AceChange Privacy Policy | Non-KYC, Non-Custodial

Operator Information

Service: AceChange — a non-custodial cryptocurrency swap aggregator.

Governing Jurisdiction: Republic of Costa Rica.

⚠ Binding Privacy Agreement

This Privacy Policy forms an integral part of the relationship between you and AceChange. By accessing or using the Website or Service in any way, you irrevocably accept this Privacy Policy together with the Terms of Use. If you do not agree, you must immediately cease using the Service.

🔐 Non-Custodial Aggregator

AceChange operates as a non-custodial digital-asset trading aggregator. For most operations, AceChange acts solely as a technical intermediary between you and independent Third-Party Providers. We do not collect, store, or process your sensitive personal data (such as KYC documents, biometric data or full financial records) for our own purposes. Any such data submitted through our Interface is collected on behalf of the specific Third-Party Provider you have selected to fulfil your transaction and is transmitted encrypted to that Provider’s API.

🛡 Regulator & Law-Enforcement Cooperation

AceChange is committed to full and good-faith cooperation with any competent regulator, financial-intelligence unit, court, prosecutor, supervisory authority or law-enforcement agency upon lawful request. Authorities may contact us at [email protected] (subject line: Law Enforcement, Regulator, Privacy or Compliance) and we will respond promptly within the bounds of applicable law. We maintain audit-grade logs, geo-block records and compliance evidence sufficient to support GDPR-equivalent, AML, sanctions-screening, OFAC/UN/EU/UK and FATF-equivalent inquiries.

1. Scope and Updates to this Privacy Policy

AceChange respects your privacy and is committed to protecting your personal data. This Privacy Policy aims to give you information on what personal data we collect, how we process and protect it, and to tell you about your privacy rights and how the law protects you as we provide you with access and utility through our digital-asset trading platform — including software, API (application programming interface), technologies, products and/or functionalities (the “Service“).

Please read this Privacy Policy carefully as it explains our practices regarding your personal data and how we will treat it, and the basis on which any personal data will be processed by us. References in this Privacy Policy and on our Website to “we“, “our” or “us” are references to AceChange as a data controller. References to “you” and “your” mean each person who interacts with us, uses our Website or the products and services we provide.

By accessing our Website and Service, or otherwise providing us with your Personal Data, you are agreeing to our collection of your information pursuant to this Privacy Policy. Should you disagree with any clause stated herein, please immediately cease your access to, participation in and use of our Website and our Service.

The processing of Personal Data is regulated by the European Union General Data Protection Regulation EU 2016/679 (GDPR) and any other applicable privacy laws. We will not divulge any of your private information unless you approve in writing such disclosure or unless such disclosure is required under applicable law or is required in order to verify your identity.

AceChange operates as a non-custodial digital-asset trading aggregator. Please be advised that:

For most operations, AceChange acts solely as a technical intermediary (an aggregator) between you and Third-Party Providers (the “Providers“).
We do not collect, store or process your sensitive personal data (such as KYC documents, biometric data or full financial records) for our own purposes. Any such data requested through our Interface is collected on behalf of the specific Provider you have selected to fulfil your transaction.
While you may enter information via our Interface to ensure a seamless user experience, this data is encrypted and transmitted directly to the selected Provider’s API. AceChange does not retain or “use” this data beyond the technical necessity of facilitating the transmission and providing you with transaction status updates.
Once your data is transmitted to a Provider, their respective privacy policy and terms of service apply. We strongly encourage you to review the privacy practices of the specific Provider before initiating a transaction.

If you would like more information about how we collect, use and store your personal data, you can contact us at any time by emailing [email protected].

Updates. We may revise this Privacy Policy from time to time in our sole discretion. The updated version of this Privacy Policy will be indicated on our Website with the exact date and the sign “Last updated“. If there are any material changes to this Privacy Policy, we will notify you to the extent required by applicable law. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your data.

