Privacy Policy

Buzko Krasnov LLC, a law firm organized under the laws of the State of New York (“Buzko Krasnov,” “we,” or “us”), is committed to safeguarding the privacy of individuals whose Personal Data we process. This includes visitors to our website at buzko.legal (“Website”), contacts for clients and prospective clients, contacts for suppliers and service providers, candidates for employment, and any other individuals whose Personal Data we obtain in the course of our business (each, “you”). This Privacy Policy describes how and why we collect, use, and share Personal Data and explains your rights regarding that data. “Personal Data” means any information relating to an identified or identifiable natural person.

Buzko Krasnov LLC is the data controller for the Personal Data described in this Privacy Policy. We are committed to processing Personal Data in compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other laws described in Section 11.

This Privacy Policy applies to Personal Data we process in connection with our legal services, our Website, and our business operations, including recruitment. Local-language versions of our Website may be subject to additional privacy terms reflecting local legal requirements.

1. Information We Collect

We collect Personal Data from multiple sources, either directly from you or from clients, colleagues, agents, and publicly available sources. The categories of Personal Data we collect include:

Contact and identification data: name, gender, organization, title, job responsibilities, phone number, mailing address, email address, and social media identifiers.
Financial data: bank account information and invoicing details.
Client service data: Personal Data provided by or on behalf of clients regarding their employees, customers, counterparties, or other individuals, in connection with our legal services.
Compliance data: government-issued identifiers, passport or identification document copies, beneficial ownership data, and due diligence information.
Recruitment data: identification and contact information, resume or curriculum vitae, and data obtained from recruiters or recruitment platforms.
Device and usage data: Internet Protocol (IP) address, device identifiers, browser type, and usage data related to the Website.

We do not intentionally collect Personal Data from children under 16 years of age. If you believe that we have inadvertently collected such data, please contact us using the details in Section 13.

2. How We Use Personal Data

We use Personal Data for the following purposes:

Provision of legal services. We process Personal Data voluntarily submitted during our engagement, including sharing with third parties such as experts, courts, and professional advisers, as necessary to perform our contractual obligations (Article 6(1)(b) GDPR).
Responding to inquiries. We process contact and identification data provided when you contact us with a question or inquiry, based on our legitimate interest in responding to potential clients and business contacts (Article 6(1)(f) GDPR).
Management of business and client relationships. We use contact, financial, and service data for invoicing, client and vendor relationship management, and record-keeping, as necessary to perform our contractual obligations (Article 6(1)(b) GDPR).
Marketing and business development. We may communicate with you regarding events, seminars, legal updates, client conferences, and networking events. For existing clients and contacts, we rely on our legitimate interest in maintaining professional relationships (Article 6(1)(f) GDPR). For electronic marketing (email, newsletters), we provide an opt-out mechanism in each communication. Where applicable law requires prior consent for electronic marketing, we will obtain your consent before sending such communications.
Keeping our Website and IT systems safe. We use identification, contact, financial, and device data to monitor Website usage and detect fraud, crimes, and misuse, based on our legitimate interest in ensuring safe use of our systems (Article 6(1)(f) GDPR).
Complying with legal or regulatory obligations. We process identification, contact, financial, compliance, and device data for anti-money laundering compliance, fraud detection, statutory returns, and professional ethical obligations, as necessary for compliance with legal obligations (Article 6(1)(c) GDPR).
Recruitment. We collect and process recruitment data for screening, evaluating, and hiring candidates, and for related record-keeping and compliance. Where you have applied for a position, processing is necessary to take steps at your request prior to entering into a contract (Article 6(1)(b) GDPR). Compliance data may be processed to meet legal requirements (Article 6(1)(c) GDPR).

Special categories of Personal Data. In the course of providing legal services, we may process Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or health data, to the extent necessary to establish, exercise, or defend legal claims (Article 9(2)(f) GDPR) or where you have given explicit consent (Article 9(2)(a) GDPR). We may also process data concerning criminal convictions and offenses where necessary for the establishment, exercise, or defense of legal claims or as otherwise authorized under applicable law (Article 10 GDPR).

Automated decision-making. We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

3. How We Share Personal Data

We may share your Personal Data with the following categories of recipients:

Affiliates. We share Personal Data with affiliated offices to provide legal services and administer client relationships, including invoicing and business development.
Suppliers and service providers. We share Personal Data with vendors who process data on our behalf under written agreements, including IT service providers (such as website hosting and analytics), payment processors (such as Stripe), scheduling platforms (such as Calendly), workflow automation tools (such as Zapier), team communication platforms (such as Slack), financial institutions, and third-party event organizers. These vendors are contractually required to process Personal Data only on our instructions, to implement appropriate technical and organizational security measures, and to notify us without undue delay upon becoming aware of a personal data breach affecting your data.
Business transfers. In connection with any reorganization, merger, acquisition, or transfer of assets, we may transfer Personal Data to the extent permitted by applicable data protection law. We will take reasonable steps to ensure that any such transfer is conducted in compliance with applicable data protection law.
Legal and regulatory disclosures. We may share Personal Data with law enforcement, regulatory, or government agencies in response to lawful requests, subpoenas, court orders, or other legal processes, or to establish, exercise, or defend legal claims.

4. Marketing Choices

You have control over how we use your Personal Data for marketing purposes. Where required by applicable law (including the ePrivacy Directive for electronic communications in the EEA), we obtain your consent before sending marketing communications. In all cases, you may opt out of receiving marketing communications at any time by:

following the unsubscribe link in the relevant communication; or
contacting us at info@buzko.legal.

