctions compliance obligations administered by OFAC, the EU, the UK, and the UN
• Fulfilling reporting obligations under applicable commodity trading regulations, including CFTC reporting requirements
• Responding to lawful requests from regulatory authorities, law enforcement agencies, and courts of competent jurisdiction
• Meeting EU maritime carbon reporting mandates under the EU Emissions Trading System (EU ETS) and the IMO Net-Zero Framework, as applicable
• Complying with MiFID II, FCA, MAS, and DFSA regulatory requirements as applicable in relevant jurisdictions
• Maintaining records as required by applicable tax, corporate, and securities laws

3.3 Security and Fraud Prevention

• Detecting, preventing, and investigating fraud, unauthorized access, and other illegal activities
• Maintaining and improving our zero-trust security architecture
• Conducting risk assessments using AI-powered fraud detection models
• Performing voice risk analytics through our Clearspeed integration to assess transaction integrity
• Monitoring for suspicious transaction patterns and anomalous trading behavior
• Protecting the integrity of our BSV blockchain settlement records

3.4 Platform Improvement and Analytics

• Analyzing usage patterns to improve Platform functionality, performance, and user experience
• Training and refining our AI trade matching and fraud detection models using aggregated and de-identified data
• Conducting internal research and development to enhance our compliance and security capabilities
• Performing data analytics to understand market trends and optimize Platform offerings

3.5 Communications

• Sending transaction confirmations, compliance notifications, and account alerts
• Providing customer support and responding to inquiries
• Delivering marketing communications and platform updates (with your consent where required)
• Distributing investor relations communications, where applicable

4. Legal Bases for Processing

We process your personal information based on the following legal grounds, as applicable under the laws of your jurisdiction:

• Contractual Necessity: Processing necessary for the performance of our agreement with you, including the Terms of Service, to facilitate trades, settle transactions, and deliver the Services.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations, including AML/CTF laws, sanctions requirements, tax obligations, and regulatory reporting mandates.
• Legitimate Interests: Processing necessary for our legitimate business interests, including fraud prevention, platform security, risk management, and internal analytics, provided such interests are not overridden by your fundamental rights and freedoms.
• Consent: Processing based on your freely given, specific, informed, and unambiguous consent, where required by applicable law (such as for certain marketing communications or optional data processing activities). You may withdraw consent at any time by contacting us at privacy@ongtrades.com.
• Vital Interests: In rare circumstances, processing necessary to protect the vital interests of any natural person.
• Public Interest: Processing necessary for the performance of a task carried out in the public interest, such as preventing financial crime.

5. Disclosure of Your Information

We may share your information with the following categories of recipients:

5.1 Service Providers and Technology Partners

• Cloud infrastructure providers (Amazon Web Services) for hosting and data storage
• Chetu, Inc. (contracted software development firm) for platform development and maintenance under applicable data processing agreements
• Authentication and identity verification providers (Auth0, Chainalysis, World-Check)
• Clearspeed for voice risk analytics processing
• Blockchain for Energy (B4E) consortium and its Hyperledger FireFly infrastructure for digital identity verification and logistics workflow processing
• B4E Carbon, LLC for vessel-level carbon emissions tracking, dMRV processing, and carbon-attributed fuel lifecycle data
• Payment processors, escrow agents, and banking partners
• DocuSign for electronic signature and document management services
• Mapbox for geospatial visualization services
• Inspection companies, including SGS and Bureau Veritas
• Analytics and monitoring service providers

5.2 Transaction Counterparties

In the course of facilitating energy commodity transactions, we share relevant information with your transaction counterparties, including identity verification confirmations, Trade Compliance Scores, and transaction-specific data necessary to complete the trade. We share only the minimum information necessary to facilitate the transaction.

5.3 Regulatory and Legal Disclosures

We may disclose your information to regulatory authorities, law enforcement agencies, government bodies, and courts of competent jurisdiction when required by applicable law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to comply with legal obligations, protect our rights or property, prevent fraud or financial crime, or protect the safety of any person.

