Owner and Data Controller
Commercium Mundi Ltd, trading as Procurement Institute, a company registered in England and Wales under company number [TO BE INSERTED POST-INCORPORATION], with registered office at 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.
Contact for all data protection inquiries and data subject requests: team@procurementinstitute.io
Commercium Mundi Ltd, trading as Procurement Institute (referred to in this policy as “Procurement Institute”, “we”, “us”, or “the Owner”), is the Data Controller for personal data processed through procurementinstitute.io and its associated domains.
What we do not do with your data
Before describing our data processing in detail, we state our position on three categories of activity explicitly.
We do not sell your personal information. Sale is defined under US state privacy laws (including the California Consumer Privacy Act) as the disclosure of personal information to a third party for monetary or other valuable consideration. Procurement Institute does not sell personal information under this or any equivalent definition in any jurisdiction.
We do not share your personal information for cross-context behavioural advertising. We do not participate in advertising networks, do not engage in audience profiling for advertising purposes, and do not disclose visitor data to third parties for the purpose of serving targeted advertisements across other websites or applications.
We do not process your personal information for targeted advertising. We do not run advertising campaigns, do not profile visitors for advertising purposes, and do not engage advertising platforms.
The preferences panel we make available for visitors resident in the United States presents toggles for “Sale”, “Sharing”, and “Targeted advertising” because these are rights required to be exposed under applicable US state privacy laws. The toggles are available for visitors who wish to exercise the statutory rights, but the underlying activities do not occur at Procurement Institute regardless of the toggle position.
We do disclose personal information to third-party processors (named in Section 6) strictly for the purpose of operating our service, under contractual protections that meet the requirements of applicable law. Under UK, EU, and US privacy law, this type of disclosure is not a “sale” or “sharing” for advertising purposes.
Scope of this policy
This Privacy Policy applies to personal data processed through:
- procurementinstitute.io and its subdomains
- procurementintel.io, procurementmundi.com, and commerciummundi.com
- Intake forms submitted through the site (buyer requirement, supply position, intelligence access, book-a-call, and general contact)
- Email correspondence with team@procurementinstitute.io
It applies to all visitors, prospective clients, engaged clients, counterparties whose data is disclosed to us in the course of engagements, and subjects of our published intelligence content.
Categories of personal data we collect
Directly from you, when you interact with our forms or correspondence: identity data (name, job title, company, role); contact data (email, phone, timezone, postal address where provided); commercial context (commodity interests, corridor focus, sourcing requirements, supply positions, transaction context); survey responses; and correspondence data (the content of emails, messages, and documents you share with us).
Third-party personal data, where you disclose it to us in the course of our work: named individuals at counterparties (directors, commercial contacts, beneficial owners) that you share with us in buyer requirement briefs, supply position briefs, or verification requests; and data from public registers (Companies House and equivalents), sanctions lists (OFAC, UK HMT, EU, UN), and adverse media that we consult in the course of counterparty verification.
Automatically, when you visit the site: usage data (IP address, browser information, device information, page views, clicks, browsing history within the site, session duration, referrer URL, country of origin) and tracker data (cookies and similar technologies set by our hosting, analytics, and performance services; see our Cookie Policy for full details).
We do not knowingly collect Sensitive Personal Data (as defined under UK GDPR) unless it is strictly necessary for a specific verification engagement and covered by a separate engagement letter and lawful basis.
How we share your data
We share personal information only in the following specific circumstances.
With third-party processors named in Section 6, strictly for the purpose of operating our service. Each processor operates under a contract requiring them to handle data only on our instructions and to maintain security standards equivalent to ours.
Within engaged services, where you are a client or counterparty to an engagement, disclosure to other parties to the engagement happens only under a fully executed Non-Disclosure and Non-Circumvention Agreement (NDNCA) or equivalent. No party receives another party’s information outside those contractual terms.
Where legally required, in response to valid legal process, regulatory inquiry, or enforcement action.