2. Data Collection

The term “Personal Data” refers to any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, economic, cultural or social identity of you as a natural person. We collect Personal Data that you directly provide to us when registering at the Website, expressing an interest in using our Service, complying with our Know-Your-Customer procedures or when participating in our activities or otherwise contacting us. Personal Data we collect depends on the context of your interactions with us, the choices you make and the products and features you use.

2.1 Data provided by you directly

Category	Examples
Identification Data	Full name, e-mail address, gender, home address, country of residence, phone number, date of birth, nationality, signature, utility bills, government-issued identity document.
Biometric Data	Where required by a Third-Party Provider, sensitive biometric information such as a video recording of you or a selfie to verify your identity by comparing it with the photo in your identity document. Collected on behalf of and processed by the Provider — not retained by AceChange.
Transaction Data	Information about the transactions including the names of the sender and the recipient, the amount of the transaction, payment method, date and other data.
Financial Data	Source of funding and source of wealth as part of a Provider’s KYC procedure.
Wallet Data	Your sending wallet address, recipient wallet address, recipient memo, deposit memo and related information.
Credentials Data	Passwords and similar security data used for authentication and account access, where applicable.
Survey and Feedback Data	Information that you provide when you participate in our user surveys, market research or feedback regarding your experience with the Service. This may include information about your trading habits, transaction frequency, duration of platform usage and your interaction with other digital-asset services or financial tools.

2.2 Data provided by third parties

We will use the information we receive only for the purposes that are described in this Policy or that are otherwise made clear to you on the Website. Please note that we are not responsible for the ways in which any third-party service provider processes any of your Personal Data and we encourage you to read their privacy notices and policies for further information on how they process your Personal Data.

All Personal Data that you provide to us must be true, complete and accurate, and you must notify us of any changes to such Personal Data.

Category	Examples
Third-Party Service Providers Data	Where you log in using a service provider’s account details (such as a Google or Apple account), we will receive certain profile information about you from that provider. The profile information we receive may vary, but typically includes your name, e-mail address, profile picture and other information you choose to make public.
Blockchain Data	Public blockchain data, including timestamps of transactions or events, transaction IDs, digital signatures, transaction amounts and wallet addresses.
Marketing, Analytics and Advertising Data	Identifiers (IP address, online identifiers, e-mail address if used for direct marketing, name); browser/web history and preferences expressed through selection / viewing of content; information about your device including (where available) type of device, device identification number, mobile operating system; analytics and inferred profiles; marketing preferences. For more information see our Cookie Policy at the end of this document.
Merchant / Counterparty Data	If you conduct a transaction with a third-party merchant via the Service, the merchant may provide us with data about you, such as your name and contact details and your transaction with that merchant.

2.3 Data collected automatically

We automatically collect certain information through cookies and similar technologies when you visit, use or navigate the Website. This information does not reveal your specific identity (like your name or contact information) and does not allow us to identify you, but helps us address customer support issues, improve the performance of our sites and services, maintain or improve your user experience, and protect access from fraud by detecting unauthorised access.

Category	Examples
Browsing Data	Information about the device, operating system and browser you are using; other device characteristics or identifiers (e.g. plugins, the network you connect to); IP address; device name; country; coarse location derived from IP.
Usage Data	Activity information — what you view or click on while visiting our Website and how you use our Service; diagnostic and troubleshooting information — service-related diagnostic and performance information including timestamps, crash data, website performance logs and error messages or reports.
Cookies & similar technologies	See the Cookie Policy at the end of this document.

3. Data Usage and Legal Basis

We use your Personal Data primarily for the following purposes on the following legal basis.