5.4 Blockchain Disclosures

Transaction records settled on the BSV blockchain are recorded on a distributed public ledger. While we use tokenized references and pseudonymous identifiers to minimize personal data exposure, certain transaction metadata recorded on-chain is publicly accessible and immutable. By using our blockchain settlement features, you acknowledge and consent to this inherent characteristic of blockchain technology.

5.5 Corporate Transactions

In the event of a merger, acquisition, reorganization, bankruptcy, or other corporate transaction involving ONG Trades, your information may be transferred to the surviving entity or acquiring party, subject to the commitments made in this Policy.

5.6 With Your Consent

We may share your information with third parties when you have provided your explicit consent to such sharing.

6. International Data Transfers

ONG Trades is headquartered in Highland Park, Texas, United States. Your information may be transferred to, stored in, and processed in the United States and other jurisdictions where our service providers, technology partners, and consortium members operate, including jurisdictions that may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal data outside your jurisdiction, we implement appropriate safeguards, including standard contractual clauses approved by applicable regulatory authorities, binding corporate rules, or other legally recognized transfer mechanisms, to ensure that your data receives an adequate level of protection.

For individuals located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, we ensure that data transfers comply with applicable requirements under the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, or analogous local legislation.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, and reporting requirements.

7.1 Retention Periods

• Account and identity data: Retained for the duration of your account plus a minimum of five (5) years following account closure, or longer as required by applicable AML/CTF regulations.
• Transaction records: Retained for a minimum of seven (7) years from the date of the transaction, or longer as required by applicable commodity trading, tax, or regulatory requirements.
• KYC/KYB and compliance documentation: Retained for a minimum of five (5) years following the termination of the business relationship, or longer as required by applicable law.
• Blockchain settlement records: Immutable on-chain records cannot be deleted. Off-chain metadata linked to blockchain records is retained in accordance with the transaction records retention period.
• Voice risk analytics data: Audio recordings processed through Clearspeed are retained for the minimum period necessary for the specific assessment, after which raw audio data is deleted. Derived risk scores are retained as part of the transaction compliance record.
• Carbon emissions data: Retained for the duration required by applicable environmental reporting regulations, including EU ETS obligations.
• Communications and support records: Retained for three (3) years from the date of the communication.
• Log and usage data: Retained for twelve (12) months unless a longer period is required for security investigation or legal proceedings.

7.2 Criteria for Extended Retention

We may retain your data beyond the standard retention periods where required by ongoing legal proceedings, regulatory investigations, dispute resolution, or where necessary to establish, exercise, or defend legal claims.

8. Data Security

We implement robust technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security posture includes:

• Zero-trust security architecture with continuous verification of all users and system components
• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Multi-factor authentication (MFA) enforced on all user accounts via Auth0 integration
• Role-based access controls (RBAC) with principle of least privilege
• Web Application Firewall (WAF) and DDoS mitigation through AWS CloudFront
• Continuous security monitoring, intrusion detection, and incident response capabilities via CloudWatch and PagerDuty integration
• SOC 2 Type I certification for infrastructure security controls (in progress)
• Regular security audits, penetration testing, and vulnerability assessments
• Secure software development lifecycle practices and code review processes
• Physical security controls at data center facilities through AWS shared responsibility model
• HSM-based key management with FIPS 140-2 Level 3 compliance (Phase 5)

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining industry-leading security practices commensurate with the sensitivity of the data we process.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

9.1 General Rights

• Right of Access: You may request a copy of the personal information we hold about you.
• Right to Rectification: You may request correction of inaccurate or incomplete personal information.
• Right to Erasure: You may request deletion of your personal information, subject to legal retention obligations and blockchain immutability constraints.
• Right to Restriction: You may request that we restrict the processing of your personal information in certain circumstances.
• Right to Data Portability: You may request that we provide your personal information in a structured, commonly used, and machine-readable format.
• Right to Object: You may object to the processing of your personal information based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your data protection rights.

