Privacy policy

1. OVERVIEW

Burvix sp. z o.o. (hereinafter – “Company”, “We”, “Our”, “Us”) is committed to protecting your personal data and ensuring transparency in how it is handled. We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter – “GDPR”), the Polish Personal Data Protection Act, and other applicable laws.

This Privacy Policy (hereinafter – “Policy”) explains how We collect, use, disclose, and protect personal data when you interact with Our website – https://burvix.exchange/ (hereinafter – “Website”), and provides a concise overview of how personal data is processed when you access Our services via the Telegram bot – @burvix_bot (hereinafter – “Bot”, “OTC Bot”).

For the avoidance of doubt, the detailed rules governing personal data processing in the OTC Bot are set out in a separate Privacy Policy for the Bot, available in the “Documents and guides” menu of the Bot. In the event of any inconsistency between this Policy and the OTC Bot Privacy Policy with respect to Bot processing, the OTC Bot Privacy Policy shall prevail.

By browsing or using the Website and/or engaging with the Bot, you acknowledge that you have read and understood this Policy and, where applicable, the Bot Privacy Policy.

2. DATA CONTROLLER

The data controller responsible for the processing of your personal data is Burvix sp. z o.o.

  • Full name: Burvix Spółka z ograniczoną odpowiedzialnością.
  • Legal status: Polish limited liability company.
  • Registration number: 0001131882.
  • Legal address: Żurawia street, No. 43, room 8a, Warsaw, Poland, postal code 00-680.
  • Email: support@burvix.io.
  • Official website: https://burvix.exchange/.
  • Official link to the Telegram bot: @burvix_bot.

If you have any questions, requests, or concerns regarding how We process your personal data, you may contact Us at the details above.

3. PRINCIPLES OF PERSONAL DATA HANDLING

We are committed to processing personal data in full compliance with the GDPR and the principles it establishes. These principles form the foundation of all Our data protection practices and ensure that your rights and freedoms are respected at every stage of the data lifecycle.

In particular, We adhere to the following principles:

  • Lawfulness, fairness, and transparency – personal data is processed lawfully, fairly, and in a transparent manner. We always provide clear information about the legal basis and purpose of data collection.
  • Purpose limitation – personal data is collected for specific, explicit, and legitimate purposes and is not further processed in a way incompatible with those purposes.
  • Data minimization – We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the stated purposes.
  • Accuracy – We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
  • Storage limitation – We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law.
  • Integrity and confidentiality – We process personal data securely, using appropriate technical and organizational measures to protect it against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Accountability – as a data controller, the Company is responsible for, and able to demonstrate compliance with, these principles.

4. DATA WE COLLECT

When you interact with Our Website, We may collect the following personal data:

  • data you provide voluntarily:
    • contact details (such as name, email address, phone number) submitted by email or contact forms;
    • information you include in messages, inquiries, or requests for information;
    • all information you provide via the contact form available on the Website;
  • technical and usage data:
    • IP address, browser type and version, device type, operating system, and time zone settings;
    • information about how you use the Website, such as pages viewed, time spent on the Website, and navigation patterns;
    • data collected through cookies and similar technologies;
  • communication records:
    • copies of correspondence you send to Us, including inquiries, feedback, or complaints submitted via the Website.

Data processed in the OTC Bot, in particular:

  • basic identifiers: Telegram user ID, username, and Bot account status;
  • service profile data: acceptance of Terms of Use, user type (individual/legal entity), basic settings;
  • service interaction logs: commands used, timestamps, operational events necessary to provide the service and support;
  • compliance/KYC data (via third-party provider): identification documents, selfies/liveness, questionnaire responses required by AML/CFT rules;
  • transactional data: amount of assets the Client intends to receive, the bank account provided (to execute settlements), the estimated amount of assets the Client will receive after any fees, based on the current rate.

Telegram may process your messages and account data under its own privacy policy.

5. MINORS' DATA

The Website and the Bot are intended for users aged 18+. We do not knowingly collect personal data from minors. If you believe a minor has provided data, please contact support@burvix.io so We can delete it and, where applicable, block access to Bot services.

6. PERSONAL DATA WE DO NOT COLLECT

The Company follows the principle of data minimization and only processes personal data that is necessary for the provision of Our services, compliance with legal obligations, and the fulfillment of legitimate interests. Accordingly, We do not intentionally collect or process the following categories of personal data:

  • Special categories of personal data – as defined under Article 9(1) of the GDPR, We do not collect any data revealing:
    • racial or ethnic origin;
    • political opinions;
    • religious or philosophical beliefs;
    • trade union membership;
    • genetic data;
    • biometric data (except where biometric data is collected strictly for identity verification and with appropriate safeguards);
    • health data;
    • data concerning a person’s sex life or sexual orientation.
  • Criminal convictions and offenses – We do not process data relating to criminal convictions and offenses except where such processing is explicitly required under applicable law (e.g. for AML purposes, in accordance with Article 10 of the GDPR); in such cases, the processing is carried out under strict legal safeguards.
  • Personal data from unlawful or non-transparent sources – We do not obtain or use personal data from third-party sources unless:
    • the data subject has been properly informed in accordance with Article 14 of the GDPR; and
    • the transfer is based on a valid legal basis, such as contractual necessity, legal obligation, or legitimate interest.
  • Private keys / seed phrases / withdrawal credentials – We do not request, collect, or store private keys, seed phrases, or any credentials enabling unilateral withdrawals from client wallets or venue accounts.

