The cookie statement explains how Bitvavo uses cookies to secure and improve its services.
Version of: 30 March 2026
When you visit www.bitvavo.com, use any related website or use the Bitvavo app, Bitvavo might use cookies and similar technologies to collect information about you. Since Bitvavo B.V. (“Bitvavo”) respects your privacy and makes it a high priority to handle your (personal) data with care, this “Cookie Statement” explains what these technologies are and why we use them, as well as your rights to control our use of them.
We are responsible for the use of cookies on our websites and applications. To get in contact with Bitvavo about our use of cookies, please refer to the contact details provided at the bottom of this Cookie Statement.
This Cookie Statement is part of, and utilizes certain terms that are defined in the User Agreement.
Cookies are small text files that websites place on your device as you are browsing. They are processed and stored by your web browser. A cookie enables data (potentially including personal data) to be stored on and retrieved from your device.
In and of themselves, cookies are harmless and are widely used for the proper functioning of a website, to make the website more efficient, as well as to provide information to website owners. Cookies can also generally be easily viewed and deleted.
The length of time a cookie will stay on your browsing device depends on whether it is a persistent or session cookie as both explained below:
Session cookies: These cookies are temporary and expire once you close your browser (or once your session ends).
Persistent cookies: This category encompasses all cookies that remain on your hard drive until you erase them or your browser does, depending on the cookie’s specific retention period (mentioned under section 3).
Cookies could be placed by several parties as explained below:
First-party cookies: Are put on your device directly by the website you are visiting.
Third-party cookies: Are the cookies that are placed on your device, not by the website you are visiting, but by a third party like an advertiser or an analytic system.
Please note that, although we use (some of) the information collected by third-party cookies, we do not control the types of information collected and stored by third-party cookies themselves. If you want more information on this, please check the third-party's website for more information on how they use cookies.
Bitvavo uses cookies for functional, analytical and marketing purposes.
Some cookies used for analytical or marketing purposes enable the storage and retrieval of personal data on your device. For example, cookies used to show you advertisements and other relevant information about topics of interest to you, to carry out campaign analysis and to approach target audiences. We will ask your consent before we use these types of cookies.
Set out below is a list of the cookies we currently use per category, the provider of these cookies, the purposes for which we use them, the lifespan of each cookie and the legal ground for the processing of personal data via these cookies.
A number of the cookies we place are essential to ensure the proper technical functioning of our Website. Other cookies are used to provide website functionalities such as the possibility to save or remember preferred settings. These functional cookies are limited to cookies that are strictly necessary for the operation, security, and core functionality of our Website and Services.
We process the following functional cookies:
Name | Source (Domain) | Purpose | Expiration | Legal ground |
kndctr_* | Adobe (.auth.bitvavo.com) | Mediates the propagation of consent signals across integrated third-party SDKs. | 1 year | Legitimate interest |
_legacy_auth0.* | Auth0/Bitvavo (account.bitvavo.com) | Preserves authentication payload state across degraded or legacy browser environments. | 1 year | Legitimate interest |
auth0 | Auth0/Bitvavo (login.bitvavo.com) | Stores encrypted JSON Web Tokens (JWT) to cryptographically validate authorization state. | Session | Legitimate interest |
auth0.cfl2mo4... | Auth0/Bitvavo (account.bitvavo.com) | Caches internal protocol flags to regulate secure subdomain authorization flows. | 1 year | Legitimate interest |
auth0_compat | Auth0/Bitvavo (login.bitvavo.com) | Mirrors authorization state to support environments lacking SameSite=None support. | Session | Legitimate interest |
