VITAL4

DATA PRIVACY POLICY

VITAL4DATA, LLC
PRIVACY POLICY – Data Privacy Framework

Effective Date: May 2026

INTRODUCTION

Overview

VITAL4DATA, LLC (“VITAL4DATA”, “VITAL4”, “Company”, “we”, “our”, or “us”) provides global compliance and due diligence data solutions, including Anti-Money Laundering (AML), Know Your Customer (KYC), Know Your Business (KYB), sanctions screening, Politically Exposed Person (PEP) identification, and adverse media screening services.

Purpose

This Privacy Policy (“Policy”) describes how VITAL4DATA collects, uses, processes, transfers, and protects Personal Data in accordance with applicable data protection laws and the Data Privacy Framework Principles (“DPF Principles”).

Scope of Application

This Policy applies to Personal Data processed via VITAL4DATA’s platform, services, website, client engagements, reseller relationships, and human resources administration.

 

NOTICE

VITAL4DATA provides this Privacy Policy in a clear and conspicuous manner at or before the time personal data is collected, or as soon thereafter as practicable, and in all cases prior to using such data for a purpose other than that for which it was originally collected or disclosing it to a third party.

Data Privacy Framework Participation

VITAL4DATA complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. VITAL4DATA has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. VITAL4DATA has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Types of Personal Data Collected

VITAL4DATA processes personal data that may include:

  • identification data (e.g., name, aliases, date of birth)
  • compliance and risk data (e.g., sanctions listings, politically exposed person (PEP) status, adverse media references)
  • publicly available contact data
  • technical data (e.g., IP address, device information, logs)
  • human resources data

Sources of Personal Data

VITAL4DATA obtains personal data primarily from publicly available and lawful sources, including:

  • government publications and sanctions lists
  • regulatory authorities and enforcement records
  • court records and official filings
  • publicly available media and internet sources

VITAL4DATA may also receive personal data from clients, resellers, and individuals. VITAL4DATA does not purchase personal data from commercial data brokers.

Purposes of Processing

VITAL4DATA processes personal data for the following purposes:

  • compliance and due diligence services, including AML, KYC, and KYB
  • fraud prevention and risk mitigation
  • regulatory compliance and reporting
  • platform functionality and security
  • business operations and administration
  • human resources administration

Disclosure of Personal Data

VITAL4DATA may disclose personal data to:

  • clients and authorized users of its services
  • resellers and business partners
  • service providers and vendors supporting platform operations
  • regulators, law enforcement authorities, and public authorities where required by law

Such disclosures are made for purposes consistent with those described in this Privacy Policy.

Contact Information

Individuals may contact VITAL4DATA regarding this Privacy Policy or its data processing practices at:

VITAL4DATA, LLC
Compliance Department
3901 Mary Eliza Trace NW, Suite 203
Marietta, GA 30064, USA
Email: compliance@vital4.net

For individuals located in the European Union, the United Kingdom, or Switzerland, VITAL4DATA has appointed a representative to facilitate inquiries and the exercise of data subject rights. Additional information is available via VITAL4DATA’s designated representative portal. Access to this information can be found in Section 10 of this Privacy Policy.

Individual Rights

In accordance with the Data Privacy Framework Principles, individuals have the right to access personal data about them that is held by VITAL4DATA and to request correction, amendment, or deletion where such data is inaccurate or processed in violation of the Principles.

Additional information regarding the exercise of these rights is provided in the Access section of this Privacy Policy.

Choice

VITAL4DATA provides individuals with the opportunity to exercise choice regarding the use and disclosure of their personal data, including the ability to opt out of certain disclosures to third parties or uses for materially different purposes, and to provide affirmative consent where required for sensitive data.

Additional details regarding the exercise of choice are provided in the Choice section of this Privacy Policy.

Complaints and Dispute Resolution

Individuals may submit complaints directly to VITAL4DATA using the contact information above. VITAL4DATA maintains internal procedures for investigating and resolving complaints.

If unresolved, complaints may be referred to BBB National Programs at no cost.

Binding arbitration may be available.

See Section 8 for full details.