Purpose	Categories of Data	Legal Basis
To verify and maintain access to the Service	Identification, Biometric, Credentials, Third-Party Service Providers Data	Performance of the contract
To provide the Service to you	Identification, Biometric, Transaction, Financial, Wallet, Credentials, Blockchain, Merchant, Usage, Third-Party Service Providers Data	Performance of the contract
To send communications relating to your Transaction	Identification, Transaction Data	Performance of the contract
To verify your identity (where required by a Provider)	Identification, Biometric, Transaction Data	Legal obligation
To provide legal and regulatory compliance (AML, sanctions, CTF, Travel Rule)	Identification, Biometric, Transaction, Financial, Wallet, Usage, Blockchain Data	Legal obligation
To provide marketing communications and promotions	Identification, Usage, Transaction, Marketing & Analytics Data	Legitimate interest / Consent
To conduct market research and customer surveys	Identification, Usage, Transaction, Marketing & Analytics Data	Legitimate interest / Consent
To provide customer support	Identification, Transaction, Financial, Wallet Data	Performance of the contract / Legitimate interest
To maintain safety, security and integrity of the Service	Identification, Biometric, Transaction, Financial, Wallet, Browsing, Usage, Blockchain Data	Performance of the contract / Legitimate interest
To improve our Service	Identification, Transaction, Browsing, Usage, Marketing Data	Legitimate interest
To customise your experience	Identification, Transaction, Browsing, Usage, Cookie data	Legitimate interest
To enable device-based settings (cookies)	Information from cookies and similar technologies	Consent

Consent. If the processing of Personal Data is carried out based on your specific consent, you have the right to withdraw it at any time by sending us a request to [email protected] or following the instruction given in our Cookie Policy.

Legitimate interest. We may process your Personal Data when it is reasonably necessary to achieve our legitimate business interests such as developing and improving our Service, marketing communication and making our Service safe and secure.

Legal obligation. We may process and disclose your Personal Data where we are legally required to do so in order to comply with applicable law, governmental requests, judicial proceedings, court orders and similar requests.

Performance of the contract. Where we have entered into a contract with you, we may process your Personal Data to fulfil the terms of our contract.

We may combine all the information we collect from or receive about you for the outlined purposes. We may aggregate or de-identify your information and may use or share aggregated or de-identified information for any purpose; such information is not subject to this Privacy Policy.

4. Cookies

We may use cookies and similar tracking technologies to access or store Personal Data. You may refuse the use of cookies by selecting the appropriate settings on your browser. Note however that this may affect your experience of our Website. Please read our Cookie Policy below to understand how we collect data via cookies technology.

For Website analytics we use Matomo, a privacy-friendly, self-hosted analytics platform. Matomo is used for basic statistics purposes only.

5. Data Sharing

We do not sell your Personal Data as the term “sell” is traditionally understood. However, your Personal Data may be transmitted to third parties that we use to provide our Services; these parties have been assessed and offer a guarantee of compliance with the legislation on the processing of personal data. These parties have been designated as data processors and carry out their activities according to the instructions given by us and under our control.

We may share your Personal Data with the following categories of third parties:

Service Providers. Third-party service providers and vendors that assist us with the provision of our Service and with conducting customer surveys, market research and data analysis. This includes service providers and vendors that provide us with IT support, KYC procedures, authentication, security, hosting, payment processing, analytics, alerting, customer service and related services.
Third-Party Services you share or interact with. Certain features and functionalities of our Service may link to or allow you to interface, interact or share information with third-party websites, services, products and technology (collectively, “Third-Party Services”). Any information shared with or otherwise collected by a Third-Party Service may be subject to the Third-Party Service’s privacy policy. We are not responsible for the processing of personal information by Third-Party Services.
Business Partners. We may share your personal information with business partners to provide you with a product or Service. We may also share your personal information with business partners with whom we jointly offer products or services.
Affiliates. We may share your personal information with our company affiliates, if any.
Legal authorities. We may be required by law or by judicial authorities to disclose certain information about you or any engagement we may have with you to relevant regulatory, law-enforcement and/or other competent authorities. We will disclose information about you to legal authorities to the extent we are obliged to do so according to the law. We may also need to share your information to comply with Anti-Money Laundering, Counter-Terrorism Financing and Transfer of Funds laws, to prevent fraud, to enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of others.

