Skip to content
VitaCoreX logo
VitaCoreX LLC Revenue recovery, documentation control, and client workspaces.
Structured Intake • Recovery Systems • Legal File Control Structured Intake • File Control
VitaCoreX TimeU.S. Eastern
00:00
Your TimeLocal
00:00
VitaCoreX TimeU.S. Eastern
00:00
Your TimeLocal
00:00
VitaCoreX logo VitaCoreX
Structured Intake • Recovery Systems • Legal File Control Structured Intake • File Control

Two streams of data

This policy covers two distinct data streams that are handled differently:

  • Site data — submissions through public forms, cookies, and optional analytics on vitacorexllc.com. Governed by this privacy policy.
  • Operator data — data processed during engagements under a signed engagement letter (and, on request, a Data Processing Addendum). Governed by the DPA clauses summarized on the Sub-processors & DPA page and by the operator's own data-handling requirements where stricter.

Unless otherwise stated, sections below apply to site data. Operator-data sections are marked explicitly.

Information you submit via the public site

  • Name, company, phone number, email address, and the details you enter into the public forms.
  • Files or packet drafts that you choose to upload through the structured intake.
  • Context such as selected service line, urgency, and other form-routing information.

How site data is used

  • To route, review, and respond to requests.
  • To measure which public pages and campaigns are generating inquiries.
  • To improve site performance, form handling, and conversion paths.
  • Site data is not sold or rented. Where consented analytics (GA4) is active, measurement data is aggregated and retained per the consent banner choices. With separate explicit disclosure (see Marketing audiences section below), hashed business-contact email addresses may be shared with Google for advertising-audience matching only — never resold, never used for non-VitaCoreX advertising. Operator engagement data is never used for any marketing.

Important file-handling boundary

The public forms are designed for general business documents and non-regulated materials. Do not upload highly sensitive regulated records, medical records subject to HIPAA, financial records subject to GLBA, or other materials that require a dedicated secure workflow unless secure coordination has been arranged first. For regulated-data engagements the correct intake path is the Structured Case Intake followed by an engagement letter and, where applicable, a Business Associate Agreement.

Cookies and consent

The site uses a consent banner that distinguishes essential functionality from optional analytics or marketing measurement. Visitors can choose essential only, analytics only, or full consent where available. See the Cookie Policy for the specific cookie inventory.

Marketing audiences (Google Customer Match)

VitaCoreX may upload hashed business-contact email addresses to Google Ads Customer Match for the sole purpose of creating matched audiences for our own advertising on Google Search, Display, and YouTube networks. Hashing is performed before transmission; Google receives a one-way SHA-256 hash, not the plaintext email.

  • Scope: B2B operator contacts only — dental groups, healthcare networks, fleet operators, subscription businesses, contract-services firms, and similar commercial leads. Private-client (immigration, auto, contract review) emails are excluded by policy and never uploaded.
  • Purpose limitation: Audience matching for VitaCoreX advertising only. Google does not use uploaded data for its own advertising or to improve other advertisers' targeting. Hashed data is retained by Google only for the matching process and is deleted when the list is removed or expires.
  • Lawful basis: Legitimate interests in B2B advertising (GDPR Art. 6(1)(f) where applicable). For US contacts, processing is consistent with CCPA business-purpose use; we do not "sell" personal information as defined by CCPA.
  • Right to opt out: Email info@vitacorexllc.com with the subject "Customer Match Opt-Out" to be permanently excluded from any current or future marketing-audience uploads. Removal from existing Google audiences typically takes 7 days.
  • Sub-processor: Google LLC (Mountain View, CA, USA) acts as our processor under the Google Ads Data Processing Terms for Customer Match data.

Third-party services and sub-processors

Form delivery, calendar scheduling, analytics, email infrastructure, CRM, document signature, and optional campaign measurement rely on named third-party services. The complete list — vendor, purpose, data categories touched, and region — is published on the Sub-processors & DPA page and is updated when vendors are added, changed, or removed (30-day standard notice; 15-day objection window; 5-day emergency notice for security-driven swaps).

Operator data: purpose limitation & scope

Applies to engagement data, not site data. Operator data processed during engagements is used only for the purposes named in the engagement letter. It is not repurposed for marketing, training of general-purpose AI models, or use on other engagements. Operator data stays isolated in engagement-scoped storage with access limited to the named engagement team.

Retention & destruction

Site data: form submissions are retained while the inquiry is open plus 36 months for pattern analysis, then aggregated or deleted. Analytics data follows the GA4 default 14-month window unless you opt out.

Operator data: default retention is engagement duration plus 90 days unless the operator requests extended retention in writing. Certificates of destruction are issued at close and list what was destroyed and the method used. Operator-environment engagements require no destruction action on our side — access is revoked at close. Full retention matrix on the Security & Compliance page.

Breach notification

If VitaCoreX becomes aware of a personal-data or operator-data breach, the affected operator (for engagement data) or the affected individual (for site data, where individual notice is appropriate) is notified without undue delay and in no case later than 72 hours of becoming aware. Notification includes scope of data affected, systems affected, initial containment actions, and a named point of contact for the remediation thread. See the incident-response posture on the Security & Compliance page and the DPA clause on the Sub-processors & DPA page.

Your rights & data-subject requests

Individuals whose data is held on site forms or in engagement records may request, within limits imposed by legal hold or ongoing litigation:

  • Confirmation of what data is held and the purpose of processing.
  • A portable copy of data you submitted (CSV/PDF/JSON where practical).
  • Correction of inaccurate data.
  • Deletion of data, subject to retention obligations under applicable law and active engagement letters.
  • Withdrawal of consent for optional analytics at any time via the cookie-consent banner.

Submit requests to (888) 794-8292 or through the contact form with subject line "privacy request." Standard response time is 10 business days; verification of requester identity may be required for non-trivial requests. For engagement data, requests run through the operator (data controller) rather than VitaCoreX directly.

International transfers

All site data and all operator data are stored and processed on US-based infrastructure with US-based cloud vendors. No client or site data is stored in, processed in, or transits through jurisdictions outside the United States in ordinary operation. If a future engagement requires a different posture, it is documented in the engagement letter with the controlling transfer mechanism named in writing.

Governing law & jurisdiction

Site-data handling is governed by the laws of the State of Florida, United States, without regard to conflict-of-laws principles. Engagement-data handling is governed by the engagement letter and its DPA where applicable.

Changes to this policy

Material changes are announced on this page with a new "Last updated" date at the top. For engagements under a signed DPA, changes to data handling that materially affect operator data are communicated directly to the named operator contact with a 30-day notice window unless the change is security-driven, in which case the emergency 5-day notice applies.

Contact

Privacy-related questions: contact form (subject line "privacy") or call/text (888) 794-8292. Procurement contacts can also reach the designated procurement point of contact named in the engagement letter.