Data Protection Policy of historicalbureau.com, Oleg Verbliudov the Genealogist, Historical Bureau LLC in accordance with GDPR
Effective date: 22 June 2026.
1. Introduction
This Data Protection Policy explains how HISTORICAL BUREAU LLC ("we", "us", "our", "the Company") collects, uses, discloses, and protects personal data in connection with the website https://historicalbureau.com/ (the "Website") and our genealogical and archival research services (the "Services").
We process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"). We voluntarily extend these privacy standards to all individuals located in the European Union or the European Economic Area (Art. 3(2) GDPR) and worldwide, ensuring a uniform and high level of data protection regardless of your geographic location.
2. Data Controller
The controller of your personal data is:
HISTORICAL BUREAU LLC
5830 E 2nd St, Ste 7000 #23654
Casper, WY 82609, USA
Telegram: https://t.me/HistoricalBureau
WhatsApp: https://wa.me/380677910007, +380677910007
E-mail: info@historicalbureau.com
For all matters concerning personal data, including exercising your rights under Section 13, contact us at the e-mail address above.
3. Scope of This Policy
This Policy applies to personal data of living individuals: our clients and prospective clients, visitors of the Website, and living persons whose data appears in the course of genealogical or archival research (for example, persons named in a power of attorney or in recent civil status records).
The GDPR protects living individuals only. Data relating to deceased persons falls outside the GDPR (Recital 27 GDPR). Section 10 explains how we treat historical records in practice.
4. Personal Data We Collect
We collect only the minimum data necessary to provide the Services:
- Correspondence data. Your e-mail address and the content of e-mails you send us, and/or messages you exchange with us via Telegram or WhatsApp, including your name, contact details, and the information about your family history that you choose to share for the purpose of research. Webforms used on the website do not store any data. Data entered into our website forms remains strictly temporary and clears entirely upon closing or reloading the webpage.
- Research mandate data. Where the Services require it, identity data of the client or of persons named in a power of attorney (name, date of birth, passport or ID details, addresses), used solely for tracing and obtaining legal and archival documents on your behalf.
- Financial data. Payment records (payer name, amount, date, payment reference) that we are legally required to keep for tax and accounting purposes.
- Website analytics data. Pseudonymous usage data collected by Google Analytics cookies, only if you accept them (see Section 7).
5. What We Deliberately Avoid
We keep our data footprint minimal by design:
- We maintain no database of living persons — no CRM system, no mailing lists, no marketing profiles.
- We send no newsletters or marketing e-mails.
- We perform no automated decision-making or profiling within the meaning of Art. 22 GDPR.
- We never sell personal data.
Your personal data exists with us only in the form of our direct correspondence (e-mail, Telegram, WhatsApp) and legally mandated financial records.
6. Purposes and Legal Bases of Processing
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Responding to your enquiry and providing the Services (genealogical and archival research, document retrieval and obtaining from the competent authorities, translation coordination) | Correspondence data, research mandate data | Art. 6(1)(b) — performance of a contract or pre-contractual steps at your request |
| Tax accounting and compliance with financial legislation | Financial data | Art. 6(1)(c) — compliance with a legal obligation |
| Website audience measurement (Google Analytics) | Analytics cookies data | Art. 6(1)(a) — your consent, freely given via the cookie banner and revocable at any time |
| Establishing, exercising, or defending legal claims | Correspondence and financial data, as relevant | Art. 6(1)(f) — our legitimate interest in legal protection |
8. Payment Processing
Payments for the Services are processed by third-party payment providers acting as independent controllers of your payment data under their own privacy policies:
- Wise (Wise Payments Ltd. and affiliates)
- Monobank (Universal Bank JSC, Ukraine)
- PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A. / PayPal Inc.)
- Cryptocurrency payments, where transaction data is recorded on the respective public blockchain
We receive from these providers only the information necessary to confirm payment and to meet our tax obligations (Section 4). We store no card numbers or full banking credentials.
Please note that cryptocurrency blockchains are public and immutable by design; wallet addresses and transaction records on a blockchain remain permanently visible and lie outside our control.
9. Disclosure to Third Parties
Fulfilling a research mandate may require sharing personal data with third parties involved in tracing and obtaining legal documents on your behalf:
- state and municipal archives, civil registry offices, city and village councils and other governmental and local authorities;
- public notaries;
- lawyers and legal representatives;
- translation agencies;
- persons named in a power of attorney issued by the client.