6. Cross-border Transfer

To facilitate our global operations, we may transfer, process and store your Personal Data anywhere in the world, including countries that may have data-protection laws that are different from the laws where you live. Where applicable, we rely upon a variety of legal mechanisms to facilitate these transfers of your Personal Data. In cases where we intend to transfer your Personal Data to a third country that has not been found to provide an adequate level of protection under applicable data-protection laws, we use suitable technical, organisational and contractual safeguards including Standard Contractual Clauses (SCCs) adopted by the European Commission as a mechanism to transfer data in compliance with applicable data-protection rules.

7. Data Retention

We will retain your Personal Data only for as long as it is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, where we are required to retain data to comply with AML / CFT regulations and applicable laws), resolve disputes and enforce our legal agreements and policies.

We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

As soon as information stops serving these purposes, we delete it. Upon your request we will delete and/or anonymise your Personal Data without undue delay, but no later than thirty (30) days, except where we are required to retain data for longer periods to comply with legal (AML / CFT) obligations.

Sanctions-screening and compliance-evidence records may be retained for up to ten (10) years in accordance with the OFAC Reporting, Procedures and Penalties Regulations (31 CFR § 501.601, March 2025 amendment), the FATF Recommendations and applicable AML record-keeping rules.

8. Data Protection

We have implemented a robust set of security measures to safeguard the Personal Data we process and protect it from unauthorised access, disclosure, alteration or destruction. Our commitment to data security includes ongoing updates and rigorous testing of our security technology.

To ensure a high level of data protection, we adhere to industry-leading practices. We employ TLS encryption (HTTPS) to safeguard data during transmission. Our infrastructure is hosted with reputable global cloud providers and primary servers are located in jurisdictions that offer an adequate level of data protection.

The internet is not entirely immune to security risks. While we take every precaution to protect your Personal Data, the transmission of such data to and from our Website carries inherent risks. We strongly advise you to access our Services within a secure environment.

We maintain strict access controls to limit access to your Personal Data to only those personnel who require it. Personnel undergo regular training to emphasise the significance of confidentiality and the need to uphold the privacy and security of your personal data. We are dedicated to enforcing privacy responsibilities through appropriate measures.

9. Privacy Rights

Depending on where you live, you may be able to exercise certain privacy rights in relation to your personal information.

Right of access — you may request a copy of your Personal Data and/or the way we store it;
Right to rectification — you may request us to change some of your Personal Data and/or correct it if it is incomplete or inaccurate;
Right to deletion / erasure — you may request to delete all or some of your Personal Data;
Right to object — you may object to the processing of your personal data on grounds relating to your particular situation and/or to object to processing for direct-marketing purposes;
Right to object to automated processing — you may object to a decision based on automated processing; you may request to review your Personal Data manually if you believe that automated processing may not consider your unique situation;
Right to data portability — you may request to provide a copy of your Personal Data in a structured, commonly used and machine-readable format (e.g. XML, CSV); you may also request to transmit the said personal data directly to another controller;
Right to withdraw your consent — to the extent the processing of your personal information is based on your consent, you may withdraw your consent at any time;
Right to non-discrimination — we will not discriminate against you for exercising any of your rights provided to you under law;
Right to lodge a complaint — you have the right to lodge a complaint with a supervisory authority. If you are resident in the EEA and you believe we are unlawfully processing your personal data, you have the right to complain to your local data-protection supervisory authority. You can find their contact details at ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

To protect your privacy and security, we may take steps to verify your identity before complying with your request and we may decline your request if we are unable to verify your identity. Please contact us by email at [email protected] to exercise your rights.

10. California Residents Privacy Notice

Although access to the Service from the United States, including California, is prohibited under our Terms of Use, this notice is provided as a precautionary statement of rights that would be available to California residents under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) in relation to personal information we have collected. These rights are not absolute and we may decline your request as permitted by law.

