Privacy Policy.

VELMORA LLC (“Velmora,” “we,” “us,” or “our”) is a limited liability company registered in the State of Wyoming, United States, with its principal place of business at 317 W Whitney St, Sheridan, WY 82801.

This Privacy Policy explains how we collect, use, disclose, and otherwise process personal information when you (a) visit velmoraseo.com or any subdomain, (b) contact us, sign up for our newsletter, or submit a form, (c) become a client of Velmora, or (d) interact with us in person, by phone, or by email. We act as a “controller” (GDPR) and a “business” (CCPA/CPRA) for the information described here.

Where we process personal information on behalf of our clients (for example, visitor or customer data collected by a website we build, host, or optimize for a client), we act as a “processor” / “service provider” under our Data Processing Agreement, not this Privacy Policy.

Controller

VELMORA LLC, a Wyoming limited liability company

Mailing address

317 W Whitney St, Sheridan, WY 82801, USA

Privacy contact

privacy@velmoraseo.com

In the past twelve months we have collected the following categories of personal information, as enumerated by the California Consumer Privacy Act (Cal. Civ. Code § 1798.140(v)):

Identifiers

Name, email address, postal address (if provided), business phone number, IP address.

Customer records

Information you provide in the contact form, sales correspondence, contracts, invoices, and project files (Cal. Civ. Code § 1798.80(e)).

Commercial information

Services purchased, billing history, project scope, and payment records (via Stripe).

Internet or network activity

Pages visited on velmoraseo.com, referring URL, session duration, device/browser metadata, and aggregated analytics events collected via privacy-friendly tooling.

Geolocation (coarse)

City/region inferred from IP address. We do not collect precise GPS coordinates.

Professional/employment information

Your job title, company, and role when relevant to an engagement.

Inferences

Project fit, lead score, and content preferences — only those drawn from information you provided directly.

We do not knowingly collect: government identifiers, biometric data, genetic data, racial or ethnic origin, religious beliefs, philosophical beliefs, trade union membership, sexual orientation, health information, or any other sensitive categories under GDPR Art. 9 or CPRA § 1798.140(ae) — except where you voluntarily disclose it in a free-text field, in which case we treat it as sensitive (see § 5).

We collect personal information from these sources:

• Directly from you — when you fill in a form, sign a contract, email us, or speak with us.
• Automatically from your device — IP, browser metadata, referring URL, page-view events.
• From our clients — when a client provides limited information about you in the course of an engagement (e.g., introducing you as a stakeholder).
• From service providers — Stripe (payment confirmation), Resend (email delivery status), Plausible (aggregated counts only).
• From publicly available sources — your company website or LinkedIn profile, if we research you before a sales call.

We do not purchase personal information from data brokers, and we do not enrich your record with third-party data on file.

Under the EU/UK GDPR we process personal data only where a lawful basis applies (Art. 6 GDPR). The table below maps each purpose to a basis. CCPA/CPRA business purposes are identical except where noted.

Respond to inquiries

Reply to forms, emails, and calls. Basis: contract (Art. 6(1)(b)) — steps prior to entering a contract — and legitimate interests (Art. 6(1)(f)) in operating the business.

Deliver services to clients

Perform our agreement (build, host, run SEO). Basis: contract (Art. 6(1)(b)).

Invoice & receive payment

Issue invoices, process card payments via Stripe. Basis: contract and legal obligation (Art. 6(1)(c)) for tax/record-keeping.

Run business operations

Accounting, books, taxes, regulatory filings. Basis: legal obligation and legitimate interests.

Improve our site and services

Aggregated analytics, debug. Basis: legitimate interests (Art. 6(1)(f)) and your consent (Art. 6(1)(a)) where cookies require it under the ePrivacy Directive.

Marketing & newsletter

Send our (rarely-sent) newsletter to subscribers. Basis: consent with one-click unsubscribe. US recipients: subject to CAN-SPAM (15 U.S.C. § 7701).

Security & abuse prevention

Detect and block attacks, spam, and abuse. Basis: legitimate interests in protecting our site and clients.

Comply with legal process

Respond to subpoenas, court orders. Basis: legal obligation.

We do not solicit sensitive personal information (SPI) as defined under the California Privacy Rights Act (Cal. Civ. Code § 1798.140(ae)) — government IDs, financial-account passwords, precise geolocation, race/ethnicity, religion, union membership, communications content, genetic data, biometric data, health data, sex life, or sexual orientation.

