How We Protect Your Data
At QNC Exchange we process your personal data in compliance with GDPR and international data-protection standards.
Last updated: May 20, 2026
1. Overview
Your privacy is one of QNC Exchange's highest priorities. This Policy is designed to transparently explain when your personal data is collected, how it is used, who it is shared with, and what your rights are. QNC Exchange commits to comply with the following data-protection frameworks in the regions where it operates: GDPR (EU), UK GDPR (UK), CCPA (California), LGPD (Brazil), PIPEDA (Canada), APPI (Japan), PDPA (Singapore), POPIA (South Africa), Australia Privacy Act, and FATF Travel Rule.
2. Data Controller and Contact
Data Controller: QNC Exchange
Contact: [email protected]
Data Protection Officer (DPO): [email protected]
You may submit any request regarding your personal data via the email addresses above. Statutory requests are resolved within 30 days.
3. Personal Data We Collect
• Identity and Contact: Full name, date of birth, nationality, ID number, ID photo/document, email, phone, residential address.
• Financial Information: Bank account details, IBAN, payment card, crypto wallet addresses, transaction history, balance, receipts.
• KYC/AML Data: Selfie (liveness test), proof of address, tax ID, occupational info, source-of-funds declaration.
• Device and Session: IP address, device fingerprint, browser info, operating system, session logs, login/logout times, location (country level).
• Marketing and Preferences: Language, theme, favorite pairs, notification settings, email-open logs (only with your consent).
• Behavior and Security: Transaction patterns, suspicious-activity scores, failed login attempts, 2FA events.
4. Purposes and Legal Bases for Processing
Under GDPR Article 6 and equivalent international standards, we process your data on the following legal bases:
• Contract Performance: Account creation, trading services, customer support.
• Legal Obligation: KYC/AML requirements, FATF Travel Rule, tax reporting, requests from authorities.
• Legitimate Interest: Fraud prevention, security monitoring, platform improvement, analytics.
• Explicit Consent: Marketing communications, optional cookies, third-party integrations.
• Vital Interest: Notifying users in case of system breaches.
5. Data Sharing and International Transfers
Categories we share with:
• Cloud infrastructure providers (AWS, Cloudflare, Hetzner) — server, CDN, DDoS protection
• KYC/AML service providers (SumSub, Onfido, Chainalysis, TRM Labs) — identity verification and risk scoring
• Payment / blockchain infrastructure (Fireblocks, Stripe, Brevo) — fund movements, email delivery
• Analytics (Vercel Analytics, anonymized) — only anonymized usage data
• Competent authorities — only upon legal requirement such as court order or FATF/AML request
International transfers: Your data may be processed on global cloud infrastructures in the EU, US, and other regions. For EU residents, Standard Contractual Clauses (SCC) apply under GDPR Article 46.
We do NOT sell data. Your personal data is never sold under any circumstance; the CCPA "do not sell" right is preserved by default.
6. Data Retention
Our retention periods are as follows:
• Account-active: For the duration of the account — contract performance basis
• KYC documents: 5 years after account closure (AML/FATF requirement)
• Transaction records: 10 years (financial regulation)
• Session/IP logs: 12 months (security)
• Marketing consents: Until consent is withdrawn
• Suspicious-activity reports: 10 years (AML requirement)
When retention expires, data is deleted, destroyed, or anonymized.
7. Data Security and Breach Notification
Technical measures we apply:
• All traffic is encrypted with TLS 1.3
• Passwords are hashed with bcrypt
• 2FA, device approval, IP rate limit, Cloudflare Turnstile bot protection
• Crypto assets are protected with cold storage and multi-sig
• Penetration tests are performed regularly
• Sensitive data is stored with additional encryption in the database
In case of breach: Under GDPR Article 33, detected data breaches are reported to the relevant data-protection authority within 72 hours and affected users are notified directly via email.
8. Regional User Rights
Depending on the jurisdiction in which you reside, you have the following rights:
• EU / EEA (GDPR Articles 15-22): Access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, objection to automated decisions. Right to lodge a complaint with the supervisory authority.
• United Kingdom (UK GDPR): Same rights as GDPR; right to complain to the ICO.
• California (CCPA/CPRA): Right to know, delete, "do not sell/share", non-discrimination.
• Brazil (LGPD Article 18): Consent, access, correction, anonymization, portability, deletion, sharing information, objection.
• Canada (PIPEDA): Access, correction, complaint (OPC).
• Japan (APPI): Disclosure, correction, suspension of use, disclosure.
• Singapore (PDPA): Access, correction, withdrawal.
• South Africa (POPIA): Access, correction, deletion, objection.
• Australia (Privacy Act): Access, correction, complaint (OAIC).
To exercise your rights: contact [email protected]. Answered free of charge within 30 days.
9. Protection of Minors
QNC Exchange does not provide services to persons under the age of 18 and does not knowingly collect personal data from users under 18. If a false age declaration is detected, the account is immediately closed and all data deleted. Under GDPR, the digital-consent age in some EU member states is 16; however, QNC Exchange applies an 18-year minimum across the entire platform (as a financial service).
10. Policy Updates and Contact
QNC Exchange may revise this Policy due to legal changes or service updates. Material changes are communicated to users via email and in-platform notification. The current version of the Policy is always published on this page.
Contact:
• General: [email protected]
• Data Protection Officer: [email protected]