did | Auth0/Bitvavo (login.bitvavo.com) | Asserts hardware-level identity signatures to execute real-time threat detection algorithms. | Session | Legitimate interest |
did_compat | Auth0/Bitvavo (login.bitvavo.com) | Mirrors hardware signatures to preserve security models across legacy browser engines. | Session | Legitimate interest |
ab.storage.userId.* | Bitvavo (.bitvavo.com) | Binds experimental feature flags to authenticated user principals. | ~2 years | Legitimate interest |
anonymousId | Bitvavo (.bitvavo.com) | Facilitates stateless event buffering prior to formal identity resolution. | ~1 month | Legitimate interest |
auth0_device_id | Bitvavo (.bitvavo.com) | Issues a persistent cryptographic salt to establish trust for Multi-Factor Authentication. | ~1 year | Legitimate interest |
bitvavo-consent-settings | Bitvavo (.bitvavo.com) | Persists explicit user data processing directives to enforce client-side tracking logic. | ~6 months | Legitimate interest |
country | Bitvavo (.bitvavo.com) | Maps resolved IP geolocations to ensure compliance with regional regulatory boundaries. | Session | Legitimate interest |
locale | Bitvavo (.bitvavo.com) | Reads stored locale preferences to execute localized UI rendering pipelines. | ~1 year | Legitimate interest |
user_in_session_since | Bitvavo (account.bitvavo.com) | Records a temporal epoch to enforce strict session timeout and token rotation policies. | 1 year | Legitimate interest |
userId | Bitvavo (.bitvavo.com) | Binds the active session context to the primary key of the central user database. | 1 year | Legitimate interest |
__cf_bm | Cloudflare (.bitvavo.com) | Employs client-side heuristics to filter adversarial bot requests and maintain service availability. | ~30 mins | Legitimate interest |
__cf_bm | Cloudflare (.t.co) | Employs client-side heuristics to filter adversarial bot requests and maintain service availability. | ~30 mins | Legitimate interest |
__cf_bm | Cloudflare (.twitter.com) | Employs client-side heuristics to filter adversarial bot requests and maintain service availability. | ~30 mins | Legitimate interest |
cf_clearance | Cloudflare (.bitvavo.com) | Issues cryptographic proof-of-work tokens to bypass upstream Web Application Firewalls. | 1 year | Legitimate interest |
dpr | Facebook (.facebook.com) | Transmits client hardware capabilities (pixel ratio) to optimize media payload delivery. | Session | Legitimate interest |
oo | Facebook (.facebook.com) | Asserts a dominant boolean flag to structurally suppress downstream data ingestion. | 5 years | Consent |
wd | Facebook (.facebook.com) | Transmits viewport dimensions to dynamically render responsive third-party iframes. | ~4 days | Legitimate interest |
AEC | Google (.google.com) | Ingests behavioral signals to detect anomalous traffic and mitigate spam vectors. | ~6 months | Legitimate interest |
HSID | Google (.google.com) | Deploys cryptographic signatures to associate ad interactions with authenticated accounts. | ~13 months | Legitimate interest |
HSID | Google (.google.nl) | Deploys cryptographic signatures to associate ad interactions with authenticated accounts. | ~13 months | Legitimate interest |
SOCS | Google (.google.com) | Archives explicit user consent resolutions to halt restricted data processing paths. | ~13 months | Legitimate interest |
_okta_original_* | Okta/Bitvavo (.auth.bitvavo.com) | Caches identity provider routing parameters to ensure seamless SSO handshake completion. | 1 year | Legitimate interest |
OptanonAlertBoxClosed | OneTrust (.auth.bitvavo.com) | Registers an interaction timestamp to suppress redundant display of the CMP interface. | 1 year | Legitimate interest |
OptanonConsent | OneTrust (.auth.bitvavo.com) | Encodes user privacy selections into a standard string to gate external data transfers. | 1 year | Legitimate interest |
tt_csrf_token | TikTok (.tiktok.com) | Generates randomized cryptographic nonces to mitigate cross-site request forgery attacks. | Session | Legitimate interest |
We use analytical cookies to collect information about how you use our Website. The information these cookies collect is used to obtain information about the quality or effectiveness of our Website. The data we collect via analytical cookies can include which web pages you go to most often, how much time you spend on that page, or if you get error messages from certain pages.