9.2 Limitations on Rights

Certain rights may be limited where we are required by law to retain information (for example, under AML/CTF regulations), where data is recorded on an immutable blockchain ledger, or where exercising a right would adversely affect the rights and freedoms of others. We will inform you of any limitations when responding to your request.

9.3 How to Exercise Your Rights

To exercise any of the above rights, please submit a verifiable request to privacy@ongtrades.com. We will respond to your request within the timeframe required by applicable law (generally thirty (30) days, with extensions as permitted). We may require verification of your identity before processing your request.

9.4 U.S. State Privacy Rights

Residents of California, Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy legislation may have additional rights under applicable state law, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination. We do not sell personal information as defined under applicable state privacy laws. For California residents, this Policy serves as the notice required under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

9.5 European and International Rights

If you are located in the EEA, United Kingdom, or another jurisdiction with comprehensive data protection legislation, you may have additional rights under the GDPR, the UK Data Protection Act 2018, or analogous local legislation, including the right to lodge a complaint with your local supervisory authority.

10. Artificial Intelligence and Automated Decision-Making

Our Platform employs artificial intelligence and machine learning technologies in several aspects of the Services:

10.1 AI Trade Matching

We use AI-powered systems, including the Claude API and LangGraph multi-agent orchestration, to analyze trade parameters and match buyers with sellers. These systems process trade specifications, counterparty profiles, compliance data, and market conditions to generate trade recommendations. AI-generated matches are subject to human review and confirmation by both counterparties before any binding commitment.

10.2 Fraud Detection and Risk Scoring

We employ AI and machine learning models to detect potentially fraudulent activity, assess transaction risk, and generate Trade Compliance Scores. These systems analyze patterns in transaction data, counterparty behavior, and external risk indicators. While automated systems may flag transactions for additional review, final compliance determinations involve human oversight.

10.3 Voice Risk Analytics

Our Clearspeed integration processes voice recordings to generate trust risk assessments. These assessments are used as one factor within our broader compliance evaluation and do not serve as the sole basis for any decision with legal or similarly significant effects. Participants are notified and must provide consent before voice risk analytics are conducted.

10.4 Your Rights Regarding Automated Decisions

Where applicable law provides, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects concerning you. You may request human intervention, express your point of view, and contest any automated decision by contacting us at privacy@ongtrades.com.

11. Children's Privacy

Our Services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@ongtrades.com.

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve our Services. Our use of cookies falls into the following categories:

• Strictly Necessary Cookies: Essential for the operation of the Platform, including authentication, session management, and security features. These cookies cannot be disabled.
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and display settings.
• Analytics Cookies: Help us understand how users interact with the Platform, measure performance, and identify areas for improvement.
• Marketing Cookies: Used to deliver relevant advertising and track the effectiveness of our marketing campaigns. These cookies are only set with your consent.

You may manage your cookie preferences through the cookie settings interface available on the Site, or through your browser settings. Disabling certain cookies may affect the functionality of the Services.

13. Third-Party Links and Services

Our Services may contain links to third-party websites, services, or applications that are not operated or controlled by ONG Trades. This Policy does not apply to the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services you access through our Platform. We are not responsible for the content, privacy practices, or data security of third-party websites or services.

14. Do Not Track Signals

At this time, our Services do not respond to “Do Not Track” signals transmitted by web browsers. We will update this Policy if our practices change in the future with respect to Do Not Track signals.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by posting the revised Policy on the Site with an updated effective date and, where required by applicable law, by providing notice through the Platform or via email. Your continued use of the Services following the posting of a revised Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

16. Contact Us

If you have questions, concerns, or complaints about this Policy or our data practices, or if you wish to exercise any of your data protection rights, please contact us at:

For individuals in the EEA or UK, if you are not satisfied with our response to your inquiry or complaint, you have the right to lodge a complaint with your local data protection supervisory authority.

17. Governing Law

This Policy shall be governed by and construed in accordance with the laws of the State of Texas, United States, without regard to its conflict of laws principles, except where mandatory data protection laws of your jurisdiction require otherwise (such as the GDPR for individuals in the EEA).