Burhuc logo
Contact

Privacy policy

Burhuc is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Luxembourg data protection laws.

Last updated: 14 July 2026.

Data we collect

We may collect and process personal data that you voluntarily provide when:

  • contacting us by email,
  • submitting inquiries through the website,
  • requesting information about our services, or
  • interacting with our website.

The personal data collected may include:

  • name,
  • email address,
  • company information,
  • communication content,
  • technical data such as IP address or browser information where applicable,
  • public wallet addresses and related chain or transaction-context metadata where a wallet-enabled project explicitly sends wallet analytics events.

Purpose of processing

Your personal data is processed solely for legitimate business purposes, including:

  • responding to inquiries,
  • providing requested information or services,
  • maintaining business communications,
  • ensuring website security and functionality,
  • complying with legal obligations.

We do not sell personal data to third parties.

Legal basis for processing

Depending on the context, personal data is processed on the basis of:

  • your consent,
  • the performance of a contract or pre-contractual measures,
  • compliance with legal obligations,
  • our legitimate business interests, provided such interests do not override your fundamental rights and freedoms.

Data retention

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.

Data sharing

We may share personal data with trusted service providers or technical partners acting on our behalf under appropriate confidentiality and data protection obligations. Personal data may also be disclosed where required by law or competent authorities.

Where personal data is transferred outside the European Economic Area (EEA), appropriate safeguards will be implemented in accordance with GDPR requirements.

Third-party services

The website may integrate technical providers used for hosting, security, email delivery, contact-form notification, or external links such as LinkedIn. Analytics tracking on the main Burhuc website is first-party Burhuc analytics and is only activated after consent. If additional services such as Google Analytics, Meta Pixel, newsletter tools, third-party wallet analytics, Discord login, or other third-party SaaS are added, this policy will be updated to disclose them clearly before those services are used.

Burhuc analytics tracker

Burhuc uses its own analytics tracker script, currently loaded as /tracker.js, to understand website usage and service health. On the main Burhuc website, the tracker loads only after analytics consent and respects browser Do Not Track signals.

The tracker may process page URL, path, referrer, page title, event name, campaign parameters, anonymous visitor and session identifiers, browser user-agent, approximate country from request headers, hashed IP address, timestamp, and limited event metadata such as contact-form submission events. It does not use this data to sell personal data.

For wallet-enabled projects, wallet-related events may include a public wallet address when that address is intentionally sent by the project. Burhuc treats wallet addresses as pseudonymous personal data because they may be linked to blockchain activity or other context. Wallet addresses are used for project analytics and are masked in admin reporting where practical.

Analytics identifiers are cleared when analytics consent is withdrawn through the cookie settings. Server-side analytics event data is retained for up to 395 days by default, unless a shorter retention period is configured.

Burhuc Scanner data

The Burhuc Privacy and Consent Scanner, powered by CertentiScan, stores the submitted website URL, normalized domain, scan status, timestamps, hashed request IP, consent-flow results, findings, and server-side evidence artifacts required to generate the report.

The public scan stays limited. Full report access and evidence are available only after domain control is verified through same-apex work email, DNS TXT, or an HTML file verification flow.

Evidence from unverified public scans expires after 24 hours. The cleanup worker purges unverified evidence and screenshot artifacts after expiry. Verified report records may be retained for report history, account access, abuse prevention, and re-scan comparison.

Email verification uses a short-lived one-time code or confirmation link. DNS and HTML-file verification store the generated verification token, verification method, domain, status, and related timestamps.

Scanner AI-assisted fix processing

AI-assisted fix generation is optional and starts only when a verified report user selects Generate AI fix. Burhuc currently uses the commercial Anthropic Claude API for this feature. Before transmission, the scanner removes or masks known cookie values, authorization data, email addresses, tokens, sensitive URL parameters, and sensitive paths. The request contains the finding category, redacted finding evidence, the affected website context where needed, and generic implementation guidance. Burhuc does not provide a free-text prompt field for this feature.

Anthropic processes this information to return technical remediation guidance on Burhuc's behalf. Anthropic's commercial terms incorporate its data processing addendum and Standard Contractual Clauses. Anthropic states that commercial API inputs and outputs are not used to train its models by default and that standard API inputs and outputs are deleted from its backend within 30 days, subject to agreed exceptions, usage-policy enforcement, or legal requirements.

Burhuc stores the redacted payload, selected provider and model, generated output, provenance metadata, user reference, and timestamps with the verified finding record for report history, accountability, and re-scan comparison. Users should not place personal data or confidential information into copied remediation material. See Anthropic's official information on its commercial DPA and SCCs, model-training policy, and API retention.

Your rights

Under the GDPR, you have the right to:

  • access your personal data,
  • request rectification of inaccurate data,
  • request erasure of your data,
  • request restriction of processing,
  • object to processing,
  • request data portability where applicable,
  • withdraw consent at any time where processing is based on consent.

Requests may be submitted to: contact@burhuc.com. We may request proof of identity before responding to certain requests. For analytics erasure requests, providing the relevant visitor identifier or wallet address helps Burhuc locate the pseudonymous records.

Cookies and tracking technologies

This website may use cookies and similar technologies. For more information, please consult our Cookie policy.

Supervisory authority

If you believe your personal data is processed unlawfully, you have the right to lodge a complaint with the Luxembourg supervisory authority: Commission nationale pour la protection des données (CNPD).

You can find additional information on the official CNPD website: CNPD Luxembourg.

Contact

For any questions regarding this Privacy policy or the processing of personal data, please contact:

Burhuc
Email: contact@burhuc.com

Burhuc has not published a separate data protection officer contact. Data-protection requests should be sent to the contact address above unless Burhuc later publishes a dedicated DPO or privacy contact.

Burhuc - Fortress of Trust
Research // Development // Innovation.
Made in Luxembourg.
Contact
Telegram Email LinkedIn X
Burhuc
Legal notice Privacy GDPR AI Act Terms Accessibility
Partner
Partner login
Sub-domains
Entrepreneurs Compta Regulation Compliance scanner
Settings
Cookie settings
© 2022-2026 Burhuc Research V.1.7 | All rights reserved.