PrivacyNotice

Effective date: 23 May 2026.

Controller and contact

The controller of personal data processed in connection with this site and its intake channels is XELTRUS LLC, a limited liability company organized under the laws of the State of New Mexico, United States, with principal office in New Mexico. Privacy-related correspondence may be directed to or via the form on our contact page.

For data subjects located in the European Economic Area or the United Kingdom: XELTRUS LLC has appointed an Article 27 GDPR representative for the purpose of receiving communications from supervisory authorities and data subjects. The representative’s contact details are available on request to the address above and will be published here once the appointment is finalised.

Categories of personal data we receive

Through the channels published on this site, XELTRUS receives, in the ordinary course of intake review, the following categories of personal data:

• Identifying data voluntarily submitted by inquirers: name, role, jurisdiction, email address, telephone number, and where applicable the identity of the represented claimant.
• Narrative case data: written descriptions of the matter for which assessment is requested, which may include allegations of criminal conduct by identified or identifiable third parties.
• Documentary attachments: communications, transaction records, marketing materials, contractual documents, and similar items relevant to the matter, which may incidentally contain personal data of third parties.
• On-chain references: blockchain addresses, transaction hashes, and contract identifiers voluntarily submitted by inquirers.
• Technical data automatically collected by our hosting infrastructure: IP address, browser user-agent, request path, and timestamp of each request, recorded in standard server access logs.

Some categories above may qualify as special category data under Article 9 GDPR or as sensitive personal information under US state privacy laws, in particular where a narrative discloses health information, criminal-allegation data, or financial-account identifiers. XELTRUS processes such data only where strictly necessary for the inquiry and applies enhanced safeguards.

What we do not collect, and what you should not transmit

XELTRUS does not request, and inquirers should not transmit, the following in initial correspondence:

• Private keys, seed phrases, or wallet recovery material of any kind.
• Account credentials for custodial exchanges, wallets, or related services.
• Identification documents that are not directly relevant to the matter under inquiry.

Where such material is mistakenly transmitted, it is not used, is not retained beyond the time required to identify and remove it, and is permanently deleted under documented procedure.

Purposes and lawful basis

Personal data is processed for the following purposes, under the following lawful bases:

• Reviewing intake inquiries and preparing the written viability assessment — lawful basis: Article 6(1)(b) GDPR (processing necessary in order to take steps at the request of the data subject prior to entering into a contract); for special category data, Article 9(2)(f) GDPR (establishment, exercise, or defence of legal claims).
• Coordinating with retained counsel where engagement is undertaken — lawful basis: Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interests in conducting the engaged matter); for special category data, Article 9(2)(f) GDPR.
• Maintaining the integrity of forensic and evidentiary work-product — lawful basis: Article 6(1)(c) GDPR (compliance with legal record-keeping obligations applicable to the engaged counsel) and Article 6(1)(f) GDPR (legitimate interests).
• Operating, securing, and defending the site itself — lawful basis: Article 6(1)(f) GDPR (legitimate interests in the integrity and security of the service).

For data subjects in California and other US states with comparable statutes, the purposes above correspond to the business purposes of providing the requested service, maintaining service integrity, and complying with applicable record-keeping and legal-claims-related obligations.

Recipients and processors

Personal data is disclosed only to the following categories of recipients:

• XELTRUS personnel bound by written confidentiality obligations.
• Independent counsel retained in connection with an engaged matter, under written engagement directly with the claimant and subject to attorney professional-conduct obligations.
• Service providers acting as processors under written data-processing agreements consistent with Article 28 GDPR, including:
  • our hosting provider (server infrastructure located in the United States);
  • our transactional email provider (United States);
  • Google LLC (United States) for the limited purpose of delivering web fonts to the visitor’s browser via the Google Fonts service — see Cookies, fonts, and technical loading below.
• Public authorities where disclosure is required by applicable law, including in response to lawful process.

XELTRUS does not sell, rent, or trade personal data. XELTRUS does not share personal data with advertisers, ad networks, or data brokers. XELTRUS does not engage in cross-context behavioral advertising.

International data transfers

XELTRUS is established in the United States and operates its infrastructure in the United States. Personal data submitted by data subjects located in the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions outside the United States is transferred to the United States as a necessary consequence of inquiring with a US-based service provider.

