Privacy Policy | IT Vortex
Legal · Data Protection

Privacy Policy

How IT Vortex collects, uses, shares, retains, and protects personal information. Designed to satisfy the privacy laws that apply to us and the clients we serve.

Effective: May 26, 2026 · Last Updated: May 26, 2026 · Version: 2026.1
Compliance Alignment

Built to the Standards That Matter

Our privacy and security program is designed in alignment with the frameworks our enterprise clients rely on, supported by independent attestation and continuous improvement.

GDPR & UK GDPR

Full lawful basis matrix, data subject rights, SCCs and UK IDTA for cross-border transfers, and 72-hour breach notification.

CCPA / CPRA

Notice at collection, right to know / delete / correct / opt out, sensitive personal information limits, and authorized agent process.

ISO/IEC 27001 & 27701

Information Security Management System and Privacy Information Management extension governing how we run controls end to end.

NIST CSF 2.0 & Privacy Framework

Govern, Identify, Protect, Detect, Respond, Recover. Privacy engineering and risk management woven into every system.

SOC 2 Type II

Trust Services Criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy.

HIPAA & PCI DSS

BAAs available for covered entities. Card data tokenized by PCI DSS-validated processors with no card numbers stored on our systems.

Foundations

What This Policy Covers

The scope, vocabulary, and roles that frame every commitment in this document.

1. Scope and Application

This Privacy Policy explains how IT Vortex, LLC ("IT Vortex," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information when you visit our websites, use our managed cloud and infrastructure services, engage with our marketing programs, or otherwise interact with our business. We have designed this Policy to give you a clear account of our practices and to satisfy our obligations under the privacy and data protection laws that apply to us and our clients worldwide.

IT Vortex operates as a Premier Broadcom VCSP Partner delivering Infrastructure as a Service (IaaS), Desktop as a Service (DaaS), Disaster Recovery as a Service (DRaaS), Backup as a Service (BaaS), and Security as a Service (SECaaS) to mid-market and enterprise clients. This Policy applies when we act as a data controller (or "business" under California law), including information collected through:

  • Our websites, including theitvortex.com and any related subdomains, microsites, and landing pages.
  • Our customer, partner, and vendor portals.
  • Marketing and sales programs, including events, webinars, content downloads, and email campaigns.
  • Customer support, professional services engagements, and contract administration.
  • Recruiting, employment applications, and contractor onboarding.

This Policy does not apply to information we process on behalf of our clients as a data processor (or "service provider" under California law) in the course of delivering our cloud, infrastructure, and security services. See Section 21 for details.

At a Glance

We do not sell your personal information. We do not share it for cross-context behavioral advertising. We process personal information only for the purposes described in this Policy or as you have otherwise authorized.

2. Key Definitions

For clarity, we use the following terms throughout this Policy:

  • Personal Information (also "Personal Data") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
  • Sensitive Personal Information means a subset of Personal Information that is treated as a special category under law, such as government identifiers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, health information, biometric data, and the contents of private communications.
  • Processing means any operation performed on Personal Information, including collection, recording, storage, use, disclosure, transmission, alteration, and deletion.
  • Services means the products, platforms, professional services, and managed services offered by IT Vortex.
  • You means the individual to whom Personal Information relates.

3. Data Controller and Roles

For information we collect through our Sites, marketing programs, sales activities, support interactions, and recruiting:

| Role | Entity |
| --- | --- |
| Data Controller / Business | IT Vortex, LLC · 237 West Midland Avenue, Paramus, NJ 07652, USA |
| Privacy Office | [email protected] |
| EU Representative (Art. 27 GDPR) | Available upon written request to the Privacy Office |
| UK Representative | Available upon written request to the Privacy Office |

When we process Personal Information on behalf of our enterprise clients to deliver Services, we act as a processor (GDPR) or service provider (CCPA/CPRA). Our contractual commitments to clients in those scenarios are described in Section 21.

