VirtuAmerica
Legal

Privacy Policy

This policy explains how VirtuAmerica collects, uses, shares, retains, and protects personal data when we provide managed websites, SaaS subscriptions, support, consulting, and related services.

Last updated: May 19, 2026

1. Who we are and scope

VirtuAmerica LLC (“VirtuAmerica,” “we,” “us,” or “our”) provides vaMicrosites managed websites, customer portals, private access flows, lead capture, localization, media, approved-document search, AI-assisted drafting, support, consulting, and related technology services. This Privacy Policy applies to personal data we process through our public website, customer communications, support, billing coordination, portal, and Services. When this policy is linked at or near a data-collection point, it also serves as our notice at collection for the categories, purposes, retention practices, and sharing described below.

Human-assisted hours, support, and consulting references on this page are limited to customer websites, microsites, and use of vaMicrosites. They are not sold as standalone consulting, coaching, general IT or device repair, or unrelated professional services.

For some data, VirtuAmerica is the controller because we decide why and how the data is processed. For Customer Content, visitor submissions, approved documents, or account data processed on behalf of a customer, VirtuAmerica may act as a processor or service provider and follows the customer’s lawful instructions, our agreement, and applicable law.

VirtuAmerica is established in the United States. The Portuguese and Spanish translations of this Privacy Policy are provided for customer convenience. Where the Brazil General Data Protection Law (LGPD), the Costa Rica Law on the Protection of Persons Against the Processing of Personal Data, Canada’s PIPEDA, Quebec Law 25, the UK GDPR, the EU GDPR, or other foreign privacy laws apply to specific processing, the rights described in this policy combine with the additional local rights granted by those laws. Brazilian residents may direct LGPD inquiries and rights requests to contact@virtuamerica.com; we maintain a designated privacy contact for these purposes. If applicable law requires a formal data protection officer, Encarregado, EU/UK representative, or similar local contact for a specific processing activity, we will make the required contact details available before or as that processing begins.

2. Personal data we collect

Notice at collection summary (California and similar U.S. state laws). The categories of personal data described below are collected to operate, secure, deliver, and improve our Services; to provide support; to communicate with you and your authorized users; to detect and prevent abuse; and to comply with law. We do not sell personal data and do not knowingly share personal data for cross-context behavioral advertising. Retention for each category is described in Section 11. Sensitive personal information is collected only where you or a customer provide it for a necessary and authorized purpose, as described later in this section.

We collect contact and account data such as name, organization, email address, phone number, mailing address, role, preferred language, domain names, authorized users, project details, support requests, portal activity, and communication history.

We collect service and content data such as website copy, logos, images, documents, forms, customer-approved knowledge files, translation instructions, AI prompts or draft requests, support attachments, design preferences, publication approvals, and workflow information you provide or approve.

We collect technical and usage data such as IP address, approximate location derived from IP address, device and browser information, referring pages, requested URLs, timestamps, cookies or similar identifiers, logs, security events, form anti-spam signals, diagnostics, error reports, email delivery events, and usage records needed to operate, secure, support, and improve the Services.

For U.S. state privacy-law purposes, these data types may include identifiers, commercial information, internet or electronic network activity, professional or business information, geolocation approximations, audio or message content you choose to provide, and inferences related to service preferences. We do not intentionally collect sensitive personal information — which under U.S. state privacy laws may include precise geolocation, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, union membership, citizenship or immigration status, the contents of mail, email, or messages not addressed to us, biometric or genetic identifiers used to identify a person, health or medical information, government-issued identification numbers, or financial-account or payment credentials — unless you or a customer provide it for a necessary and authorized service purpose, and we do not use such information to infer characteristics about an individual.

We collect billing coordination data such as selected plan, order identifiers, subscription status, invoice references, tax jurisdiction, transaction status, and payment support records. When you purchase through Paddle, Paddle processes payment details and acts as merchant of record or reseller. Payment card details are handled by Paddle and are not transmitted to or stored by VirtuAmerica.

3. Sources of personal data

We receive personal data directly from you, your organization, your authorized users, website visitors who submit forms, support conversations, customer portal activity, public business sources, domain or DNS records, and service providers such as payment, hosting, email, security, analytics, AI, and support providers.

Where we request personal data directly, providing it may be required to enter into or perform a contract, receive support, maintain account security, comply with legal obligations, or use a requested Service. If you choose not to provide required data, we may be unable to provide the requested Service, complete a transaction, respond to support, or maintain an account feature.