If you opt out, we will retain your contact details on a suppression list and take reasonable steps to ensure we do not contact you again for marketing purposes, based on our legitimate interest in honoring opt-out requests and preventing future unwanted contact (Article 6(1)(f) GDPR). We retain suppression list data indefinitely for this purpose.

5. Your Rights

If you are located in the European Economic Area (“EEA”), you have the following rights under the GDPR:

Access — Right to request a copy of the Personal Data we hold about you.
Rectification — Right to request correction of inaccurate or incomplete Personal Data.
Erasure — Right to request deletion of your Personal Data, subject to our legal obligations to retain certain data. If you have opted out of marketing communications, we will retain your email address on our suppression list (Section 4) even after an erasure request, to ensure we do not inadvertently re-contact you.
Restriction — Right to request that we restrict processing of your Personal Data in certain circumstances.
Portability — Right to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible.
Objection — Right to object to processing based on our legitimate interests, including direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds.
Withdrawal of consent — Where we rely on your consent, you may withdraw it at any time, free of charge, without affecting the lawfulness of processing carried out prior to withdrawal.

you also have the right to lodge a complaint with your local data protection authority (for example, la Commission Nationale de l’Informatique et des Libertés (CNIL) in France or the Berliner Beauftragte für Datenschutz in Germany) if you believe that we have not complied with applicable data protection laws.

These rights may be limited where we have overriding legitimate interests or legal obligations to continue processing — including the establishment, exercise, or defense of legal claims (Article 17(3)(e) GDPR) — or where data is subject to legal professional privilege or professional secrecy obligations.

To exercise these rights, you should:

Email info@buzko.legal;
Provide sufficient information to verify your identity (such as confirming your name and email address associated with our records); and
Provide information relating to your request.

We may request additional verification where we have reasonable doubts about your identity, but will ensure that any such request is proportionate to the Personal Data we hold about you.

We will respond to your request within one month of receipt. In complex cases or where we receive a high volume of requests, we may extend this period by a further two months; in that event, we will notify you within the first month and explain the reason for the extension (Article 12(3) GDPR).

6. Information from Third-Party Sources

For individuals located in the EEA, where we obtain Personal Data about you from sources other than you directly (for example, from our clients, professional contacts, recruiters, or publicly available sources), we will provide you with the information in this Privacy Policy:

within one month of obtaining the data;
at our first communication with you, if earlier; or
at the time we first disclose the data to another recipient, if earlier.

We may be exempt from this obligation where providing such information would be impossible or involve disproportionate effort, or where processing is required by law or subject to professional secrecy obligations (Article 14(5) GDPR).

7. Data Security

We have implemented technical and organizational security measures to safeguard Personal Data in our custody and control. These measures include restricted access to Personal Data on a need-to-know basis and administrative, technical, and physical safeguards.

While we take reasonable steps to protect Personal Data, no method of transmission over the Internet or electronic storage is completely secure. We encourage you to exercise caution when communicating sensitive information electronically. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at info@buzko.legal.

In the event that we become aware of circumstances suggesting a personal data breach, we will take appropriate steps in accordance with applicable law. In the event of a confirmed personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 GDPR). Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34 GDPR), unless an exemption applies (for example, where measures such as encryption render the affected data unintelligible to any unauthorized person). Our breach notification will include, where available, a description of the measures taken or proposed to address the breach and mitigate its possible adverse effects.

8. International Data Transfers

Buzko Krasnov LLC is based in the United States. When you provide Personal Data to us or we otherwise process your data, it may be transferred to, stored in, or accessed from the United States or other countries that may not provide the same level of data protection as your home jurisdiction.

For transfers of Personal Data from the EEA to the United States or other countries not subject to an EU adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as our primary transfer mechanism. We conduct transfer impact assessments where required and, where elevated risks are identified, implement supplementary technical and organizational measures — such as encryption in transit and at rest and access controls — designed to provide appropriate safeguards for your Personal Data.

9. Data Retention

We retain Personal Data only as long as necessary for the purposes described in this Privacy Policy or as required by applicable law. The following retention criteria apply:

10. Cookies and Website Analytics

Our web server automatically records certain technical information in server access logs, including IP addresses, browser type, and access times, for security and troubleshooting purposes. These logs are retained for 90 days and then deleted.

For website analytics, we use Plausible Analytics, a privacy-focused analytics service that does not use cookies or collect Personal Data. Plausible does not track individual visitors, does not store information in your browser, and generates only aggregate statistics about website usage.

We do not use advertising cookies, tracking pixels, or third-party analytics services that place cookies on your device. Accordingly, no cookie consent mechanism is required for our Website.

11. Additional Disclosures for Specific Jurisdictions

California (United States). If you are a California resident, the California Online Privacy Protection Act (CalOPPA) applies to your use of our Website. This Privacy Policy is our CalOPPA disclosure. We do not respond to “Do Not Track” browser signals, as there is no industry-standard technology for recognizing such signals. We do not sell or share your Personal Data for cross-context behavioral advertising. If you would like to review or change the Personal Data we hold about you, please contact us using the details in Section 13.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. Where we make material changes, we will notify you by posting the updated Privacy Policy on our Website and, where practicable, by email. We encourage you to review this Privacy Policy periodically.

13. Contact Us

For questions, concerns, or suggestions regarding this Privacy Policy or our data processing practices, please contact us:

Buzko Krasnov LLC

Email: info@buzko.legal

We have not appointed a Data Protection Officer, as we do not fall within the categories of controllers required to designate a DPO under Article 37 GDPR.