Last updated on September 1, 2025
1. INTRODUCTION
This Law Enforcement Request Policy (hereinafter – “Policy”) sets out the principles and procedures applied by Burvix sp. z o.o., a company incorporated under number 0001131882, having its registered address at ul. Żurawia 43, lok. 8a, 00-680 Warszawa, Republic of Poland (hereinafter – “Company”, “We”, “Our”, “Us”), when responding to requests from law enforcement and supervisory authorities.
The purpose of this Policy is to ensure compliance with applicable legal requirements while safeguarding the rights and interests of Our clients (hereinafter – “Clients”). It applies to all requests submitted by competent public authorities for access to Client or transaction information.
When handling such requests, the Company follows the principles of:
- legality – We only disclose information where required or permitted by law;
- proportionality – disclosure is limited strictly to the scope of the request;
- confidentiality – We maintain secure handling and restricted access to all data;
- data protection – We comply with data protection legislation, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter – “GDPR”).
The Company adheres to the following laws and regulations, among others:
- Act of March 1, 2018 on Counteracting Money Laundering and Financing of Terrorism;
- GDPR;
- Criminal Procedure Code of the Republic of Poland (1997);
- Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market;
- relevant international cooperation agreements.
2. TYPES OF REQUESTS AND JURISDICTION
Authorities may contact Us in different ways, and not every request is treated the same. For clarity, We distinguish between requests that are binding, those that require legal review, and those that come from outside Poland.
First, there are requests that We must always comply with. These are typically formal and backed directly by law: for example, a court order, a prosecutor’s demand in a criminal case, or a request from regulators such as the Polish Financial Supervision Authority (KNF) or the General Inspector of Financial Information (GIFI). Tax authorities may also submit such requests, but only within their lawful powers.
Next, We encounter requests that need legal assessment before We act. These often come from the police, administrative bodies (acting within their statutory powers, e.g. tax offices, regulatory agencies), or parties involved in civil proceedings. In such cases, Our legal team carefully checks the basis of the request to ensure it is valid and proportionate before any data is shared.
Finally, there are international requests, which add another layer of complexity. We only respond to them if they are made through official legal cooperation channels, such as mutual legal assistance (hereinafter – “MLA”), or via recognised bodies like Eurojust or Europol. Requests must also rely on binding international agreements. Private requests from foreign individuals, lawyers or companies are not accepted and must be routed through competent authorities under MLA or equivalent procedures.
Our approach also depends on jurisdiction:
- In Poland, all national authorities may submit requests, but every disclosure must strictly follow Polish law.
- Within the European Union, We apply the principle of mutual recognition, while making sure requests meet European data protection standards.
- For third countries, cooperation is only possible if there is an international agreement in place and the request is routed through official MLA procedures. In addition, We verify that the request does not conflict with Polish or EU standards on human rights and data protection.
3. MANDATORY ELEMENTS OF A REQUEST
For Us to consider a request valid, it must contain certain essential elements. This ensures that the request is both authentic and clear, leaving no doubt as to its legal basis or scope.
Every request should begin with proper formal requirements. It needs to arrive on the official letterhead of the authority, signed by an authorised person, stamped or sealed, and dated. A unique reference or case number must also be included so that the request can be traced back to its origin.
Equally important are the substantive requirements. The request must specify the exact legal basis on which it is made, the relevant criminal or administrative case number, and the precise data being sought. Authorities should also indicate the time period covered by the request, explain why the information is necessary, and set a deadline for Our response.
Finally, the request must clearly identify the Client concerned. This means providing information such as the individual’s or legal entity’s full name, national identification number or business registration number (for example, PESEL or REGON if the Client is based in Poland), account or card numbers (if known), the relevant transaction period, and the type of information being requested.
By requiring these elements, We make sure that any disclosure of information is lawful, accurate, and limited strictly to what is necessary. These requirements apply regardless of how the request is delivered.
4. FORM OF DELIVERY OF DOCUMENTS
How a request reaches Us, and how We respond, is just as important as what it contains. To protect both Clients and the authorities We work with, We accept and send documents only through secure and verifiable channels.