We process the following analytical cookies:
Name | Source (Domain) | Purpose | Expiration | Legal ground |
AF_SYNC | Appsflyer (.bitvavo.com) | Facilitates payload synchronization between segmented marketing data silos. | ~7 days | Consent |
af_id | Appsflyer (.appsflyer.com) | Resolves probabilistic mobile-to-web pathways to validate acquisition funnels. | ~13 months | Consent |
af_id | Appsflyer (.onelink.me) | Resolves probabilistic mobile-to-web pathways to validate acquisition funnels. | ~13 months | Consent |
afUserId | Appsflyer (.bitvavo.com) | Associates device-level metadata with external customer acquisition profiles. | ~13 months | Consent |
mp_*_mixpanel | Appsflyer (.appsflyer.com) | Assigns a distinct ID to track granular user events and product usage across sessions for behavioral analytics. | ~1 year | Consent |
ab.storage.deviceId.* | Bitvavo (.bitvavo.com) | Provisions stable device-level identifiers for granular feature experimentation. | ~2 years | Legitimate interest |
ab.storage.sessionId.* | Bitvavo (.bitvavo.com) | Correlates user actions within a bounded temporal window for A/B test routing. | ~2 years | Legitimate interest |
_ga | Google Analytics (.appsflyer.com) | Aggregates behavioral telemetry to construct session graphs for cross-platform analytics. | ~13 months | Consent |
_ga | Google Analytics (.bitvavo.com) | Aggregates behavioral telemetry to construct session graphs for platform analytics. | ~13 months | Consent |
_ga_* | Google Analytics (.appsflyer.com) | Persists deterministic state variables to maintain analytic session integrity. | ~13 months | Consent |
_ga_* | Google Analytics (.bitvavo.com) | Persists deterministic state variables to maintain analytic session integrity. | ~13 months | Consent |
_gat | Google Analytics (.bitvavo.com) | Regulates outbound telemetry payloads to prevent infrastructure rate-limit exhaustion. | ~1 min | Legitimate interest |
_gat_UA-* | Google Analytics (.bitvavo.com) | Regulates outbound telemetry payloads to prevent infrastructure rate-limit exhaustion. | ~1 min | Legitimate interest |
_gid | Google Analytics (.bitvavo.com) | Assigns ephemeral client identifiers to correlate 24-hour engagement patterns. | ~24 hours | Consent |
FPID | Server Side GTM (.bitvavo.com) | Establishes a server-side trust anchor to route anonymized metrics to Tag Manager nodes. | ~13 months | Consent |
FPLC | Server Side GTM (.bitvavo.com) | Employs salted hashes of the FPID to ensure cross-domain metric continuity. | ~20 hours | Consent |
We place various cookies for advertising, commercial and promotional purposes. The personal data collected by these cookies are analyzed and used for the development of campaigns and to target audiences with the most relevant information and personalized communications on the Website or app. For certain marketing campaigns, we utilize server-to-server (S2S) tracking technologies. In these instances, confirmation of actions, such as completing a registration or making a deposit, may be transmitted securely from our servers directly to our advertising or measurement partners. This processing is technically linked to your cookie preferences; it only occurs if you have provided marketing consent via our cookie banner. This method utilizes pseudonymized or hashed identifiers (like a hashed email) to protect your privacy, rather than relying on standard browser cookies alone. Where applicable, these partners may act as independent or joint controllers of the data they receive. This process does not involve sharing your plain personal data with these partners.