We do collect payment-card information indirectly through Stripe, which stores it under PCI-DSS Level 1 controls. We never see or store full card numbers. Stripe acts as an independent controller and a service provider, depending on the action.

Where you voluntarily disclose sensitive information (for example, in a free-text contact form), we process it only to respond to your message and delete it from the form record on request.

California residents have a Right to Limit the use of sensitive personal information. Because we do not use SPI for inferring characteristics about consumers, this right is honored by default.

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects (GDPR Art. 22, CPRA § 1798.185(a)(16)). We do not engage in profiling, scoring, or behavioral advertising.

We may use generative AI tools (Claude, Anthropic; ChatGPT, OpenAI; GitHub Copilot, GitHub Inc.) to draft internal notes, code, and content briefs. We do not send personal information you provide to these tools without your prior knowledge, and we do not opt your data into model training. Our agreements with these vendors include zero-retention or training-opt-out terms where available.

We disclose personal information only in these limited situations and never for monetary consideration:

• With sub-processors and vendors that need it to provide a service to us (see § 8).
• With our subcontractors (a small group of trusted writers and engineers), under written confidentiality and data-processing agreements.
• In connection with a corporate transaction — merger, acquisition, asset sale, or financing — subject to your continuing rights under this policy. We will notify you 30 days before any such transfer.
• When required by law — subpoena, court order, or formal legal request from a US authority with jurisdiction. We will notify you unless legally prohibited.
• To protect rights, property, and safety — of Velmora, our clients, or the public.

We do not sell personal information as defined by CCPA/CPRA § 1798.140(ad), and we do not share personal information for cross-context behavioral advertising as defined by CPRA § 1798.140(ah). The Global Privacy Control (GPC) signal is honored automatically as a legally-binding opt-out for California, Colorado, and Connecticut residents.

The following service providers process personal information on our behalf. Each operates under a written contract requiring confidentiality, security, and use limited to our instructions.

Cloudflare, Inc. (US)

CDN, DNS, DDoS protection. Processes IP addresses transiently; logs not retained by us.

Vercel Inc. (US)

Production hosting for velmoraseo.com. Edge logs retained 24 hours.

Plausible Insights OÜ (Estonia, EU)

Privacy-friendly analytics. No cookies, no cross-site tracking, IP anonymized.

Resend, Inc. (US)

Transactional email delivery (form responses, receipts).

Stripe, Inc. (US, EU)

Payment processing (PCI-DSS Level 1). Independent controller for fraud and AML purposes.

Google LLC (US) — Workspace

Email, calendar, document storage for internal operations only.

Notion Labs, Inc. (US)

Internal project documents and notes.

1Password (AgileBits Inc., Canada)

Encrypted storage of credentials clients share with us.

Loom, Inc. (US)

Video walk-throughs we send to clients.

A current list, with security certifications and applicable transfer mechanisms, is maintained on our Trust & Security page. We will notify clients of new sub-processors with at least 30 days' notice in accordance with our DPA.

We are based in the United States and our primary data storage is in the United States. When personal information of EU, UK, or Swiss residents is transferred outside of the EEA/UK/Switzerland, we rely on the following transfer mechanisms under GDPR Chapter V:

• EU–US Data Privacy Framework (DPF) certifications of our US sub-processors where available.
• Standard Contractual Clauses (European Commission Implementing Decision (EU) 2021/914) in our DPA with each US-based sub-processor that is not DPF-certified.
• UK International Data Transfer Addendum to the SCCs (in force since March 2022).
• Swiss FDPIC SCC addendum for transfers from Switzerland.

A copy of our SCCs and a Transfer Impact Assessment is available on request from privacy@velmoraseo.com.

We retain personal information only as long as is necessary for the purposes set out in § 4:

Site request logs

≤ 30 days (rolling)

Aggregated analytics

24 months

Contact form submissions

24 months, or until you ask us to delete

Active client records (contracts, deliverables)

For the engagement, plus 7 years (US tax-record retention)

Invoices & financial records

7 years (Internal Revenue Code § 6001)

Newsletter subscribers

Until you unsubscribe, then 30 days for suppression-list purposes

Backups

Encrypted, rolling 35 days, after which they are cryptographically erased

After the retention period expires, we either delete the data, anonymize it irreversibly, or place it in a legal-hold archive isolated from operational systems.

