Uh. An API that provides currency exchange rates is a textbook case of a read-only API. Unless that privacy policy is the nonsensical "we receive and process your IP address" (of course you do, that's how the internet works, duh), it has no reason to have one because no data flows in that direction.
Trying to get legal to sign off on allowing no-privacy-policy access to anything is going to be hard every time, especially if you do keep personal information like IP addresses for any amount of time (hello GDPR).
While I don't think there would be much investigation on a simple currency API storing user info, most companies aren't in the business of increasing legal risk for the tradeoff of user experience.
IP addresses are not identifying info under the GDPR. They are only potentially identifying. The address in your nginx logs does not count; if you are storing other data and can use the IP to identify an individual, now it's identifying data.