Blue Bond Accelerator

This Privacy Policy is issued by Blue Bond Accelerator (“BBA”, “we”, “us”, or “our”). We are committed to protecting your personal data and respecting your privacy. This Policy explains what personal information we collect, how we use it, how we protect it, and your rights.

This Policy should be read in conjunction with the Professional Liability & Disclaimer found in the Code of Conduct and Ethics included in this Handbook.

Introduction and Commitment

The Blue Bond Accelerator (BBA) is a global not-for-profit initiative dedicated to unlocking the potential of the blue bond market to finance ocean and coastal resilience. By combining technical assistance, market expertise, and risk mitigation strategies, we empower issuers, investors, and policymakers to develop financial solutions that protect and restore aquatic ecosystems.

Legal Framework: This policy is designed to ensure compliance with the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR).
Scope of Application: This policy applies to all individuals whose personal data we process, including visitors to our website, participants in our advisory programs, donors, and partners.
Our Role: For the purposes of data protection law, BBA acts as the Data Controller, meaning we determine the purposes and means of processing your personal data.
Ethical Standard: Our commitment to data privacy is an extension of the core values outlined in our Code of Conduct, ensuring that integrity and accountability guide every digital interaction.

What Personal Data We Collect

We collect, use, store, and transfer different kinds of personal data depending on your interaction with us. We adhere to the principle of Data Minimisation, ensuring we only collect what is necessary to fulfill our mission.

Identity and Contact Data: This includes your first name, last name, job title, and the organisation you represent. It also includes contact details such as your email address, telephone number, and any specific information you submit through our inquiry forms.
Technical and Usage Data: When you visit our site, we may automatically collect your Internet Protocol (IP) address, browser type and version, time zone setting, location, and device information. We also track “Usage Data” regarding how you navigate and interact with our website and cookies.
Marketing and Communications Data: This includes your preferences in receiving updates from us, your subscription status for our mailing lists, and your professional affiliation for the purpose of tailored updates.
Engagement and Event Data: If you participate in our programs or events, we collect your contact details, organisational role, and specific access or dietary requirements. This also includes photos or video recordings taken during events for reporting and promotional purposes, unless you opt out.
Due Diligence Data: For formal partners, funders, and bond issuers, we may collect identification documents and financial audit records required to fulfill our Anti-Money Laundering (AML) and Donation Acceptance compliance obligations.

How and Why We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we use your personal data in the following circumstances and for the following purposes:

Performance of a Contract or Service

We use Identity and Contact Data to deliver the technical assistance, advisory services, and resources you have requested from the BBA. This includes managing your registration for events and ensuring any specific access or dietary requirements are met in line with our Safeguarding and Inclusion standards.

Legitimate Interests for Growth and Security

We process Technical and Usage Data to analyse website performance, improve user experience, and ensure the security of our digital platforms. It is in our legitimate interest to ensure that the BBA site remains a safe and effective tool for the global blue finance community.

Consent for Communications

We use Mailing List Data to send newsletters, climate finance updates, and BBA program news. We only do this where you have provided explicit consent or where a “soft opt-in” applies through an existing professional relationship. You may withdraw this consent at any time.

Impact Reporting and Showcasing

To promote ocean resilience and satisfy our obligations to donors and stakeholders, we use Engagement Data to produce anonymised impact reports. We may also use Photos and Video Recordings from events to showcase our work and the progress of the accelerator.

Note: We will always provide a clear opportunity to opt-out of media capture at the point of collection.

Legal and Regulatory Compliance

We process Due Diligence Data to comply with mandatory Anti-Money Laundering (AML) and Donation Acceptance laws. This is a “Legal Obligation” that overrides individual deletion requests in certain circumstances.

Cookies and Digital Tracking

BBA uses cookies and similar tracking technologies to ensure our website functions correctly and to understand how visitors interact with our content.

