01 Who we are
This Privacy Policy applies to personal data collected by EDMA Group (“EDMA”, “we”, “us”) through the TradeOS application, the Trade Marketplace, our websites at edma.trade and edma.co, and related services.
For most processing described in this policy, EDMA is the controller. Where EDMA processes personal data on behalf of a Customer using TradeOS (e.g. data about its own employees, suppliers, clients, or financiers), EDMA acts as the processor and the Customer is the controller. The terms of the Data Processing Agreement govern processor relationships.
Our registered office and contact details for privacy matters are at the bottom of this page.
02 What we collect
We collect personal data in the following categories.
Account & identity data
- name, email, job title, organisation, country
- account credentials (passwords are hashed; we do not store cleartext passwords)
- profile image, if uploaded
Usage & technical data
- IP address, user-agent string, device type, browser language, time zone
- pages visited, features used, in-product actions, timestamps
- error logs and crash reports
- API request metadata (endpoints, status codes, latency)
Business & commercial data
- operational records the Customer enters into TradeOS, which may include personal data of the Customer's employees, suppliers, clients, and financiers (controlled by the Customer; processed by us)
- communications metadata (sender, recipient, timestamp, channel) for messages exchanged through TradeOS portals
- document uploads and their metadata
Marketing & correspondence
- messages submitted via our contact forms (edma.trade/contact)
- subscription status for the operator briefing newsletter
- marketing-event registrations and demo bookings
Cookies & similar technologies
See the Cookie Policy for the cookies we set, their purposes, and how to manage them.
03 How we use personal data
We use personal data to:
- Provide the Service — authenticate users, render the right data to the right tenant, route documents and notifications between counterparties, compute settlement waterfalls, and operate the Trade Marketplace.
- Improve the Service — analyse aggregated usage patterns, identify bugs, prioritise features, and train internal AI models on aggregated and anonymised data only (we do not train external AI providers on Customer Data; see §5).
- Secure the Service — detect and prevent abuse, fraud, sanctions violations, malware, scraping, and unauthorised access; investigate incidents.
- Respond to enquiries and provide support — answer messages submitted via contact forms or sent to [email protected]; route enquiries to the right internal team.
- Send operational and marketing communications — service announcements, security notices, billing notices, and (with consent or where permitted by law) the operator briefing newsletter.
- Comply with law — meet tax, accounting, sanctions, anti-money-laundering, and data-protection obligations; respond to lawful requests from authorities.
04 Legal bases (GDPR)
Where GDPR applies, our processing is based on one or more of the following:
- Contract performance — to provide the Service the Customer has subscribed to, and to operate the Marketplace.
- Legitimate interest — to secure the Service, prevent fraud and abuse, improve the product, and conduct business operations. We balance our interests against your rights and freedoms.
- Consent — for non-essential cookies, marketing communications you opt into, and any other processing for which consent is the appropriate basis. You can withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, sanctions, AML, and data-protection law.
You have the right to object to processing based on legitimate interest. See §8 for how to exercise that right.
05 Who we share with
We share personal data only as set out below.
Service providers (sub-processors)
We use a small set of vetted sub-processors to host the Service, deliver email, and provide specific features. The current sub-processor list is maintained in the Data Processing Agreement. Sub-processors are bound by written agreements that meet GDPR Article 28 standards. We notify Customers of new sub-processors at least thirty (30) days before they begin processing Customer Data.
AI providers
Atlas Document Intelligence, the Accounting AI, the Bot Studio, and similar features use one or more third-party AI providers (e.g. Anthropic, OpenAI, Google) on a per-request basis. We send only the minimum data required for the requested task; we use enterprise zero-data-retention endpoints where available so prompts are not retained or used for training. The Customer can opt out of external AI providers in favour of the locally-hosted Gemma model on Sovereign and Air-Gapped tiers.
Marketplace counterparties
When a Customer (Operator) posts a Marketplace listing, anonymous summary data is visible to vetted Financiers. Identifying details (operator name, counterparty names, factory location) are revealed only after the Operator approves a specific Financier's firm, under the two-step disclosure protocol described at edma.trade/network/how-financing-works.