Regulatory Enforcement

The Federal Trade Commission has jurisdiction over VITAL4DATA’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Binding Arbitration

Under certain conditions, individuals may invoke binding arbitration to address residual claims not resolved by other available redress mechanisms. Additional information is available at:
https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf

Disclosure to Public Authorities

VITAL4DATA may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, as permitted under the Data Privacy Framework Principles.

Accountability for Onward Transfer

In the context of onward transfers of personal data to third parties, VITAL4DATA remains responsible and liable under the Data Privacy Framework Principles if such third parties process personal data in a manner inconsistent with the Principles, unless VITAL4DATA proves that it is not responsible for the event giving rise to the damage.

 

CHOICE

VITAL4DATA provides individuals with the opportunity to exercise choice regarding the use and disclosure of their personal data in accordance with the Data Privacy Framework Principles.

Opt-Out Rights

Individuals have the right to opt out of:

  • the disclosure of their personal data to a third party acting as an independent controller; and
  • the use of their personal data for purposes that are materially different from the purposes for which it was originally collected or subsequently authorized.

VITAL4DATA provides clear, conspicuous, and readily available mechanisms for individuals to exercise these rights.

Exercise of Choice

Individuals may exercise their choice rights by contacting VITAL4DATA at compliance@vital4.net.

Requests will be handled in accordance with VITAL4DATA’s internal procedures designed to ensure timely, consistent, and verifiable processing of such requests.

Transfers to Agents 

VITAL4DATA may disclose personal data to third-party service providers acting as agents on its behalf to perform tasks under VITAL4DATA’s instructions.

In such cases:

  • individuals are not required to exercise choice for such disclosures;
  • VITAL4DATA enters into contracts with such agents requiring that they process personal data only for specified purposes and provide at least the same level of protection as required by the Data Privacy Framework Principles.

Sensitive Personal Data

For personal data considered “sensitive” under applicable data protection laws, VITAL4DATA will obtain affirmative express consent (opt-in) from the individual prior to:

  • disclosing such data to a third party; or
  • using such data for a purpose other than that for which it was originally collected or subsequently authorized.

VITAL4DATA will also treat as sensitive any personal data received from a third party where that third party identifies and treats such data as sensitive.

Limitations on Choice

In certain circumstances, the ability to exercise choice may be limited where processing is necessary to:

  • comply with legal or regulatory obligations, including anti-money laundering (AML), counter-terrorist financing, and sanctions compliance requirements;
  • prevent, detect, or investigate fraud or other financial crimes; or
  • protect the rights, safety, and integrity of VITAL4DATA, its clients, or the public.

Where such limitations apply, VITAL4DATA will process personal data only to the extent permitted and required by applicable law and the Data Privacy Framework Principles.

Operational Implementation 

VITAL4DATA maintains internal processes and technical controls designed to ensure that choice requests are:

  • logged and tracked;
  • reviewed and validated;
  • implemented consistently across relevant systems; and
  • documented for audit and compliance purposes.

Where an individual exercises a valid choice right, VITAL4DATA will take reasonable steps to:

  • restrict processing;
  • cease disclosure to third parties acting as controllers; and
  • apply suppression or control mechanisms within its systems, except where processing is required by law.

VITAL4DATA will not process personal data in a manner inconsistent with an individual’s expressed choice, except where required by applicable law.

 

ACCOUNTABILITY FOR ONWARD TRANSFER

VITAL4DATA may transfer personal data to third parties, including service providers and business partners, in connection with the delivery of its services, platform operations, and business activities.

Transfers to Third-Party Controllers

Where VITAL4DATA transfers personal data to a third party acting as an independent controller, such transfers are made in accordance with the Notice and Choice Principles of the Data Privacy Framework.

VITAL4DATA enters into contracts with such third-party controllers that provide that:

  • personal data may be processed only for limited and specified purposes consistent with the consent provided by the individual;
  • the recipient will provide at least the same level of protection as required by the Data Privacy Framework Principles; and
  • the recipient will notify VITAL4DATA if it makes a determination that it can no longer meet its obligations under the Data Privacy Framework Principles.

The contract further provides that, upon such notification, the third-party controller will cease processing or take other reasonable and appropriate steps to remediate any non-compliant processing.

