Privacy Policy - xcactus Scan

Effective date: 12 May 2026
Version: 1.0.0

This Privacy Policy is a service-specific extension of the corporate Privacy Policy published at https://www.xcactus.com/privacy. Where this document is silent, the corporate policy applies; where the two overlap, this document governs processing carried out via https://scan.xcact.us (the "Service").

Data Controller

xcactus spółka z ograniczoną odpowiedzialnością spółka komandytowa
Plac Andersa 7, 61-894 Poznań, Poland

  • NIP: 9721177609
  • KRS: 0000302560
  • REGON: 300808810

Contact: info@xcactus.com.

1. Introduction and Legal Basis

This Privacy Policy governs the collection and processing of personal data carried out by the Administrator in connection with your use of the Service. The Administrator handles personal data fairly and transparently and complies with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR");
  • the Polish Act of 10 May 2018 on the Protection of Personal Data;
  • where applicable, the Polish Act of 18 July 2002 on the Provision of Services by Electronic Means and the Polish Telecommunications Law of 16 July 2004.

By using the Service you acknowledge that you have read this policy. Where a specific processing activity requires consent, that consent is requested separately and may be withdrawn at any time, without prejudice to the lawfulness of processing carried out before withdrawal.

2. Purpose and Principles of Processing

The Administrator processes personal data only for the specific, explicit and legitimate purposes set out in § 3 and does not further process the data in a manner incompatible with those purposes. In particular, the Administrator:

  • collects no more data than is necessary for the stated purpose;
  • maintains the accuracy of personal data and promptly responds to requests for rectification or update;
  • limits storage to what is necessary to achieve the stated purposes, except where indefinite retention is itself the purpose (see § 3.1);
  • implements all data-subject rights granted by the GDPR (see § 4);
  • applies appropriate technical and organisational measures to protect personal data against loss, unauthorised access, alteration, disclosure or destruction.

3. Data Processing Activities

3.1 Scan Request Submission

Data collected when you submit the scan-request form on scan.xcact.us:

  • The token contract address and the chain you selected.
  • Your email address (used to deliver the resulting PDF report).
  • A salted hash of your IP address (never the raw IP).
  • A truncated User-Agent string.
  • Your declared role / relationship (investor, researcher, legal advisor, exchange/platform, other).
  • Optional free-text context notes.
  • The HTTP Origin header - only when the form is submitted via a partner-site embed.
  • An optional partner identifier captured from a ?ref=… link in the URL or from the first-party referral cookie (see § 3.4).
  • An optional self-declared marketing source.
  • Your acceptance of the Terms of Use and Privacy Policy, and your optional consent to public listing of the report.

Legal basis:

  • Art. 6(1)(b) GDPR - performance of a service requested by you (delivery of the audit report and its public status page);
  • Art. 6(1)(f) GDPR - legitimate interest in service integrity, including abuse detection and rate-limit enforcement, based on the hashed IP and the User-Agent.

Retention. Scan records are retained indefinitely so that the public report URL remains resolvable for the report recipient and anyone they share the link with. You may request deletion at any time by emailing info@xcactus.com from the address you used to submit the scan; the row will be scrubbed within 30 days of identity verification.

Voluntary. Yes - without the form data the Administrator cannot deliver the requested scan.

3.2 Bot Protection (Cloudflare Turnstile)

Purpose: protecting the scan-submission form against automated abuse.

Data processed: the Turnstile challenge response and minimal browser metadata handled entirely by Cloudflare.

Legal basis: Art. 6(1)(f) GDPR - legitimate interest in service integrity.

Processor: Cloudflare, Inc., subject to Cloudflare's Privacy Policy.

3.3 Analytics (Google Analytics 4 - optional, off by default)

The Service uses Google Analytics 4 only after you explicitly opt in via the cookie banner. Until you opt in, analytics scripts are blocked from writing cookies or transmitting events.

Data collected after opt-in:

  • A pseudonymous client identifier (_ga / _ga_* cookies);
  • Approximate location derived from your IP (city-level); the IP itself is anonymised by Google before storage;
  • Pages visited, time on page, and the source that referred you to the Service.

Legal basis: Art. 6(1)(a) GDPR - your consent.

Withdrawal of consent. You may withdraw consent at any time by changing your cookie preferences or clearing browser storage for scan.xcact.us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

No linkage. The Administrator does not associate your scan-request email with your analytics identifier.

