InstaXchange
Shield

Privacy Policy

Introduction

This Privacy Policy (“Policy”) explains how the relevant Platform Operator within the Instaxchange group of companies processes personal data of users (“Users”) when they access or use the Website and/or the Services.

For the purposes of this Policy, the Platform Operator means the legal entity within the Instaxchange group that provides Services to the User, depending on the User’s jurisdiction, residence, and the Services used.

This Policy describes the principles governing the collection, use, storage, disclosure, and protection of Personal Data and outlines the rights of Users under applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

By using the Website and/or the Services, the User acknowledges that their Personal Data will be processed in accordance with this Policy. If the User does not agree with this Policy, the User must discontinue use of the Website and the Services.

The Services are not intended for persons under the age of eighteen (18). If the Platform Operator becomes aware that Personal Data of a minor has been collected without appropriate consent, such data will be deleted and access to the Services may be terminated.

Data Controller

The Data Controller of the User’s Personal Data is the relevant Platform Operator within the Instaxchange group that provides Services to the User.

Information identifying the applicable Platform Operator acting as Data Controller is made available to the User through the Website, during onboarding, or in the relevant contractual documentation.

Definitions

"Data controller" means the entity that determines the purposes and means of processing Personal Data.

"Data processor" means an entity that processes Personal Data on behalf of the Data Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, or deletion

Categories of Personal Data Processed

The Platform Operator may process the following categories of Personal Data:

Customer Due Diligence and Compliance Data

  • identification data (name, date and place of birth, address, photograph);
  • identity document data (document type, number, validity);
  • financial and transactional data (payment details, transaction amounts, counterparties);
  • source of funds and, where required, source of wealth;
  • sanctions, PEP, and adverse media screening data.

Usage and Technical Data

  • IP address, browser type and version, device identifiers;
  • operating system, time zone, and location data;
  • login and access logs.

Website Interaction Data

  • URLs visited, clickstream data, page response times;
  • interaction data such as scrolling, clicks, and navigation paths.

Marketing and Communication Data

  • communication preferences;
  • subscription or opt-out status for marketing communications.

Correspondence

  • communications between the User and the Platform Operator via email, support tickets, or other channels.

Purposes and Legal Bases of Processing

Personal Data is processed for the following purposes and on the following legal bases:


  • performance of a contract and provision of the Services;
  • execution of transactions and account administration;
  • compliance with legal and regulatory obligations (including AML/CFT, sanctions, and fraud prevention);
  • customer support and communications;
  • security, risk management, and prevention of unlawful activity;
  • improvement and optimisation of the Website and Services;
  • marketing communications, where permitted by law or based on User consent.

Where processing is based on legitimate interests, the User has the right to object to such processing.

Disclosure of Personal Data

The Platform Operator may disclose Personal Data only where lawful and necessary, including to:


  • Data Processors (e.g. technology providers, verification providers, payment partners);
  • competent authorities, regulators, or auditors where required by law;
  • professional advisers acting under confidentiality obligations;
  • successors or acquirers in the event of a corporate transaction.

The Platform Operator does not sell Personal Data to third parties.

Data Retention

Personal Data is retained only for as long as necessary to fulfil contractual, legal, and regulatory obligations.

Where applicable:

  • AML/CFT and transaction records are retained for statutory periods;

  • Personal Data is securely deleted or anonymised once retention obligations expire.

Cookies

Information about the use of cookies and similar technologies is available in the Cookies Policy published on the Website.

International Data Transfers and Security

Personal Data is generally processed within the European Economic Area (EEA). Where transfers outside the EEA occur, they are carried out in accordance with applicable data protection laws and subject to appropriate safeguards.

The Platform Operator implements appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, or misuse.

Data Subject Rights

Subject to applicable law, the User has the right to:

  • access their Personal Data;
  • rectify inaccurate or incomplete Personal Data;
  • request erasure of Personal Data;
  • restrict or object to processing;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with a competent supervisory authority.

Requests may be submitted via the contact details provided below and will be addressed within statutory time limits.

Users may lodge complaints with the supervisory authority in their Member State of habitual residence, place of work, or place of the alleged infringement.

Legal Obligations and Limitations

The Platform Operator may preserve or disclose Personal Data where required to comply with legal obligations, protect vital interests, prevent fraud, or safeguard the rights and security of Users or the Platform.

The Platform Operator is not responsible for Personal Data disclosures resulting from User actions or interactions with third-party platforms.

Third-Party Links

The Website may contain links to third-party websites. The Platform Operator is not responsible for the privacy practices of such websites, and Users are encouraged to review their policies independently.

Changes to This Policy

This Policy may be updated to reflect changes in law, regulatory guidance, or data processing practices. The updated version will be made available on the Website.

Contact Information

Questions regarding this Policy or the processing of Personal Data may be addressed to the relevant Platform Operator via the contact channels available on the Website or by email at [email protected].