Transfers to Third-Party Agents (Service Providers) 

Where VITAL4DATA transfers personal data to third-party agents acting on its behalf, VITAL4DATA:

  • transfers such data only for limited and specified purposes;
  • ensures that the agent is contractually obligated to provide at least the same level of privacy protection as required by the Data Privacy Framework Principles;
  • takes reasonable and appropriate steps to ensure that the agent effectively processes personal data in a manner consistent with VITAL4DATA’s obligations under the Data Privacy Framework Principles;
  • requires the agent to notify VITAL4DATA if it makes a determination that it can no longer meet its obligations;
  • upon such notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
  • will, upon request, provide a summary or representative copy of the relevant privacy provisions of its contract with the agent to the U.S. Department of Commerce.

Due Diligence and Oversight

VITAL4DATA conducts appropriate due diligence on third-party service providers and maintains oversight mechanisms designed to verify that such parties continue to provide a level of protection consistent with the Data Privacy Framework Principles. VITAL4DATA periodically reviews its third-party relationships and data transfer practices to ensure ongoing compliance with the Data Privacy Framework Principles.

Liability

In the context of onward transfers of personal data, VITAL4DATA remains responsible and liable under the Data Privacy Framework Principles if its third-party agents process personal data in a manner inconsistent with the Principles, unless VITAL4DATA proves that it is not responsible for the event giving rise to the damage.

 

SECURITY

VITAL4DATA implements reasonable and appropriate administrative, technical, and organizational measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, in accordance with the Data Privacy Framework Principles.

These safeguards are designed taking into account:

  • the nature and sensitivity of the personal data processed;
  • the risks associated with the processing activities; and
  • the current state of technology and operational requirements.

Security measures implemented by VITAL4DATA include, as appropriate:

  • access controls and authentication mechanisms;
  • encryption and data protection technologies;
  • system monitoring, logging, and alerting;
  • vulnerability management and security testing;
  • role-based access and least privilege principles; and
  • employee training and awareness programs.

VITAL4DATA regularly reviews and updates its security practices to address evolving risks, threats, and technological developments and to maintain alignment with applicable legal and regulatory requirements. VITAL4DATA maintains incident response and security management procedures designed to detect, respond to, and mitigate potential security incidents involving personal data.

 

DATA INTEGRITY AND PURPOSE LIMITATION

VITAL4DATA processes personal data in a manner that is consistent with the purposes for which it was collected or subsequently authorized and in accordance with the Data Privacy Framework Principles.

Purpose Limitation

Personal data is processed solely for the purposes described in this Privacy Policy, including the provision of compliance, due diligence, and risk mitigation services, or for purposes that are compatible with those purposes.

VITAL4DATA does not process personal data in a way that is incompatible with the purposes for which it was originally collected or subsequently authorized by the individual, except where permitted or required by applicable law.

Data Minimization

VITAL4DATA limits the collection and processing of personal data to that which is relevant and necessary for the purposes for which it is processed.

Data Quality and Accuracy

To the extent necessary for the purposes of processing, VITAL4DATA takes reasonable steps to ensure that personal data is reliable for its intended use and is accurate, complete, and current.

Where personal data is derived from publicly available sources, VITAL4DATA processes such information in its original context and does not independently verify all underlying source material. Accordingly, VITAL4DATA relies on the accuracy of the originating sources and implements processes designed to maintain data integrity within its systems.

VITAL4DATA takes reasonable steps to ensure that personal data is processed in a manner consistent with the expectations of a reasonable person given the context in which the data was collected.

Contextual Nature of Compliance Data

Certain categories of personal data processed by VITAL4DATA, including sanctions data, politically exposed person (PEP) status, and adverse media references, reflect information derived from public records or third-party publications.

Such data is provided for informational and compliance purposes and may require further review, verification, or contextual analysis by VITAL4DATA’s clients.

Retention Limitation

VITAL4DATA retains personal data in identifiable form only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, contractual, and compliance obligations.

Personal data may be retained for longer periods where permitted by applicable law and where such retention reasonably serves purposes such as:

  • compliance with legal or regulatory obligations;
  • audit and risk management functions;
  • fraud prevention and security monitoring;
  • establishment, exercise, or defense of legal claims; or
  • statistical, research, or archival purposes, where applicable.