What We Collect

Information, Sources, and Sensitivity

The categories of information we handle, where it comes from, and how we treat the most sensitive elements.

4. Information We Collect

The categories of Personal Information we collect depend on how you interact with us. In the twelve months preceding the date of this Policy, we have collected the following categories:

| Category (CCPA §1798.140) | Examples |
| --- | --- |
| Identifiers | Name, postal address, email address, telephone number, company affiliation, job title, IP address, account identifiers, and online identifiers. |
| Customer Records Information | Billing address, payment account information (processed by our payment processors), and signed agreements. |
| Commercial Information | Records of Services purchased or considered, account history, usage patterns, and support interactions. |
| Internet / Network Activity | Browsing history on our Sites, interactions with our advertisements, device and browser information, referring URLs, session data, and security telemetry. |
| Geolocation Data | General location inferred from IP address. We do not collect precise geolocation through the Sites. |
| Professional / Employment-Related | Employer name, job function, work history, professional licenses, and information submitted with employment or vendor applications. |
| Audio and Visual | Call recordings (where lawful and disclosed), webinar recordings, and security camera footage at our facilities. |
| Inferences | Derived insights about role, interests, and likely product fit used to tailor outreach and content. |
| Sensitive Personal Information | See Section 5. |

5. Sensitive Personal Information

In limited circumstances, we collect a narrow set of Sensitive Personal Information, including:

  • Account credentials used to authenticate to our portals.
  • Government-issued identifiers such as a passport, visa, or other identification, where required for facility access or employment.
  • Financial account information needed to invoice clients or pay vendors, with card data tokenized by PCI DSS-compliant processors.
  • Contents of private communications when you email us, open a support ticket, or otherwise contact us directly.

We use Sensitive Personal Information only for the purposes permitted under California Civil Code §1798.121 and analogous laws, namely to provide the Services you have requested, to ensure security and integrity, to detect and respond to security incidents, to prevent fraud, and to comply with legal obligations. We do not use or disclose Sensitive Personal Information for purposes that would require providing you with a right to limit such use.

6. Sources of Personal Information

We collect Personal Information from the following sources:

  • Directly from you when you fill out a form, request a quote, sign a contract, attend an event, apply for a position, or otherwise communicate with us.
  • Automatically from your device when you visit our Sites or use our portals, through cookies, server logs, and similar technologies described in Section 10.
  • From your employer or organization when you are designated as a contact, administrator, or authorized user under a client or partner agreement.
  • From service providers and business partners such as marketing platforms, CRM and sales intelligence providers, payment processors, identity providers, security tooling, and channel partners.
  • From publicly available sources such as professional networking sites, corporate websites, government registries, and licensed business databases.

Usage & Sharing

Purposes, Legal Basis, and Disclosure

What we do with information, why we are allowed to do it, and who else may see it.

7. How and Why We Use Information

  • Deliver and manage Services, including provisioning, billing, support, and account management.
  • Communicate with you, including responding to inquiries, sending administrative notices, and providing service updates.
  • Marketing and sales, including inviting you to events, sending newsletters and product information, and tailoring outreach based on your role and interests, subject to your consent where required.
  • Improve our Services and Sites through analytics, usage measurement, A/B testing, and research.
  • Security, integrity, and fraud prevention, including authentication, access control, monitoring for suspicious activity, vulnerability management, and incident response.
  • Comply with law, including tax, accounting, audit, export control, anti-bribery, sanctions screening, and lawful requests from public authorities.
  • Recruit and hire, including evaluating applications, conducting interviews, and performing background checks where permitted.
  • Corporate transactions, including evaluating, negotiating, and completing mergers, acquisitions, divestitures, financings, or reorganizations.

9. How We Share Information

We disclose Personal Information only as described below. We do not sell Personal Information for monetary consideration, and we do not share Personal Information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.

Service Providers and Processors

We engage carefully selected vendors to perform services on our behalf, including cloud hosting, CRM, marketing automation, analytics, payment processing, customer support tooling, identity and access management, security operations, communications, and professional services. These vendors are bound by written contracts that limit their use of Personal Information to performing services for us and that require appropriate security and confidentiality safeguards.