We process the following marketing cookies:
Name | Source (Domain) | Purpose | Expiration | Legal ground |
a | Bitvavo (.bitvavo.com) | Cryptographically links ingress traffic to origin partners to allocate referral incentives. | 30 days | Consent |
_fbp | Facebook (.bitvavo.com) | Facilitates deterministic matching of client events to Meta's central identity graph. | ~3 months | Consent |
ps_l | Facebook (.facebook.com) | Aggregates off-platform identity signals to bridge disparate tracking domains. | ~13 months | Consent |
__Secure-1PAPISID | Google (.google.com) | Manages cryptographic session assertions for targeted ad delivery across distributed nodes. | ~13 months | Consent |
__Secure-1PAPISID | Google (.google.nl) | Manages cryptographic session assertions for targeted ad delivery across distributed nodes. | ~13 months | Consent |
__Secure-1PSID | Google (.google.com) | Manages cryptographic session assertions for targeted ad delivery across distributed nodes. | ~13 months | Consent |
__Secure-1PSID | Google (.google.nl) | Manages cryptographic session assertions for targeted ad delivery across distributed nodes. | ~13 months | Consent |
__Secure-1PSIDCC | Google (.google.com) | Validates Cross-Site Request Forgery (CSRF) tokens linked to persistent ad identities. | ~1 year | Consent |
__Secure-1PSIDTS | Google (.google.com) | Enforces temporal bounds on authenticated advertising session requests. | ~1 year | Consent |
__Secure-3PAPISID | Google (.google.com) | Manages cryptographic session assertions for targeted ad delivery across distributed nodes. | ~13 months | Consent |
__Secure-3PSID | Google (.google.com) | Manages cryptographic session assertions for targeted ad delivery across distributed nodes. | ~13 months | Consent |
__Secure-3PSIDCC | Google (.google.com) | Validates Cross-Site Request Forgery (CSRF) tokens linked to persistent ad identities. | ~1 year | Consent |
__Secure-3PSIDTS | Google (.google.com) | Enforces temporal bounds on authenticated advertising session requests. | ~1 year | Consent |
__Secure-BUCKET | Google (.google.com) | Partitions users into distinct cohort clusters for federated ad processing and delivery. | ~6 months | Consent |
__Secure-ENID | Google (.google.com) | Persists obfuscated identity tokens to align external activity with central user graphs. | ~13 months | Consent |
APISID | Google (.google.com) | Broadcasts encrypted demographic preferences for distributed personalization engines. | ~13 months | Consent |
APISID | Google (.google.nl) | Broadcasts encrypted demographic preferences for distributed personalization engines. | ~13 months | Consent |
IDE | Google (.doubleclick.net) | Utilized to evaluate cross-site engagement signals and enforce frequency capping on ads. | ~13 months | Consent |
NID | Google (.google.com) | Caches persistent query parameters and algorithmic preferences to customize external output. | ~6 months | Consent |
SAPISID | Google (.google.com) | Ensures secure transmission of profile metadata for ad network decisioning. | ~13 months | Consent |
SAPISID | Google (.google.nl) | Ensures secure transmission of profile metadata for ad network decisioning. | ~13 months | Consent |
SID | Google (.google.com) | Preserves federated session contexts to inform wide-scale ad personalization algorithms. | ~13 months | Consent |
SID | Google (.google.nl) | Preserves federated session contexts to inform wide-scale ad personalization algorithms. | ~13 months | Consent |
SIDCC | Google (.google.com) | Verifies domain integrity signatures to mitigate unauthorized ad-profile tampering. | ~1 year | Consent |
SSID | Google (.google.com) | Binds session duration telemetry with persistent identity tokens for ad tracking. | ~13 months | Consent |
SSID | Google (.google.nl) | Binds session duration telemetry with persistent identity tokens for ad tracking. | ~13 months | Consent |
test_cookie | Google (.doubleclick.net) | Performs a boolean storage capability check to validate state persistence availability. | Session | Consent |
_gcl_au | Google Ads (.appsflyer.com) | Anchors first-party conversion events to upstream ad impressions via URL decorrelation. | ~3 months | Consent |
_gcl_au | Google Ads (.bitvavo.com) | Anchors first-party conversion events to upstream ad impressions via URL decorrelation. | ~3 months | Consent |
FPAU | Google Analytics (.bitvavo.com) | Implements first-party delegation to preserve identity graphs under strict tracking protections. | ~3 months | Consent |
_uetsid | Microsoft Bing (.bitvavo.com) | Links disjointed session interactions to evaluate ad network routing efficiency. | ~24 hours | Consent |
_uetvid | Microsoft Bing (.bitvavo.com) | Correlates persistent visitor engagement to optimize bidding algorithms. | ~13 months | Consent |
