Privacy Policy
Effective Date: April 22, 2026 | Last Updated: April 22, 2026 | CCPA, CPRA & GDPR Compliant
1. Overview & Scope
This Privacy Policy explains how Eremine Holdings, LLC (EIN 36-5059758), a Delaware limited liability company operating the VettaLux platform ("VettaLux," "we," "us"), collects, uses, discloses, and safeguards personal data when you access our websites, mobile applications, APIs, and related marketplace services (the "Service"). It applies to customers who request providers, service professionals who list on VettaLux, affiliates who refer traffic, and visitors who browse publicly.
This policy does not govern third-party websites you reach through outbound links. Every paid interaction between a customer and a provider introduced through VettaLux runs on the Platform — VettaLux is the system of record for booking, payment, and dispute data for the full provider-customer relationship, and providers may not accept customer payment outside VettaLux. Capitalized terms used but not defined here carry the meaning given in our Terms of Service.
2. Data Controller & Contact
Eremine Holdings, LLC (current operator of VettaLux) is the data controller for personal data processed through the Service in most jurisdictions, and a "business" under California law. For service providers operating on the marketplace, we act as an independent controller of platform data and as a processor for limited lead data that we route to you at your request.
General privacy inquiries: privacy@vettalux.com. Our Data Protection Officer serves EU, EEA, and UK data subjects and is reachable at dpo@vettalux.com. We respond to verifiable requests within statutory timelines and keep a rights-request log for audit.
3. Categories of Personal Data
We process the following categories, depending on your role and activity:
- Account data: name, email, phone, password hash, preferences, role.
- Identity verification: government-issued ID images and, where you opt in, a face-match selfie used solely to confirm the ID belongs to you.
- Financial data: billing name, last-four digits, and tokens returned by our payment processor. We do not store full card numbers or bank credentials.
- Location: city, ZIP, and approximate IP-derived region; precise GPS only with explicit permission.
- Device & usage: IP, browser, OS, pages viewed, clicks, crash traces.
- Communications: in-platform messages, call metadata, support tickets.
- Third-party signals: license registries, background-check results, OAuth profile fields.
4. Sources of Data
We obtain personal data from you directly when you register, complete a profile, submit a lead, post a review, or contact support. We also receive data from identity-verification vendors that confirm your government ID, background-check providers that return criminal and licensing records for providers, and our payment processor, which returns tokenized settlement results.
Additional sources include cookies and similar technologies described in our Cookie Policy, OAuth identity providers when you elect single sign-on, public business registries, and referring affiliates who disclose attribution parameters. Where permitted, fraud-prevention partners may supply signals about suspected abusive devices or identities.
5. Purposes & Legal Bases (GDPR)
For EU, EEA, and UK users, we rely on the following Article 6 bases: contract for account creation, booking fulfillment, escrow, and customer support; legal obligation for tax, anti-fraud, sanctions screening, and responding to lawful requests; legitimate interest for trust scoring, security monitoring, product analytics, and limited direct marketing to existing customers; and consent for optional cookies, marketing SMS, precise geolocation, and the face-match biometric step.
For special-category data such as biometrics, we rely on Article 9(2)(a) explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
6. How We Use Data
- Matching: route leads to qualified nearby providers based on category, availability, and proximity.
- Escrow & billing: authorize, capture, and release funds through our payment processor; issue receipts and tax forms.
- Trust scoring: compute provider reputation from verified credentials, reviews, completion rate, and dispute outcomes.
- Fraud prevention: detect fake accounts, review manipulation, stolen-card use, and abusive traffic.
- Communications: send transactional email, SMS, and push messages, plus optional marketing where you opt in.
- Product improvement: run aggregate analytics, A/B tests, and debugging to refine the Service.
7. Sharing & Disclosures
We share personal data with: providers you book, who receive your name, contact details, and job description; affiliates who referred you, limited to attribution identifiers and non-sensitive conversion status; identity-verification vendors that validate government IDs and face-match selfies; our payment processor, which handles card authorization, settlement, and chargebacks; cloud infrastructure and security vendors hosting and protecting the platform; and law enforcement or regulators under valid legal process.
We also disclose aggregated or de-identified analytics that cannot reasonably identify you. We do not sell personal data to data brokers. Business transfers occur only with advance notice and equivalent protections.
8. International Transfers
VettaLux is headquartered in the United States, and personal data may be processed in the US and other countries where our vendors operate. When we transfer personal data from the EU, EEA, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where appropriate, the UK Addendum or the UK International Data Transfer Agreement (IDTA). Where an adequacy decision applies, we rely on that decision instead.
We conduct transfer impact assessments and apply supplementary measures such as encryption, access controls, and strict vendor obligations. You may request a copy of the relevant transfer mechanism by emailing dpo@vettalux.com.
9. Retention Schedule
- Active accounts: retained while active, then 7 years after closure for financial, dispute, and legal-hold reasons.
- Booking and tax records: 7 years from the transaction date to satisfy IRS and equivalent rules.
- Identity-verification records: up to 5 years after deletion to detect repeat fraud and satisfy KYC duties.
- Marketing contact data: until you opt out, plus 12 months to honor your suppression preference.
- Deleted accounts: a 30-day grace window for recovery, after which personal identifiers are anonymized or destroyed.
Backups expire on a rolling 90-day cycle, and anonymized analytics may persist indefinitely. Legal holds or subpoenas may extend retention for specific records in scope.
