xcactus Scan - Terms of Use

Effective date: 12 May 2026 · Version: 1.0.0 · Operator: xcactus sp. z o.o. sp.k. (Poznań, Poland) · Service URL: https://scan.xcact.us

Plain-language summary (not legally binding). xcactus Scan generates automated, AI-assisted transparency reports about smart contracts on EVM blockchains. You give us a contract address and a network; we return a PDF. Reports are not security audits, not investment advice, not MiCA deliverables, not guarantees of safety. Verdict labels (HIGH/MIXED/LIMITED/LOW/INSUFFICIENT) describe only what is publicly observable at scan time - they are not ratings. Reports are private by default. Currently in free beta, moving to per-scan paid via Stripe. Polish law applies; EU Consumers keep all mandatory protections of their country of residence. Not available in Iran, North Korea, Cuba, Syria, Russia, Belarus, or occupied Ukrainian regions. US users welcome.

1. Acceptance

1.1. These Terms of Use (the "Terms") constitute a legally binding agreement between xcactus spółka z ograniczoną odpowiedzialnością spółka komandytowa, with its registered seat at Plac Andersa 7, 61-894 Poznań, Poland, entered into the National Court Register (KRS) under no. 0000302560, NIP 9721177609, REGON 300808810 (the "Operator", "xcactus", "we"), and any person who accesses or uses the Service (the "User", "you").

1.2. By clicking "I accept", creating an Account, submitting a Scan, or downloading a Report, you agree to be bound by these Terms and the Privacy Policy available at https://www.xcactus.com/privacy. Electronic acceptance is valid under the Polish Act on the Provision of Services by Electronic Means (ustawa o świadczeniu usług drogą elektroniczną, "UŚUDE") and the Act on Consumer Rights (ustawa o prawach konsumenta). These Terms are the regulamin required by art. 8 UŚUDE.

1.3. If you do not agree, do not use the Service.

2. Definitions

  • "Account" - your personal account on the Site.
  • "Business User" - any User who is not a Consumer, including legal persons, sole traders acting in their professional activity, and natural persons treated as Business Users under art. 385⁵ of the Polish Civil Code ("KC").
  • "Consumer" - a natural person concluding with the Operator a transaction not directly connected with their business or professional activity (art. 22¹ KC).
  • "Report" - the PDF deliverable generated by the Service for a Subject Token.
  • "Scan" - one automated analytical run for one Subject Token.
  • "Service" - the xcactus Scan tool at https://scan.xcact.us (the "Site") and related features.
  • "Subject Token" - the smart contract identified by its address on a supported network that is the subject of a Scan.
  • "Verdict Labels" - the categorical labels assigned by the Service (HIGH/MIXED/LIMITED/LOW/INSUFFICIENT and COMPLETE/PARTIAL/SPARSE/INSUFFICIENT) describing the transparency surface of public data at scan time.

3. Operator Identification (UŚUDE art. 5)

  • Legal name: xcactus spółka z ograniczoną odpowiedzialnością spółka komandytowa (xcactus sp. z o.o. sp.k.)
  • Registered seat: Plac Andersa 7, 61-894 Poznań, Poland
  • KRS: 0000302560
  • NIP: 9721177609
  • REGON: 300808810
  • Registry court: Sąd Rejonowy Poznań - Nowe Miasto i Wilda w Poznaniu, VIII Wydział Gospodarczy KRS
  • Contact: info@xcactus.com

4. Eligibility and Sanctions

4.1. Minimum age and capacity. You must be at least 18 and have legal capacity. If you accept these Terms on behalf of an entity, you warrant authority to bind it.

4.2. Restricted Jurisdictions. The Service is not offered to any person who is (a) located, resident, established, or operating in Iran, North Korea, Cuba, Syria, the Russian Federation, Belarus, or the Crimea, Donetsk, Luhansk, Zaporizhzhia or Kherson regions of Ukraine, or in any other territory subject to comprehensive sanctions of OFAC, the EU, the UK, or the UN (each a "Restricted Jurisdiction"); (b) listed on or 50%+ owned/controlled by a person on the OFAC SDN List, the EU Consolidated Sanctions List, the UN Consolidated List, or the UK HMT sanctions list (each a "Sanctioned Person"); or (c) otherwise prohibited from receiving the Service under applicable sanctions, export-control, or AML/CFT law.

