U.S. Privacy Notice (CCPA / CPRA + multi-state)

1. Scope

This U.S. Addendum applies to residents of California (CCPA + CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy laws. The notice primarily follows the CCPA model as the most stringent.

2. Business identity

Vermont Solutions S.L., NIF B66520446, Agustín de Betancourt Street, 21 — 28003 Madrid, Spain.

Data Protection Officer: dpo@vermont-solutions.com. We do not maintain a physical office or sales presence in the United States.

3. CCPA/CPRA applicability

The CCPA applies to for-profit businesses doing business in California meeting one of: (a) annual revenues > $25M USD; (b) processes data of 100K+ California consumers/households/devices; (c) >50% revenue from selling/sharing personal information. Vermont Solutions provides this notice out of an abundance of caution regardless of whether thresholds are met.

4. Categories of Personal Information collected

In the last 12 months we have collected:

• Identifiers (name, email, IP address) — from you and automatically
• Customer Records (company name, job title) — from you
• Internet/Network activity (browsing, cookies) — automatically, with consent
• Geolocation data (country-level approximation) — automatically, with consent
• Professional/employment info (job title) — from you

We do NOT collect Sensitive Personal Information under CPRA § 1798.140(ae).

5. Sources

Directly from you (forms, subscriptions); automatically (cookies, server logs); from third-party service providers with consent (Google Analytics, LinkedIn Insight Tag).

6. Business purposes

Responding to your inquiries; sending commercial communications with consent; analytics (anonymized aggregates); legal compliance; fraud and security prevention; internal R&D.

7. Disclosure

In the past 12 months we have disclosed: Identifiers and Internet activity to Service Providers (analytics, email, hosting) and Third Parties for cross-context advertising (LinkedIn — only with consent).

We do NOT sell Personal Information for monetary consideration. Sharing for cross-context behavioral advertising requires your express opt-in.

8. Your CCPA/CPRA rights

California residents have the rights to:

9. How to exercise your rights

Submit a request to dpo@vermont-solutions.com with subject "CCPA Request" or by postal mail to Vermont Solutions S.L. — Privacy Rights — Agustín de Betancourt Street, 21 — 28003 Madrid, Spain.

We will: confirm receipt within 10 business days; respond within 45 calendar days (extendable by 45 additional days for complex requests); verify your identity using reasonable methods. Authorized agents accepted with written authorization.

10. "Do Not Sell or Share My Personal Information"

A "Your Privacy Choices" / "Do Not Sell or Share My Personal Information" link is provided in our website footer. This opens cookie preferences where you can opt out. We also honor Global Privacy Control (GPC) signals as valid opt-out requests.

11. Cross-border transfers (EU-US)

Personal Information of U.S. users is transferred to and processed in Spain (EU). Vermont Solutions S.L. relies on the European Commission Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor) and Module 3 where applicable, together with a documented Transfer Impact Assessment (TIA) per Schrems II requirements. The EU-US Data Privacy Framework (DPF) self-certification was evaluated and discarded in favor of SCCs + TIA as the chosen lawful transfer mechanism.

12. Other U.S. state privacy laws

For residents of VA, CO, CT, UT, TX and other states with comprehensive privacy laws, similar rights apply: access, deletion, correction, portability, opt-out of sale/sharing/targeted advertising. We honor Universal Opt-Out Mechanisms (UOOM) like GPC in states that require them (CO, CT, TX).

13. Children's privacy (COPPA)

We do not knowingly collect Personal Information from children under 13. Contact dpo@vermont-solutions.com for immediate deletion.

14. Cookies and tracking

See our Cookie Policy. Vermont Solutions honors Do Not Track (DNT) browser signals where technically feasible and Global Privacy Control (GPC) signals as opt-out of sale/sharing.

15. Data security

Reasonable security measures appropriate to the nature of Personal Information held, in compliance with ISO/IEC 27001:2022: SSL/TLS encryption, access controls, MFA, regular security audits.

16. Data breach notification

Affected California residents will be notified under Cal. Civ. Code § 1798.82 without unreasonable delay. The California Attorney General will be notified if 500+ California residents are affected. Other state breach laws will be complied with.

17. Contact and complaints

For questions or complaints: dpo@vermont-solutions.com or postal mail to Vermont Solutions S.L. — Agustín de Betancourt Street, 21 — 28003 Madrid, Spain.

You also have the right to lodge a complaint with the California Privacy Protection Agency (CPPA) at https://cppa.ca.gov/ or the California Attorney General at https://oag.ca.gov/privacy.

18. Updates

Last reviewed: 2026-05-14. Material changes communicated with 30 days advance notice.