Privacy Policy
Last updated: July 10, 2026
CoinExchange.Cash ("Platform", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Platform. Where processing relies on consent, including optional analytics, we ask for that choice separately.
1. Our Privacy Principles
CoinExchange.Cash is designed with privacy as a core principle:
- Non-custodial by design: We never have access to your private keys, seed phrases, or wallet funds.
- Minimal data collection: We collect only the information necessary to operate the Platform and comply with applicable laws.
- Privacy-preserving storage: Sensitive identifiers are hashed using one-way cryptographic functions where possible.
- No selling of data: We never sell, rent, or trade your personal information to third parties for marketing purposes.
- User control: You can request access to, correction of, or deletion of your personal data at any time.
2. Information We Collect
2.1 Information You Provide
- Account information: Email address, display name, and password (stored as a bcrypt hash, never in plaintext).
- Wallet addresses: Public cryptocurrency wallet addresses you connect to the Platform. We never request or store private keys.
- Identity verification (KYC): If you choose to verify your identity or are required to do so, we collect government-issued ID documents, selfie photos, and related information. This data is processed by our third-party KYC provider (Sumsub) and is subject to their privacy policy in addition to ours.
- Communication data: Messages sent through the Platform's trade chat, dispute evidence, support requests, and feedback.
- Trade and offer data: Details of trades, offers, loan agreements, and prediction market positions you create or participate in.
- Payment method suggestions: Names and descriptions of payment methods or countries you suggest for the Platform.
- Notification preferences: Your chosen notification channels (email, Telegram, WhatsApp, push) and per-event settings.
2.2 Information Collected Automatically
- Device and browser information: Browser type and version, operating system, device type, and screen resolution.
- Usage data: If you explicitly allow optional analytics, Google Analytics may process pages visited, features used, timestamps, approximate device/browser information, and completed-trade conversion events. Conversion events contain a pseudonymous trade identifier and limited trade dimensions, not chat, payment evidence, wallet keys, or identity documents.
- IP address: Used for security purposes (rate limiting, fraud detection, geographic restriction enforcement). IP addresses are not stored long-term and are not linked to your identity except during active security investigations.
- Cookies and local storage: We use essential cookies and browser local storage to maintain your session, remember preferences, and ensure security. Optional Google Analytics storage is disabled until you consent, and advertising storage remains disabled.
2.3 Blockchain Data
Blockchain transactions are publicly visible by their nature. When you interact with blockchain networks through the Platform (e.g., funding escrow, releasing funds), those transactions are recorded on-chain and are publicly accessible. We may index and display relevant on-chain data related to your Platform activity.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Platform operation: To create and manage your account, facilitate trades, loans, and other transactions, and provide customer support.
- Security and fraud prevention: To detect, prevent, and investigate fraud, unauthorized access, and other security threats. This includes rate limiting, CAPTCHA verification, and suspicious activity monitoring.
- Legal compliance: To comply with applicable laws, regulations, and legal processes, including KYC/AML requirements, tax reporting obligations, and law enforcement requests.
- Dispute resolution: To facilitate the resolution of disputes between users, including providing relevant evidence to arbitrators.
- Communications: To send you trade notifications, security alerts, system updates, and other service-related messages through your chosen channels.
- Platform improvement: To analyze usage patterns and improve the Platform's features, performance, and user experience. This analysis is performed on aggregated, anonymized data wherever possible.
- Banned user enforcement: Sensitive identifiers (such as email addresses) are compared using privacy-preserving hashes to prevent banned users from creating new accounts.
4. Data Storage and Security
We use the following technical and organizational measures to protect data:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at rest: Selected sensitive fields are encrypted. Passwords are hashed using bcrypt and are not stored in plaintext.
- Access controls: Access to user data is restricted by application roles and authorization checks. Administrative actions are recorded in platform audit logs; those database logs are not an immutable public ledger.
- Infrastructure security: The Platform uses managed cloud infrastructure, network controls, dependency updates, and operational monitoring. These controls reduce risk but do not guarantee security or availability.
- Session management: Authentication uses signed access and refresh tokens with server-side validation and revocation controls. Users should protect any browser or device where a session is active.
- Two-factor authentication: We support TOTP-based 2FA to add an extra layer of security to your account.