4. How we use personal data

We use personal data to operate and secure our website and Services, respond to inquiries, prepare proposals, create and manage accounts, verify authorized access, provide support, deliver managed websites, publish approved content, process subscription status, coordinate payment support, detect abuse, prevent spam, troubleshoot issues, maintain backups, measure usage, improve quality, communicate service updates, comply with law, enforce agreements, and protect rights and safety.

We may use business contact details to send relevant service, account, operational, or marketing communications. You can opt out of marketing emails, and we will honor opt-out requests within the legally required timeframe, but we may still send transactional, security, billing, support, and legal notices where permitted. Where the U.S. CAN-SPAM Act applies, we honor commercial email opt-outs within 10 business days and do not require a fee, extra identifying information beyond an email address, or more than a reply email or single-page web action to opt out. Marketing emails we send identify VirtuAmerica as the sender, include a valid postal address, and provide a working unsubscribe mechanism in accordance with the U.S. CAN-SPAM Act, Canada’s CASL, and similar marketing-communications laws.

5. Legal bases for EEA, UK, and similar privacy laws

Where GDPR, UK GDPR, or similar laws apply, our legal bases may include performance of a contract, steps requested before entering a contract, legitimate interests in operating and improving secure business services, consent where required, compliance with legal obligations, and protection of vital interests or public interests in rare cases. Our legitimate interests include service delivery, account administration, security, fraud prevention, diagnostics, business communications, support, and product improvement, balanced against individual rights.

6. Customer sites, forms, visitor data, and data processing terms

When a customer uses vaMicrosites to collect form submissions, provide private pages, publish content, or operate customer-facing workflows, that customer is usually responsible for giving its own privacy notices, collecting lawful consent where required, and deciding what personal data should be collected. VirtuAmerica processes that data to provide, secure, support, and maintain the customer’s site or workflow.

Customers should not ask us to collect special-category, highly sensitive, payment-card, health, children’s, government-ID, biometric, precise location, or regulated data unless the collection is necessary, lawful, and specifically agreed in writing with appropriate safeguards. Customers that need a data processing agreement, sub-processor list, transfer terms, or regulated-data safeguards should contact us before collecting that data through the Services.

7. AI-assisted processing, search, and automated decisions

Some Services may use AI-assisted drafting, translation support, search, classification, or document analysis. We use these tools to help prepare, review, or support customer-approved work. Human review remains important, and customers are responsible for approving public copy and business decisions.

We may process prompts, source documents, summaries, retrieval results, output, and usage metadata to provide AI-assisted features, improve service quality, monitor cost, prevent abuse, and maintain support records. We use reasonable controls to avoid submitting unnecessary sensitive information to AI services, and customers should not provide sensitive data unless necessary and authorized.

We do not use personal data to make solely automated decisions that produce legal or similarly significant effects about individuals unless we provide any legally required notice, lawful basis, and rights.

We do not use Customer Content, visitor submissions, AI prompts, customer-approved documents, or other personal data we hold on your behalf to train third-party large language models. Where we use external AI service providers, those providers operate under contractual terms that restrict training use of inputs in line with their published commercial-API or enterprise-API policies. This statement is made in light of disclosure requirements such as the Connecticut Data Privacy Act amendment effective July 1, 2026.

Where you interact with an AI-driven feature provided by us — such as an AI-assisted draft, classifier, or chat surface — we will identify the AI nature of the interaction or output where required by EU AI Act Article 50, the Utah Artificial Intelligence Policy Act (Utah Code §§ 13-72-101 et seq.), or similar transparency laws. AI-generated content surfaced to you in the customer portal is labeled as such, and you remain responsible for reviewing and approving AI-generated text before publishing it under your name.

8. Cookies, analytics, and browser signals

We may use cookies, local storage, server logs, or similar technologies for security, session management, language preferences, anti-spam controls, diagnostics, performance, analytics, and user experience. These fall into categories such as strictly necessary, preferences, and analytics. Some cookies are necessary for the Services to work. Where required by law, we will request consent for non-essential cookies or provide another lawful control. The specific providers in use at any given time can be requested at contact@virtuamerica.com.

Because we do not currently sell personal data or knowingly share it for cross-context behavioral advertising, Global Privacy Control and similar opt-out signals should not be needed to opt out of a sale or sharing on our own site. Where a legally required browser signal applies to a future processing activity, we will honor it as required.

