Privacy policy
1. Controller
The controller within the meaning of the GDPR is:
NC AGENTIC GmbH, Lilienstraße 11, 20095 Hamburg, Germany
Represented by its Managing Director Gerald Fehringer
Email: kontakt@token-xchange.ai
No data protection officer has been appointed (Art. 37 GDPR / § 38 BDSG do not mandate one at this company size). Please address data-protection requests to the contact above.
2. Categories of data processed
- KYB evidence: company name, legal form, register data, VAT-ID, address, uploaded evidence documents, authority of acting persons.
- Trade data: listings, offers, counter-offers, concluded contracts, contract PDFs.
- Invoice data: fee invoices, VAT treatment, VIES validation records.
- Account/identity data: user account, passkey/TOTP authentication.
- Log/audit data: tamper-evident audit log, server logs.
3. Purposes and legal bases
- Art. 6(1)(b) — performance of the marketplace contract (registration, listings, conclusion of trades, fee invoicing).
- Art. 6(1)(c) — legal obligations: due-diligence/verification duties (KYB) and tax/commercial retention (§ 14b UStG, § 147 AO, § 257 HGB).
- Art. 6(1)(f) — legitimate interests: fraud/abuse prevention, integrity and auditability of the audit log.
4. Source of data (Art. 14(2)(f) GDPR)
Where data is not collected directly from you, it originates from publicly accessible sources: the commercial register (register data) and the European Commission's VIES system (VAT-ID confirmation).
5. Recipients and processors
- Hetzner Online GmbH (Germany) — application hosting.
- Amazon Web Services (region eu-central-1, Frankfurt) — key management (KMS) and tamper-evident audit anchors (S3 Object-Lock).
6. International data transfer
Processing takes place exclusively in the eu-central-1 (Frankfurt) region; no transfer to a third country is intended. Should a third-country nexus exceptionally arise within the services used, the EU Standard Contractual Clauses and/or the EU-US Data Privacy Framework apply as a safeguard under Art. 46 GDPR.
7. No automated individual decision-making (Art. 22 GDPR)
No solely automated decision producing legal effects takes place. KYB verification is reviewed and approved manually by an authorised person (tf_root).
8. Retention periods
| Category | Period | Basis |
|---|---|---|
| Invoices / accounting records | statutory minimum 8 years, conservatively 10 years | § 14b UStG, § 147 AO |
| Commercial letters | 6 years | § 257 HGB |
| Audit anchors (S3 Object-Lock) | 7 years | auditability |
| KYB evidence | crypto-erasure on offboarding (subject to statutory retention / legal hold) | Art. 17(3)(b) GDPR |
| Server logs | 30 days | Art. 6(1)(f) |
9. Encryption and crypto-erasure
Personal data is stored encrypted per tenant. On offboarding the tenant-specific key is destroyed ("crypto-erasure"), rendering the associated data irrecoverable. Statutorily retained accounting data is held under a separate, non-deletable retention key (key separation). See the data-deletion concept (Löschkonzept) for details.
10. Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21). Requests: kontakt@token-xchange.ai.
11. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Ludwig-Erhard-Straße 22, 20459 Hamburg.
12. Cookies and local storage
This service uses only strictly necessary cookies required to provide the marketplace functions you explicitly request — in particular a session cookie (tf_session) that keeps you signed in, and short-lived state cookies used solely during the passkey (WebAuthn) login/registration ceremony. These are exempt from consent under § 25(2) TDDDG (formerly TTDSG), so no cookie consent banner is required. We set no analytics, advertising, tracking or third-party cookies and embed no third-party content. Legal basis for the data they process: Art. 6(1)(b) and (f) GDPR. You can block or delete these cookies in your browser; the sign-in function will then not work.
As of June 2026.