Get started
Legal · Effective 2026-01-01

Privacy Policy

This Privacy Policy explains how Verdacert LLC (“Verdacert”, “we”, “us”) collects, uses, shares, and protects personal information when you visit verdacert.com or use our certified-translation services (the “Services”). It also describes your rights and the choices available to you, including the rights of residents of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia, and individuals in the European Economic Area and the United Kingdom.

This Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.

1. Information we collect

We collect the following categories of personal information, including the categories enumerated under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Identifiers and contact data — name, email address, postal address, phone number, account credentials, IP address, and device identifiers.
  • Customer records — billing details (processed by our payment processor; we receive truncated card data and transaction confirmations), and order history.
  • Document content — the source documents you upload for translation. These may contain sensitive personal information such as full date and place of birth, government identification numbers, family relationships, immigration status, criminal-history information, health information, biometric identifiers (e.g., signatures), and information about minors.
  • Commercial information — products and Services purchased or considered, and refunds.
  • Internet activity — browser type, pages viewed, referring URLs, timestamps, interactions with the Services, and similar log data.
  • Geolocation — approximate location inferred from IP address (we do not collect precise GPS location).
  • Inferences — preferences, interests, and service-quality signals derived from the above.
  • Audio/visual — if you contact support by phone, we may record calls with appropriate disclosure.
  • Sensitive personal information (CPRA, Va. CDPA, and similar laws) — government identifiers, precise location (if you affirmatively provide it), racial or ethnic origin, religious beliefs, citizenship or immigration status, health information, sex-life or sexual-orientation data, account login in combination with required credentials, and union membership, where such information appears in documents you upload.

We do not knowingly collect personal information from children under 13, and the Services are not directed to children. If we learn we have collected personal information from a child under 13 without verifiable parental consent, we will delete it. Where you upload documents about minors as part of an immigration filing, you represent that you are the parent, legal guardian, or authorized representative of that minor.

2. Sources of information

  • Directly from you (orders, uploads, account, support).
  • Automatically (cookies, analytics, server logs).
  • From service providers (e.g., Stripe for payment confirmations; fraud-detection providers).
  • From you on behalf of third parties whose information appears in your documents.

3. How we use information (purposes & legal bases)

  • To translate, certify, and deliver your documents.
  • To communicate about orders, deliveries, revisions, security, and support.
  • To process payments and prevent fraud and abuse.
  • To comply with legal, tax, and regulatory obligations.
  • To operate, secure, debug, and improve the Services through aggregated, de-identified analytics.
  • With your separate opt-in, to send marketing communications you can withdraw at any time.
  • To establish, exercise, or defend legal claims and to enforce our terms.
  • Where you affirmatively consent, for any other purpose disclosed at the time of collection.

For individuals in the EEA or UK, our legal bases under GDPR/UK GDPR are (a) performance of a contract, (b) compliance with a legal obligation, (c) our legitimate interests in operating and securing the Services (balanced against your rights), and (d) your consent where required (e.g., for non-essential cookies and certain marketing).

4. How we share information

We share information only as described below. We do not sell personal information for money. In the prior 12 months we have not sold or shared personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA, and we have no plans to do so.

  • Service providers / processors. Vendors that process information on our behalf under written contracts that restrict them to our instructions and require appropriate safeguards — including hosting (Vercel), storage and content delivery (Cloudflare R2), database (Neon), email (transactional providers), payments (Stripe), error monitoring, and analytics.
  • Reviewers and translators. Vetted human reviewers under confidentiality obligations, accessible only to the orders assigned to them.
  • AI providers. We use Anthropic and OpenAI under zero-data-retention configurations to assist with drafting. Source content sent to these providers is not used to train their models.
  • Professional advisors. Lawyers, accountants, and auditors under duties of confidentiality.
  • Corporate transactions. In a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, information may be transferred, subject to standard confidentiality protections and continued application of this Policy or a successor policy.
  • Legal compliance & protection. Where required by law, valid legal process, or to protect rights, property, safety, or to investigate fraud or unlawful activity. We notify customers of governmental requests where permitted.
  • With your direction or consent. Such as when you ask us to deliver a translation to a third party.

5. AI processing and no training

We do not use customer documents or other personal information to train artificial-intelligence or machine-learning models. We use AI providers under zero-data-retention terms that prohibit those providers from retaining, training on, or further using customer content beyond delivering the immediate response. Human reviewers verify and finalize every certified translation.