4.3. US users. Users in the United States are welcome, subject to US law and these Terms. The Operator provides no service requiring SEC, CFTC, FinCEN, or state-financial-regulator registration.

4.4. Continuous sanctions representations. Each time you access the Service, submit a Scan, pay, or download a Report, you represent and warrant on a continuing basis that: (a) you are not in or accessing from a Restricted Jurisdiction; (b) you are not a Sanctioned Person and are not owned, controlled by, or acting for one; (c) you will not use the Service in violation of any sanctions, export-control, or AML/CFT law; and (d) the contract address you submit does not correspond to a token issued by or primarily serving a Sanctioned Person.

4.5. Enforcement. The Operator may use IP geolocation, self-declaration, and Stripe's payment screening to verify compliance. The Operator may refuse, suspend, or terminate access at any time on reasonable suspicion of breach, without liability and without prejudice to amounts due. False representations under Section 4.4 are a material breach and may be reported to competent authorities.

5. The Service

5.1. What it is. xcactus Scan is an automated, AI-assisted, point-in-time transparency screening tool. You submit a contract address and a network; we generate a PDF Report describing what is publicly observable about the Subject Token at the moment of the Scan, drawing on public on-chain data and third-party sources (block explorers, RPC providers, DEX aggregators, indexers, sanctions lists, allowlists).

5.2. No human review. There is no audit, code review, penetration test, or manual investigation. AI components generate narrative; they are not the opinion of a qualified human auditor.

5.3. Scope limitations - explicitly acknowledged by the User. You acknowledge that: (a) holder analysis is window-bounded; (b) fund-flow analysis is hop-1 only unless stated otherwise; (c) for proxy contracts, the proxy stub and the implementation contract may differ materially, and the implementation can be replaced by privileged actors; (d) static analysers (e.g. Slither, Mythril, Aderyn, Semgrep) detect only known patterns - "0 findings" does not mean the Subject Token is secure or safe; (e) any "LOW" / "LIMITED" / "HIGH" verdict does not mean the Subject Token is secure, legitimate, solvent, or suitable for any purpose; (f) third-party data sources may be incomplete, delayed, inaccurate, or manipulated; (g) on-chain changes after the Scan timestamp are out of scope and we have no duty to update.

5.4. Verdict Labels. Verdict Labels describe method-bounded transparency observations only. They are not ratings of security, quality, creditworthiness, investment merit, regulatory status, or legitimacy; they are not "buy/sell/hold" signals; they do not rank the Subject Token against any population. The Operator may rename or revise Verdict Labels at any time without affecting previously issued Reports.

5.5. Beta status. The Service is currently in free beta and is provided strictly "as is" and "as available" to the maximum extent permitted by law. Beta features may be unstable, changed, suspended, or discontinued at any time.

6. Critical Disclaimers

By using the Service or any Report, you acknowledge that:

6.1. The Service is NOT a security audit, code review, formal verification, penetration test, or assurance engagement. Automated screening is not a manual audit or assurance engagement. References to Slither, Mythril, Aderyn, Semgrep, or any other tool do not change this.

6.2. The Service is NOT investment, financial, legal, tax, regulatory, or accounting advice, and NOT an "investment recommendation" within the meaning of art. 3(1)(34)-(35) of Regulation (EU) 596/2014 (MAR) or Commission Delegated Regulation (EU) 2016/958.

6.3. The Service is NOT a MiCA-regulated deliverable. xcactus is not a Crypto-Asset Service Provider (CASP) under Regulation (EU) 2023/1114 (MiCA); the Service is not a crypto-asset service; no Report is a MiCA white paper or any other MiCA-regulated document.

6.4. The Service is NOT a guarantee of safety, security, legitimacy, solvency, lawfulness, MiCA compliance, freedom from vulnerabilities or admin abuse, accuracy, completeness, or fitness for any purpose.

6.5. The Service is NOT a recommendation to buy, sell, hold, stake, provide liquidity for, bridge, list, delist, integrate, or avoid any token, project, contract, wallet, or platform.

6.6. Reports are point-in-time only. Subsequent on-chain changes are out of scope. We have no duty to update or withdraw any Report.

