Privacy Policy

Introduction & Scope

VertiSource HR, LLC ("VertiSource HR," "we," "our," or "us") is a Professional Employer Organization (PEO) and administrative services provider headquartered at 6985 Union Park Center, Suite 100, Cottonwood Heights, UT 84047. We provide payroll administration, employee benefits, workers' compensation, HR advisory services, compliance support, and HR technology solutions to business clients and their workforces.

This Privacy Policy explains how VertiSource HR collects, uses, discloses, retains, and protects personal information and business data obtained through: (a) our website located at vertisourcehr.com and any affiliated subdomains; (b) our client portal and HRIS platform; (c) direct service delivery under executed client agreements; and (d) sales, marketing, and support communications.

This Policy applies to:

• Prospective clients who submit inquiries, request quotes, or download resources from our website
• Current and former business clients and their authorized representatives
• Worksite employees covered under a PEO co-employment or ASO arrangement, supplemented by the separate Employee Privacy Notice
• Job applicants who apply for positions at VertiSource HR, supplemented by the separate Applicant Privacy Notice
• Visitors to our website

Related notices. Three separate privacy documents supplement this Policy for specific populations and data types:

• Employee Privacy Notice, for VSHR internal employees and PEO/ASO worksite employees.
• Applicant Privacy Notice, for individuals who apply for employment with VertiSource HR.
• Biometric Information Policy, BIPA/CUBI-compliant disclosure for worksite employees whose employer has activated a biometric time-clock integration.

This Policy does not apply to data practices of third-party websites or services linked from our site. By using our website or services, you acknowledge the practices described in this Policy.

Information We Collect

We collect information from multiple sources depending on your relationship with us. The categories of information we collect are described below.

2.1 Personal Identification Information

When you contact us, request a quote, or create an account, we may collect: full name; job title and employer name; business email address; business phone number; mailing address; and account login credentials.

2.2 Business & Entity Information

As part of client onboarding and service delivery, we collect information about your organization, including: legal business name and DBA; federal Employer Identification Number (EIN); state tax identification numbers; business structure and ownership information; NAICS industry codes; number of employees; payroll frequency and history; and existing benefit plan information.

2.3 Payroll & HR Data

To administer payroll and HR functions on your behalf, we collect and process employee-level data including:

• Full legal names, Social Security Numbers (SSNs), and dates of birth
• Home addresses and personal contact information
• Compensation, wage rates, salary history, and deduction elections
• Direct deposit banking information
• W-4 and state tax withholding elections
• I-9 documentation and employment eligibility records
• Time and attendance records
• Leave balances and usage (vacation, sick, FMLA)
• Performance and disciplinary records (where applicable)
• Benefits elections and enrollment data, including health plan and dependent information
• Workers' compensation claims and incident reports

This data is received from client companies as part of the co-employment or ASO relationship and is processed solely for service delivery purposes.

2.4 Sensitive Personal Information

The nature of HR and benefits administration requires us to process certain sensitive categories of information, including Social Security Numbers, financial account data, and health information related to benefits enrollment. We limit collection, access, and use of sensitive data to what is strictly necessary for service delivery and legal compliance. We do not sell sensitive personal information.

2.5 Website & Usage Data

When you visit our website, we automatically collect certain technical information through cookies and web analytics tools, including: IP address; browser type and version; operating system; referring URL; pages visited and time spent; click patterns and navigation behavior; and device identifiers. This data is collected using first-party and third-party tracking technologies described in Section 10.

2.6 Communications Data

We retain records of communications sent to or from VertiSource HR, including emails, support tickets, callback requests, and contact form submissions. This helps us provide consistent service and maintain a record of representations made during the client relationship.

2.7 Data Minimization Principle

We collect and process only the personal information that is reasonably necessary and proportionate to the purposes described in this Policy. We do not knowingly collect information that is not relevant to delivering our contracted services, maintaining an account, or satisfying a legal obligation. When the retention periods described in Section 8 lapse, we take commercially reasonable steps to delete or de-identify personal information. VertiSource HR personnel accessing personal information on our behalf are limited to the minimum scope required by their role under our role-based access controls (Section 7.2).