Outside these three categories, we do not disclose personal information to any third party. Specifically, we do not sell, rent, or disclose personal information for advertising or marketing purposes, and we do not use personal information for any purpose unrelated to the service you have engaged us for.
Third-party services and sub-processors
The following services process personal data on our behalf or as independent controllers, as part of the operation of the site and our services.
Platform and hosting. Webflow, Inc. provides website hosting and native form handling. Place of processing: United States. Personal data processed: trackers, usage data, IP address, form submission content. Transfer mechanism: EU–US Data Privacy Framework and Standard Contractual Clauses. See Webflow’s Privacy Policy.
Content delivery and performance. Cloudflare, Inc. provides traffic optimisation, DDoS protection, and content distribution. Place of processing: United States and distributed global edge network. Transfer mechanism: Standard Contractual Clauses. See Cloudflare’s Privacy Policy. Google Hosted Libraries (Google Ireland Limited) distributes common web libraries. Place of processing: Ireland. See Google’s Privacy Policy.
Display and typography. Google Fonts (Google Ireland Limited) delivers fonts. Place of processing: Ireland.
Analytics and product intelligence. PostHog product analytics (PostHog, Inc.) provides web analytics and behavioural measurement. Place of processing: United States. Transfer mechanism: Standard Contractual Clauses. See PostHog’s Privacy Policy. PostHog session replay provides visual recording of visitor sessions for usability analysis; input fields containing personal data are masked by default and not recorded; session recordings are retained for 30 days. PostHog feature flags and A/B testing support content variation testing. PostHog surveys collect in-app feedback when enabled. You can opt out of all PostHog processing through our cookie consent mechanism.
Contact and communication. Intake forms are handled through Webflow’s native form handling and delivered to Procurement Institute by email. Correspondence with team@procurementinstitute.io is processed through our email provider.
Compliance infrastructure. iubenda provides hosted privacy policy, cookie consent banner, and preferences panel services. Place of processing: Italy (EU). Personal data processed: consent records, IP address, cookie preferences. See iubenda’s Privacy Policy.
None of the services listed above are used for advertising, audience profiling, or cross-context behavioural advertising purposes. Each processes data strictly within the scope of the service function. A current list of third-party processors, including precise transfer mechanisms applicable at the date of your request, is available on written request to team@procurementinstitute.io.
Purposes and lawful basis for processing
We process personal data for the following purposes, on the following lawful bases under UK GDPR Article 6.
| Purpose | Lawful basis |
|---|---|
| Responding to intake submissions and inquiries | Art. 6(1)(b) — pre-contract steps at data subject’s request |
| Delivering engaged services (verification, facilitation, advisory) | Art. 6(1)(b) — performance of a contract |
| Records for tax, regulatory, and commercial dispute purposes | Art. 6(1)(c) — legal obligation |
| Counterparty verification, sanctions screening, adverse media checks on third parties named in client briefs | Art. 6(1)(f) — legitimate interest in verifying counterparties prior to engagement |
| Publishing commodity intelligence content referencing operators, companies, and public figures | Art. 6(1)(f) — legitimate interest in commentary on commodity markets, with Art. 85 UK GDPR |
| Operating, monitoring, and securing the website (analytics, heatmaps, session recording, A/B testing) | Art. 6(1)(f) — legitimate interest in providing and improving the service |
| Managing data collection through surveys and forms | Art. 6(1)(a) — consent where given, or 6(1)(b) where part of a contracted service |
| Contacting users in response to form submissions | Art. 6(1)(b) — performance of a contract or pre-contractual steps |
| Detecting and preventing fraud or abuse of the service | Art. 6(1)(f) — legitimate interest in protecting the service |
Where we rely on legitimate interest (Article 6(1)(f)), we have conducted a balancing assessment and determined that our interests are not overridden by data subject rights. Data subjects may object to processing on this basis at any time (see Section 9).