Right to know. You may request information about our collection, use and disclosure of your personal information over the prior 12 months — including categories and specific pieces of personal information we have collected, sold or shared about you; categories of sources; the business or commercial purposes for collecting the information; categories of third parties to whom personal information was disclosed; and categories of personal information disclosed.
Right to correct. You may request that we correct inaccurate personal information maintained about you.
Right to delete. You may request that we delete personal information, subject to certain exceptions.
Right to opt-out of Selling or Sharing. You may direct us to stop selling or sharing personal information about you to third parties (we do not sell personal information as that term is traditionally understood).
Right to non-discrimination. We will not discriminate against you for exercising any of these rights.

We do not knowingly process the personal data of users under sixteen (16) years of age. Please contact us by email at [email protected] to exercise your rights.

11. Children’s Privacy

We do not address anyone under the age of 18 and we do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 18 without verification of parental consent, we take steps to remove that information from our servers.

12. Blocked Jurisdictions

🚫 Strictly Prohibited — Jurisdictions Where Use Is Forbidden

The Service is strictly NOT available to, and use is expressly forbidden for, any person who is a national, citizen, resident or otherwise associated with, or physically located in, any of the jurisdictions listed below. Each country listed is blocked at the network edge and at the application layer; any attempt to access the Service from these jurisdictions constitutes a material breach of our Terms of Use and may be reported to competent authorities. Any Personal Data submitted from such a jurisdiction may be processed solely for the purposes of enforcing this restriction, evidencing the geo-block and cooperating with authorities.

Code	Country / Region	Status
AF	Afghanistan	Blocked
BY	Belarus	Blocked
CD	Democratic Republic of the Congo	Blocked
CF	Central African Republic	Blocked
CU	Cuba	Blocked
IR	Iran	Blocked
KP	North Korea (DPRK)	Blocked
LY	Libya	Blocked
MM	Myanmar (Burma)	Blocked
RU	Russian Federation	Blocked
SD	Sudan	Blocked
SO	Somalia	Blocked
SS	South Sudan	Blocked
SY	Syria	Blocked
US	United States of America (including all USA territories: Puerto Rico, American Samoa, Guam, the Northern Mariana Islands and the US Virgin Islands — St. Croix, St. John and St. Thomas)	Blocked
VE	Venezuela	Blocked
YE	Yemen	Blocked

The list above totals 17 ISO-3166-1 alpha-2 country codes and is enforced by Cloudflare WAF and our application-level geo-block. In addition, the Service is not available to any person located in, or a resident or citizen of, any jurisdiction subject to comprehensive sanctions imposed by the United Nations Security Council, the European Union, the U.S. Treasury Office of Foreign Assets Control (OFAC), the UK Office of Financial Sanctions Implementation (OFSI) or any equivalent regime, even where such jurisdiction is not explicitly listed above.

13. Cookie Policy

This Cookie Policy is an integral part of this Privacy Policy. Capitalised terms used herein without definition shall have the meanings assigned to them above. In this Cookie Policy we explain what cookies are and how we use them.

Cookies and similar technologies (e.g. web beacons, pixels, ad tags and device identifiers, together referred to as “cookies“) are files created by websites that you visit. Simply put, it is a technology that allows the collection of information about your device, location and your activity on the websites you visit.

Cookies set by AceChange are called “first-party cookies.” Cookies set by parties other than the website owner are called “third-party cookies.” Third-party cookies enable third-party features or functionality to be provided on or through the Website (e.g. advertising, interactive content and analytics). The parties that set these third-party cookies can recognise your computer both when it visits the Website in question and also when it visits certain other websites.

We process Personal Data obtained via Cookies for the purposes and on the legal basis described in this Privacy Policy.

13.1 What cookies we use and why

Necessary cookies help make the Website usable by enabling essential functions like page navigation and access to secure areas. The Website cannot function properly without these cookies.
Marketing cookies are used for personalising the content and ads on and off the Website. They are also used to assess advertising efficiency.
Preference cookies let us remember user personal settings.
Analytics / Statistics cookies help us understand how visitors interact with the Website by collecting and reporting information anonymously. They help us improve our Services. For analytics we use Matomo, a privacy-friendly, self-hosted analytics platform.

