VeraSafe Services Privacy Notice

Effective on: October 08, 2025

1. Introduction and Scope

At VeraSafe, privacy is what we do. Because of our focus on privacy, we take very seriously the protection of information commonly referred to as “Personal Data”, which means information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual.

In the course of operating our business, we process Personal Data in a variety of ways. This privacy notice (this Notice) addresses the individuals (Data Subjects) whose Personal Data we process in the course of providing our “Services”, which include:

  • the following “Professional Services”: 
    • professional data protection compliance and cybersecurity consulting services; 
    • external data protection officer and privacy officer services; 
    • representative services, including data protection representative services in the European Union (the “EU”) and the United Kingdom (the “UK”) under the EU General Data Protection Regulation and its UK equivalent (collectively, the “GDPR”), as well as legal representative services in the EU under the EU Digital Services Act; and
    • dispute resolution services, including when acting as an Independent Recourse Mechanism (IRM) under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework (respectively, the “EU-U.S. DPF”, the “UK Extension to the EU-U.S. DPF”, and the “Swiss-U.S. DPF”; and collectively, the DPF); and 
  • the following “Applications”: 
    • our web-based learning management system; and 
    • our website seals, such as the VeraSafe Privacy Verified website seal, and their attendant administrative web application(s). 

2. What Is Not Covered by This Notice?

Information That Is Not Personal Data 
This Notice does not apply to information that is not Personal Data.

VeraSafe Human Resources Data 
This Notice does not apply to our collection of Personal Data related to VeraSafe team members or recruitment candidates, as described in our HR Privacy Notice.

Business Development Data 
This Notice does not apply to our collection of Personal Data about visitors to our websites, or in the context of our sales and marketing initiatives, as described in our Sales, Marketing, Outreach, and Website Privacy Notice.

3. Entities Covered by This Privacy Notice 

This Notice covers VeraSafe, LLC and its affiliated entities, which include:

  • VeraSafe Czech Republic s.r.o.; 
  • VeraSafe Ireland Ltd.;
  • VeraSafe Legal, LLP; 
  • VeraSafe Netherlands BV; 
  • VeraSafe South Africa (Pty) Ltd.; and 
  • VeraSafe United Kingdom Ltd. 

Throughout this Notice, when we refer to “VeraSafe”, “we”, “us”, or “our”, we mean VeraSafe, LLC and its abovementioned affiliates, collectively.

4. Our Role with Respect to Your Personal Data

VeraSafe as a Controller
Generally, when providing Professional Services, such as consulting services, VeraSafe acts as a data controller for the Personal Data we process. That means we decide how and why Personal Data provided to us by our clients is processed on their behalf.

VeraSafe as a Processor
When providing access to our Applications and when providing certain Professional Services, VeraSafe acts as a data processor for the Personal Data we process for our clients. That means those clients determine the type of Personal Data they provide to us to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our clients (generally, employee data) when we act as a data processor in providing access to our Applications.

Absent Controllership
In the context of certain Professional Services, such as our data protection representative services, VeraSafe is neither a data controller nor a data processor.

5. Basis of Processing

Depending upon the context, we may process your Personal Data on the basis of:

  • the need to perform a contract that we entered into with you or your organization;
  • our legitimate interests, such as our interest in providing our Services for valuable consideration, and our clients’ interests in complying with applicable data protection laws;
  • our obligation to comply with applicable laws; or
  • any other ground, as required or permitted by applicable laws.

Where we receive your Personal Data as part of providing our Services to you based on a contract, we require certain Personal Data in order to carry out the contract. Without that necessary Personal Data, we will not be able to provide the Services to you.

6. How We Receive Personal Data

We may collect or otherwise receive your Personal Data when:

  • you provide it directly to us as part of using our Services;
  • our clients (including their employees, contractors, and other representatives of the organization) provide it to us while using our Services;
  • we receive it from regulatory authorities;
  • we receive it from other entities within our corporate group;
  • we obtain it from publicly available sources, such as social media pages or corporate, government, or professional websites; or
  • an associate of yours or one of our partners or clients refers you to us by providing your Personal Data to us.

7. Categories of Personal Data

We may process the following categories of Personal Data:

  • biographical information, such as your first and last name;
  • professional information, such as your job title, your position within your organization, the industry in which you work, and details about your organization;
  • billing information, such as your bank account information and payment card number; 
  • contact information, such as your email address, postal address, phone number, fax number, and social media pages;
  • identifiers and device information, such as your IP address and associated location, operating system, and device IDs; and 
  • other information, such as your interests, whether or not you have opened emails we send you, information pertaining to your use of the Applications, details about your data protection inquiry or concern, and any other category of Personal Data submitted to us.

8. Purposes of Processing Personal Data

We may process your Personal Data for the purposes of: 

  • managing our relationship with you; 
  • providing and enabling use of the Services; 
  • measuring and improving our Services; 
  • responding to your requests or questions;
  • complying with our legal obligations, such as in our role as a data protection officer, a data protection representative, or an IRM; and 
  • collecting payments that are due to VeraSafe, enforcing our legal rights, and complying with laws and regulations applicable to VeraSafe. 

9. Personal Data Retention 

When we act as a data controller, we will retain your Personal Data for as long as is necessary to fulfill the purpose for which it was collected, or any other permitted purpose, and to comply with our legal obligations. Such retention will continue for no longer than permitted by applicable law. 

When we act as a data processor, we will retain your Personal Data for as long as instructed by the relevant client (who will typically act as a data controller). 

