Your data, our policy.

01Who we are

Who we are

VertoDigital is the trading name of Advert Ltd., a company registered in Bulgaria. Advert Ltd. is the data controller for the personal information described in this policy.

• Registered office: Alexander Malinov 31, Sofia 1729, Bulgaria
• Company registration number: BG204489245
• Operating offices: Sofia, Bulgaria · Boston, MA, USA
• Privacy contact: privacy@vertodigital.com

We have not appointed a statutory Data Protection Officer because our processing does not meet the GDPR Art. 37 threshold. For all privacy matters, use the address above.

02What this policy covers

What this policy covers

This policy applies to personal information we collect when you:

• Visit vertodigital.com or any VertoDigital sub-page.
• Fill in a form on our site — for example, to book a call, download the Pipeline Report, or subscribe to our research dispatch.
• Receive or reply to outbound marketing email we send to business contacts.
• Interact with VertoDigital on a third-party platform we control (for example, our LinkedIn company page).

It does not cover personal data we process on behalf of a paying client as part of a campaign we run for them. That processing is governed by the Data Processing Agreement attached to the Master Services Agreement with that client.

03What we collect

What we collect

Information you give us

• Identity and contact data — name, work email, company, job title, phone number (if provided).
• Message content — anything you type into a form field or send us by email.
• Engagement preferences — newsletter topic interests, unsubscribe status.

Information collected automatically

• Device and browser data — IP address (truncated where possible), user-agent, screen size, language.
• Usage data — pages viewed, time on page, referrer, clicks on outbound links and form submissions.
• Cookie and similar identifiers — set by the tools listed in Section 07. Non-essential cookies only fire after you accept them in our consent banner.

Information we receive from third parties

• Firmographic enrichment — when you submit a form, we may enrich your company data (industry, employee band, revenue band) via Clearbit or a similar provider, to route your request internally.
• Ad network signals — LinkedIn, Meta, Google, 6sense and similar platforms may share aggregated audience or conversion signals with us.
• Public professional profiles — publicly available information (for example, LinkedIn profile data) when we research a company we'd like to reach out to.

04How we use your information

How we use your information

• To respond to you — reply to enquiries, book meetings, send materials you've asked for.
• To run our marketing — send our newsletter and research dispatches to people who subscribed; show relevant ads on LinkedIn, Google and other platforms; measure whether those ads work.
• To do B2B outreach — email a small, targeted list of business contacts at companies that match our ideal client profile, with a clear unsubscribe link and identifying information in every message.
• To improve the website — understand which pages resonate, diagnose bugs, test new page layouts.
• To run the business — contracting, billing, accounting, fraud prevention, legal compliance.
• To keep things secure — detect and block abuse, bots, and attempted attacks.

We do not use your information to make fully automated decisions that produce legal or similarly significant effects on you.

05Legal bases for processing

Legal bases for processing

Under the EU GDPR and UK GDPR, we rely on the following legal bases:

• Consent — for non-essential cookies, third-party analytics and advertising tags, and sending our newsletter to subscribers. You can withdraw consent at any time (see Section 06 and Section 10).
• Legitimate interests — for targeted B2B outreach to business contacts at companies that fit our ideal client profile, basic site analytics that cannot identify you, fraud prevention, and direct marketing to existing business contacts about similar services. We have weighed these interests against your rights and believe they are proportionate; you can object at any time.
• Performance of a contract — where you've engaged us or are negotiating an engagement.
• Legal obligation — where we must process data to comply with applicable law (for example, tax records).

If you're in California or another US state with a comprehensive privacy law, we rely on the equivalent "business purpose" and "commercial purpose" categories described in Section 10.

06Cookies & tracking

Cookies & tracking

We use cookies, pixels and similar technologies (collectively, "cookies") for four purposes:

• Strictly necessary — required to run the site: session management, security, load balancing, remembering your cookie choices. These cannot be turned off.
• Analytics — help us understand which pages work. We use a mix of cookie-based (Google Analytics 4, Amplitude, Microsoft Clarity) and cookieless (Simple Analytics, Dreamdata) analytics. These fire only with your consent where required by law.
• Advertising — let us show relevant ads and measure their performance on platforms like LinkedIn, Meta, Google, 6sense and Influ2. These fire only with your consent.
• Functionality — remember preferences (for example, which Pipeline Report chapter you last read). Only with your consent where required.

We use a consent management platform (Usercentrics) to collect and record your cookie preferences. You can change your choices at any time:

Manage cookie preferences

You can also block cookies at the browser level. Blocking strictly-necessary cookies may break the site. We honor the Global Privacy Control (GPC) signal as an opt-out of "sale" and "sharing" for US residents (see Section 10).