Name	Processor	Storage Period	Purpose
Necessary cookies
`ace_session`	AceChange	Session	Maintains your active session on the Website and Service.
`ace_acknowledged`	AceChange	24 hours	Records that you have read and acknowledged the regulatory notice / geo-restriction page.
`ace_attested`	AceChange	1 year	HMAC-signed legal-attestation cookie evidencing your declaration that you are not a person in a Restricted Jurisdiction.
`ace_cf_ray`	Cloudflare	Session	Cloudflare security and edge-routing identifier.
Analytics / Statistics cookies
`_pk_id` / `_pk_ses`	Matomo	Up to 13 months	Privacy-friendly website analytics — used for basic statistics purposes.
`ace_analytics_id`	AceChange	1 year	Internal anonymous analytics identifier — ensures behaviour in subsequent visits is attributed to the same anonymised ID.
Preference cookies
`ace_locale`	AceChange	Session	Holds language / locale preference and any redirection information.
`ace_theme`	AceChange	1 year	Holds your dark/light theme preference (currently dark theme only).
Marketing cookies
`ref`	AceChange	3 months	Accounting for actions of participants of any affiliate / referral programme.
`utm_*`	AceChange	30 days	Holds inbound campaign-attribution parameters (utm_source / utm_medium / utm_campaign).

13.2 How can I control cookies on my browser?

When you visit our Website for the first time we may ask for your consent to use cookies. At that time you may either agree to the use of cookies or disagree with cookie settings. As the means by which you can refuse cookies through your web-browser controls vary from browser to browser, you should visit your browser’s help menu for more information. The following is information about how to manage cookies on the most popular browsers:

Chrome
Firefox
Safari
Edge
Opera
Brave

13.3 What about other tracking technologies, like web beacons?

Cookies are not the only way to recognise or track visitors to a website. We may use other, similar technologies from time to time, like web beacons (sometimes called “tracking pixels” or “clear gifs”). These are tiny graphics files that contain a unique identifier that enables us to recognise when someone has visited our Website or opened an email including them. This allows us, for example, to monitor traffic patterns of users from one page within a website to another, to deliver or communicate with cookies, to understand whether you have come to the Website from an online advertisement displayed on a third-party website, to improve site performance and to measure the success of email marketing campaigns. In many instances, these technologies are reliant on cookies to function properly, and so declining cookies will impair their functioning.

Please note: disabling cookies may reduce the quality of your experience on the Website. Irrespective of your choice and/or your device settings, you will continue to see non-customised advertising (e.g. “contextual” advertising) and you may continue to receive personalised ads from third-party ad networks that have obtained your consent on other apps and/or websites.

13.4 Changes to Cookie Policy

We may update this Cookie Policy from time to time in order to reflect, for example, changes to the cookies we use or for other operational, legal or regulatory reasons. Please therefore revisit this Cookie Policy regularly to stay informed about our use of cookies and related technologies. The date at the top of this Privacy Policy indicates when it was last updated.

📧 Privacy Contact

[email protected]

For data-subject access / rectification / erasure / portability / objection / withdrawal of consent — please specify the inquiry type in the subject line: Privacy · Data Subject Request · GDPR · CCPA · Law Enforcement · Regulator · Compliance.

Marcus Richardson — Privacy Research & Content Lead

Marcus Richardson is a privacy and personal-security expert and a world-class authority on operational security (OPSEC). He has worked as a consultant for IBM, Palantir Technologies and European government agencies. Today he dedicates himself to AceChange — teaching people to protect themselves, their data and their assets in a natural, intuitive way, and building an exchange whose architecture itself guides users toward stronger security. His mission is to make AceChange the most trustworthy and secure authority in the world of cryptocurrency. Marcus is half Australian and half English, and is over 65 years old.

www.linkedin.com

Last updated May 27, 2026