For transfers from the EEA, UK, or Switzerland: XELTRUS relies on the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), supplemented where necessary by additional technical, contractual, and organisational measures identified through a Transfer Impact Assessment in light of the Schrems II jurisprudence. Where a recipient is self-certified under the EU–US Data Privacy Framework (and its UK Extension and Swiss–US framework), that mechanism is relied upon. A copy of the safeguards applicable to any specific transfer is available on request to the contact address above.

Retention

Retention periods are determined by the purpose of processing:

• Declined inquiries: intake correspondence and attachments are deleted within twelve (12) months of the decision not to engage, unless retention is required to defend against a potential legal claim arising from the inquiry, in which case retention extends only as long as necessary for that purpose.
• Engaged matters: matter records are retained for the duration of the engagement and for seven (7) years thereafter, consistent with US litigation-hold practice and with record-keeping obligations applicable to engaged counsel.
• Server access logs: retained for ninety (90) days for operational and security purposes; longer where a specific security incident requires investigation.
• Privacy-rights request records: retained for the period required by applicable law to demonstrate compliance with the request.

Security

XELTRUS applies technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include transport-layer encryption (TLS) for all site traffic, encryption at rest for stored case material, role-based access controls, documented access logging, multi-factor authentication for administrative access, and written information-security procedures. No system is perfectly secure; XELTRUS does not represent that submitted material is invulnerable to unauthorised access, but operates under documented procedures designed to minimize exposure.

In the event of a personal data breach, XELTRUS will notify the competent supervisory authority without undue delay and, where required, within seventy-two (72) hours of becoming aware of the breach (Article 33 GDPR), and will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR). XELTRUS will additionally comply with applicable US state breach-notification laws, including the New Mexico Data Breach Notification Act.

Cookies, fonts, and technical loading

This site does not set first-party cookies and does not deploy any third-party analytics, advertising, or tracking cookies. No consent banner is presented because no consent-requiring storage takes place.

This site does load web fonts from the Google Fonts service (fonts.googleapis.com and fonts.gstatic.com), operated by Google LLC in the United States. The loading of these fonts transmits the visitor’s IP address and user-agent to Google. No cookies are set by Google in connection with this font loading. Visitors who do not wish their IP address to be transmitted to Google in connection with font loading may use a browser configured to block requests to those hostnames. XELTRUS is evaluating the migration to self-hosted fonts as a forward-looking measure to eliminate this transfer.

Server-level access logs maintained by our hosting provider include the IP address, request path, user-agent, and timestamp of each request, processed under Article 6(1)(f) GDPR for operational and security purposes and retained as described under Retention above.

Do Not Track: this site does not respond differently to Do Not Track browser signals because no cross-context tracking occurs in any configuration.

Your rights under the GDPR (EEA, UK, Switzerland)

Where the GDPR or equivalent law applies, you have the right to:

• request access to your personal data (Art. 15);
• request rectification of inaccurate personal data (Art. 16);
• request erasure of your personal data (Art. 17), subject to the limitations applicable to legal-claims data;
• request restriction of processing (Art. 18);
• request portability of personal data you provided (Art. 20);
• object to processing based on legitimate interests (Art. 21);
• withdraw any consent previously given, without affecting the lawfulness of processing carried out before withdrawal;
• lodge a complaint with a supervisory authority in your EU Member State, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner, as applicable.

No decisions producing legal or similarly significant effects are made about you on a solely automated basis (Art. 22).

Your rights under US state privacy law

Residents of California, Virginia, Colorado, Connecticut, Texas, Utah, and other US states with comprehensive privacy statutes have, depending on residence, the right to: (i) know what personal information is collected and the purposes of collection; (ii) access a copy of personal information held; (iii) correct inaccurate personal information; (iv) request deletion of personal information; (v) opt out of sale or sharing of personal information for cross-context behavioral advertising; (vi) limit the use of sensitive personal information; (vii) not be subject to discriminatory treatment for exercising these rights; (viii) appeal a denied request. XELTRUS does not sell or share personal information within the meaning of the CCPA/CPRA or comparable statutes. Authorised agents may submit requests on behalf of a data subject upon documented authorisation.

To exercise any of the rights above, contact or use the form on our contact page. XELTRUS will verify the requester’s identity proportionate to the sensitivity of the request and respond within the period required by the applicable statute.

Children

This site is not directed to children under the age of thirteen (13), and XELTRUS does not knowingly collect personal data from children. If you believe a child has submitted personal data to XELTRUS, please contact or use the form on our contact page and the data will be deleted.

Updates

This privacy notice may be updated from time to time. Material updates will be published on this page with a revised effective date.