Business and Channel Partners

Where you have engaged with a referral, distribution, or alliance partner (for example, Broadcom, Microsoft, Dell, Cisco, Fortinet, Veeam, CrowdStrike, Nutanix, or Omnissa), we may share limited business contact information with that partner to support the engagement.

Compliance and Legal

We may disclose Personal Information when we have a good-faith belief that disclosure is necessary to comply with applicable law, a subpoena, court order, or other lawful request; to enforce our agreements; to investigate, prevent, or address suspected fraud, security incidents, or other wrongdoing; or to protect the rights, property, or safety of IT Vortex, our clients, our employees, or the public.

Corporate Transactions

If we are involved in a merger, acquisition, divestiture, financing, reorganization, bankruptcy, or sale of all or a portion of our business or assets, Personal Information may be disclosed to advisors and counterparties subject to customary confidentiality protections, and may be transferred as part of the transaction.

With Your Direction

We share Personal Information with third parties when you direct us to do so, for example, by participating in a co-sponsored event or requesting an introduction to a partner.

10. Cookies and Tracking Technologies

Our Sites use cookies, pixels, tags, and similar technologies to make the Sites function properly, remember your preferences, measure performance, and support our marketing programs. We classify these technologies into four categories:

  • Strictly necessary cookies, which are required for the Sites to function and cannot be disabled.
  • Functional cookies, which remember choices you have made.
  • Analytics cookies, which help us understand how visitors use our Sites.
  • Advertising and marketing cookies, which support measurement of our campaigns and help us deliver relevant content.

Where required by law, we obtain your consent before placing non-essential cookies through a cookie banner on first visit. You can manage your preferences at any time through the cookie preferences link on our Sites or by configuring your browser to refuse or delete cookies. We honor Global Privacy Control (GPC) signals as a valid request to opt out of the sale or sharing of Personal Information for users covered by laws that recognize universal opt-out signals.

11. Automated Decision-Making and Artificial Intelligence

We do not use Personal Information to make decisions about you that produce legal or similarly significant effects through automated means without human involvement. Where we use machine learning or generative AI to support our operations (for example, to triage support tickets, summarize meeting notes, or score marketing leads), human reviewers remain accountable for outcomes that affect you. We do not train third-party foundation models on client Personal Information processed under our Services.

Data Handling

Retention and Cross-Border Transfers

How long we keep information and the safeguards that travel with it when it moves across borders.

12. Data Retention

We retain Personal Information only as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, audit, or reporting requirements; to resolve disputes; and to enforce our agreements. The criteria we use to determine retention periods include:

  • The nature and sensitivity of the information.
  • The purposes for which we process it and whether we can achieve those purposes through other means.
  • The amount of information involved and the potential risk of harm from unauthorized use or disclosure.
  • Applicable legal, regulatory, tax, accounting, or contractual obligations.

When Personal Information is no longer needed, we securely delete, destroy, or de-identify it in accordance with our records management program.

13. International Data Transfers

IT Vortex is headquartered in the United States and supports clients globally. Personal Information we collect may be transferred to, stored in, or processed in the United States and other countries that may have data protection laws different from those of your jurisdiction. Where required, we implement appropriate safeguards for cross-border transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and the equivalent UK International Data Transfer Agreement (IDTA) or Addendum.
  • Supplementary technical and organizational measures such as encryption in transit and at rest, access controls, and pseudonymization where appropriate.
  • Transfer Impact Assessments conducted in light of the Schrems II and successor frameworks.
  • Where applicable, certifications under the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework.

You may request a copy of the safeguards in place for a specific transfer by writing to the Privacy Office.

Security Program

Defense in Depth, By Design

A documented Information Security Management System aligned to ISO 27001/27701, NIST CSF 2.0, the NIST Privacy Framework, and the AICPA Trust Services Criteria.