A detailed, per-cookie inventory — including vendor, duration and purpose — is available inside the cookie preferences dialog above, and is updated automatically as vendors change.

07Third parties & processors

Third parties & processors

We share personal information only with service providers that help us run the website and our marketing. Each one acts under a written agreement with appropriate data-protection terms. The current list:

We do not sell your personal information for money. Some transfers to advertising platforms may constitute "sharing" or "sale" under the California CPRA definition; our cookie banner lets California residents opt out, and we honor the GPC signal automatically.

08International data transfers

International data transfers

We're based in the EU (Bulgaria) with a presence in the US. Several of the providers in Section 07 are headquartered in the United States or route data through the United States.

• For transfers out of the EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914), together with any supplementary measures a transfer requires.
• For transfers out of the UK, we rely on the UK International Data Transfer Addendum to the SCCs, or the UK IDTA where appropriate.
• We have not certified Advert Ltd. under the EU–US Data Privacy Framework. Where a US provider is DPF-certified, we may additionally rely on its certification; where it is not, SCCs are the transfer mechanism.

You can ask for a copy of our transfer safeguards (redacted where needed) at privacy@vertodigital.com.

09Retention

Retention

We keep personal information only as long as we need it for the purpose we collected it for, plus any period required by law.

• Marketing contacts (form submissions, newsletter subscribers) — up to 24 months from the last meaningful interaction, after which the record is deleted or anonymized.
• CRM records in HubSpot (clients, active sales conversations) — up to 7 years from the last engagement, to preserve account history for a reasonable business relationship cycle.
• Contractual and financial records — as long as required by tax, accounting and corporate law (generally up to 10 years under Bulgarian law).
• Analytics — aggregated or truncated, retained for up to 26 months.
• Server and security logs — up to 12 months.
• Cookie consent records — up to 24 months, so we can prove you consented if challenged.

10Your rights

Your rights

Depending on where you live, you have some or all of the following rights:

Under the EU GDPR and UK GDPR

• Access the personal information we hold about you.
• Correct information that's inaccurate or out of date.
• Delete your information (the "right to be forgotten"), subject to exceptions.
• Restrict how we process your information.
• Object to processing based on legitimate interests, including direct marketing.
• Receive a machine-readable copy of information you provided (data portability).
• Withdraw consent at any time, without affecting prior lawful processing.
• Lodge a complaint with your local supervisory authority. In Bulgaria that's the Commission for Personal Data Protection (CPDP). In the UK, the Information Commissioner's Office (ICO).

Under California's CCPA/CPRA (and similar US state laws)

• Know what personal information we collect and how we use it.
• Access, correct or delete your personal information.
• Opt out of "sale" or "sharing" of personal information. We do not sell for money; some advertising activity constitutes "sharing" under CPRA — you can opt out via the cookie preferences dialog, and we automatically honor the Global Privacy Control (GPC) browser signal.
• Limit the use of "sensitive personal information" — we do not knowingly process sensitive personal information through this site.
• Non-discrimination — we will not treat you differently for exercising any of these rights.

To exercise any right, email privacy@vertodigital.com with enough detail for us to identify you. We'll respond within the timeframe required by the applicable law (typically one month under GDPR, 45 days under CCPA).

11Security

Security

We apply organizational and technical measures appropriate to the risk, including:

• TLS (HTTPS) in transit across all forms and pages.
• Encryption at rest for CRM, email and file storage systems.
• Single sign-on and two-factor authentication for employee access to systems that hold personal data.
• Role-based access — employees see only what they need for their role.
• Periodic review of processors and sub-processors for their security posture.
• Incident response procedures and breach-notification routines aligned with Art. 33 GDPR.

No system is perfectly secure. If you believe your account or information has been compromised, contact privacy@vertodigital.com immediately.

12Children

Children

The VertoDigital website is a business-to-business service and is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

13Changes to this policy

Changes to this policy

We may update this policy to reflect new services, new legal requirements, or changes in the tools we use. The "Last updated" date at the top always shows the latest version. If we make a material change — for example, new categories of personal data or a new legal basis — we'll highlight it on this page and, where appropriate, notify you by email.

14Contact us

Contact us

For any question about this policy or how we handle your information:

• Email: privacy@vertodigital.com
• Post: Advert Ltd. — Privacy, Alexander Malinov 31, Sofia 1729, Bulgaria

We read every message, and we reply — usually within a few business days, always within the timeframe required by law.