Legal · 01 / 06

Privacy Policy

Last updatedJanuary 14, 2026
Versionv4.0
EntityVelvet Storm LLC · Wyoming
Reading time~12 min

01Data controller

Velvet Storm LLC(“Velvet Storm,” “we,” “us”) is the data controller for personal information processed through velvetstormseo.com and our client engagements. We are a limited liability company organized under the laws of the State of Wyoming, USA.

Legal entity
Velvet Storm LLC
Registered address
1343 Bowman Ave, Sheridan, WY 82801, USA
Privacy contact
Phone

02Scope & definitions

This policy applies to:

  • Visitors to velvetstormseo.com and any subdomain we operate.
  • People who contact us through the website form, email, or phone.
  • Active clients and their authorized representatives during the course of an engagement.
  • Vendors, contractors, and applicants whose data we process to operate the business.

“Personal data” / “personal information” means any information that identifies, relates to, or could reasonably be linked to an identifiable individual, as defined under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA, and other applicable laws.

03Categories of personal data we collect

We deliberately collect the minimum data needed. Categories fall into four buckets, listed with their CCPA category identifiers in parentheses where applicable:

Identifiers (Cat. A)
Name, email address, phone number, company name, IP address.
Commercial info (Cat. D)
Service tier selected, project scope, invoice and payment history (payment card data is processed by Stripe and never stored on our servers).
Internet activity (Cat. F)
Pages visited, referrer, country-level location, device type, browser. Collected via cookieless aggregate analytics.
Professional info (Cat. I)
Job title, role at your company, and any project context you share in a brief.

We do not knowingly collect sensitive personal information as defined under CPRA §1798.140(ae) (e.g. precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic or biometric data, health information, sexual orientation, contents of mail or messages). If you send such information unsolicited, we will delete it on receipt.

We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please email hello@velvetstormseo.com and we will delete it.

04Purposes & legal bases

Under GDPR Article 6, we must identify a lawful basis for each processing activity. The table below lists every purpose, the data it touches, and the legal basis we rely on.

Reply to your inquiry
Identifiers + brief content. Legal basis: pre-contractual measures at your request (Art. 6(1)(b)).
Deliver contracted services
Identifiers, commercial info, project data. Legal basis: performance of a contract (Art. 6(1)(b)).
Send invoices, collect payment
Identifiers, commercial info. Legal basis: contractual necessity and legal obligation (Art. 6(1)(b) & (c)).
Maintain tax & accounting records
Invoice history, payment records. Legal basis: compliance with US federal & Wyoming tax law (Art. 6(1)(c)).
Site security & abuse prevention
IP, user-agent, request logs. Legal basis: legitimate interest in keeping the service running safely (Art. 6(1)(f)).
Aggregate analytics
Cookieless, country-level. Legal basis: legitimate interest in understanding which pages help readers (Art. 6(1)(f)). You may object at any time — see Section 8.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

05Service providers & transfers

We share personal data only with the sub-processors listed below. Each is bound by a written data-processing agreement (or equivalent) and processes data on our instructions only.

Vercel Inc. (USA)
Website hosting + edge cache. Receives IP + request logs.
Cloudflare Inc. (USA)
DNS, CDN, WAF. Receives IP + request metadata.
Fastmail Pty Ltd (Australia)
Business email hosting under EU-AU SCCs.
Stripe, Inc. (USA)
Card processing. PCI-DSS Level 1. We never see your full card number.
Plausible Insights OÜ (Estonia)
Cookieless EU-hosted analytics. No personal profiles.
Linear Orbit, Inc. (USA)
Project management for active clients only.
Notion Labs, Inc. (USA)
Client documentation for active engagements only.

International transfers.Where personal data leaves the European Economic Area, the UK, or Switzerland, we rely on (a) the European Commission's Standard Contractual Clauses (2021/914) with our US providers, plus (b) supplementary technical measures including TLS in transit and encryption at rest. Copies of the SCCs are available on request.

We do not sell or rent personal information in any sense of those words, including under CCPA/CPRA §1798.140(ad). We do not share personal information for cross-context behavioral advertising. We have not done so in the preceding twelve months.

We will disclose personal data to government authorities only when compelled by a valid subpoena, court order, or legally enforceable request, and only to the minimum extent required. Where we are permitted to do so, we will notify the affected individual before disclosure.

06Retention periods

We keep personal data only as long as needed for the purpose it was collected for, plus any period required by law.