If you have discovered that the Company has collected such information, please contact Us at support@burvix.io and request that it be removed.

7. LEGAL BASES FOR DATA GATHERING

We ensure that any processing of your personal data is based on a valid lawful ground under Article 6 of the GDPR.

Depending on the purpose, one or more of the following legal grounds will apply:

  • Consent (Article 6(1)(a) of the GDPR) – in some cases, We process your personal data based on your explicit and freely given consent.
  • Performance of a contract (Article 6(1)(b) of the GDPR) – when processing is required to provide Our services and perform Our contract with you, We rely on this basis. 
  • Legal obligation (Article 6(1)(c) of the GDPR) – many of Our processing activities are necessary for compliance with a legal obligation to which the Company is subject. We are subject to a number of legal and regulatory obligations (e.g., AML/CFT regulations, data retention requirements). Where required by AML laws, We also process and exchange CDD/KYC/KYB information with other obliged entities under a reliance arrangement, including providing copies of supporting documents upon request and receiving equivalent information from those entities. Consent is not the legal basis for these activities.
  • Legitimate interests (Article 6(1)(f) of the GDPR) – We may process personal data where it is necessary for Our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms.
  • Protection of vital interests (Article 6(1)(d) of the GDPR) – this legal basis is rarely applicable but may be invoked in extreme situations where processing is necessary to protect your life or that of another natural person (e.g., emergency disclosures to law enforcement).

You may contact Us at any time to obtain clarification about the specific lawful basis relied upon for processing your personal data.

8. PURPOSES OF PROCESSING

We process your personal data only for specific, explicit, and legitimate purposes. In particular, We use your data:

  • to communicate with you and provide support: via Website forms/email (questions, requests, feedback) and via the Bot, including sending service notifications about the status of your requests or operations;
  • to provide services and administer accounts: on the Website (lead management, sign-ups for events/newsletters); in the Bot (creating and managing your Bot profile, processing your commands/orders, and maintaining operational logs necessary to execute your instructions);
  • to meet legal obligations: on the Website (maintaining mandatory records and responding to supervisory/regulatory authorities); in the Bot (conducting KYC/AML due diligence, ongoing monitoring, sanctions/risk screening, retaining evidential records, and, where required, submitting reports to competent authorities under EU and national law);
  • to ensure security and prevent abuse: technical safeguards and monitoring for the Website (anomaly detection, bot/spam protection) and for the Bot (access controls, anti-fraud, rate-limiting, incident investigation), as well as protection against unauthorized access and preservation of event logs;
  • to keep services functioning and improve quality: Website analytics/diagnostics and Bot operational telemetry, debugging and stability improvements, UX enhancements, and quality assurance;
  • for marketing and product updates (as permitted by law and with consent where required): on the Website (newsletter subscriptions, measuring content/campaign effectiveness (e.g., UTM parameters), basic web analytics); in the Bot (optional service updates and, where allowed, promotional communications with an opt-out at any time).

9. SHARING OF PERSONAL DATA

We do not sell or commercially trade the personal data We collect. Where sharing occurs, it is limited to what is necessary and proportionate, subject to data minimization, confidentiality, and GDPR-compliant contracts.

The Company may disclose such data to the following categories of recipients, for instance:

  • Service providers and sub-processors – hosting/cloud infrastructure, IT support, maintenance, email delivery, and analytics tools that help Us operate, secure, and improve the services. For the Bot, this also includes operational vendors such as identity/KYC/AML verification and sanctions-screening providers engaged strictly under Our instructions. These providers may only process data to deliver the contracted service and may not use it for their own purposes.
  • Professional advisers – such as legal, regulatory, or compliance consultants, where disclosure is necessary to protect Our rights or comply with obligations.
  • Regulatory authorities and public bodies – where disclosure is required by applicable laws, court orders, or regulatory investigations.
  • Other obliged entities under AML reliance (independent controllers) – for CDD/KYC/KYB and, where applicable, activation of services with venue/liquidity partners. Under the AML reliance framework, We may exchange CDD information with such obliged entities, including providing copies of supporting documents upon request and receiving equivalent information from them; each party acts as an independent controller for its own AML purposes, and exchanges occur under written terms and applicable AML regulations.
  • Group companies or affiliates – to the extent necessary for internal administrative purposes, provided that equivalent data protection measures are applied.

Please note that when you use the OTC Bot, certain basic information is processed by Telegram itself, under Telegram’s own privacy policy. We do not control how Telegram processes such data and encourage you to review Telegram’s policies separately.

