Vavo Web3 Privacy Notice
Version of: June 17th 2026
The Vavo Web3 privacy notice (“Privacy Notice”) is drawn up in English as well as other language versions. In case of any discrepancy, the English language version prevails.
Vavo Web3 Ltd. (“Vavo Web3”, “we”, “us”, “our”) offers self-custodial wallet services through the Web3 Wallet functionality integrated in the Bitvavo App operated by Bitvavo B.V. (the “Web3 Wallet Services”). The Web3 Wallet Services enable users to create and manage self-custody blockchain wallet addresses, and provides a user interface that allows you to connect to and interact with third-party decentralised exchanges.
This is our Privacy Notice. In this document we explain what kind of personal data we collect and process in connection with the Web3 Wallet Services. Personal data means all information by which a person can be directly or indirectly identified and is a term under the General Data Protection Regulation (“GDPR”). We also explain what role we have in the processing of personal data, how long we retain personal data and what rights you have as a data subject.
The Web3 Wallet Services are accessible through the Bitvavo App operated by Bitvavo B.V. In order to access the Web3 Wallet Services, you must first have a Bitvavo account and complete the onboarding and verification procedures conducted by Bitvavo B.V.; Bitvavo B.V. therefore collects and processes the personal data as set out in accordance with the Bitvavo B.V. Privacy Notice. Bitvavo B.V. will provide Vavo Web3 with data as set out in paragraph 4.1 below.
Vavo Web3 receives personal data from Bitvavo B.V. insofar necessary to provide the Web3 Wallet Services, maintain the security and integrity of the Web3 Wallet Services, comply with applicable laws and prevent fraud or misuse.
In relation to making use of the self-custodial wallet services, Vavo Web3 is the controller of your personal data, Bitvavo B.V. acts as a processor in relation to this relationship.
If you want to know more about this Privacy Notice or when you have questions or recommendations, please send an email to [email protected]. We will respond to your request as quickly as possible.
[Vavo Web3 Ltd.]
Park Place
55 Par-la-Ville
Hamilton HM 11
Bermuda
E: [email protected]
W: bitvavo.com
Company registration number: 202606004
Pursuant to Article 27 GDPR, Vavo Web3 has appointed Bitvavo B.V., having its registered office at Keizersgracht 281, 1016 ED Amsterdam, as its representative in the European Union. The representative may be contacted at [email protected].
Vavo Web3 is responsible for the processing of personal data necessary for the provision, operation and security of the Web3 Wallet Services and acts as “controller” under the GDPR. While Bitvavo B.V. facilitates access to the Web3 Wallet Services through the Bitvavo App environment, Vavo Web3 independently determines the purposes and means of the personal data processing necessary for the provision and operation of the Web3 Wallet Services.
Bitvavo B.V. separately acts as controller for the personal data processed in connection with: the Bitvavo platform account, identity verification and KYC procedures, customer onboarding, fiat services, exchange services and regulatory compliance obligations applicable to Bitvavo B.V. Such processing is governed by the Bitvavo B.V. Privacy Notice.
In order to enable you to access and use the Web3 Wallet Services, Bitvavo B.V. may share a limited subset of such personal data with Vavo Web3, including your:
Globally Unique Identifier (“GUID“). This is a unique reference code used to identify a specific transaction, account, or record so it can be tracked and distinguished from all others;
first name and last name;
Email; and
address.
Vavo Web3 processes such personal data insofar necessary to:
provide the Web3 Wallet Services;
maintain security and integrity of the Web3 Wallet Services;
prevent fraud, abuse and unlawful activity;
comply with applicable legal obligations; and
provide customer support relating to the Web3 Wallet Services, which is provided on behalf of Vavo Web3 by Bitvavo B.V. as a service provider.
We receive and store certain types of information automatically when you access or use the Web3 Wallet Services through the Bitvavo App. This information is used to provide and secure the Web3 Wallet Services, facilitate wallet functionality, improve performance and user experience, prevent fraud or misuse and comply with applicable legal obligations.
The information collected automatically may include:
Usage data: Information relating to your access to and use of the Web3 Wallet Services, including your IP-address, which pages you visit, on which links you click, when and for how long you use the Web3 Wallet functionality integrated in the Bitvavo App, and technical information (e.g. type of browser and operating system). Please read our Cookie Statement for more information on how we use cookies and similar technologies to collect this type of information about you: https://bitvavo.com/en/cookie-policy.