Retention periods
We retain personal data only for as long as necessary for the purpose for which it was collected, subject to legal and regulatory minimums.
| Data category | Retention period |
|---|---|
| Intake form submissions (unengaged inquiries) | 24 months from submission |
| Client engagement records (contracts, briefs, deliverables, correspondence) | 7 years from end of engagement (UK statutory) |
| Verification workspace materials (evidence folders, gap registers) | 7 years from end of engagement |
| Counterparty verification data on third parties | 7 years from end of engagement, then deleted |
| Marketing and outreach correspondence | 24 months from last contact, or until opt-out |
| Website analytics data (PostHog product analytics) | 12 months |
| Session recordings (PostHog session replay) | 30 days |
| Feature flag and A/B test data | 12 months |
| Survey responses | 24 months |
| Cookies and trackers | As specified in the Cookie Policy |
| Email correspondence | 7 years from date of correspondence |
Upon expiry of the retention period, data is deleted or anonymised. Where we are required to retain data longer by law, regulation, or an active legal claim, we will do so only for as long as required.
Your rights under UK GDPR
As a data subject, you have the following rights in respect of personal data we process about you:
- Right of access — to obtain confirmation of whether we process your data and receive a copy of it
- Right to rectification — to have inaccurate or incomplete data corrected
- Right to erasure — to have your data deleted, subject to exceptions including legal obligations, defence of legal claims, and processing for journalism under Article 85 UK GDPR
- Right to restriction of processing — to limit processing in specific circumstances
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract
- Right to object — to object to processing based on legitimate interest, including profiling
- Right to withdraw consent — where we process on the basis of consent, you may withdraw consent at any time
- Right to lodge a complaint — with the UK Information Commissioner’s Office at ico.org.uk
To exercise any of these rights, contact team@procurementinstitute.io. We will respond within one month of receiving your request. If we need to extend the response window for complex requests, we will tell you within the first month and explain why. We may ask for reasonable proof of identity before acting on a request, to protect the data subject from unauthorised disclosure.
Third-party counterparty data in client engagements
In the course of our verification and facilitation work, our clients disclose to us personal data relating to third parties — typically directors, commercial contacts, and beneficial owners at counterparty companies. This data is processed by Procurement Institute under specific conditions.
The client represents that they have a lawful basis to share this data with us (typically their own legitimate interest in conducting counterparty verification prior to commercial engagement). We process this data strictly for the purpose of the engagement and do not use it for any other purpose. We retain this data only within the engagement workspace, subject to the retention period in Section 8. We do not disclose this data to other clients or to any third party, except where necessary for the engagement (e.g. sanctions screening services, which operate as sub-processors under appropriate contractual protections).
Third parties whose data is processed have the same rights under UK GDPR as any other data subject, including the right of access, rectification, and erasure. Requests from such third parties should be sent to team@procurementinstitute.io and will be handled consistent with the rights and legitimate interests of all parties involved, including the client who disclosed the data. Where a third party exercises a right that would affect a client’s engagement, we will inform the client and manage the request in accordance with UK GDPR and our engagement letter with the client.
Published intelligence content
Procurement Institute publishes intelligence articles and analytical content on physical commodity markets through our intelligence platform. These articles may identify real companies, public figures, and named commercial operators, and may include factual analysis that is commentary on their commercial conduct or market position.
This content is published under the following basis. Processing is conducted in the legitimate interest of Procurement Institute and the public interest in informed commentary on commodity markets, consistent with Article 6(1)(f) UK GDPR. Where applicable, content may also rely on the journalism exemption under Article 85 UK GDPR and Section 124 of the Data Protection Act 2018, which limits the application of certain data protection rights to journalistic, academic, artistic, or literary processing. All content is researched against public sources, industry publications, and where relevant regulatory filings. We do not publish material we cannot substantiate.
Individuals named in published content who believe the content is inaccurate, misleading, or otherwise infringes their rights may contact team@procurementinstitute.io. We will review all such requests in good faith. Where correction, clarification, or removal is appropriate, we will act promptly. Where we determine the content is accurate and published in legitimate commentary, we will explain our position in writing and preserve the content. The right to erasure under UK GDPR Article 17 does not automatically extend to content lawfully published in journalism, commentary, or analysis.
