Privacy Policy
Effective Date: April 1, 2026 | Last Updated: April 1, 2026 | CCPA & GDPR Compliant
1. Information We Collect
Information you provide directly: Name, email address, phone number, business information (for providers), payment information (processed by Stripe — we do not store card numbers), uploaded documents (licenses, insurance certificates), review content, and profile photos.
Information collected automatically: IP address, browser type, device information, pages viewed, search queries, click patterns, referring URLs, and interaction data with provider profiles. We use cookies and similar technologies as described in our Cookie Policy.
Information from third parties: Google OAuth data (if you sign in with Google), Stripe payment confirmations, and publicly available business license data for provider verification.
2. How We Use Information
- Provide and improve the Service: Match customers with providers, calculate trust scores, rank search results, detect fraud, and personalize your experience.
- Communications: Send lead notifications, review alerts, billing updates, security alerts, and service announcements. We will never send marketing emails without your consent.
- Safety and security: Detect and prevent fraudulent reviews, fake accounts, and abuse of the platform.
- Analytics: Understand usage patterns via PostHog to improve features and user experience.
- Legal compliance: Comply with applicable laws, respond to legal requests, and enforce our Terms.
3. Information Sharing
We do not sell your personal information. Period.
We share information only in these circumstances:
- With providers you contact: When you submit a lead, your name, email, phone, and job description are shared with the selected provider(s).
- Service providers: Stripe (payments), Resend (email), Cloudflare (CDN/security), Algolia (search), PostHog (analytics), Sentry (error tracking).
- Legal requirements: When required by law, court order, or governmental authority.
- Business transfer: In connection with a merger, acquisition, or sale of assets, with notice to users.
4. Data Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption at rest for sensitive data
- Bcrypt password hashing with cost factor 12
- JWT token rotation with 15-minute access tokens
- Rate limiting and DDoS protection via Cloudflare
- Regular security audits and penetration testing
- Provider documents stored in private encrypted storage with time-limited signed URLs
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. After account deletion, we retain anonymized data for analytics and may retain certain data as required by law (e.g., billing records for tax purposes). Provider review data may be retained after provider account closure to maintain marketplace integrity.
6. Your Rights
California Residents (CCPA): You have the right to know what personal information we collect, request deletion of your data, opt out of data sales (we do not sell data), and not be discriminated against for exercising these rights.
European Residents (GDPR): You have the right to access, rectify, and erase your personal data, to restrict or object to its processing, and to data portability. Our legal basis for processing is contract performance, legitimate interest, and consent where applicable.
All users: You can access, update, or delete your account data at any time through your dashboard settings. To exercise any privacy rights, email privacy@vettalux.com. We will respond within 30 days.
7. Children's Privacy
VettaLux is not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.
8. Contact
For privacy inquiries, data requests, or concerns: