/* VALDEX — Privacy notice */ const UPDATED = "May 18, 2026"; function PrivacyPage() { return (

This notice explains what personal data VALDEX LLC (a Wyoming limited liability company; "Valdex", "we", or "us") collects when you use our website at valdexai.com{" "} or contact us about an engagement, why we collect it, on what legal basis, how we use it, who we share it with, and the choices you have.

We try to keep this document short and readable. If you want the long jurisdictional drill-down, every section ends with a pointer to the regulator you'd write to.

} sections={[ { id: "controller", h: "1. Who is the data controller", body: (

VALDEX LLC is the data controller for the personal data described in this notice.

VALDEX LLC
1309 Coffeen Ave, Ste 1200
Sheridan, WY 82801, United States
privacy@valdexai.com · (762) 760-1179

We have not appointed a Data Protection Officer because our processing does not meet the GDPR Article 37 thresholds (we are not a public authority, we do not conduct large-scale systematic monitoring, and we do not process special- category data at scale). Our designated privacy contact is{" "} privacy@valdexai.com. If our scale changes, we will update this section.

)}, { id: "data", h: "2. What we collect", body: (

We collect three categories of personal data:

a. Information you give us

Contact details you provide through the intake form, audit form, or by emailing us — typically name, work email, role, company, website, and a few sentences about what you're trying to do.
Any documents, prompts, screenshots, or analytics access you share with us during an engagement or audit.
Billing details if you become a client. Card numbers are handled by Stripe; we never see or store them on our servers — Stripe returns us a token and a last-four for reconciliation.

b. Information we collect automatically

Cookieless web analytics. We use a privacy-respecting analytics tool that records page URL, referrer, country (derived from IP, then discarded), device class, and approximate session duration. No cookies are set for analytics. No cross-site tracking. No advertising identifiers. See cookie policy for the complete cookie inventory.
Server logs. IP address, user-agent, request path, and timestamp — retained for 30 days for security, debugging, and abuse prevention.

c. Information from third parties

If you authorize us during an engagement, we access analytics platforms (e.g. GA4), ad accounts, and CMS instances on your behalf. We do not retain copies of that data outside our engagement workspace, and we do not share it with anyone else.
If you reach out via a referral, we may receive your name and company from the referrer. We do not act on the introduction unless you contact us directly.

We do not knowingly collect special categories of personal data (health, biometric, political opinions, etc.) and we ask that you not send such data to us unsolicited. If you do, we will delete it.

)}, { id: "purposes", h: "3. Why we use it — purposes and legal basis", body: (

Under the EU/UK GDPR we must tell you the legal basis (Article 6) for each processing purpose. The table below is the operative one for us:

Purpose	Data used	Lawful basis (GDPR Art. 6)
Reply to your intake or audit request and assess fit	Name, work email, company, role, the message you sent	Legitimate interests — responding to inbound business inquiries (Art. 6(1)(f))
Deliver the engagement we agreed to and produce the documents in your engagement charter	Everything in your engagement workspace	Performance of a contract (Art. 6(1)(b))
Invoicing, accounting, tax records	Company name, billing contact, invoice line items	Legal obligation under Wyoming and U.S. federal tax law (Art. 6(1)(c))
Operate the website, prevent abuse, secure our systems	Server logs, IP, user-agent	Legitimate interests — security and abuse prevention (Art. 6(1)(f))
Aggregate, anonymous web analytics	Country-level traffic, referrer, device class	Legitimate interests — understanding which pages are useful (Art. 6(1)(f)); cookieless, so no ePrivacy consent required
Transactional and status emails to clients	Your contact email; engagement state	Performance of a contract (Art. 6(1)(b))
Defend against legal claims; respond to lawful government requests	Whatever is responsive	Legitimate interests (Art. 6(1)(f)) and/or legal obligation (Art. 6(1)(c))

We do not sell your personal data. We do not share it with advertising networks. We do not use it to train generative models — ours, our clients', or anyone else's. If our practice ever changes we will update this notice and notify existing clients before the change takes effect.

)}, { id: "share", h: "4. Who we share it with", body: (

We share personal data only with the service providers we actually use to run the business and with our professional advisors. The current list lives on the{" "} subprocessors page and is summarized here:

Stripe, Inc. — invoicing and card processing (United States).
Google LLC (Google Workspace) — business email, documents, calendar (United States).
1Password (AgileBits Inc.) — credential storage (Canada).
Plausible Analytics — cookieless web analytics, EU-hosted (Germany).
Cloudflare, Inc. — DNS, edge caching, DDoS protection (global).
Our accountant and our attorney, when required for bookkeeping or legal review (United States).

Each of these is under a written processor agreement that restricts use of your data to what is necessary to provide the service. None has the right to sell, repurpose, or train models on your data.

We will disclose information when legally required (subpoena, court order, lawful government request). We will tell you about it unless the request itself prohibits us from doing so.

)}, { id: "transfers", h: "5. International data transfers", body: (

We are a U.S. business and we process data with U.S.-based providers. If you contact us from outside the United States, your data will be transferred to and processed in the U.S.

For transfers of EU/EEA, UK, or Swiss personal data to the U.S. we rely on:

The EU–U.S. Data Privacy Framework, the UK Extension, and the Swiss–U.S. DPF where our subprocessor is certified (Google LLC and Stripe, Inc. are certified at the time of writing).
Standard Contractual Clauses (SCCs) for transfers to providers that rely on SCCs (1Password, Cloudflare), together with a transfer impact assessment kept on file.

You can request a copy of the safeguards in place for any specific transfer by emailing privacy@valdexai.com.

)}, { id: "retain", h: "6. How long we keep it", body: (

Intake messages from people we don't end up working with — 12 months from last contact, then deleted.
Audit requests and the diagnostics we produce — 24 months from delivery, then deleted unless the prospect becomes a client.
Engagement records (contracts, invoices, deliverables, status notes) — 7 years after the engagement ends, for tax and contract purposes (U.S. statute-of-limitations and IRS record-retention rules).
Server logs — 30 days.
Web analytics — aggregate, retained indefinitely; no individual identifiers stored.
Client data inside our engagement workspace — until 30 days after termination, then irrecoverably deleted (we hand you back credentials and exit).

)}, { id: "rights", h: "7. Your rights", body: (

Wherever you live, you can ask us to do any of the following with your personal data. We respond to verified requests within 30 days (45 days for California requests under the CCPA — see Section 8). We will comply unless we have a documented legal reason not to.

Access — get a copy of what we have about you.
Rectification — correct anything that's wrong or out of date.
Erasure ("right to be forgotten") — delete it, subject to the retention requirements in Section 6.
Restriction of processing — tell us to pause active processing while a dispute is resolved.
Data portability — receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
Objection — object to processing based on legitimate interests, including objection to direct marketing (we don't currently send marketing, but the right stands).
Withdraw consent — where we rely on consent, withdraw it at any time. Withdrawal doesn't affect the lawfulness of processing before withdrawal.
Lodge a complaint — file with your local data-protection supervisory authority. For EU/EEA visitors that is your national DPA; for the UK that is the ICO (ico.org.uk); for California that is the CPPA (cppa.ca.gov). We'd appreciate the chance to address your concern first.

How to make a request — two methods:

Email privacy@valdexai.com with the request and enough information for us to verify your identity (typically the email address you used when contacting us).
Mail a written request to VALDEX LLC, Attn: Privacy, 1309 Coffeen Ave, Ste 1200, Sheridan, WY 82801.

You may use an authorized agent to submit a request on your behalf. We will ask for written authorization signed by you, and we may still verify your identity directly.

We do not discriminate against you for exercising any of these rights.{" "} You will receive the same service, at the same price, with the same quality.

)}, { id: "california", h: "8. Your California privacy rights (CCPA/CPRA)", body: (

This section applies to California residents and is in addition to the rights in Section 7. We provide it whether or not we currently meet the CCPA business thresholds, because we'd rather give you the rights than argue jurisdiction.

Categories of personal information collected in the last 12 months

CCPA category	What we actually collect	Source	Purpose
Identifiers	Name, work email, company name, IP address	You; web request	Reply to inquiry; security
Commercial information	Engagement charter, invoices, billing history	You; Stripe	Deliver and bill the engagement
Internet or network activity	Pages viewed, referrer, device class — cookieless	Your browser	Understand which pages are useful
Geolocation (coarse)	Country derived from IP, then discarded	Your browser	Aggregate analytics
Professional / employment information	Title, role, what you're trying to do at work	You	Assess fit
Inferences drawn from any of the above	Whether you look like a fit prospect	Internal	Decide whether to reply with a discovery call

We do not collect: biometric information, geolocation beyond country, audio or visual recordings, sensitive personal information (precise geolocation, race/ethnicity, religious beliefs, union membership, genetic data, health information, sex life / sexual orientation, mail/email content, contents of messages, government-issued IDs, financial-account numbers, log-in credentials, citizenship status).

Categories of third parties we disclose PI to

Service providers and contractors only, listed on the{" "} subprocessors page. We do not disclose PI to data brokers, advertisers, or for cross-context behavioral advertising.

Sale and sharing of personal information

We do not sell or share your personal information as those terms are defined under the CCPA (including "share" for cross-context behavioral advertising). We have not done so in the preceding 12 months and have no intention to. Because we do not sell or share, no opt-out is operationally required — but you can confirm or formally request opt-out at any time via the methods in Section 7.

Sensitive personal information

We do not collect sensitive personal information as defined by the CPRA. If we ever do, you will have the right to limit its use to what is necessary to provide the service.

Your California rights

Right to know — what categories of PI we collect, sources, purposes, third parties.
Right to delete — your PI, subject to retention exceptions in Section 6.
Right to correct — inaccurate PI.
Right to opt out of sale or sharing — N/A since we do neither, but the right is preserved.
Right to limit use and disclosure of sensitive PI — N/A since we do not collect it.
Right to non-discrimination — we will not deny service, charge a different price, or provide a different quality of service for exercising any of these rights.
Right to data portability — same as Section 7.

Response timeline: we acknowledge receipt within 10 business days and substantively respond within 45 days. We may extend once by an additional 45 days where reasonably necessary, with notice to you.

Authorized agents: California residents may use an authorized agent. We will require written, signed permission from you and may verify your identity directly.

How to exercise: the two methods in Section 7 (email{" "} privacy@valdexai.com or mail to the office). You may also use the{" "} Your California privacy choices link in our footer to reach this section directly.

Shine the Light (Cal. Civ. Code § 1798.83)

California residents may request a notice describing categories of PI we shared with third parties for those third parties' direct marketing purposes in the prior calendar year. We do not share PI for third-party direct marketing.

Financial incentives

We do not offer loyalty programs, discounts in exchange for personal information, or other financial incentives.

)}, { id: "cookies", h: "9. Cookies and similar technologies", body: (

We don't use cookies for tracking or advertising. We don't load third-party advertising scripts, pixels, or social-media beacons. The complete inventory of cookies and similar technologies in use on this site — including any strictly- necessary cookies and what they do — lives on the{" "} cookie policy page.

)}, { id: "security", h: "10. How we secure your data", body: (

We use commercially reasonable technical and organizational measures, including transport encryption (HTTPS/TLS) for the website, encryption at rest where our providers support it, single-sign-on with hardware-key second factor for employee accounts, credential storage in 1Password Business, least-privilege access to client workspaces, and an internal incident-response runbook. Full description on the trust & security page.

No system is perfectly secure. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority (e.g. an EU DPA, the UK ICO) within 72 hours of becoming aware, where GDPR Article 33 applies.
Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
For California residents, comply with Cal. Civ. Code § 1798.82 breach-notification requirements.

)}, { id: "children", h: "11. Children", body: (

Our services are for businesses. We do not knowingly collect personal data from anyone under 16. We do not direct our services at children. If you believe a child has provided us personal data, email us and we will delete it.

)}, { id: "automated", h: "12. Automated decision-making", body: (

We do not subject you to legal or similarly significant decisions made solely by automated processing. Humans make the call on every engagement decision.

)}, { id: "changes", h: "13. Changes to this notice", body: (

When we change this notice, we update the date at the top and add a one-line note describing the change. Material changes that affect existing clients are also emailed to those clients at least 14 days before they take effect.

)}, { id: "contact", h: "14. Contact", body: (

Questions, requests, or complaints about this notice:

VALDEX LLC
Attn: Privacy
1309 Coffeen Ave, Ste 1200
Sheridan, WY 82801, United States
privacy@valdexai.com · (762) 760-1179

)}, ]} /> ); } ReactDOM.createRoot(document.getElementById("root")).render();