6. Cookies & similar technologies

We use strictly-necessary, functional, and limited analytics cookies. See our Cookie Policy for categories, third parties, retention periods, and how to manage cookies.

Global Privacy Control / Do Not Track. Where required, we honor browser signals such as Global Privacy Control (GPC) as opt-out preference signals from California, Colorado, and other states whose laws recognize them. We do not currently respond to Do Not Track (DNT) signals because there is no industry consensus on how to interpret them.

7. Data retention

We retain translation deliverables and minimum certification records for seven (7) years to support reissuance requests and to comply with recordkeeping, tax, and dispute-resolution obligations. Source documents are deleted from active systems after one (1) year unless you ask us to retain them. Backups and logs follow shorter, rolling retention schedules. You may request earlier deletion by emailing privacy@verdacert.com; we will confirm in writing when deletion is complete, except where retention is required by law.

8. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS 1.3) and at rest (AES-256), strict access controls, audit logging, secret rotation, vendor due diligence, and SOC 2 Type II–aligned controls. For documents containing protected health information, we apply HIPAA-aware handling. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials.

9. International data transfers

We operate primarily on U.S.-based infrastructure. If you are located outside the United States, your information will be transferred to and processed in the United States, which may have different data-protection laws than your jurisdiction. Where required, transfers from the EEA, UK, or Switzerland are made pursuant to the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism. By using the Services you consent to these transfers to the extent permitted by law.

10. Your privacy rights

Depending on where you live, you may have some or all of the following rights regarding personal information about you:

  • Access / know — confirm whether we process personal information about you and obtain a copy.
  • Correct — correct inaccurate personal information.
  • Delete — request deletion, subject to legal exceptions (e.g., recordkeeping, fraud prevention).
  • Portability — receive your information in a portable, machine-readable format.
  • Opt-out of sales/sharing — we do not sell or share for cross-context behavioral advertising, but you may still submit a verified request.
  • Opt-out of profiling / targeted advertising — we do not engage in profiling that produces legal or similarly significant effects, nor in targeted advertising.
  • Limit use of sensitive personal information — we use sensitive personal information only for purposes permitted under CPRA (e.g., providing the Service, security, quality control).
  • Non-discrimination — we will not deny goods or services, charge different prices, or provide a different quality of service because you exercised a privacy right.
  • Appeal (Colorado, Connecticut, Texas, Virginia, others) — appeal a denial of your request by replying to our decision notice; if your appeal is denied you may contact your state attorney general.
  • Withdraw consent — where processing is based on consent.
  • Lodge a complaint — with a supervisory authority (EEA/UK) or your state attorney general.

How to exercise rights. Email privacy@verdacert.com or write to Verdacert LLC, Attn: Privacy, 4112 Manor Oaks Ct, Export, PA 15632. We will verify your request by matching the information you provide to information we already hold and, where appropriate, by requesting additional confirmation. Authorized agents may submit requests on your behalf with written, signed permission and verification of identity. We will respond within the time required by applicable law (generally 45 days, extendable as permitted).

11. California “Shine the Light”

California residents may request, once per calendar year, information about categories of personal information (if any) we disclosed to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

12. Nevada residents

Nevada residents may direct us not to sell their personal information. We do not sell personal information as defined under Nevada law, but you may submit a verified request to privacy@verdacert.com to confirm.

13. Children’s privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, contact us and we will delete it.

14. Third-party links

The Services may link to third-party websites or services. We are not responsible for their privacy practices. Their use of your information is governed by their own policies.

15. Data-breach notification

If we determine that a security incident has resulted in the unauthorized acquisition of unencrypted personal information, we will notify affected individuals and regulators as required by applicable law. Nothing in this Policy constitutes a waiver of any rights or remedies otherwise available under applicable breach-notification laws.

16. Changes to this Policy

We may update this Policy from time to time. The version posted on this page is the current version and supersedes prior versions. We will notify you of material changes by email, by a prominent notice in the Services, or both, at least 14 days before they take effect, except where a shorter period is required by law or by a security incident.

17. Contact us

Verdacert LLC, Attn: Privacy, 4112 Manor Oaks Ct, Export, PA 15632. Email: privacy@verdacert.com. For EEA/UK individuals: where required, our designated contact for data-protection inquiries is the privacy email above.

Counsel-review notice. This Policy is drafted to align with current U.S. state privacy laws and EU/UK GDPR. It should be reviewed by privacy counsel against the categories, sources, purposes, and recipients you actually use in production before public launch, and updated as new state privacy statutes take effect.

Get instant quotePricing