Authorities
We disclose personal data to courts, regulators, or law-enforcement agencies where required by valid legal process or to protect our legal rights. Where lawfully possible, we notify affected Customers in advance.
Corporate transactions
If EDMA undergoes a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the successor entity. The new entity will be bound by this Privacy Policy or a successor with materially equivalent protections.
We do not sell or rent personal data.
06 International transfers
EDMA operates across multiple jurisdictions, including the European Economic Area, the United Kingdom, and other regions. Personal data may be transferred to and processed in countries other than the one in which it was collected.
Where personal data is transferred outside the EEA or UK to a country not deemed to provide adequate protection, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (and the UK equivalent), supplementary technical measures (encryption in transit and at rest), and supplementary contractual measures with the receiving processor.
The list of regions in which Customer Data is hosted is documented in the DPA.
07 Retention
We retain personal data only as long as needed for the purposes set out in §3, then delete or anonymise it. Specifically:
- Account data — for the duration of the account, plus a reasonable archival period for legal claims.
- Customer Data in TradeOS — for the duration of the Subscription Term plus a 30-day export window, after which we delete it (subject to retention obligations imposed by law on the Customer, e.g. tax records).
- Usage logs & security logs — typically 12 months, longer where needed for investigations.
- Marketing data — until the subscriber unsubscribes, plus a suppression list to honour the unsubscribe.
- Financial records & invoices — for the period required by tax and accounting law (typically 6–10 years depending on jurisdiction).
08 Your rights
If GDPR or an equivalent law applies to you, you have the following rights with respect to personal data we hold about you:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete personal data where there is no overriding legal basis to keep it.
- Restriction — ask us to suspend processing while a dispute is resolved.
- Portability — request a machine-readable copy of data you provided, in a structured commonly-used format.
- Objection — object to processing based on legitimate interest, including profiling and direct marketing.
- Withdraw consent — where processing is based on consent, you can withdraw at any time without affecting prior lawful processing.
- Complain — lodge a complaint with your supervisory authority. See §14.
To exercise these rights, write to [email protected] with subject [Privacy]. We respond within thirty (30) days. We may ask for proof of identity before acting on a request. Where the data is Customer Data (processed by us on behalf of a Customer), we forward your request to the relevant Customer-controller.
09 CCPA / US state-law notices
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you additional rights:
- Right to know what categories of personal information we have collected about you, the sources, the purposes, and to whom we disclose it.
- Right to delete personal information, subject to applicable exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under CCPA/CPRA.
- Right to limit use of sensitive personal information, where applicable.
- Right to non-discrimination for exercising these rights.
To exercise these rights, contact us as set out in §8. We do not knowingly collect personal information of consumers under 16.
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, or another US state with comprehensive privacy legislation, you have rights substantially similar to those above. We apply the same procedures regardless of jurisdiction.
10 Cookies & tracking
We use a small number of cookies and similar technologies on our websites and in the Service. See the Cookie Policy for the full inventory and how to manage them.
We do not use third-party advertising cookies. We do not participate in cross-site advertising networks.
11 Security
We protect personal data with administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest, role-based access control, least-privilege production access, audit logging, vulnerability management, backup and disaster-recovery procedures, and staff training. The technical and organisational measures we apply are set out in detail in the DPA.
No system is perfectly secure. If you become aware of a vulnerability or suspect a breach, write to [email protected] with subject [Security].
12 Children
The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided personal data to us, please contact us and we will delete it.
13 Changes
We may update this Privacy Policy from time to time. The current version is always posted at edma.trade/legal/privacy with the “Last updated” date at the top. Material changes — those that meaningfully reduce your rights or add new categories of processing — will be notified to account administrators by email at least 30 days before they take effect.
14 Contact & complaints
For privacy questions, requests, or complaints, contact us at [email protected] with subject [Privacy]. We respond within one business day on first acknowledgement and within thirty (30) days on substantive resolution.
If you are in the EEA, UK, or Switzerland and you are not satisfied with our response, you have the right to lodge a complaint with your local data-protection supervisory authority.