Privacy Policy
Vidori (the "Service") operates programmatic real-time auctions for lead-flow markets. This policy describes what consumer data passes through the Service, how we handle it, and how to exercise your rights under applicable law.
1. Who we are
Vidori is operated by Vidori, a Delaware LLC (formed/forming). For privacy questions and data-subject access requests, contact [email protected].
2. Our role under TCPA, state privacy law, and similar regimes
Vidori is a service provider / processor to lead sellers and lead buyers. Consumer data enters the Service only when a seller submits a lead. The seller is the controller of the consent obtained from the consumer; Vidori processes that data on the seller's behalf to operate the auction and route the lead to the winning buyer, who in turn becomes the controller for downstream contact.
We do not operate consumer-facing lead forms. We do not collect consumer data directly. We do not sell consumer data to third parties outside the auction-routing function described in this policy.
3. What data passes through the Service
A typical lead carries fields such as: first name, last name, email, phone (US E.164), postal address (city / state / ZIP), date of birth, drivers-license state (where applicable to the vertical), vertical-specific intent fields (vehicle, roof age, project type, etc.), consent metadata (TrustedForm or Jornaya certificate URL, IP address at consent capture, user agent, timestamp), and a supplier identifier.
The Service stores leads in two forms:
- Raw lead — encrypted at rest, retained for a window matching the strictest applicable rule for the lead's jurisdiction (currently five years for both US TCPA-jurisdiction and Brazilian LGPD-jurisdiction leads). Used for auction routing, dispute resolution, and TCPA recordkeeping. Access restricted to operators with a documented audit reason.
- Anonymized features — PII-free typed fields derived from the raw lead. Used for scoring-model training and analytics. No name, no email, no phone, no street address. Retained indefinitely.
4. Consent provenance
Every lead routed through the Service must carry consent evidence from the consumer. For US TCPA-jurisdiction verticals this typically means a TrustedForm or Jornaya certificate URL recorded at the seller's form fill. Vidori verifies certificate age and issuer at lead ingest and rejects leads whose consent provenance fails validation. The certificate URL passes through unmodified to the winning buyer so the buyer can independently verify consent at contact time.
5. Cookies and tracking on this site
This site (vidori.net) is a static informational page. It does not set marketing cookies, does not run analytics scripts, and does not embed third-party trackers. Hosting infrastructure (Cloudflare, Amazon S3) may log request metadata as part of standard operational logging.
6. Your rights
Under the Telephone Consumer Protection Act (TCPA), the California Consumer Privacy Act (CCPA) as amended by the CPRA, the Virginia CDPA, the Colorado CPA, the Connecticut CTDPA, the Utah UCPA, and other state privacy laws as applicable, US consumers whose data passed through Vidori may:
- Request a copy of personal data we hold about you (Data Subject Access Request, "DSAR").
- Request correction of inaccurate personal data.
- Request deletion of personal data, subject to legal retention requirements (TCPA recordkeeping obligations may delay or partially override a deletion request).
- Opt out of further routing of your data through the Service. Note that the seller who originally captured your consent is typically the appropriate first contact for revocation; we will honor a revocation request directly when received.
For consumers whose data is subject to the Brazilian Lei Geral de Proteção de Dados (LGPD), equivalent rights apply, including the right to portability and the right to information about the legal basis under which data was processed.
To exercise any of the above, email [email protected] with sufficient information for us to identify the relevant records (typically your full name, the email address or phone number that was submitted, and an approximate date of the original form fill). We respond within statutory timelines (45 days for CCPA / CPRA; 15 days for LGPD on a confirmation; comparable windows for other state laws).
7. Sharing with third parties
We share lead data with:
- The winning buyer of an auction, per the seller's instructions and the consumer's consent. The buyer becomes the controller for downstream contact.
- Subprocessors that provide infrastructure to operate the Service (Amazon Web Services for cloud compute and storage, Cloudflare for DNS and edge delivery, ActiveProspect for TrustedForm verification). Subprocessor list available on written request to [email protected].
- Government or law-enforcement authorities when compelled by valid legal process.
We do not sell consumer data to advertising networks, data brokers, or any party outside the auction-routing function described above.
8. Security
Consumer data at rest is encrypted with customer-managed keys (AWS KMS). Data in transit is TLS-only. Access to raw consumer data is logged via AWS CloudTrail with object-level events on the lead-storage buckets. The Service follows an "auction-or-nothing" ordering invariant: an auction record is persisted before any compliance log, and the compliance log is persisted before any buyer fan-out, ensuring no consumer data reaches a buyer without a corresponding audit trail.
9. Breach notification
In the event of a data breach affecting consumer data routed through the Service, we will notify affected seller and buyer partners promptly and assist them in any consumer-facing notifications required under applicable law. Direct consumer notification responsibility rests with the controller (seller or buyer, as applicable).
10. Children
The Service is not directed at children under 16 and we do not knowingly route data of children under 16. If we learn we have inadvertently processed such data we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced at the top of this page and via notice to partner contacts. Continued use of the Service after the effective date of a change constitutes acceptance.
12. Contact
Vidori, a Delaware LLC (formed/forming).
Privacy + DSAR: [email protected]
General contact: [email protected]