6.7. You are solely responsible for any decision based on the Service or a Report. You must perform your own due diligence and obtain qualified professional advice where appropriate.

6.8. Third-party brand references. Brand, project, protocol, and tool names that appear in Reports (e.g. USDC, USDT, SHIB, Uniswap, Curve, Balancer, ShibaSwap, Gnosis Safe, Etherscan, Slither, Mythril, Aderyn, Semgrep, Moralis, Dexscreener) are derived from on-chain metadata, the Subject Token's interactions, or industry-standard allowlists. They are not user-submitted content and imply no relationship, endorsement, affiliation, sponsorship, or approval between xcactus and the referenced project, nor between you and the referenced project. All such marks belong to their respective owners.

6.9. AI outputs may contain errors, omissions, or hallucinations and must not be relied upon as a sole source of truth.

6.10. Mandatory consumer rights preserved. Nothing in this Section limits mandatory Consumer rights of the Consumer's country of habitual residence (Rome I art. 6), nor any liability that cannot be excluded under Polish law - in particular liability for damage caused intentionally (see Section 11.1).

7. User Obligations

You undertake to: (a) submit only public contract addresses on supported networks that you are lawfully entitled to query; (b) refrain from using the Service for any unlawful, fraudulent, defamatory, or manipulative purpose; (c) refrain from reverse-engineering, scraping, bulk-extracting, or circumventing rate limits, except where mandatory law (art. 75 of the Polish Copyright Act for limited interoperability) permits; (d) refrain from redistributing, reselling, or making any Report available to third parties except as permitted in Section 8 or under separate written agreement; (e) refrain from using any Report or Verdict Label as marketing, listing, or promotional material without our prior written consent, or from quoting Reports or Verdict Labels selectively in misleading ways; (f) refrain from representing that a Report is a security audit, MiCA deliverable, investment recommendation, regulatory approval, guarantee, or xcactus endorsement; (g) refrain from removing or altering any disclaimer, attribution, version marker, or notice within a Report; (h) keep your Account credentials confidential and notify us of any unauthorised use; (i) refrain from posting unlawful content (art. 8 sec. 3 pt 2 lit. b UŚUDE).

8. Intellectual Property and Licence

8.1. Our IP. All rights in the Service, scanner engine, methodology, verdict logic, AI narrative system, report templates, datasets, Verdict Labels (as composite expressions), software, schemas, and Content - including copyright, sui generis database rights, trademarks, and trade secrets - belong to the Operator and/or its licensors. "xcactus", the xc mark, the xcactus logo, "Public Evidence & Risk Screening", and "xcactus Scan" are our trademarks. Third-party marks remain the property of their respective owners and are referenced under Section 6.8.

8.2. Licence to use the Report. Subject to compliance with these Terms (and, where applicable, payment in full), we grant you a limited, personal, non-exclusive, non-transferable, non-sublicensable, revocable licence to view, download, store, and make a reasonable number of internal copies of the Report for your own internal due-diligence purposes.

8.3. Prohibited uses of the Report. Except as expressly permitted, you may not: (a) republish, redistribute, syndicate, host, or make the Report available to third parties; (b) sell, sublicense, or commercialise the Report; (c) modify or create derivative works; (d) quote the Report or any Verdict Label selectively in a misleading way; (e) use the Report or any Verdict Label in marketing, token sales, listings, exchange applications, whitepapers, pitch decks, or sponsored content without our prior written consent; (f) represent that xcactus has endorsed or is affiliated with the Subject Token or its issuer; (g) use the Report to train, fine-tune, or evaluate machine-learning or AI models other than for your own internal due-diligence.

8.4. Publication opt-in. Reports are private by default. You may opt in to publication by xcactus via a separate, conspicuous, non-default-checked in-product control. Publication consent entitles us to host and link to the Report on xcactus channels and to display the corresponding Verdict Labels. You may revoke consent at any time for future publications, but we are not required to recall or modify copies already distributed.

8.5. Feedback. Any feedback you provide may be used by the Operator without restriction or compensation.

9. Third-Party Data Sources

9.1. The Service relies on public block explorers (e.g. Etherscan, BscScan, Polygonscan), RPC providers, indexers, DEX aggregators, multisig solutions, price feeds, static analysers, AI providers, and sanctions/allowlist data. We are not responsible for the availability, accuracy, completeness, timeliness, or lawfulness of any third-party source, nor for errors, manipulation, or delays attributable to them.