International data transfers
Some of our sub-processors (named in Section 6) are based outside the UK and EEA, including in the United States. Where personal data is transferred to a country without an adequacy decision from the UK government, we rely on appropriate safeguards: the UK International Data Transfer Agreement, UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses where relevant; participation in the EU–US Data Privacy Framework (where the sub-processor is certified, including Webflow); and contractual protections requiring the sub-processor to maintain equivalent data protection standards.
In the course of verification and facilitation engagements, our work may involve processing data from counterparties in multiple jurisdictions, including jurisdictions outside the UK, EEA, or other adequacy-decision countries. Where this is necessary for the performance of an engagement, we rely on Article 49(1)(b) UK GDPR (transfer necessary for the performance of a contract concluded at the data subject’s request) where the data subject is the engaging party, and Article 49(1)(e) UK GDPR (transfer necessary for the establishment, exercise, or defence of legal claims) where relevant to commercial verification. We implement appropriate security measures including encrypted transmission, controlled-access workspaces, and contractual confidentiality protections. Full details of transfer mechanisms applicable to any specific engagement are available on written request.
Cookies and tracking technologies
This site uses cookies and similar tracking technologies. Full details are available in our separate Cookie Policy. Non-essential cookies (including analytics, session recording, feature flags, A/B testing, and survey trackers) are only set after you give consent through our cookie consent mechanism. You can change your preferences at any time through the “Your Privacy Choices” link in the site footer.
Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted transmission (TLS) for all data in transit, access controls on engagement workspaces restricted to Procurement Institute personnel working on the relevant engagement, sub-processor contracts requiring equivalent security standards, and regular review of access permissions and security posture. No system is completely immune from risk, but we maintain security standards appropriate to the sensitivity of the data we process.
Users outside the UK
European Union. All rights described in Section 9 apply equally to users in the EU under EU GDPR. The UK and EU regimes are substantially aligned; the UK Information Commissioner’s Office is our lead supervisory authority, but EU users may also lodge complaints with their local supervisory authority via the European Data Protection Board.
Switzerland. Users in Switzerland have rights under the Swiss Federal Act on Data Protection (FADP) that are substantially equivalent to those listed in Section 9.
Brazil. Users in Brazil have rights under the Lei Geral de Proteção de Dados (LGPD), including rights of access, rectification, deletion, portability, and objection.
United States. Users resident in California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and Montana have rights under applicable state privacy laws including the right to access, correct, delete, and opt out of the sale or sharing of personal information and the processing of personal information for targeted advertising. As stated in Section 2, Procurement Institute does not engage in sale, sharing, or targeted advertising. The preferences panel that presents these opt-outs is provided because these rights are required to be exposed under applicable law, not because the underlying activities occur. California residents have additional rights relating to Sensitive Personal Information and cross-context behavioural advertising under the California Consumer Privacy Act.
Other jurisdictions. If you are resident outside the jurisdictions listed above and believe your local law grants you additional data protection rights, contact team@procurementinstitute.io and we will respond consistent with applicable law.
Automated decision-making
We do not make decisions about data subjects based solely on automated processing. All verification verdicts, facilitation introductions, and commercial decisions are made by Procurement Institute personnel applying published methodology, not by automated systems. A/B testing and feature flagging through PostHog are used to optimise the website experience (e.g. layout variations, content presentation) and do not produce legal or similarly significant effects on visitors.
Changes to this policy
We may update this Privacy Policy from time to time. The current version is always available at this URL, with the last-updated date shown at the top. Material changes will be notified through the site or, where appropriate, by direct communication.
Contact
For all data protection inquiries, data subject requests, and questions about this policy:
Commercium Mundi Ltd, trading as Procurement Institute
71–75 Shelton Street, Covent Garden
London, United Kingdom, WC2H 9JQ
team@procurementinstitute.io
This policy has been prepared in accordance with UK GDPR, the Data Protection Act 2018, and related international privacy legislation. It should be read alongside our Cookie Policy and Terms of Use.