Incoming requests. The preferred way for authorities to contact Us is through formal, written communication on official letterhead, delivered either by courier or post, or electronically through secure channels such as ePUAP. In some cases, other methods may also be accepted – for example, an email with a qualified electronic signature. Requests submitted by email (legal@burvix.io) must be sent in a machine-readable format (such as PDF or Word), with text that can be copied and processed; scanned images or photographs are not accepted. In urgent situations, We may also accept oral requests, provided that a written confirmation follows within 24 hours.
Outgoing responses. When We respond, We follow the same standards. Our standard procedure involves an official letter on Company letterhead, signed by an authorised person, sealed where applicable, and accompanied by a list of the documents being disclosed. Where communication takes place electronically, We use a qualified electronic signature, secure communication channels, and encryption to ensure the confidentiality of any sensitive information.
5. PROCEDURE FOR HANDLING REQUESTS
Once a request arrives, it does not go unanswered. The Company follows a clear, step-by-step procedure to make sure every request is handled lawfully, consistently, and within the required deadlines.
Step 1 – Initial handling (within 24 hours). Every request is logged in Our internal register and assigned a unique internal number. Copies are made and scanned for record-keeping, and the responsible staff are notified. At this stage We also check the authenticity of the documents, the authority of the sender, and whether the request is complete. Finally, the request is classified according to urgency so that urgent matters can be prioritised.
Step 2 – Detailed verification (within 48 hours). After the initial checks, the request is passed on for in-depth review. Our legal team analyses the legal grounds, verifies compliance with GDPR, and assesses whether the request is proportionate. At the same time, the Company’s designated employees identify the Client in Our systems, locate the requested data, and confirm whether it can be securely provided.
Step 3 – Internal escalation. Not all requests are equal in complexity. Standard requests with clear legal bases are handled directly by the Company’s Chief Compliance Officer. More complex or international requests, or those involving disputed issues, are escalated to Our legal team. Requests that involve high risk, reputational concerns, precedent-setting issues, or come from the highest state authorities are further escalated to the executive management.
Step 4 – Decision and response. If the request is accepted, We prepare the response, verify the accuracy of the data, and obtain executive management approval before sending it within the deadline. If We must refuse, We explain the legal grounds for the refusal, propose alternatives where possible, and inform the authority of their right to appeal.
6. SPECIAL PROCEDURES
While most requests follow a standard path, some situations require extra care and faster action. For these cases, the Company applies special procedures.
Urgent requests. When time is critical, We fast-track the process. Urgent requests are escalated directly to the executive management and must be handled within 4 hours. If necessary, We may provide an oral response, but always followed by a written confirmation. Such requests receive the highest priority.
International requests. Cross-border requests involve additional safeguards. Before responding, We carefully verify the jurisdiction, consult with external legal experts if needed, and check compliance with international standards and human rights obligations. Because of this added complexity, processing times for international requests may be longer than for domestic ones.
Mass requests. Sometimes authorities request information about multiple Clients or large datasets. In these cases, We first assess the technical feasibility of providing the data, agree on realistic timelines, and, if needed, release the information in phases. We also allocate additional internal resources to make sure the request is fulfilled properly and securely.
7. OVERSIGHT AND ACCOUNTABILITY
The Company regularly reviews how requests from authorities are handled to ensure that they are processed lawfully, securely, and within the required deadlines. Reports are prepared for the executive management and regulators, and any issues identified are promptly addressed. This oversight ensures that Our approach remains consistent, reliable, and transparent.
8. PERSONAL DATA PROTECTION
Protecting Clients’ personal data is a top priority when We respond to requests from authorities. We only share information that is legally required and always apply strict safeguards.
Where the law allows, We inform Clients if their data has been disclosed. In certain cases, however, authorities may restrict Us from notifying the Client – for example, during active criminal investigations. We always document the legal basis for any disclosure and take extra care when sensitive categories of data are involved.
All disclosures are carried out in line with GDPR principles such as data minimisation, accuracy, storage limitation, and security.
9. UPDATES TO THE POLICY
Whenever laws or best practices evolve, We update this Policy so you can always rely on it being current.