Wallet interaction data. Information relating to your use of the Web3 Wallet Services and your blockchain interactions, including blockchain wallet addresses, public wallet information, transaction hashes, supported blockchain networks used, smart contract interaction data, token balances, decentralized exchange interaction metadata and gas fee information. Please note that transactions executed through public blockchain networks may be publicly visible on the relevant blockchain. Blockchain wallet addresses, transaction hashes and related transaction details may therefore be accessible to third parties and may, in certain circumstances, be associated with an individual user. Due to the nature of blockchain technology, on-chain records generally cannot be modified or deleted once recorded on the blockchain. Vavo Web3 does not control the operation of public blockchain networks and cannot erase or alter information recorded on-chain.
Advertising and attribution identifiers: Where permitted under applicable law and, where required, based on your consent, we may collect certain identifiers used for campaign attribution, analytics and fraud prevention purposes, including:
a. mobile advertising identifiers (such as IDFA or GAID);
b. click identifiers (such as gclid, fbclid, msclkid, ttclid or sc_click_id); and
c. platform user identifiers assigned by advertising or analytics providers.
These identifiers help us measure the effectiveness of campaigns, understand how users discover the Web3 Wallet Services and detect fraudulent or abusive activity.
We may only process your personal data where we have a lawful basis under Article 6 GDPR. The table below sets out each processing purpose together with the applicable legal basis. Where we rely on “legitimate interests” (Article 6(1)(f) GDPR), we have carried out a balancing test confirming that our interests are not overridden by your interests or fundamental rights.
We may use your personal data for the following purposes: | Your personal data is only processed for a specified purpose and based on a legal ground, such as your consent or when necessary for the execution of an agreement with you, to comply with a legal obligation or to protect a legitimate interest. | Legal Basis (Article 6 GDPR) |
(a) To comply with laws and regulations. (b) To prevent fraud, misuse of Web3 Services, or illegal activity. | Based on our regulatory requirements or the legitimate interest to prevent fraud, misuse of Web3 Services, or money laundering/terrorist financing. | Legal obligation – Art. 6(1)(c) GDPR Legitimate interests – Art. 6(1)(f) (interest: protecting Vavo Web3 and its users from financial crime) |
(c) To enforce the Web3 Wallet - User Agreement and other agreements with you. (d) To provide the Web3 Wallet Services. (e) To provide Web3 Wallet Service communications. We send service-related messages, security alerts, transaction notifications, technical notices and operational updates. (f) To provide customer service. We process personal data when responding to support requests, disputes, complaints and troubleshooting inquiries. | Based on our contract with you or to take steps at your request prior to entering into a contract. | Performance of a contract – Art. 6(1)(b) GDPR Legal obligation – Art. 6(1)(c) |
(g) For research and development purposes. We process personal data to analyze service performance, improve security, enhance functionality and resolve technical issues. | Based on your consent or our legitimate interest. When we process your personal data for our legitimate interest we always ensure that we consider and balance any potential impact on you and your rights under data protection laws | Legitimate interests – Art. 6(1)(f) (interest: improving and securing the Web3 Wallet Services). We use aggregated or pseudonymised data wherever possible to minimise privacy impact. |
(h) To engage in marketing activities. Based on your communication preferences and applicable consent requirements, we may engage in marketing activities relating to the Web3 Wallet Services. | Based on your consent or our legitimate interest. When we perform our marketing activities towards you on the basis of your customer profile, we will make sure we do so in a fair way. | Consent – Art. 6(1)(a) GDPR (where required by applicable law) or Legitimate interests – Art. 6(1)(f) (existing customer marketing, where permitted) |
(i) For accountability purposes. Vavo Web3 retains personal data insofar necessary to (i) maintain a proper administration and (ii) to substantiate potential legal claims. Vavo Web3 therefore needs to keep records of registration, identification, transactions, withdrawals of funds, access logs and important correspondence. | Based on our legal obligation or our legitimate interest. When we retain your personal data to maintain a proper administration and substantiate potential legal claims, we will make sure we do not keep any personal data that is not necessary for this purpose. | Legal obligation – Art. 6(1)(c); or Legitimate interests – Art. 6(1)(f) (interest: defending or bringing legal claims) |
Please note:
If you provided consent for any processing of your personal data, you always have the right to withdraw your consent at any moment by emailing us at: [email protected]. Please note withdrawal of your consent does not affect the lawfulness of the processing of your personal data before such withdrawal. In addition, where we are required to process your personal data to comply with a legal or regulatory obligation, we may continue to process such personal data notwithstanding the withdrawal of your consent, to the extent necessary to comply with those obligations.
Legitimate interests: When we rely on legitimate interests, we always ensure that we have carried out a balancing test and that our interests are not overridden by your rights and interests. You have the right to object to processing on this basis – see paragraph 9 below.