9.2. Your use of third-party sources directly is governed by those sources' own terms; for example, Etherscan prohibits use of its data for AI/ML training, model testing, distribution, or commercial use without prior written permission. We manage our own compliance with such terms.

10. Payment, Refunds, and Consumer Withdrawal

10.1. Beta - free. During public beta, the Service is provided free of charge, subject to rate limits the Operator may impose at its discretion. The free tier may be discontinued at any time on reasonable notice.

10.2. Paid Service. After beta, the Service will move to a per-Scan paid model processed exclusively through Stripe Payments Europe, Ltd. under Stripe's own terms. The Operator does not accept and has no plans to accept crypto-asset payments or any other alternative payment rail. Consumer prices include VAT where applicable; B2B prices are net of VAT. VAT is settled under Polish/EU rules including the OSS regime where applicable.

10.3. Refunds - general. Paid Scans are digital services performed and delivered immediately upon successful execution. Refunds are not provided once a Scan has been completed and the Report has been made available, except where required by law (Section 10.4 below) or at the Operator's discretion (e.g. demonstrable technical failure, duplicate charge).

10.4. Consumer right of withdrawal. Under art. 27 of the Polish Act on Consumer Rights (transposing Directive 2011/83/EU as amended by Directive (EU) 2019/2161, the Omnibus Directive), a Consumer who concludes a distance contract has the right to withdraw within 14 days without reason.

Statutory exception (art. 38 pkt 13). This right does not apply to fully performed paid digital services where the Consumer has given prior express consent to commencement before the lapse of the 14-day period, has acknowledged that they will lose the right of withdrawal upon completion, and has received durable-medium confirmation. Before any paid Scan is run for a Consumer, the Service presents a separate, non-default-checked control with substantially this text:

"I expressly request the Operator to commence performance of the Service before the lapse of the 14-day withdrawal period, and I acknowledge that upon completion of performance I will lose my right of withdrawal from this contract, in accordance with art. 38 pkt 13 of the Polish Act on Consumer Rights."

Following payment and before performance, the Consumer receives email confirmation of the consent and acknowledgement. Failure to obtain this consent or send the confirmation means the Consumer keeps the 14-day right.

10.5. How to withdraw (where the right still applies). Send an unequivocal statement to info@xcactus.com or by post to the registered seat in Section 3. The model form in Annex 2 to the Act may be used but is not mandatory. We will reimburse all received payments within 14 days of receipt using the same payment method.

10.6. Free beta. Where the Service is provided free of charge during beta and the Consumer is obliged neither to pay nor to provide personal data beyond what is necessary for performance or legal compliance, the withdrawal regime does not apply (art. 3 sec. 1 pt 10 of the Act on Consumer Rights).

10.7. Chargebacks. Unjustified chargebacks may result in Account suspension and recovery of associated fees and costs.

11. Limitation of Liability

11.1. Statutory floor - applies in all cases. Nothing in these Terms excludes or limits: (a) liability for damage caused intentionally (art. 473 § 2 KC; such exclusion is null and void); (b) liability for gross negligence to the extent its limitation is impermissible under Polish law; (c) liability for death or personal injury caused by the Operator's fault, to the extent such liability cannot lawfully be excluded; (d) any liability that cannot be excluded under mandatory Polish law or under the mandatory consumer law of a Consumer's country of habitual residence pursuant to art. 6 of Regulation (EC) 593/2008 (Rome I). The limitations below apply only to the maximum extent permitted by such mandatory law.

11.2. Excluded heads of damage - all Users. To the maximum extent permitted by law, the Operator and its affiliates, directors, officers, employees, contractors, and licensors (the "Operator Parties") shall have no liability for any: (i) indirect, consequential, special, incidental, exemplary, or punitive damages; (ii) loss of profit, revenue, business, contracts, customers, goodwill, or reputation; (iii) loss of opportunity or opportunity cost; (iv) loss of or damage to data; (v) trading losses, investment losses, token-price movements, impermanent loss, slippage, MEV losses, or liquidation losses; (vi) business interruption; (vii) cost of substitute goods or services - regardless of whether the claim is in contract, tort, statute, or otherwise, and regardless of whether we were advised of the possibility.