While we take every reasonable precaution to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
5. Data Sharing and Third Parties
We may share your information with the following categories of third parties, only as necessary:
- KYC/Identity verification provider (Sumsub): If you undergo identity verification, your documents and selfie are transmitted to our KYC provider for processing. They are bound by their own privacy policy and data processing agreements with us.
- Email service provider (Resend): Your email address is shared with our email delivery service to send transactional emails (password resets, trade notifications, etc.).
- Error monitoring (Sentry): Anonymous error reports and performance data may be sent to our error monitoring service. These do not include personal information.
- Optional analytics (Google Analytics 4): GA4 loads only after explicit consent and is configured with advertising storage, ad-user-data, ad-personalization, and Google Signals disabled. Google processes consented analytics data under its own terms and privacy policy.
- On-ramp/off-ramp providers: If you use buy/sell crypto features, you interact directly with third-party providers (e.g., Onramper) under their own terms and privacy policies.
- Swap aggregators (0x Protocol): Token swap requests are routed through decentralized exchange aggregators. Only your public wallet address and transaction data are shared.
- Law enforcement: We may disclose your information if required by law, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Dispute arbitrators: In the event of a trade dispute, relevant trade data, chat logs, and submitted evidence may be shared with the assigned arbitrator to facilitate resolution.
We do not sell, rent, or share your personal information with third parties for advertising or marketing purposes.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected:
- Account data: Retained for the duration of your account and for a reasonable period after account closure to handle any outstanding issues, legal obligations, or dispute resolution.
- Trade and transaction data: Retained for a minimum of 5 years after the transaction date to comply with AML record-keeping requirements.
- KYC documents: Retained for the period required by applicable regulations (typically 5 years after the end of the business relationship), then securely deleted.
- Audit logs: Retained for security and compliance purposes for a minimum of 2 years.
- Communication data: Trade chat messages are retained for the life of the associated trade plus 1 year for dispute reference.
- Session and security logs: IP addresses and session data are retained for up to 90 days for security monitoring, then purged.
7. Your Rights (GDPR, CCPA, and Global Privacy Laws)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can request that we correct any inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): You can request that we delete your personal data, subject to legal retention requirements.
- Right to data portability: You can request a machine-readable export of your personal data.
- Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
- Right to object: You can object to the processing of your data for certain purposes.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Right to non-discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, please contact us through the Help Center. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.
Note: Certain data may be exempt from deletion requests due to legal retention requirements (e.g., AML compliance records, active trade or loan data, and blockchain transactions which are immutable by nature).
8. Cookies and Tracking Technologies
We use the following types of cookies and browser storage:
- Essential cookies: Required for the Platform to function (session tokens, CSRF protection, security tokens). These cannot be disabled.
- Preference cookies: Remember your settings (theme preference, notification preferences, language). Stored in browser local storage.
- Security cookies: Used for CAPTCHA verification (Cloudflare Turnstile) to protect against automated abuse.
- Optional analytics storage: If you select "Allow analytics", GA4 may set first-party
_gacookies and we store your consent choice in browser local storage. Selecting "Decline" prevents GA4 from loading.
We do not use advertising cookies or social-media tracking pixels. We honor the browser's "Do Not Track" signal by keeping GA4 disabled. You can withdraw consent at any time through the Analytics Preferences control in the site footer; this disables future analytics collection and removes accessible GA cookies from the current browser.
9. International Data Transfers
Our servers and third-party service providers may be located in different countries. By using the Platform, you consent to the transfer of your data to countries that may have different data protection laws than your own jurisdiction. We ensure that appropriate safeguards are in place (such as standard contractual clauses or equivalent mechanisms) when transferring data internationally.
10. Children's Privacy
The Platform is not intended for use by anyone under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we discover that we have collected data from a child, we will promptly delete it. If you believe a child has provided us with personal information, please contact us immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We will post the updated policy on this page with a new "Last updated" date. For material changes, we will notify you via email or in-app notification. Your continued use of the Platform after changes are posted constitutes your acceptance of the revised policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the Help Center or via our support channels. We take all privacy inquiries seriously and will respond promptly.
Note: This Privacy Policy is designed to be comprehensive and transparent about our data practices. For jurisdiction-specific requirements (such as GDPR Data Protection Officer designation or CCPA-specific disclosures), please contact us. We recommend reviewing this policy periodically for updates.