Processor: Google, subject to Google's processing terms.

3.4 Partner Referral Cookie (xcact_ref)

When you arrive at the Service via a partner link of the form https://scan.xcact.us/?ref=…, a first-party cookie named xcact_ref is stored in your browser for up to 60 days. It records which partner referred you so that, if you submit a scan, we can attribute the submission to that partner.

Legal basis: Art. 6(1)(f) GDPR - legitimate interest of the Administrator and the referring partner in measuring partner referrals. The cookie is first-party and is never read by third parties.

You can clear this cookie at any time by clearing browser storage for scan.xcact.us.

3.5 Email Correspondence

If you contact info@xcactus.com or another corporate address (for example, to exercise GDPR rights), your name, email address and the content of the correspondence are processed in accordance with § 3.1 of the corporate Privacy Policy at xcactus.com/privacy. Retention follows the statutory limitation period (typically up to 6 years from the end of the relationship), or longer where required for legal claims.

4. User Rights Under GDPR

Subject to the conditions in the GDPR, every data subject has the right to:

  • access their personal data and obtain a copy of it (Art. 15);
  • rectify inaccurate or incomplete data (Art. 16);
  • erase data - the "right to be forgotten" (Art. 17), absent an overriding legal basis for retention;
  • restrict processing in specific circumstances (Art. 18);
  • data portability - receive their data in a structured, commonly used and machine-readable format (Art. 20);
  • object to processing based on legitimate interest (Art. 21);
  • withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3)).

Direct marketing. Where personal data is processed for direct-marketing purposes, you have the right to object at any time. Such objection takes immediate effect.

Exercise of rights. Submit a written request to info@xcactus.com. Identity verification may be required. Responses are provided in writing within one month of receipt; this period may be extended by two further months for complex or numerous requests, in which case you will be informed of the extension within the first month.

Right to lodge a complaint. You have the right to lodge a complaint with the supervisory authority - President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych - UODO), ul. Stawki 2, 00-193 Warszawa, Poland - if you consider that the processing of your personal data infringes the GDPR.

5. Recipients and Third Parties

Personal data may be disclosed to the following categories of recipients where necessary for the purposes set out in § 3, and only to the extent required for that purpose:

  • IT systems and equipment service providers, including hosting, monitoring and backup operators;
  • postal, courier and similar delivery service providers;
  • marketing agencies engaged by the Administrator;
  • external service providers handling accounting, tax, audit, consulting, translation and legal services;
  • public authorities, in cases where disclosure is required by applicable law.

In addition, the Service relies on the following specific data processors:

  • Amazon Web Services - infrastructure provider for the Service backend (European Union region).
  • Cloudflare - bot protection (Turnstile) and content delivery.
  • Google - Google Analytics 4, only when you have opted in (see § 3.3).
  • Etherscan and Blockscout - public block-explorer services queried to verify contract source code and metadata. The Administrator transmits only the contract address you submitted; no email, IP, or other personal data is shared with these explorers.
  • Moralis - public indexer queried as a fallback source for holder distribution data when the primary block explorer caps or rate-limits the response. The Administrator transmits only the contract address; no email, IP, or other personal data is shared with Moralis.
  • Dexscreener - public DEX aggregator queried for pool discovery and USD valuation of liquidity. The Administrator transmits only the contract address; no email, IP, or other personal data is shared with Dexscreener.

Personal data is never sold to third parties.

6. International Data Transfers

The Administrator does not, as a rule, transfer personal data outside the European Economic Area. Where such a transfer becomes necessary, it takes place only:

  • to recipients in countries covered by a European Commission adequacy decision; or
  • under appropriate safeguards within the meaning of Art. 46 GDPR (in particular Standard Contractual Clauses), together with any supplementary measures required by EU case-law; or
  • with your explicit, informed consent for the specific transfer.

If you opt in to Google Analytics, transfers to Google rely on Standard Contractual Clauses and supplementary measures published by Google. The Service backend is hosted within the European Union and does not entail routine third-country transfers.

7. Policy Updates

The Administrator reserves the right to amend this policy to reflect legal, technical, or organisational changes. The current version is published at https://scan.xcact.us/privacy together with the effective date and version number. Material changes will be announced via the cookie banner on your next visit. External links displayed on the Service (third-party websites, block explorers, partner sites) are independent and not supervised by the Administrator; please review their privacy policies separately.