The 76-year rule. We share personal data contained in the records we research only where the records are younger than 76 years — the threshold under Ukrainian archival legislation at which the persons concerned are presumed to be living and the records remain under restricted access. Such disclosure occurs strictly to the extent necessary to fulfil our contractual obligation to trace and obtain legal documents on behalf of the client (Art. 6(1)(b) GDPR) or where the receiving authority requires it by law (Art. 6(1)(c) GDPR).
For records older than 76 years, the persons concerned are presumed deceased, the records are publicly accessible archival material, and we share no personal data of living persons in connection with them.
Client identity data. Independently of the age of the records, identity data of the client or of persons named in a power of attorney (Section 4) may be disclosed to notaries, authorities, and archives where such disclosure is a legal or procedural precondition for obtaining the requested documents. This disclosure rests on Art. 6(1)(b) and, where mandated, Art. 6(1)(c) GDPR.
Each recipient receives only the data strictly necessary for its role, in line with the data minimisation principle (Art. 5(1)(c) GDPR).
10. Historical Records and Deceased Persons
Our core activity is genealogical research and archival intelligence into historical records. The GDPR applies to living individuals only (Recital 27 GDPR); data of deceased persons falls outside its scope.
Where a record may concern a living person — in practice, any record younger than 76 years — we treat all personal data in it as protected under this Policy and apply the safeguards described in Section 9.
Research results are delivered to the client and stored only within our correspondence with the client (Section 4). We build no separate research database.
11. International Data Transfers
The Company is established in the United States, our research operations are based in Ukraine, and the Website is hosted by Hostinger on servers located in the Netherlands (EU).
Because our correspondence with you is inherently cross-border, personal data of EU/EEA residents may be transferred outside the EU/EEA — in particular to the USA and Ukraine. Such transfers rest on:
- Art. 49(1)(b) GDPR — the transfer is necessary for the performance of the contract between you and us, or for pre-contractual steps taken at your request;
- for e-mail, messaging, and analytics providers (Google, Meta/WhatsApp, Telegram): the providers' own transfer mechanisms, including the EU–US Data Privacy Framework and Standard Contractual Clauses;
- for Ukraine: Ukraine's Law "On Personal Data Protection" No. 2297-VI, which provides data protection guarantees modelled on European standards.
12. Data Retention and Deletion
- Telegram and WhatsApp messages. You control these yourself: both platforms let you delete messages for both sides of the conversation at any time.
- E-mails. We retain correspondence for as long as needed to provide the Services and handle follow-up questions. Upon your request, we delete your e-mails from all our servers (Section 13).
- Financial data. Retained for the period required by applicable tax and accounting legislation; after this statutory period (7 years) expires, the data is deleted.
- Analytics data. Retained according to the Google Analytics retention settings and deleted or aggregated thereafter.
13. Your Rights
Under the GDPR you have the right to:
- Access your personal data (Art. 15);
- Rectification of inaccurate data (Art. 16);
- Erasure ("right to be forgotten", Art. 17) — including deletion of your e-mails from all our servers; erasure of financial data becomes possible after the statutory tax retention period expires;
- Restriction of processing (Art. 18);
- Data portability (Art. 20);
- Object to processing based on legitimate interests (Art. 21);
- Withdraw consent at any time, with effect for the future (Art. 7(3)) — e.g., for analytics cookies;
- Lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement (Art. 77).
To exercise any of these rights, e-mail us at info@historicalbureau.com. We respond within one month (Art. 12(3) GDPR). We may ask you to confirm your identity where reasonably necessary to protect your data.
14. Data Security
We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR): TLS encryption of the Website and e-mail in transit, end-to-end or transport encryption of messenger communications provided by Telegram and WhatsApp, access to correspondence limited to personnel involved in your case, and EU-based hosting infrastructure.
Our minimal-data approach (Section 5) is itself a core security measure: data that we never collect or store can never be breached.
15. Children
Our Services are directed at adults. We knowingly collect data of persons under 16 only where it appears in civil records requested by an adult client (e.g., a birth record of a client's child), processed under Section 9.
16. EU Representative
Our processing of EU residents' data is occasional, small in scale, includes no large-scale processing of special categories of data (Art. 9 GDPR) or criminal-conviction data (Art. 10 GDPR), and is unlikely to result in a risk to the rights and freedoms of natural persons. On this basis we rely on the exemption in Art. 27(2)(a) GDPR from the obligation to designate a representative in the EU. All requests are handled directly by the controller (Section 2).
17. Changes to This Policy
We may update this Policy to reflect changes in our Services or in the law. The current version is always published on this page with its effective date (Section 1). Material changes affecting ongoing engagements will be communicated to affected clients by e-mail or messenger.
18. Contact
Questions about this Policy or our data practices: info@historicalbureau.com.