10. Sharing Personal Data with Third Parties 

When providing Services causes us to act as a data processor of your Personal Data, we may engage third parties to process that Personal Data on our behalf. Those third parties, whom we refer to as subprocessors, have agreed to use the Personal Data only to assist us in providing the Services or as required by law. We list them on our Third-Party Subprocessors webpage along with a description of the services they provide. Please refer to the privacy notices of those subprocessors to learn more about the way in which they collect and process Personal Data.

We remain liable for the protection of your Personal Data that we transfer to third parties, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing of your Personal Data.

Where your Personal Data is protected by the GDPR, before transferring your Personal Data to any of those third parties, we will either ask for your explicit consent or require the third party to maintain at least the same level of privacy and security in respect of your Personal Data as we do. We will only transfer your Personal Data to third parties in countries not recognized by the European Commission as providing an adequate level of protection (a list of countries with levels of protection recognized as adequate is available here) where there are appropriate safeguards in place. Such safeguards may include the Data Privacy Framework or Standard Contractual Clauses as approved by the European Commission. 

11. Other Disclosures of Your Personal Data

We may disclose your Personal Data to the extent required by law or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings. We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our affiliates if necessary for business purposes.

12. Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide some of our Applications’ functionality, authentication, usage analytics (web analytics), and to remember your settings, and generally improve our Applications.

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser. Most of the cookies placed on your device through our Applications are first-party cookies since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Applications. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.

For more information about the cookies we use, please refer to our Cookie Policy, which forms a part of this Policy.

13. Data Integrity & Security 

We have implemented and will maintain appropriate technical, administrative, and physical security measures designed to facilitate the protection of your Personal Data against unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction.

14. Your Privacy Rights: Access & Review

You may have specific rights in respect of how we treat your Personal Data. In particular, you may be entitled to: 

  • identify the Personal Data we have about you; 
  • receive a copy of your Personal Data; 
  • object to the processing of your Personal Data; 
  • have your Personal Data updated, corrected, or deleted; 
  • have your Personal Data sent to another company in line with data portability requirements; or 
  • limit or stop the further processing or sharing of your Personal Data. 

If your Personal Data was provided to us by another company, then requests related to the exercise of the foregoing rights should be sent directly to that company, not VeraSafe. VeraSafe has limited rights in respect of Personal Data submitted to us by our clients, for example. If you nevertheless choose to contact us with such a request, please provide the name of the VeraSafe client who submitted your Personal Data to us. We will forward your request to that client and provide any necessary assistance as they respond to your request. 

15. Privacy of Children

The Services are neither directed at, nor intended for use by, children under the age of 16. To the extent that we process any Personal Data about children under the age of 16, we do so according to the documented instructions of our clients, who will typically act as a data controller, or in order to comply with applicable law.

If we process your or your child’s Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data. You may also have the right to object to, limit, or stop our further processing of such Personal Data. You may also have the right to data portability with respect to such Personal Data.

16. Choice in Respect of Use and Disclosure

If Personal Data processed within the scope of this Notice is to be used for a new purpose that is materially different from that for which it was originally collected or subsequently authorized, or if such Personal Data is to be disclosed to a non-agent third party in a manner not specified in this Notice, we will provide you with an opportunity to choose whether to have your Personal Data so used or disclosed. To opt out of such use or disclosure of your Personal Data, please contact us using the information in the “Contact Us” section below.

17. Data Privacy Framework

For Personal Data processed within the scope of this Notice, VeraSafe, LLC complies with the principles of the U.S. Department of Commerce Data Privacy Framework (the “Data Privacy Framework” or “DPF”) when processing Personal Data transferred under the Data Privacy Framework from the European Union (the “EU”) and the European Economic Area (the “EEA”), the United Kingdom (the “UK”), and Switzerland to the United States (the “U.S.”), or Personal Data otherwise received in reliance on the Data Privacy Framework. 

We adhere to the Data Privacy Framework and VeraSafe, LLC has certified to the Department of Commerce its commitment to comply with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. 

To learn more about the Data Privacy Framework principles, and to view our certification information, please visit https://www.dataprivacyframework.gov and https://www.dataprivacyframework.gov/s/participant-search, respectively. 

18. Data Privacy Framework Dispute Resolution

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, VeraSafe, LLC commits to resolve DPF principles-related complaints about our collection and use of your Personal Data. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF should first contact VeraSafe, LLC by emailing [email protected] or calling +1-617-398-7067.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, VeraSafe, LLC commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

If your dispute or complaint related to your Personal Data that VeraSafe, LLC received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF cannot be resolved by us or through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework’s “Recourse, Enforcement and Liability” principle and Annex I of the Data Privacy Framework.

19. U.S. Regulatory Oversight

VeraSafe, LLC is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. 

20. EEA and UK Supervisory Authority Oversight

If the GDPR applies to our processing of your Personal Data, you may have the right to lodge a complaint with a supervisory authority in the EEA or the UK if you are not satisfied with how we process your Personal Data.

21. Data Protection Representatives 

EU – VeraSafe Czech Republic s.r.o.
Address: Rohanské nábřeží 678/23, Prague 8, 18600, Czech Republic  

UK – VeraSafe United Kingdom Ltd.
Address: 37 Albert Embankment, London, SE1 7TL, United Kingdom 

Phone: +420 228 881 031
Email: [email protected] 

22. Changes to This Notice

If we make any material change to this Notice, we will post the revised Notice to this webpage. We will also update the effective date at the top of this Notice.

23. Contact Us

If you have any questions about this Notice or our processing of your Personal Data, you can contact us at:

Address: VeraSafe
Attn: Internal Privacy Team
100 M Street S.E., Suite 600
Washington D.C., 20003
USA
Email: [email protected]
Phone: +1-617-398-7067

 

We will respond to legitimate inquiries within 30 days of receipt.