We maintain administrative, technical, and physical safeguards designed to:

• Encrypt personal information in transit using TLS 1.2 or higher.
• Encrypt sensitive data at rest using AES-256 (vendor-managed) or platform-equivalent.
• Limit access on a least-privilege basis with mandatory multi-factor authentication.
• Use a managed password manager for all shared credentials.
• Patch software within 14 days of vendor disclosure (24 hours for critical CVEs).
• Maintain audit logs of administrative actions.
• Conduct an annual third-party security review.

Full controls inventory is published on our Trust & Security page. To report a vulnerability, see security.txt or email security@velmoraseo.com.

In the unlikely event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33).
• Notify affected individuals without undue delay where required (GDPR Art. 34).
• Comply with applicable US state breach-notification laws (e.g., Wyoming Stat. § 40-12-501 et seq.; California Civ. Code § 1798.82; Texas Bus. & Com. Code § 521.053).
• Notify clients in accordance with our DPA within 48 hours of discovery.

Regardless of where you live, we honor the following rights:

• Right to know / access. Receive a copy of the personal information we hold about you, in a portable format.
• Right to correct. Update inaccurate or incomplete information.
• Right to delete. Erase information that is no longer needed for the original purpose (subject to legal retention obligations).
• Right to portability. Receive your information in a structured, machine-readable format.
• Right to restrict / object. Pause or object to certain processing based on legitimate interests.
• Right to opt out of sales, sharing for cross-context behavioral advertising, and profiling that produces legal effects. (We do none of these by default.)
• Right to limit use of sensitive personal information (California).
• Right to non-discrimination for exercising any of the above (CCPA/CPRA § 1798.125).
• Right to lodge a complaint with your supervisory authority (EU/UK) or attorney general (US states).

To exercise a right, email privacy@velmoraseo.com with “Privacy request” in the subject. We may need to verify your identity by matching the request to information already on file. We respond within 30 days (or 45 days if the request is complex). Verified agent requests under CCPA must include the consumer's signed authorization.

We do not sell or share personal information for cross-context behavioral advertising. There is therefore nothing to opt out of. If you believe otherwise — for instance, if you suspect a tracking pixel was unintentionally introduced on our site — please email privacy@velmoraseo.com.

Browsers configured with the Global Privacy Control (GPC) signal will be treated as having opted out under California Civ. Code § 1798.135(b)(1) and equivalent laws in Colorado, Connecticut, and Texas.

Detailed information about the cookies and similar technologies we use is set out in our separate Cookie Policy. We use only essential cookies by default; analytics is loaded via a privacy-friendly provider that does not set tracking cookies.

Velmora's services are directed to businesses. We do not knowingly collect personal information from any individual under the age of 16 (the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., uses age 13; we apply the stricter EU standard of 16 to all visitors).

If we learn that we have collected information from a child under 16, we will delete it without delay. Parents or guardians may report such collection to privacy@velmoraseo.com.

In addition to California's CCPA/CPRA, we comply with comprehensive state privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Delaware (DPDPA), New Hampshire (NHPA), Iowa (ICDPA), Indiana (ICDPA), Tennessee (TIPA), Montana (MTCDPA), New Jersey (NJDPA), Minnesota (MCDPA), and Maryland (MODPA), as each comes into force.

Our processing of EU/UK/Swiss personal data is subject to the GDPR, UK GDPR, and the revised Swiss Federal Act on Data Protection (revFADP).

We have not appointed an Article 27 representative because we do not regularly process EU/UK data on a large scale and our processing is not high-risk. If we cross those thresholds we will appoint a representative and update this policy.

You have the right to lodge a complaint with your supervisory authority. A list is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.

We may revise this Privacy Policy from time to time. When we do we will update the version number and effective date at the top. For material changes we will (a) post a prominent notice on velmoraseo.com for at least 30 days, and (b) email anyone on our client list or newsletter at least 14 days before the change takes effect.

Prior versions are maintained in the public Git repository for this website so that diffs can be audited.

For any question about this policy, your data, or how we process it — contact us by any of these channels:

Privacy email

privacy@velmoraseo.com

General email

hello@velmoraseo.com

Mail

VELMORA LLC, ATTN: Privacy Inbox, 317 W Whitney St, Sheridan, WY 82801, USA

Phone

+1 (912) 915-0729 (Mon–Fri, 8a–6p Mountain Time)