Strictly Necessary Cookies: These are essential for the operation of our website, such as those that allow you to navigate between pages or access secure areas.
Analytical and Performance Cookies: We use Google Analytics 4 (GA4) to collect information about how visitors use our site (e.g., which pages are most popular). This data is typically aggregated and anonymised, helping us improve our resources for the blue finance community.
Managing Cookies: Most web browsers allow you to control cookies through their settings. However, if you disable strictly necessary cookies, some parts of the BBA website may not function as intended.

Lawful Bases for Processing

To ensure total transparency, BBA processes your personal data under one of the following “Lawful Bases” as defined by the UK GDPR:

Purpose / Activity	Type of Data	Lawful Basis for Processing
Service Delivery: To provide technical assistance, project reports, and advisory services.	Identity, Contact	Performance of a Contract or taking steps to enter into one.
Platform Optimisation: To analyse website usage and ensure digital security.	Technical, Usage	Legitimate Interests (to keep our site updated and secure).
Communications: To send newsletters and BBA program updates.	Marketing, Identity	Consent (which you may withdraw at any time).
Compliance: To perform AML and ESG risk screenings on partners.	Due Diligence, Identity	Legal Obligation (to comply with financial and ethical regulations).
Safeguarding: To ensure event access and inclusive participation.	Engagement (Health/Dietary)	Substantial Public Interest (Ensuring the safety and inclusion of all participants).

Data Sharing and Disclosure

BBA does not sell your personal data. We only share information in the following limited circumstances to support our mission and comply with legal obligations:

Service Providers and Vendors: We share data with trusted third-party vendors who provide essential services such as IT support, cloud storage, payment processing, and email distribution. All such providers are strictly bound by the BBA Vendor Code of Conduct and must sign the Annex B: Vendor Compliance Declaration, ensuring they maintain data protections equivalent to our own.
Strategic Business Partners: We may share information with affiliated partners and technical advisors to deliver the specific advisory services or joint initiatives you have requested. These partners are required to process data only in accordance with our instructions and subject to strict confidentiality.
Legal and Regulatory Compliance: We may disclose your information to law enforcement, government bodies, or regulatory authorities (such as the ICO) where we are legally required to do so. This includes reporting related to our Anti-Money Laundering (AML) and Donation Acceptance obligations.
Business Transactions: In the event of a merger, restructuring, or asset sale involving BBA, your personal data may be transferred to the successor entity as part of our ongoing operational records.
With Your Explicit Consent: We may disclose your data to other third parties if you have provided clear, affirmative consent for us to do so.

International Data Transfers and Security

As a global initiative, BBA may transfer and store your data in locations outside of your home country, primarily within the UK, EU, or US.

Transfer Safeguards: When we transfer data outside the UK or the European Economic Area (EEA), we ensure a similar degree of protection is afforded to it. This is achieved by utilising Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), which are legally binding templates approved by regulators to protect your privacy rights.
Security Measures: We implement robust technical and organisational measures to prevent your personal data from being accidentally lost, altered, or accessed without authorisation. This includes the use of encryption, secure access controls, and regular security audits of our digital infrastructure.
Breach Notification: In the event of a suspected personal data breach, we follow the strict protocols outlined in our Internal Data Protection Policy, including notification to the ICO within 72 hours where legally required.

Data Security

BBA takes the security of your personal information seriously. We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.

Our security framework is built on the following pillars:

Role-Based Access Controls (RBAC): We limit access to your personal data to those employees, agents, contractors, and other third parties who have a strictly defined business “need to know”. They are required to process your data only on our explicit instructions and are subject to a formal duty of confidentiality.
Encryption and Secure Storage: We utilise industry-standard encryption protocols for data both at rest and in transit. This ensures that sensitive information remains protected even in the event of intercepted communications or unauthorised hardware access.
Regular Audits and Security Testing: We conduct periodic reviews and testing of our digital infrastructure to identify vulnerabilities and ensure our defenses remain effective against evolving cyber threats.
Incident Response and Recovery Protocols: We maintain robust procedures to deal with any suspected personal data breach. This includes clear internal escalation paths to our Compliance Team and established protocols for notifying you and the ICO within the mandatory 72-hour window where legally required.