Because there is no industry or regulatory consensus on the “Do Not Track” (DNT) browser signal, our website does not currently respond to DNT signals differently from other browsers. We honor recognized opt-out preference signals (such as Global Privacy Control) where applicable law requires.

9. How we share personal data

We share personal data only as needed for the purposes described in this policy. Recipients may include hosting and cloud infrastructure providers, email delivery providers, support and operations tools, security and anti-abuse providers, analytics providers, AI service providers used for approved workflows, contractors or professional advisers, payment and merchant-of-record providers such as Paddle, domain or integration providers at your direction, copyright or safety-removal requesters and affected account holders where needed to process rights, safety, DMCA, or TAKE IT DOWN Act requests, legal authorities where required, and parties involved in a business transfer.

We do not sell personal data. We do not knowingly share personal data for cross-context behavioral advertising in a way that would be considered a “sale” or “sharing” under U.S. state privacy laws unless we provide the required notice and opt-out rights. We do not use sensitive personal information to infer characteristics where a law gives a right to limit that use.

We may create or use aggregated, anonymized, or de-identified information for security, analytics, service improvement, capacity planning, and business reporting. When we treat information as de-identified under an applicable privacy law, we maintain and use it in de-identified form and do not attempt to re-identify it except as permitted by law, such as to test whether our de-identification safeguards work.

A current list of named sub-processors is maintained and is available on request to contact@virtuamerica.com. Where a data processing agreement is in place, we will provide reasonable advance notice of new sub-processors before they are engaged for in-scope processing, and the customer may object on legitimate data-protection grounds.

10. International transfers

VirtuAmerica is based in the United States, and we serve customers internationally. Personal data may be processed in the United States and other countries where we, our providers, or customer-selected tools operate. When applicable law requires safeguards for international transfers, we rely on recognized transfer mechanisms such as standard contractual clauses, adequacy decisions, provider data-processing terms, or other lawful transfer bases. For transfers of personal data originating in Brazil, we rely on the Brazilian Standard Contractual Clauses or another transfer mechanism approved by the Autoridade Nacional de Proteção de Dados (ANPD) under Resolução CD/ANPD No. 19/2024, which became mandatory after the grace period ended on August 23, 2025.

11. Retention

We keep personal data for as long as needed to provide the Services, maintain accounts, comply with legal and tax obligations, resolve disputes, enforce agreements, preserve security logs, support backups, and maintain business records. Retention periods vary by data type and are based on account status, service need, legal requirements, risk, backup cycles, and dispute needs. As practical guidance, typical retention periods are: billing, tax, order, and contract records — up to 7 years after the account closes, to meet U.S. federal and state tax-retention requirements; account and authorized-user records — the account term plus up to 2 years for audit, dispute, and legal-claim purposes; support and project records — the account term plus up to 2 years; Customer Content and hosted assets — the active term of the relevant Service, then removed or archived per termination, backup, legal, and dispute needs (typically within 90 days of termination, except where law, security, or backup cycles require longer); marketing-communication preferences — until you withdraw consent or opt out; security logs, anti-spam, and diagnostics — usually 12 to 24 months, longer where needed for an active investigation, regulatory matter, or legal claim. Specific retention may be shorter where law requires deletion or longer where law, dispute, or compliance need requires preservation.

When data is no longer needed, we delete, de-identify, or archive it according to our retention practices and any written customer instructions that apply to processor or service-provider data.

12. Security and incident handling

We use administrative, technical, and organizational safeguards designed to protect personal data, including access controls, secure transport, security headers, private-access flows where needed, anti-spam protections, monitoring, and provider security controls. No internet service can guarantee absolute security, and customers remain responsible for maintaining secure account access, approved users, strong email security, lawful content practices, and secure third-party accounts.

If we become aware of a personal-data incident requiring notice, we will notify affected customers, individuals, providers, or authorities as required by applicable law and our role in the processing. Where we act as a controller for EEA, UK, or similar personal data and the incident creates a risk to rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, under GDPR Article 33 or its equivalent. Where we act as a controller for personal data covered by Brazil’s LGPD and the incident creates a relevant risk or damage to data subjects, we will notify the Autoridade Nacional de Proteção de Dados (ANPD) and the affected data subjects within the timeframe set by Resolução CD/ANPD No. 15/2024 (currently 3 business days from becoming aware of the incident, doubled for small processing agents under Resolução CD/ANPD No. 2/2022). Where we act as a processor or service provider, we will notify the relevant controller customer without undue delay and support that customer’s own breach-notification obligations.

13. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data; withdraw consent; opt out of certain marketing, targeted advertising, sale or sharing of personal data, or profiling that produces legal or similarly significant effects; appeal a decision where applicable; and complain to a privacy regulator. We will respond to rights requests within the timeframe required by applicable law and may need to verify your identity, residence, account relationship, or authorized-agent authority. Where the law permits, we may extend the response period for complex or numerous requests and will explain the extension when required.

If we deny a privacy request in whole or in part and applicable law gives you an appeal right, our response will explain how to appeal or submit additional information. We will review appeals within the timeframe required by the applicable law.

California residents additionally have rights under the CCPA and CPRA, including the right to know, access, correct, delete, opt out of sale or sharing, limit certain sensitive personal information uses, and not be discriminated against for exercising privacy rights. We do not offer financial incentives or price differences in exchange for personal data unless we first provide any notice required by law. Residents of other U.S. states with comprehensive consumer privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, Rhode Island, Florida, Nebraska, and similar jurisdictions as their laws come into effect — may have similar rights to access, correct, delete, port, opt out, appeal, or limit certain processing. An authorized agent acting on behalf of a California resident or other state-law consumer must provide signed permission from the consumer, proof of the agent’s identity, and we may also require the consumer to verify the request directly before we process it. We do not retaliate against any individual for exercising privacy rights.

California residents may also have rights under the California “Shine the Light” law (Cal. Civ. Code § 1798.83) to request, once per calendar year, information about personal information VirtuAmerica disclosed to third parties for those third parties’ own direct marketing purposes in the prior calendar year. VirtuAmerica does not share personal information with third parties for those third parties’ own direct marketing purposes; requests under § 1798.83 may be sent to contact@virtuamerica.com with “Shine the Light” in the subject line.

Brazilian residents may have LGPD rights to confirm processing, access data, correct incomplete or outdated data, anonymize, block, or delete unnecessary, excessive, or unlawfully processed data, port data where applicable, receive information about sharing, receive information about the possibility of denying consent and the consequences of denial, revoke consent, and request review of decisions made solely on automated processing where applicable. Costa Rica residents and residents of other jurisdictions may have similar rights to access, rectify, cancel or delete, object to, port, withdraw consent, or complain under local law.

You also have the right to lodge a complaint with a competent privacy authority. EEA residents may contact the data protection authority of their country (the European Data Protection Board lists national authorities at edpb.europa.eu); UK residents may contact the Information Commissioner’s Office (ICO) at ico.org.uk; Brazilian residents may contact the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd; California residents may contact the California Privacy Protection Agency or the California Attorney General. We encourage you to contact us first so we can attempt to resolve your concern.

If your data is processed on behalf of one of our customers, we may direct your request to that customer or process it under the customer’s instructions. To make a request, email contact@virtuamerica.com.

14. Children’s privacy

Our Services are not directed to children under 13 (or the higher minimum age applicable in your jurisdiction), and we do not knowingly collect personal data from children under that age. We do not knowingly sell or share children’s personal data or use it for targeted advertising where privacy laws use those terms. Customers must not use the Services to collect children’s data unless they have the required authority, notices, consents, and written agreement with VirtuAmerica.

15. Third-party links and services

Our websites and customer sites may link to third-party services, social networks, payment flows, domain tools, embedded media, or integrations. Those services are governed by their own privacy policies and terms. We are not responsible for third-party privacy practices.

16. Translations and accessibility

We may provide translations of this Privacy Policy for convenience and international customer clarity. The English version controls to the maximum extent permitted by law if a translation conflicts with the English version, except where mandatory local law requires otherwise.

This Privacy Policy is designed to be reasonably accessible to users with disabilities. The page uses semantic headings, sufficient color contrast, keyboard navigation, and screen-reader-friendly markup, and we aim to align with the Web Content Accessibility Guidelines (WCAG) 2.2, Level AA, the current W3C Recommendation (also published as ISO/IEC 40500:2025). If you need this Privacy Policy in an alternative format or have an accessibility question, contact contact@virtuamerica.com.

17. Changes and contact

We may update this Privacy Policy to reflect changes in our Services, legal obligations, providers, or privacy practices. The updated version will be posted on this page with a new effective date.

Questions or privacy requests can be sent to contact@virtuamerica.com or mailed to VirtuAmerica LLC, 7533 S Center View Ct #8067, West Jordan, UT 84084, USA.