Privacy Policy

Last updated: April 25, 2026

VMVTech, Ltd. ("VMVTech," "we," "us," or "our") is committed to protecting the privacy and security of the personal information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our services, visit our website, or interact with our platforms.

1. Information We Collect

Personal Information

We may collect personal information that you voluntarily provide when using our services, including but not limited to your name, email address, phone number, company name, job title, and billing information.

Technical Information

When you access our platforms, we automatically collect certain technical data such as IP addresses, browser type, device identifiers, operating system, pages viewed, and timestamps of interactions. This data helps us maintain service quality and security.

Healthcare Data

In the course of providing healthcare technology solutions, we may process protected health information (PHI) on behalf of our clients. All such data is handled in strict compliance with applicable regulations, including HIPAA.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain our services and platforms
  • To process transactions and send related communications
  • To respond to your inquiries, requests, and support needs
  • To improve our products, services, and user experience
  • To comply with legal obligations and enforce our agreements
  • To detect, prevent, and address security incidents and fraud

3. Data Security

We implement industry-leading administrative, technical, and physical safeguards to protect your information. Our security program is designed to meet the rigorous requirements of healthcare data protection, including:

  • HIPAA Compliance: All protected health information is processed and stored in accordance with the Health Insurance Portability and Accountability Act. We maintain Business Associate Agreements (BAAs) with all applicable partners.
  • SOC 2 Type II Compliance: Our infrastructure and processes are independently audited to meet SOC 2 standards for security, availability, processing integrity, confidentiality, and privacy.
  • Encryption: Data is encrypted both in transit (TLS 1.2+) and at rest (AES-256) across all systems and storage.
  • Access Controls: Role-based access controls, multi-factor authentication, and comprehensive audit logging are enforced across all platforms.

4. Third-Party Services

We may share information with trusted third-party service providers who assist us in operating our platforms, conducting business, or servicing you. These providers are contractually obligated to keep your information confidential and are prohibited from using it for any purpose other than performing services on our behalf.

We may also disclose your information when required by law, to enforce our policies, or to protect our or others' rights, property, or safety.

We do not sell, trade, or otherwise transfer your personal information to outside parties for marketing purposes.

5. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data. We are committed to honoring these rights in compliance with applicable law.

Rights Under GDPR (European Economic Area)

If you are a resident of the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data under certain conditions.
  • Right to Restrict Processing: Request limitation of processing your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or direct marketing.

To exercise any of these rights, please contact us using the information provided below. We will respond to your request within 30 days.

6. Analytics & Tracking — What We Collect

On our public marketing site (vmvtech.com), we run a first-party analytics script (/t.js) that collects only the data needed to understand which of our healthcare-tech case studies resonate. No advertising trackers, no third-party data sharing.

  • Anonymous visitor identifier (_vmv_vid cookie — first-party, 365-day max-age).
  • Session identifier (_vmv_sid cookie — 30-min sliding TTL).
  • Pageview events: URL, referrer, timestamp, viewport size.
  • Engagement signals: time-on-page, scroll depth, click count.
  • Form submissions: email + message body for /contact, /quote, /schedule.
  • Authenticated client portal: account email, name, organization, support tickets, project metadata, invoice line items.

7. MaxMind IP Enrichment

We use MaxMind GeoIP2 Insights as a sub-processor to derive approximate city, organization name, and ISP from the public IP that requests our analytics endpoint. We do NOT store the raw IP after enrichment — only the derived city, region, and organization fields are persisted on the visitor record. Enrichment is cached per visitor for 7 days to minimize MaxMind queries and respect their ToS.

8. Retention

  • Anonymous tracking events: 365 days, then deleted by scheduled job.
  • Authenticated portal data: kept for the active life of the account; deleted within 30 days of account closure.
  • Email transactional logs (delivery events): 90 days.
  • Stripe receipts and tax records: kept for 7 years per US tax law.

9. Your Rights & Opt-Out

  • Right to access: email privacy@vmvtech.com; we respond within 30 days.
  • Right to delete: same address; we delete within 30 days.
  • Right to object to tracking: click Reject on the consent banner, set the vmv_consent=denied cookie manually, or use a privacy-respecting browser (DuckDuckGo, Firefox, Brave).
  • California residents (CCPA): we do not sell personal information.
  • EU/UK residents (GDPR): legal basis for collection is legitimate interest (analytics) and contract (portal accounts).

10. Cookies We Set

| Name | Purpose | Lifetime | Set By |
|---|---|---|---|
| _vmv_vid | Visitor identifier (analytics) | 365 days | public/t.js (only after consent) |
| _vmv_sid | Session identifier (analytics) | 30 min sliding | public/t.js (only after consent) |
| vmv_consent | Records consent decision | 365 days | ConsentBanner (Accept/Reject) |
| next-auth.session-token | Authenticated session (admin + client) | 30 days renewing | NextAuth on /api/auth/* |
| next-auth.csrf-token | CSRF protection on auth flow | session | NextAuth |
| next-auth.callback-url | Post-login redirect target | session | NextAuth |

11. Contact for Privacy Concerns

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

VMVTech, Ltd.

Privacy Officer

Email: privacy@vmvtech.com

We reserve the right to update this Privacy Policy at any time. Changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.