Unsuccessful inquiries
12 months after last contact, then deleted.
Active client records
Duration of engagement + 7 years (US tax retention).
Email correspondence
7 years for client matters; otherwise deleted at your request.
Server access logs
30 days, then automatically purged.
Aggregate analytics
Pageview counts kept indefinitely; no individual-level data retained.
Backups
Encrypted, rolling 30 days, then overwritten.

07Security

We implement technical and organizational measures appropriate to the risk, as required by GDPR Article 32:

  • TLS 1.3 in transit, AES-256 at rest for all client data.
  • Unique passwords stored in a zero-knowledge password manager, with mandatory hardware-key two-factor authentication on every vendor account.
  • Principle of least privilege: only assigned staff have access to project data.
  • Production secrets stored in encrypted environment variables, never in source control. Pre-commit hooks scan for accidental secret commits.
  • Software dependencies monitored daily for known vulnerabilities.
  • Quarterly review of access logs and permission grants.

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify our supervisory authority within 72 hours of becoming aware and notify affected individuals without undue delay, as required by GDPR Articles 33–34 and applicable US state breach laws.

For more detail on our security posture, see our Trust & Security page.

08Your rights

Depending on your jurisdiction, you have some or all of the following rights. We extend the strongest set of rights to every individual, regardless of where you live.

GDPR & UK GDPR (Articles 15–22)

  • Access. A copy of the personal data we hold about you.
  • Rectification. Correction of inaccurate data.
  • Erasure. Deletion of data we no longer have a lawful basis to keep.
  • Restriction. Pause processing while a request is reviewed.
  • Portability. Receive a machine-readable copy of data you provided.
  • Objection. Object to processing based on legitimate interests, including analytics.
  • Withdraw consent at any time without affecting prior lawful processing.

California (CCPA/CPRA)

  • Right to know the categories and specific pieces of personal information collected.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of personal information. (We do neither, but the right exists.)
  • Right to limit use of sensitive personal information. (We do not collect any.)
  • Right to non-discrimination for exercising any of the above.

How to exercise: email hello@velvetstormseo.com with the subject line “Privacy request” from the email address on file. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA), extendable once if reasonably necessary. There is no fee for the first request in a 12-month period.

Authorized agents.California residents may designate an agent in writing to make a request on their behalf. We will require proof of the agent's authority and may contact you directly to verify.

If you are in the EEA, UK, or Switzerland and believe we have mishandled your data, you have the right to lodge a complaint with your local supervisory authority. For US residents, you may contact your state attorney general.

09Cookies & tracking technologies

We use one strictly-necessary first-party cookie. We do not use any third-party advertising, retargeting, or social-media tracking cookies. Full details are in our Cookie Policy.

We honor the Global Privacy Control (GPC) signal (IAB-defined). Browsers transmitting GPC are treated as having opted out of any sale or sharing of personal information.

10California “Shine the Light” & other state notices

California Civil Code §1798.83 (“Shine the Light”) permits California residents to request, once per year, free of charge, a list of third parties to whom we disclosed personal information for direct marketing purposes in the preceding calendar year. We do not disclose personal information for direct marketing, so the answer for every requesting California resident is “none.”

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights substantially similar to those under CCPA/CPRA. We apply the same process described in Section 8 to all such requests.

Do Not Track. Because there is no industry consensus on how to interpret browser DNT signals, we do not change our processing based on DNT alone. We do honor the more specific GPC signal, as noted above.

11Changes to this policy

We may update this policy when our practices or the law change. When we make a material change, we will:

  • Update the “last updated” date at the top.
  • Bump the version number.
  • For active clients and anyone with a verified email address on file, send a notice at least 14 days before the change takes effect.
  • Maintain prior versions in a public archive on request, so you can compare what changed.

12Contact & complaints

For privacy-related questions, requests, or complaints:

Velvet Storm LLC
Attn: Privacy Officer
1343 Bowman Ave
Sheridan, WY 82801
+1 (912) 914-2846
hello@velvetstormseo.com

We respond to every request within 30 days. If we cannot resolve your concern, you have the right to escalate to your local data protection authority or state attorney general.

Effective date: January 14, 2026. Last updated: January 14, 2026.

Need this in another form?

If you'd like a signed PDF copy, or this policy translated, or a redline against a previous version — email us and we'll send it over.

Email us
PrivacyTermsCookiesTrust & SecurityAcceptable UseAccessibility