If we send you targeted marketing messages based on legitimate interest, we always offer you the opportunity to unsubscribe. If you wish to unsubscribe, you can do so (i) on our website www.bitvavo.com by changing your preferences under the ‘settings’ tab or (ii) in every marketing email we send you, by clicking ‘unsubscribe’.
The following chart summarizes how we use the categories of personal data we collect:
Personal Data Category as mentioned in par. 4 | Source of Personal Data | Purpose of Collection Personal Data |
Usage data | Information we collect from you automatically | (i) To enforce the Web3 Wallet - User Agreement, (ii) to prevent fraud, misuse of services, or money laundering, (iii) to provide the Web3 Services, (iv) to provide Web3 Services communication. |
Wallet interaction data | Information we collect from you automatically | To prevent and detect fraud, misuse of services, or money laundering, and to provide the Web3 Services. |
Advertising and attribution identifiers | Information we collect from you automatically | (i) To prevent fraud, misuse of services, or money laundering, and (ii) to engage marketing activities. |
GUID, name, email and address | Information we receive from Bitvavo B.V. | (i) To comply with laws and regulations, (ii) to enforce the terms in the Web3 Wallet - User Agreement, (iii) to prevent fraud, misuse of services, or money laundering, (iv) to provide the Web3 Services, (v) to provide customer service, and (iv) accountability purposes. |
Vavo Web3 uses automated software tools to identify interactions with the Web3 Wallet Services, wallets or counterparties that may fall outside Vavo Web3’s risk appetite (for example, interactions involving wallets associated with sanctions lists or illicit activity). Where a solely automated assessment produces a decision that produces legal or similarly significant effects on you (such as suspension of your access to the Web3 Wallet Services), Vavo Web3 ensures that:
you are informed of the decision and its basis;
you have the right to request human review of the decision; and
you may contest the decision by contacting us at [email protected].
Vavo Web3 only provides access to your personal data to personnel of Bitvavo B.V. and other service providers that require access to perform their duties to enable the Web3 Services.
We may engage third-party service providers acting as processors, including:
a service provider who provides embedded wallet infrastructure; and
a service provider that enables users to swap, bridge, and move assets across multiple blockchains through a single integrated interface or API.
Because the Web3 Wallet Services are accessible through the Bitvavo App environment, Bitvavo B.V. performs various operational, technical and support activities in connection with the Web3 Wallet Services on behalf of or in support of Vavo Web3. In this context, Bitvavo B.V. may engage third-party service providers and infrastructure providers as further set out in the Bitvavo B.V. Privacy Notice.
Vavo Web3 may also engage third-party service providers acting as processors under Article 28 GDPR, including:
a service provider providing embedded wallet infrastructure; and
a service provider enabling users to swap, bridge and move assets across multiple blockchains through a single integrated interface or API.
All processors are bound by data processing agreements requiring them to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures.
Personal data may also be shared with:
Recipient category | Basis for sharing |
Competent supervisory authorities, law enforcement agencies or financial intelligence units | Legal obligation – Art. 6(1)(c) GDPR |
Blockchain analytics providers (e.g. for AML/sanctions screening) | Legal obligation – Art. 6(1)(c); or legitimate interests – Art. 6(1)(f) |
Decentralised applications, decentralised exchanges or other third-party services you choose to interact with | Performance of a contract – Art. 6(1)(b); note that by interacting with such services you direct us to share data with them |
Advertising, analytics and attribution partners operating within the Bitvavo App environment | Consent – Art. 6(1)(a); or legitimate interests – Art. 6(1)(f), as applicable |
Important – Blockchain Transactions: Blockchain transactions are inherently public and visible on distributed ledger networks. Information recorded on a blockchain may remain publicly accessible indefinitely and generally cannot be deleted or modified. Vavo Web3 does not control, and cannot limit the use of, information that has been recorded on-chain by third parties.
Personal data relating to the Web3 Services may be transferred to, accessed from or processed in countries outside the EEA, including Bermuda. In this context, Vavo Web3 takes the following safeguards to ensure that personal data is adequately protected in accordance with EU law:
Transfer scenario | Safeguard |
Transfer to a country covered by a European Commission Adequacy Decision | Adequacy Decision under Art. 45 GDPR – no additional safeguards required |
Transfer to the United States | EU-U.S. Data Privacy Framework (Art. 45 GDPR); or, where the recipient does not participate, Standard Contractual Clauses (Art. 46(2)(c) GDPR) supplemented by a Transfer Impact Assessment where required |
Transfer to any other third country without an Adequacy Decision | Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where necessary, supplementary measures following a Transfer Impact Assessment |
You may request a copy of the relevant safeguards or further information about any international transfer by contacting us at [email protected].