11.3. No liability for specific items. Without limiting Section 11.2, the Operator Parties shall have no liability for: (i) any decision to buy, sell, hold, stake, lend, bridge, subscribe to, or avoid any token, asset, protocol, or platform; (ii) any trading or investment outcome; (iii) errors, outages, or manipulation in any third-party data source; (iv) any downstream use, modification, or quotation of any Report by any User or third party; (v) reliance on a Report by any person who is not the original commissioning User (we owe no duty of care to such third parties); (vi) any outcome affecting any project, token, contract, or platform referenced in a Report; (vii) your interpretation of any Verdict Label; (viii) acts or omissions of any project team referenced in a Report; (ix) unavailability or modification of the Service during beta; (x) force-majeure events.

11.4. Aggregate cap - Consumers. Subject to Section 11.1, our aggregate liability to any Consumer arising out of or in connection with the Service or these Terms shall not exceed the higher of: (a) the total amount paid by that Consumer in the 12 months preceding the event, or (b) EUR 100. For Consumers who used only the free beta, the cap is EUR 100.

11.5. Aggregate cap - Business Users. Subject to Section 11.1, our aggregate liability to any Business User shall not exceed the higher of: (a) the total amount paid by that Business User in the 12 months preceding the event, or (b) EUR 100. Liability for the categories listed in Sections 11.2 and 11.3 is fully excluded for Business Users to the maximum extent permitted by law. The Business User acknowledges this allocation of risk is reasonable in light of the price of the Service and is an essential basis of the contract.

11.6. Rome I preservation. For Consumers habitually resident in an EU/EEA Member State other than Poland to which the Operator directs its activity, mandatory provisions of the law of habitual residence prevail over this Section to the extent more favourable to the Consumer (art. 6(2) Rome I).

11.7. Polish abusive-clauses reservation. Any term in this Section that would be regarded as an unfair term in respect of a particular Consumer under art. 385¹ § 1 KC shall not bind that Consumer, without prejudice to the validity of the remainder of the Terms (art. 385¹ § 2 KC).

12. Indemnification (Business Users Only)

12.1. To the maximum extent permitted by law, and excluding Consumers, each Business User shall defend, indemnify, and hold harmless the Operator Parties against any third-party claim, action, demand, loss, damage, fine, cost, or expense (including reasonable legal fees) arising from: (a) the Business User's use of the Service, any Report, or any Content; (b) the Business User's breach of these Terms; (c) the Business User's breach of applicable law (sanctions, AML/CFT, market-abuse, IP, competition, data-protection); (d) any unauthorised publication, redistribution, or selective or misleading quotation of any Report or Verdict Label by the Business User; (e) any claim by the Subject Token's issuer, team, or affiliates against the Operator that arises because the Business User commissioned the Scan or used the Report in a manner objected to by such third party.

12.2. We will promptly notify the Business User of any claim and allow the Business User to control defence and settlement, provided no settlement adversely affects our rights without our prior written consent.

12.3. No Consumer indemnification. Nothing in this Section imposes any indemnification obligation on a Consumer.

13. Termination

13.1. By us. We may suspend, restrict, or terminate your access immediately where: (a) you materially breach these Terms (including Sections 4, 7, 8); (b) we reasonably suspect sanctions exposure, fraud, abuse, chargeback abuse, scraping, or violation of law; (c) required by law or competent authority; (d) the Service is discontinued for legitimate business or technical reasons.

13.2. By you. You may close your Account at any time via Account settings or by writing to info@xcactus.com. Closure does not entitle you to a refund for digital services already performed (subject to Section 10.4 for Consumers).

13.3. Survival. Sections 4, 6, 8, 9, 11, 12, 14, 15, and 16 survive termination.

14. Data Protection

xcactus sp. z o.o. sp.k. is the data controller (art. 4(7) GDPR / RODO) for personal data processed in connection with Accounts, payments, communications, and sanctions-screening telemetry. Processing is based on contract performance (art. 6(1)(b) GDPR), legitimate interest (art. 6(1)(f)) for security and abuse prevention, legal obligation (art. 6(1)(c)) for tax/invoice retention, and consent (art. 6(1)(a)) for publication opt-in and optional cookies. Scan inputs are public on-chain identifiers; we do not require or process private keys, seed phrases, or KYC documents. Data are retained for the duration of the Account plus statutory retention periods (in Poland generally 5 years for tax records) and the limitation period of potential claims.