Data Disposal and De-Identification

Where personal data is no longer required for the purposes described above, VITAL4DATA takes reasonable and appropriate steps to securely delete, anonymize, or de-identify such data in accordance with applicable law and internal retention policies.

Ongoing Review

VITAL4DATA periodically reviews its data processing activities to ensure continued alignment with the purposes for which personal data was collected and to maintain compliance with the Data Privacy Framework Principles.

 

ACCESS

In accordance with the Data Privacy Framework Principles, VITAL4DATA provides individuals with the ability to access personal data about them that is held by VITAL4DATA and to request the correction, amendment, or deletion of such data where it is inaccurate or has been processed in violation of the Data Privacy Framework Principles.

Submission of Requests

Individuals may submit access requests by contacting:

VITAL4DATA, LLC
Compliance Department
3901 Mary Eliza Trace NW, Suite 203
Marietta, GA 30064, USA
Email: compliance@vital4.net

Verification 

VITAL4DATA will take reasonable steps to verify the identity of the individual prior to providing access to personal data in order to prevent unauthorized disclosure.

Scope of Access 

Upon receipt of a valid request, VITAL4DATA will provide access to the personal data it holds about the individual and, where applicable, information regarding the purposes of processing and categories of recipients to whom the data may have been disclosed.

Correction and Deletion 

Where personal data is determined to be inaccurate or processed in violation of the Data Privacy Framework Principles, VITAL4DATA will take reasonable steps to correct, amend, or delete such data, as appropriate.

Limitations on Access

In certain circumstances, VITAL4DATA may limit or deny access to personal data where permitted by the Data Privacy Framework Principles and applicable law, including where:

  • the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question;
  • the rights of other individuals or third parties would be violated;
  • disclosure is restricted by law, court order, or regulatory requirement;
  • providing access would interfere with or undermine efforts related to fraud prevention, anti-money laundering (AML), sanctions compliance, or other legal or regulatory obligations; or
  • the request is manifestly unfounded or excessive.

Publicly Available and Compliance Data Context 

Where personal data is derived from publicly available sources and processed for compliance, due diligence, or risk mitigation purposes, access may be limited to the extent necessary to preserve the integrity of regulatory processes and to comply with applicable legal obligations.

Response Timeframe 

VITAL4DATA will respond to access requests within a reasonable timeframe consistent with the Data Privacy Framework Principles and applicable law, generally within forty-five (45) days.

Fees 

VITAL4DATA does not charge a fee for processing access requests, except where permitted by applicable law in cases of excessive or repetitive requests.

 

RECOURSE, ENFORCEMENT AND LIABILITY

As described in the Notice section of this Privacy Policy, VITAL4DATA is committed to providing effective mechanisms for addressing complaints, resolving disputes, and enforcing its obligations under the Data Privacy Framework Principles.

Internal Complaint Resolution 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, VITAL4DATA commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact VITAL4DATA at:

VITAL4DATA, LLC
Compliance Department
3901 Mary Eliza Trace NW, Suite 203
Marietta, GA 30064, USA
Email: compliance@vital4.net

VITAL4DATA will investigate and attempt to resolve complaints in a timely manner and, in any event, within forty-five (45) days of receipt.

Independent Dispute Resolution

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, VITAL4DATA commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to BBB National Programs DPF Services, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers for more information or to file a complaint. The services of BBB National Programs DPF Services are provided at no cost to you.

Cooperation with Authorities

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, VITAL4DATA commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF in the context of the employment relationship.

Verification and Compliance Monitoring

VITAL4DATA maintains internal procedures designed to verify that its privacy practices are implemented as represented and are in compliance with the Data Privacy Framework Principles.

These procedures include monitoring, periodic review, and internal oversight mechanisms designed to identify and address potential instances of non-compliance.

Remediation and Enforcement 

VITAL4DATA is committed to remedying problems arising out of any failure to comply with the Data Privacy Framework Principles.

Where non-compliance is identified, VITAL4DATA will take appropriate corrective action, which may include:

  • updating policies and procedures;
  • implementing technical or organizational controls;
  • providing additional training; and
  • taking disciplinary or contractual action where appropriate.