MUID | Microsoft Bing (.bing.com) | Ingests globally unique hardware/browser signatures to unify fragmented user data. | ~13 months | Consent |
_rdt_uuid | Reddit (.appsflyer.com) | Resolves cross-domain device signatures for targeted campaign attribution. | ~3 months | Consent |
_ScCbts | Snapchat (.bitvavo.com) | Transmits buffered event signals to validate conversion completion. | ~7 days | Consent |
_scid | Snapchat (.bitvavo.com) | Snapchat pixel unique ID of the user, similar to how the _ga cookie works with Google Analytics | ~13 months | Consent |
_scid_r | Snapchat (.bitvavo.com) | Sets a unique ID to enable targeted advertising and facilitate real-time bidding from third-party advertisers. | ~13 months | Consent |
sc_at | Snapchat (.snapchat.com) | Employs access tokens to securely attribute off-platform conversions to ad inventory. | ~13 months | Consent |
X-AB | Snapchat (sc-static.net) | Routes clients to variant UI components to capture controlled experimental telemetry. | ~24 hours | Consent |
_tt_enable_cookie | TikTok (.bitvavo.com) | Acts as an initialization flag to deploy downstream behavioral tracking scripts. | ~3 months | Consent |
_ttp | TikTok (.bitvavo.com) | Constructs a behavioral footprint to optimize algorithmic content/ad curation. | ~3 months | Consent |
_ttp | TikTok (.tiktok.com) | Constructs a behavioral footprint to optimize algorithmic content/ad curation. | ~3 months | Consent |
sid_guard_ads | TikTok (.tiktok.com) | Deploys anti-fraud heuristics to cryptographically verify ad-click authenticity. | ~10 months | Consent |
tt_chain_token | TikTok (.tiktok.com) | Links sequential network requests to map complete conversion funnel trajectories. | ~6 months | Consent |
ttcsid | TikTok (.bitvavo.com) | Transmits unified session footprints to external aggregation endpoints. | ~3 months | Consent |
ttcsid_* | TikTok (.bitvavo.com) | Routes discrete behavioral events (clicks/views) to specific pixel campaign IDs. | ~3 months | Consent |
_twpid | Twitter (.bitvavo.com) | Reconciles anonymous endpoint activity with authenticated micro-blogging profiles. | ~13 months | Consent |
guest_id | Twitter (.twitter.com) | Assigns synthetic identifiers to model behavior of unauthenticated traffic. | ~13 months | Consent |
guest_id_ads | Twitter (.twitter.com) | Routes unauthenticated engagement data directly to advertising optimization nodes. | ~13 months | Consent |
guest_id_marketing | Twitter (.twitter.com) | Reconciles off-platform web requests with central marketing models. | ~13 months | Consent |
muc_ads | Twitter (.t.co) | Optimizes link-routing telemetry to improve downstream ad-click reliability. | ~13 months | Consent |
personalization_id | Twitter (.twitter.com) | Maps off-site browsing patterns to construct detailed interest-based taxonomy profiles. | ~13 months | Consent |
On your first visit to our Website you have made a choice on whether or not to accept cookies. You can always change this via the cookie settings on our Website. In case you want to disable cookies being placed, want to receive a notification at the moment when a cookie is placed on your device, or want to delete all stored cookies on your device, you can do so through your browser settings (often found under “Help” or “Internet options”). See the relevant link below for your selected browser type:
If Bitvavo changes the cookies used on the Website, Bitvavo will amend this Cookie Statement accordingly. Any update of the Cookie Statement will apply after announcing the update on the Website or any other official communication channel.
If you want to know more about Bitvavo’s Cookie Statement or have any questions or recommendations, please send an email to [email protected] or contact Bitvavo’s Data Protection Officer directly at [email protected]. Bitvavo will respond to your request as quickly as possible.
Contact details
Bitvavo B.V.
Keizersgracht 281
1016 ED Amsterdam The Netherlands
E: [email protected] W: bitvavo.com
Chamber of Commerce number: 68743424
Bitvavo B.V.
Il trading con strumenti digitali comporta dei rischi significativi. Gli strumenti digitali sono molto volatili e potresti perdere una parte o tutto il tuo investimento. Le informazioni su questa pagina non sono da considerarsi alla stregua di una consulenza e non bisogna farvi affidamento in tal senso. Bitvavo B.V. è autorizzato come prestatore di servizi per le cripto-attività ai sensi del Regolamento (UE) 2023/1114 (MiCA) dall'Autoriteit Financiële Markten (AFM), Vijzelgracht 50, 1017 HS Amsterdam. Per maggiori informazioni consulta la nostra informativa sui rischi.
Bitvavo è registrata presso la camera di commercio dei Paesi Bassi con il numero 68743424.