14. Information Security Program

IT Vortex maintains a comprehensive Information Security Management System (ISMS) governed by senior leadership and reviewed at planned intervals. Our program is designed in alignment with internationally recognized frameworks, including ISO/IEC 27001 and ISO/IEC 27701, the NIST Cybersecurity Framework (CSF) 2.0, the NIST Privacy Framework, and the AICPA Trust Services Criteria underlying SOC 2 Type II attestation.

Administrative Safeguards

  • Written information security and privacy policies reviewed at least annually.
  • Mandatory security and privacy awareness training for all personnel at hire and annually thereafter, with role-based training for privileged personnel.
  • Background checks for personnel, where permitted.
  • Vendor risk management, including security assessments, contractual flow-downs, and ongoing monitoring of critical suppliers.
  • Documented incident response, business continuity, and disaster recovery plans tested at least annually.

Technical Safeguards

  • Encryption of Personal Information in transit using TLS 1.2 or higher and at rest using industry-standard algorithms (AES-256 or equivalent).
  • Multi-factor authentication for administrative and remote access.
  • Network segmentation, next-generation firewalls, intrusion detection and prevention, and 24x7 security monitoring through our SECaaS practice.
  • Endpoint detection and response on managed devices, with hardened baseline configurations.
  • Vulnerability management, including regular scanning, patching, and independent penetration testing.
  • Centralized logging, log integrity controls, and security information and event management.

Physical Safeguards

  • Access-controlled facilities with visitor management, surveillance, and environmental controls.
  • Data centers operated by IT Vortex or by carrier-grade colocation providers that maintain SOC 2, ISO 27001, or equivalent certifications.

Privacy by Design

Privacy is embedded into our engineering and procurement processes. New products, features, and vendor relationships are assessed for privacy impact, and we apply data minimization, purpose limitation, and storage limitation principles by default.

No security program can guarantee absolute protection, and we encourage you to take reasonable steps to protect your own accounts, including using strong, unique passwords and enabling multi-factor authentication where available.

15. Incident Response and Breach Notification

We maintain a documented Incident Response Plan that defines roles, severity classifications, containment procedures, forensic preservation, and communications. In the event of a Personal Information breach, we will notify affected individuals and applicable supervisory authorities without undue delay and within the timelines required by applicable law, including within 72 hours of becoming aware where required under the GDPR, and within the timelines specified by state breach notification statutes in the United States. Where IT Vortex acts as a processor on behalf of a client, we notify the relevant client as required by our contractual commitments so that the client can fulfill its own notification obligations.

Your Rights

What You Can Ask Us to Do

The rights you have under European, UK, Swiss, California, and other US state privacy laws, and exactly how to exercise them.

16. Your Rights (EU, UK, and Switzerland)

If you are located in the EEA, the UK, or Switzerland, you have the following rights with respect to your Personal Information, subject to conditions and exceptions in applicable law:

  • Right of access to confirm whether we process your Personal Information and to obtain a copy.
  • Right to rectification of inaccurate or incomplete information.
  • Right to erasure ("right to be forgotten") where the conditions for erasure apply.
  • Right to restriction of processing in certain circumstances.
  • Right to data portability for information you provided to us and that we process by automated means based on consent or contract.
  • Right to object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
  • Right not to be subject to solely automated decision-making that produces legal or similarly significant effects.
  • Right to lodge a complaint with your local supervisory authority. We would, however, appreciate the chance to address your concerns first and encourage you to contact our Privacy Office.

17. Your Rights (California and Other US States)

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, New Jersey, Minnesota, Maryland, Nebraska, New Hampshire, Kentucky, Rhode Island, or another state with a comprehensive consumer privacy law, you have the following rights, subject to applicable conditions and exceptions:

  • Right to know the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties to whom we have disclosed Personal Information.
  • Right to delete Personal Information we have collected from you, subject to applicable exceptions.
  • Right to correct inaccurate Personal Information.
  • Right to portability, where applicable, to receive a copy of Personal Information in a portable and, to the extent technically feasible, readily usable format.
  • Right to opt out of sale or sharing for cross-context behavioral advertising. As stated above, IT Vortex does not sell Personal Information and does not share it for cross-context behavioral advertising.
  • Right to limit the use of Sensitive Personal Information where applicable. We use Sensitive Personal Information only for permitted purposes under California Civil Code §1798.121.
  • Right to non-discrimination for exercising any of your privacy rights.
  • Right to appeal our decision on a request, where state law provides such a right.