Under the GDPR, you have the following rights in relation to the personal data that Vavo Web3 processes about you:
Right | What this means |
Right of access (Art. 15) | You may request confirmation of whether we process personal data about you and, if so, receive a copy of that data together with information about how it is processed. |
Right to rectification (Art. 16) | You may request that inaccurate or incomplete personal data is corrected or completed. |
Right to erasure (Art. 17) | You may request deletion of your personal data in certain circumstances (e.g. when it is no longer necessary for the purpose for which it was collected). Please note that this right does not extend to personal data recorded on public blockchain networks, which Vavo Web3 cannot erase or alter – see paragraph 4.2 and 7.2 above. |
Right to restriction of processing (Art. 18) | You may request that we restrict the processing of your personal data in certain circumstances (e.g. while the accuracy of the data is contested). |
Right to data portability (Art. 20) | Where processing is based on your consent or on a contract, and is carried out by automated means, you may request that we provide your personal data to you or another controller in a structured, commonly used and machine-readable format. |
Right to object (Art. 21) | You may object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims. |
Right not to be subject to solely automated decisions (Art. 22) | See paragraph 6 above. |
Right to withdraw consent (Art. 7(3)) | Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
To exercise any of the above rights, please contact us at [email protected]. We may ask you to provide information to verify your identity before responding to your request.
We will respond as quickly as possible and in any event within one month of receipt of your request. If more time is needed (up to a maximum of three months in total), we will inform you of the extension and the reasons for the delay within one month.
Please note that these rights are not absolute. In some circumstances we may have a legal obligation or other legitimate ground to decline your request or to limit the scope of our response. If we do so, we will explain our reasons.
If you believe that Vavo Web3 has processed your personal data unlawfully or if you are not satisfied with our response to your request, you can send your complaint to [email protected].
You are always entitled to file a complaint with a data protection supervisory authority if you believe that we are not processing your personal data in accordance with applicable laws. For Vavo Web3, the leading supervisory authority where you may file a complaint is: Autoriteit Persoonsgegevens (https://www.autoriteitpersoonsgegevens.nl).
Vavo Web3 will not keep your personal data longer than the mandatory statutory retention period or, if such a mandatory statutory retention period does not apply, no longer than is strictly necessary to achieve the purposes for which your personal data were collected or processed.
Criteria for data retention
Vavo Web3 retains personal data processed to execute any agreement with you as long as the term of such agreement. Vavo Web3 retains personal data processed to comply with a legal obligation, as long as such legal obligation applies to Vavo Web3. Vavo Web3 retains personal data processed to protect any legitimate interest (as described in this Privacy Notice) for as long as necessary to achieve such protection. If Vavo Web3 has asked for your (explicit) consent for any processing of your personal data, Vavo Web3 retains your personal data until you withdraw your (explicit) consent or until your (explicit) consent can be deemed expired and you have not renewed such (explicit) consent.
In addition to the legal obligations already mentioned in this Privacy Notice, Vavo Web3 has the legal obligations to (keep) retaining personal data to the extent relevant for tax purposes (pursuant to Article 52 of the Dutch General Tax Act): 7 years after the latest relevant calendar year.
Vavo Web3 may update this Privacy Notice. Any update of the Privacy Notice will apply after announcing the update on our website www.bitvavo.com or any other official communication channel. If the change to the Privacy Notice concerns a fundamental change to the nature of the processing (e.g. a new category of sensitive data processed) or if the change may be relevant to and impact upon you, Vavo Web3 will inform you of changes to the Privacy Notice, explicitly and effectively, well in advance of the change actually taking effect.
This Privacy Notice is effective as of the date indicated and listed at the beginning of this document and may be updated or amended at any time, including to reflect material changes. Any such updates take effect upon publication on our website www.bitvavo.com, where the current version of this Privacy Notice is made available.
Trading digital assets involves significant risks. Digital assets are highly volatile and you may lose some or all of your investment. The information on this page does not constitute advice, and should not be relied upon as such.
The Web3 wallet is provided by Vavo Web3 Limited, a separate entity from Bitvavo B.V. This service is not regulated under Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA), and the protections afforded to users of regulated services may not apply to you.
Vavo Web3 Limited is registered at Park Place, 55 Par-la-Ville, Hamilton HM 11, Bermuda, company registration number 202606004.
Please review the full User Terms of Service, Privacy Notice, and Pricing Policy before using the Web3 wallet.