10. Security Measures
We enforce TLS 1.2 or higher in transit and AES-256 encryption at rest for sensitive fields. Role-based access controls, least-privilege IAM, multi-factor authentication for employees, continuous logging, and regular vulnerability scans protect the environment. We are pursuing SOC 2 Type II attestation on a published roadmap and align internal controls to ISO 27001 and NIST CSF.
If a personal-data breach creates risk to your rights, we notify the competent supervisory authority within 72 hours under GDPR Article 33 and affected individuals "without unreasonable delay" as required by US state breach-notification laws. No system is perfectly secure; we encourage strong, unique passwords and prompt reporting of suspicious activity.
11. Rights Under GDPR
If you are located in the EU, EEA, UK, or Switzerland, you have the right to access your personal data, rectify inaccuracies, erase data in defined circumstances, restrict or object to processing, receive your data in a portable format, and withdraw consent at any time. Where processing is based on legitimate interest, you may object on grounds relating to your particular situation.
Submit requests to privacy@vettalux.com or dpo@vettalux.com. We respond within 30 calendar days and may extend by two further months for complex requests, with notice and reasons.
12. Rights Under CCPA / CPRA
California residents may request to know the categories and specific pieces of personal information we collect, delete personal information, correct inaccurate data, opt out of "sale" or "sharing" of personal information, and limit our use and disclosure of sensitive personal information. We do not sell personal information for monetary value, and we treat cross-context behavioral advertising signals as opt-out eligible.
We will not discriminate against you for exercising these rights. Authorized agents may submit requests with written permission and identity verification. To exercise rights, email privacy@vettalux.com or use the "Do Not Sell or Share My Personal Information" link in our footer.
13. Other US State Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA), as well as other states with comprehensive privacy laws that take effect during the term of this policy, have rights similar to those described for California, including rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, "sale," or profiling producing legal or similarly significant effects. We honor verifiable consumer requests consistent with each statute's scope, exemptions, and appeal procedures, and we provide a clear appeal pathway if we decline a request.
14. Cookies & Similar Technologies
We use first- and limited third-party cookies, local storage, SDKs, and pixels to authenticate sessions, remember preferences, measure performance, and support security. Some cookies are strictly necessary, while analytics and advertising cookies load only where lawful and, in the EU and UK, only after you grant consent.
For category-by-category detail, purposes, retention, and controls, please review our Cookie Policy. You can adjust preferences at any time through the in-product cookie banner or your browser settings. Rejecting non-essential cookies will not affect your ability to create an account, book a provider, or receive transactional communications from the Service.
15. Marketing & Communications
We send transactional messages that are required to operate your account, including booking confirmations, verification codes, receipts, and security alerts. Marketing email and SMS are separate opt-in channels. For SMS, standard message and data rates apply; reply STOP to cancel and HELP for assistance, consistent with TCPA and CTIA guidelines. Expected frequency is up to 6 messages per month unless otherwise disclosed at opt-in.
You can unsubscribe from marketing email via the link in any message or from SMS by replying STOP. Push notifications can be toggled in your device settings and in-app preferences without affecting transactional delivery.
16. Children
The Service is intended only for individuals aged 18 or older. We do not knowingly collect personal data from children under 18, and we do not permit minors to register as customers or providers. If we learn that we have inadvertently collected data from a person under 18, we will delete it promptly and terminate any associated account.
Parents or guardians who believe a minor has provided us data may contact privacy@vettalux.com and we will act without undue delay. We do not build profiles of minors and do not direct advertising toward anyone we reasonably believe to be under 18.
17. Automated Decision-Making
We compute a trust score for providers using signals such as verified license status, insurance validity, completed-booking volume, on-time completion, refund and dispute rate, review patterns, and fraud indicators. The score influences search ranking and eligibility for premium placements, but it does not produce legal or similarly significant effects for consumers without meaningful human review.
When a dispute, suspension, or payout hold is triggered by automated signals, a trained reviewer evaluates the evidence before any final adverse decision. You may contest outcomes, submit additional information, and obtain an explanation by emailing privacy@vettalux.com.
18. Global Privacy Control & Do Not Track
We honor the Global Privacy Control (GPC) browser signal as a valid opt-out of "sale" and "sharing" for California and Colorado residents, and we treat it as a preference signal for other US state residents whose laws recognize it. When we detect GPC from a browser associated with your account, we apply the opt-out to that account as well, to the extent we can reasonably link them.
Because no common Do Not Track standard has emerged, we do not respond to legacy DNT headers beyond the opt-outs described here and in our Cookie Policy.
19. Biometric Data
When you choose the optional face-match step during identity verification, our vendor generates a mathematical template from a selfie and compares it to the photo on your government ID. The template is classified as a biometric identifier under the Illinois Biometric Information Privacy Act (BIPA) and comparable laws in Texas, Washington, and other states.
We obtain written, informed consent before collection, use the template only for identity assurance and fraud prevention, never sell it, and retain it for no longer than 3 years from your last interaction with the Service or until you close your account, whichever occurs first.
20. Changes, Supervisory Authority & Contact
We may update this Privacy Policy to reflect operational, legal, or regulatory changes. For material changes, we will notify you at least 30 days before they take effect through email, in-product banners, or both, and update the "Effective Date" above. Continued use constitutes acceptance of the update.
You may lodge a complaint with a supervisory authority: the Irish Data Protection Commission for EU and EEA residents, the UK Information Commissioner's Office (ICO) for UK residents, and your state Attorney General for US residents. Contact us first at privacy@vettalux.com or dpo@vettalux.com.