California residents may also designate an authorized agent to submit requests on their behalf. We will require written authorization and may require the agent and consumer to verify the agent's identity and authority.

Shine the Light: California Civil Code §1798.83 entitles California residents to request information regarding our disclosure of Personal Information to third parties for those third parties' direct marketing purposes. We do not disclose Personal Information for such purposes.

18. How to Exercise Your Rights

You can exercise any of the rights described above by contacting us using the methods below. We will respond within the timelines required by applicable law, generally 30 days for CCPA/CPRA requests with one allowed extension of up to 45 days, and one month for GDPR requests with allowed extensions.

  • Email: [email protected]
  • Phone: 1 (844) 704-0684 and ask for the Privacy Office
  • Mail: IT Vortex, LLC, Attn: Privacy Office, 237 West Midland Avenue, Paramus, NJ 07652, USA

Identity verification: To protect your information, we will take reasonable steps to verify your identity before responding to a rights request. The verification method will be proportionate to the sensitivity of the information involved and the risk of harm posed by unauthorized access or deletion. We may ask you to provide information that matches what we already have on file or to confirm specific details about your relationship with us. We will not require you to create an account solely to submit a request. If we deny your request, we will explain why and inform you of your right to appeal where applicable.

Other Provisions

Children, Third Parties, Client Data, and Updates

The remaining commitments that round out our privacy framework.

19. Children's Privacy

Our Sites and Services are directed to businesses and are not intended for children. We do not knowingly collect Personal Information from anyone under 16 years of age. If we learn that we have collected Personal Information from a child without parental consent, we will delete that information promptly. Parents or guardians who believe their child has provided us with Personal Information may contact our Privacy Office.

20. Third-Party Services and Links

Our Sites may contain links to third-party sites, products, and services that we do not operate. This Policy does not apply to those third-party properties, and we are not responsible for their content or practices. We encourage you to review the privacy policies of any third-party service before providing your information.

21. Client Data and Our Role as a Service Provider

Many of our Services involve processing Personal Information that our enterprise clients place into our cloud, desktop, backup, disaster recovery, and security environments. In these cases:

  • We act as a processor under GDPR and a service provider under CCPA/CPRA.
  • The relevant client is the controller and business and remains responsible for its own privacy notices and lawful basis for processing.
  • Our processing is governed by the master services agreement, Data Processing Addendum (DPA), and where applicable, Business Associate Agreement (BAA) under HIPAA.
  • We process client Personal Information only on documented instructions from the client and for the purposes of providing the Services.
  • We assist clients with data subject rights requests, security incident notifications, Data Protection Impact Assessments, and audits to the extent set out in our agreements.

Individuals whose Personal Information is processed by IT Vortex in this capacity should direct privacy requests to the client that controls their information. If you are unsure who controls your information, we will work in good faith to route your inquiry appropriately.

22. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will revise the "Last Updated" date at the top of the Policy. If the changes are material, we will provide additional notice, such as a prominent notice on our Sites or, where appropriate, a direct communication. We encourage you to review this Policy periodically.

Get in Touch

Contact the Privacy Office

Questions, comments, rights requests, or concerns about how we handle Personal Information. We welcome them all.

Mailing Address

IT Vortex, LLC

Attn: Privacy Office

237 West Midland Avenue

Paramus, NJ 07652, USA

EU / UK Representative

Available upon written request to the Privacy Office.

Supervisory Authority

EEA, UK, and Swiss residents may also lodge a complaint with their local data protection authority.