You have rights of access, rectification, erasure, restriction, portability, and objection under the GDPR, and may complain to the Polish President of the Personal Data Protection Office (Prezes UODO).

Full details, including the list of processor categories, international transfers and safeguards, cookies, and exercise of your rights, are in the separate Privacy Policy at https://www.xcactus.com/privacy. A DPA for Business Users is available from info@xcactus.com.

15. Changes to the Terms

15.1. We may amend these Terms to reflect changes in the Service, law, or business practices. The current version is always available on the Site.

15.2. We will notify registered Users of material changes by email and/or in-product notice at least 14 days before they take effect, unless a shorter period is required by law or urgent security/legal needs.

15.3. Consumers. Changes that affect a Consumer's rights or obligations (other than purely editorial or beneficial changes) will not apply to that Consumer without their express acceptance (e.g. renewed click-through). Continued use after notification does not, for Consumers, constitute acceptance of such changes; the Consumer may continue under the previous version until termination.

15.4. Business Users. For Business Users, amended Terms take effect on the stated effective date; continued use constitutes acceptance.

16. Governing Law and Dispute Resolution

16.1. Governing law. These Terms and any non-contractual obligations arising from them are governed by Polish law, excluding conflict-of-laws rules.

16.2. Rome I Consumer carve-out. Where the User is a Consumer habitually resident in an EU/EEA Member State other than Poland and the Operator directs its activity to that Member State, the choice of Polish law shall not deprive the Consumer of mandatory protections of the law of their habitual residence (art. 6(2) Rome I).

16.3. Jurisdiction. Subject to Section 16.4, the courts of the Operator's registered seat in Poznań, Poland have exclusive jurisdiction.

16.4. Brussels I bis Consumer carve-out. Where the User is a Consumer: (a) the Consumer may sue the Operator either in the Polish courts or in the courts of the Consumer's domicile (art. 18(1) Regulation (EU) 1215/2012); (b) the Operator may sue the Consumer only in the courts of the Consumer's domicile (art. 18(2)).

16.5. Out-of-court resolution (Consumers). Consumers may use the EU Online Dispute Resolution platform at https://ec.europa.eu/consumers/odr, the Polish Trade Inspection Authority (Inspekcja Handlowa), the municipal/district consumer ombudsman, or general consumer information from UOKiK at https://prawakonsumenta.uokik.gov.pl. Use of these mechanisms is voluntary; the Operator does not at the Effective Date commit to any specific ADR scheme.

17. General

17.1. Severability. If any provision is held invalid, the remainder continues in force (subject, for Consumers, to art. 385¹ § 2 KC).

17.2. Entire agreement. These Terms and the Privacy Policy constitute the entire agreement on the Service. For Business Users, any inconsistent usage of trade or course of dealing is excluded.

17.3. No waiver. Our failure to enforce any right is not a waiver of that or any other right.

17.4. Assignment. You may not assign your rights or obligations without our prior written consent. We may assign or transfer ours in a merger, reorganisation, sale of assets, or to a group company, provided your rights are not materially diminished.

17.5. Force majeure. We are not liable for failures caused by events beyond our reasonable control, including acts of God, war, sanctions, governmental action, internet or blockchain outages, third-party data provider outages, DDoS, smart-contract exploits affecting referenced third parties, or labour disputes.

17.6. Notices. Notices to us: info@xcactus.com; for service of process, registered mail to the seat in Section 3. Notices to you are valid if sent to your Account email.

17.7. Language. These Terms are concluded in English. A Polish version may be made available for information; in case of conflict, English prevails for Business Users, while for Consumers the version in the language of effective conclusion prevails to the extent required by mandatory consumer law.

Contact

  • Email: info@xcactus.com
  • Postal address: xcactus sp. z o.o. sp.k., Plac Andersa 7, 61-894 Poznań, Poland

Version: 1.0.0 · Effective Date: 12 May 2026 · Prior versions archived and available on request.

End of Terms of Use.