10. INTERNATIONAL DATA TRANSFERS

We aim to store and process personal data collected within the European Economic Area (hereinafter – “EEA”).

However, some of Our service providers may be located outside the EEA. Where such transfers occur, We ensure that your data is protected to the same standard required under the GDPR.

In particular, We rely on one or more of the following safeguards:

  • an adequacy decision of the European Commission confirming that the destination country provides an adequate level of protection;
  • the use of Standard Contractual Clauses adopted by the European Commission, together with supplementary measures where required;
  • in exceptional cases, your explicit consent or another derogation under Article 49 of the GDPR, provided you are informed of the associated risks.

We continuously monitor legal and regulatory developments regarding international transfers to ensure that your personal data remains protected at all times.

11. DATA RETENTION

We retain personal data only for as long as necessary for the purposes described in this Policy or to comply with applicable law, after which it is securely deleted or anonymised. Specific periods depend on the data category and legal requirements.

In practice, this means, for instance:

  • KYC/AML and compliance data is retained for the periods required under applicable AML and financial regulations (for example, 5 years after the end of the business relationship, unless longer retention is legally required). Where reliance requires Us to keep copies of identification documents or to supply copies to another obliged entity, We will retain such copies for as long as the law requires.
  • Support and communication records may be retained for a limited period to resolve inquiries and ensure service quality.
  • Regulatory or legal records may be stored for a longer period if required by law, regulatory authority, or for the establishment, exercise, or defence of legal claims.

12. DATA SUBJECT RIGHTS

As a data subject, you have the following rights under the GDPR and applicable data protection laws:

  • Right of access – to obtain confirmation whether We process your personal data, and if so, to receive a copy along with information on how it is processed.
  • Right to rectification – to request correction or completion of inaccurate or incomplete personal data.
  • Right to erasure (“right to be forgotten”) – to request deletion of your personal data where there is no lawful reason for Us to continue processing it. This right does not apply where We must retain data under AML/CFT or other legal obligations.
  • Right to restriction of processing – to request limitation of the processing of your data under certain circumstances (e.g., contesting accuracy). Please note that restrictions may not be available for records We are legally required to maintain for AML/CFT purposes.
  • Right to object – to object at any time to processing of your personal data carried out on the basis of Our legitimate interests (including for direct marketing). This right does not apply to processing that is strictly necessary to comply with Our legal obligations, including AML/CFT requirements.
  • Right to data portability – to receive your personal data, which you provided to Us, in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible. Portability does not apply to processing carried out under legal obligation.
  • Right to withdraw consent – where processing is based on your consent, you may withdraw it at any time. Withdrawal will not affect the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint – if you believe your data protection rights have been infringed, you may file a complaint with the competent supervisory authority. In Poland, this is the Personal Data Protection Office (UODO).

We encourage you to first contact Us directly so We can address your concerns promptly and effectively.

13. HOW TO EXERCISE YOUR RIGHTS

You may exercise any of your rights described in this Policy by contacting Us by email at support@burvix.io.

Please include sufficient information to identify yourself and clearly specify which right you wish to exercise. For security reasons, We may request additional information to verify your identity before acting on your request.

We will respond to your request without undue delay and in any case within one (1) month of receipt, as required by Article 12(3) GDPR. In complex cases, or where multiple requests are received, this period may be extended by up to two (2) additional months, and We will inform you accordingly.

Exercising your rights is free of charge. However, We may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded, excessive, or repetitive.

14. SECURITY OF PERSONAL DATA

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Our safeguards include, among others:

  • access controls – restricting access to personal data only to authorised personnel who require it for legitimate business purposes;
  • secure infrastructure – use of trusted hosting providers, firewalls, encryption, and monitoring tools to safeguard data; We use authenticated, encrypted channels and signed requests; access is restricted on a need-to-know basis and governed by written terms with recipients;
  • data minimisation – limiting the volume of data collected and processed to what is strictly necessary;
  • incident response procedures – established processes for detecting, reporting, and responding to potential data breaches.

While We take all reasonable steps to protect your personal data, please be aware that no system of electronic transmission or storage is fully secure. You also play a role in keeping your data safe by exercising caution when submitting information to Us.

15. LINKS AND THIRD-PARTY SERVICES

The Website may contain links or embedded features (e.g., social media buttons). Third-party privacy practices apply to your interactions with those services; please review their policies. Interactions with Telegram and other Bot-related providers are governed by their own privacy terms; see also the Bot Privacy Policy.

16. UPDATES TO THIS POLICY

We may update or amend this Policy from time to time to reflect changes in law, regulatory guidance, or Our business practices.

Any updates will be published on this page, and the “last updated” date at the top of the Policy will be revised accordingly. 

We encourage you to review this Policy periodically to stay informed about how We protect your personal data. Your continued use of Our services after any update constitutes your acknowledgement of the revised Policy.