PRIVACY POLICY
Last updated: June 2026
Introduction
This Privacy Policy ('Policy') explains how NOOS sp. z o.o., operating the InstaXchange platform ('InstaXchange', 'we', 'us'), processes personal data of users ('Users') when they access or use the Website and/or the Services.
InstaXchange operates as a technology aggregation platform that enables Users to access independent, regulated crypto-asset service providers ('Licensed Providers') for fiat-to-crypto and crypto-to-fiat conversion transactions ('Conversion Transactions'). This Policy covers personal data processed by InstaXchange in connection with the operation of the Website and Platform. It does not cover personal data processed by a Licensed Provider in connection with a Conversion Transaction, including identity verification (KYC) and transaction monitoring data, which is governed by the privacy policy of the relevant Licensed Provider.
This Policy describes the principles governing the collection, use, storage, disclosure, and protection of Personal Data processed by InstaXchange, and outlines the rights of Users under applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ('GDPR').
By using the Website and/or the Services, the User acknowledges that their Personal Data will be processed by InstaXchange in accordance with this Policy. If the User does not agree with this Policy, the User must discontinue use of the Website and the Services.
The Services are not intended for persons under the age of eighteen (18). If InstaXchange becomes aware that Personal Data of a minor has been collected without appropriate consent, such data will be deleted and access to the Services may be terminated.
Data Controller
The Data Controller of the Personal Data processed by InstaXchange in connection with the operation of the Website and Platform is NOOS sp. z o.o., having its registered address at ul. Stefana Batorego 18, 02-591 Warszawa, Poland (KRS: 0001142087).
Where a User initiates a Conversion Transaction with a Licensed Provider, that Licensed Provider acts as an independent Data Controller in respect of the personal data it processes for KYC, AML/CFT, and transaction execution purposes. Information identifying the relevant Licensed Provider is made available to the User at the point of selecting a provider through the Platform.
Definitions
'Data controller' means the entity that determines the purposes and means of processing Personal Data.
'Data processor' means an entity that processes Personal Data on behalf of the Data Controller.
'Personal Data' means any information relating to an identified or identifiable natural person.
'Processing' means any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, or deletion.
Categories of Personal Data Processed by InstaXchange
InstaXchange processes only the following categories of Personal Data in connection with the operation of the Website and Platform. InstaXchange does not process identity documentation, source of funds/wealth data, or sanctions/PEP screening data, as these are processed exclusively by the relevant Licensed Provider in connection with a Conversion Transaction.
Account Data
- name, email address, and contact details provided upon registration;
- login credentials and account preferences.
Usage and Technical Data
- IP address, browser type and version, device identifiers;
- operating system, time zone, and approximate location data;
- login and access logs.
Website Interaction Data
- URLs visited, clickstream data, page response times;
- interaction data such as scrolling, clicks, and navigation paths.
Session and Platform Data
- session identifiers and merchant context generated when a User selects a Licensed Provider;
- transaction status updates received from Licensed Providers via secure technical channels, limited to status and aggregate volume information, for the purpose of platform operation, reporting, and fee calculation.
Marketing and Communication Data
- communication preferences;
- subscription or opt-out status for marketing communications.
Correspondence
- communications between the User and InstaXchange via email, support tickets, or other channels.
Merchant and Distribution Partner Onboarding Data
-
where applicable, business and ownership information collected as part of InstaXchange's own preliminary onboarding and risk-screening of merchants and Distribution Partners introduced to the Platform, in accordance with the InstaXchange AML Disclaimer.
Purposes and Legal Bases of Processing
Personal Data is processed by InstaXchange for the following purposes and on the following legal bases:
- performance of a contract and provision of the Services (operation of the Website and Platform);
- facilitating the User's access to and selection of Licensed Providers;
- compliance with InstaXchange's own legal and regulatory obligations, including preliminary risk screening of platform traffic and merchants, and fraud prevention;
- customer support and communications;
- security, risk management, and prevention of unlawful activity on the Platform;
- improvement and optimisation of the Website and Services;
- marketing communications, where permitted by law or based on User consent.
Where processing is based on legitimate interests, the User has the right to object to such processing.
Disclosure of Personal Data
InstaXchange may disclose Personal Data only where lawful and necessary, including to:
- Data Processors engaged by InstaXchange to support the operation of the Platform (e.g. hosting, analytics, and security providers);
- the Licensed Provider selected by the User, limited to the technical session information necessary to initiate a Conversion Transaction;
- competent authorities, regulators, or auditors where required by law;
- professional advisers acting under confidentiality obligations;
- successors or acquirers in the event of a corporate transaction.
InstaXchange does not sell Personal Data to third parties.
Data Retention
Personal Data processed by InstaXchange is retained only for as long as necessary to fulfil contractual, legal, and regulatory obligations relating to the operation of the Platform.
Personal Data is securely deleted or anonymised once retention obligations expire. AML/CFT and transaction records relating to a Conversion Transaction are retained by the relevant Licensed Provider in accordance with its own statutory retention obligations, and not by InstaXchange.
Cookies
Information about the use of cookies and similar technologies is available in the Cookies Policy published on the Website.
International Data Transfers and Security
Personal Data is generally processed within the European Economic Area (EEA). Where transfers outside the EEA occur, they are carried out in accordance with applicable data protection laws and subject to appropriate safeguards.
InstaXchange implements appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, or misuse.
Data Subject Rights
Subject to applicable law, the User has the right to:
- access their Personal Data;
- rectify inaccurate or incomplete Personal Data;
- request erasure of Personal Data;
- restrict or object to processing;
- withdraw consent where processing is based on consent;
- lodge a complaint with a competent supervisory authority.
Requests may be submitted via the contact details provided below and will be addressed within statutory time limits. Requests relating to personal data processed by a Licensed Provider in connection with a Conversion Transaction should be directed to that Licensed Provider in accordance with its own privacy policy.
Users may lodge complaints with the supervisory authority in their Member State of habitual residence, place of work, or place of the alleged infringement.
Legal Obligations and Limitations
InstaXchange may preserve or disclose Personal Data where required to comply with legal obligations, protect vital interests, prevent fraud, or safeguard the rights and security of Users or the Platform.
InstaXchange is not responsible for Personal Data disclosures resulting from User actions or interactions with Licensed Providers or other third-party platforms.
Third-Party Links
The Website may contain links to third-party websites, including the websites of Licensed Providers. InstaXchange is not responsible for the privacy practices of such websites, and Users are encouraged to review their policies independently.
Changes to This Policy
This Policy may be updated to reflect changes in law, regulatory guidance, or data processing practices. The updated version will be made available on the Website.
Contact Information
Questions regarding this Policy or the processing of Personal Data by InstaXchange may be addressed to NOOS sp. z o.o. via the contact channels available on the Website.
NOOS sp. z o.o. ul. Stefana Batorego 18, 02-591 Warszawa, Poland KRS: 0001142087 | NIP: 4660436409 | REGON: 540335260