Data Retention

BBA retains your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.

Marketing and Communications Data: We will retain your identity and contact information for the purpose of sending newsletters and updates until you unsubscribe or request deletion. Once you unsubscribe, we may keep your details on a “suppression list” to ensure we do not contact you again in the future.
Contractual and Operational Data: Data related to the delivery of advisory services, technical assistance, or funding agreements is typically retained for the duration of the relationship plus seven (7) years following the completion of the project. This ensures we can meet our legal and audit obligations.
Event Participation Data: We retain attendee lists and access requirements only for the duration of the event and the subsequent impact reporting period, after which sensitive health or dietary data is securely destroyed.
Analytics and Technical Data: Website usage data is retained in an anonymised and aggregated form for long-term performance tracking. Because this data no longer identifies you personally, it may be kept indefinitely to help us understand BBA's historical growth and impact.
Due Diligence and AML Records: Records related to Anti-Money Laundering and ESG risk screenings must be kept for a minimum of seven (7) years by law, even if a relationship is terminated or a deletion request is made.

For a detailed breakdown of our specific retention periods for different categories of information, please refer to Annex A: Data Retention Schedule of this Handbook.

Children's Data

BBA's mission often involves engaging with coastal communities and educational initiatives. However, we do not intentionally collect or process personal data from children under the age of 16 without explicit parental or guardian consent.

Consent Requirement: Where children are involved in BBA-supported events, workshops, or activities, we will obtain verifiable parental or guardian consent before collecting any personal information.
Protections: If we discover that we have inadvertently collected personal data from a child under 16 without proper consent, we will take immediate steps to delete that information from our servers.
Inquiries: If you believe we might have any information from or about a child under 16, please contact us at compliance@bluebondaccelerator.org.

Your Legal Rights

Under UK GDPR, you have significant rights regarding your personal information:

The Right to be Informed: You have the right to be told clearly how we collect and use your data (as outlined in this policy).
The Right of Access: You may request a copy of the personal data we hold about you (a “Subject Access Request”).
The Right to Rectification: You can ask us to correct inaccurate or incomplete information.
The Right to Erasure: Also known as the “Right to be Forgotten,” you can request data deletion when there is no compelling legal reason for its continued use.
The Right to Restrict Processing: You can ask us to “pause” the use of your data while keeping it in storage.
The Right to Data Portability: You can request your data in a structured, machine-readable format to move it to another service.
The Right to Object: You can object to our processing of your data based on legitimate interests or for direct marketing.
Rights Related to Automated Decision-Making: You have protections against the risk of potentially damaging decisions being made without human intervention.

Third-Party Links

BBA's digital platforms and publications may include links to third-party websites (e.g., implementation partners, technical advisors, or international donors).

No Control: We do not control these third-party websites and are not responsible for their privacy practices, security protocols, or content.
Due Diligence: We strongly encourage you to review the privacy policy of every website you visit before providing them with any personal information.

Complaints and Contact Information

If you have any questions, concerns, or wish to exercise your legal rights regarding this Privacy Policy or the handling of your personal information, please use the following channels:

Data Compliance Inquiry: Email our specialised team at compliance@bluebondaccelerator.org. This dedicated channel ensures that technical data requests are triaged with the necessary speed and expertise to meet regulatory windows.

Acknowledgement: By using the BBA website and services, you acknowledge that you have read and understood the terms of this Privacy Policy.

Regulatory Oversight: You have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Policy Updates

BBA will review and update this Privacy Policy periodically to reflect changes in our practices, service offerings, or legal requirements.

Notification: Any changes will be posted on this page with an updated “Last updated” date.

Version Control: This version constitutes a significant update to align BBA's external privacy commitments with the 2026 BBA Policy Handbook.

Last updated: April 2026