Regulatory Enforcement 

VITAL4DATA is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with respect to its compliance with the Data Privacy Framework Principles.

In the event VITAL4DATA becomes subject to a court order or regulatory determination based on non-compliance, VITAL4DATA will make public any relevant Data Privacy Framework-related portions of any compliance or assessment report submitted to the court or regulatory authority, to the extent consistent with applicable confidentiality requirements.

Binding Arbitration

Under certain conditions, individuals may invoke binding arbitration to address residual claims not resolved by other available redress mechanisms, in accordance with Annex I of the Data Privacy Framework Principles.

Additional information regarding binding arbitration is available at: https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf

Liability for Onward Transfers

In the context of onward transfers of personal data, VITAL4DATA remains responsible and liable under the Data Privacy Framework Principles if its third-party agents process personal data in a manner inconsistent with the Principles, unless VITAL4DATA proves that it is not responsible for the event giving rise to the damage.

 

SUPPLEMENTAL DATA PRIVACY FRAMEWORK PRINCIPLES

Human Resource Data

VITAL4DATA processes human resources (“HR”) personal data transferred from the European Union, the United Kingdom, and Switzerland in the context of the employment relationship in accordance with the Data Privacy Framework Principles.

With respect to such HR data, VITAL4DATA commits to cooperate and comply with the advice of the relevant data protection authorities, including European Union Data Protection Authorities, the UK Information Commissioner’s Office, and the Swiss Federal Data Protection and Information Commissioner, in the investigation and resolution of complaints.

HR data is processed solely for employment-related purposes, including personnel administration, benefits management, compliance with legal obligations, and other legitimate employment-related activities.

VITAL4DATA applies appropriate safeguards to protect HR data and limits access to such data to authorized personnel with a legitimate business need.

Sensitive Personal Data

VITAL4DATA recognizes that certain categories of personal data are considered sensitive under the Data Privacy Framework Principles, including data relating to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information concerning an individual’s sex life.

VITAL4DATA will obtain affirmative express consent (opt-in) from the individual prior to:

  • disclosing sensitive personal data to a third party; or
  • using sensitive personal data for a purpose other than that for which it was originally collected or subsequently authorized.

VITAL4DATA will also treat as sensitive any personal data received from a third party where that third party identifies and treats such data as sensitive.

To the extent sensitive personal data is processed, VITAL4DATA applies enhanced safeguards and limits such processing to what is necessary and appropriate for the purposes described in this Privacy Policy and in accordance with the Data Privacy Framework Principles.

Publicly Available Information

VITAL4DATA processes personal data derived from publicly available sources, including government records, regulatory publications, sanctions lists, and publicly accessible media.

To the extent that VITAL4DATA relies on the Data Privacy Framework for such data, VITAL4DATA applies the Data Privacy Framework Principles to publicly available personal data where it combines such data with non-public personal data or where required by applicable law.

Where personal data is obtained solely from publicly available sources and is not combined with non-public personal data, VITAL4DATA processes such data in accordance with applicable law and recognizes that certain obligations under the Data Privacy Framework Principles may not apply to the same extent, as permitted under the Supplemental Principles.

VITAL4DATA processes publicly available data in its original context and provides such data for informational and compliance purposes. VITAL4DATA does not independently verify all underlying source material and relies on the accuracy of the originating sources.

 

CONTACT US

If you have any comments or questions about our privacy policy or our processing of your information, please contact:

VITAL4DATA, LLC
Compliance Department
3901 Mary Eliza Trace NW, Suite 203
Marietta, GA 30064, USA
Email: compliance@vital4.net

In compliance with the DPF Principles, VITAL4DATA commits to resolve complaints about your personal information. We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:

  • European Union (EU)
  • United Kingdom (UK)
  • Switzerland

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/12629606300


GDPR Certification: Art 27 representation by Prighter


UK-GDPR Certification: Art 27 representation by Prighter


Switzerland FADP certificate of representation

 

POLICY CHANGES

VITAL4DATA reserves the right to change this policy from time to time, consistent with the DPF Principles.