2.8 California Notice at Collection

This subsection serves as the “Notice at Collection” required by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). It summarizes the categories of personal information we collect from California residents, the business purposes for which we collect each category, and the categories of third parties to which we may disclose the information.

Categories of Personal Information (PI) collected about California residents:

• Identifiers: full name, postal address, email address, phone number, employer name, job title, IP address, cookie identifiers. Purpose: deliver services, communicate, security.
• Customer Records (Cal. Civ. Code § 1798.80(e)): employment history, payroll records, tax withholding elections, banking information for direct deposit. Purpose: perform contracted payroll and HR services.
• Protected Classifications: age, marital status, national origin, disability, medical condition (for benefits enrollment), sex, gender. Purpose: benefits administration, EEO-1 reporting, leave administration.
• Commercial Information: services purchased, service history. Purpose: account management, billing.
• Internet or Electronic Network Activity: browsing history, interaction with our website, email open/click activity. Purpose: analytics, marketing, site improvement.
• Geolocation Data: approximate location derived from IP address. We do not collect precise (GPS-level) geolocation data from website visitors. (Where a client enables a mobile/GPS time clock, precise geolocation may be collected from worksite employees at clock-in. See the Employee Privacy Notice.) Purpose: regional analytics, regulatory compliance.
• Professional or Employment-Related Information: compensation, performance, disciplinary history, time and attendance. Purpose: perform contracted PEO/HR services.
• Sensitive Personal Information (SPI): see 2.8(a) below.
• Inferences: we do not draw commercial inferences from your PI (for example, we do not infer preferences, predispositions, behavior, or aptitudes for marketing or profiling).

Categories of sources. We collect personal information from the following sources: (i) directly from you (forms, account creation, communications, and information you submit); (ii) from your employer or the client company (for worksite-employee and co-employment data); (iii) automatically from your device and our website analytics (see Section 2.5); and (iv) from referral and event partners (see Section 2.10).

2.8(a) Sensitive Personal Information (SPI) Categories (per Cal. Civ. Code § 1798.121). The following SPI subcategories are collected strictly for the purposes permitted under CCPA/CPRA. SPI is used only for service delivery, legal compliance, security, and fraud prevention. We do NOT use SPI to infer characteristics.

• Social Security Numbers: for tax reporting (W-2s, 1099s), I-9 verification, and new-hire reporting to state agencies.
• Driver’s license, state ID, passport numbers: for I-9 employment eligibility verification.
• Account log-in credentials: for client-portal and HRIS authentication. Passwords are stored as salted, one-way hashes and are never human-readable.
• Financial account information: bank routing and account numbers for direct-deposit payroll, health-spending account debit cards.
• Precise geolocation: not collected from website visitors. Where a client enables a mobile or GPS-enabled time clock, precise geolocation may be collected from worksite employees at the moment of a clock-in event; this is treated as Sensitive Personal Information and is disclosed in the Employee Privacy Notice.
• Racial or ethnic origin: collected only if voluntarily provided for EEO-1 reporting or affirmative-action program administration.
• Religious or philosophical beliefs: NOT collected.
• Union membership: collected only for clients whose workforces are covered by collective bargaining agreements requiring VertiSource HR to remit dues.
• Contents of mail, email, or text messages: only the contents of communications sent to us (for example, support tickets), not communications between unrelated parties.
• Genetic data: NOT collected.
• Biometric identifiers and biometric information: See our separate Biometric Information Policy for the full BIPA/CUBI-compliant disclosure. Summary: VertiSource HR’s HRIS and Time & Attendance platform can integrate with biometric time-clock kiosks (fingerprint, palm-vein, or facial recognition) operated by client worksites. When a client elects to enable a biometric time-clock integration, the biometric identifiers and/or biometric information captured at the kiosk may be received and stored by VertiSource HR as a processor on behalf of the client company, which acts as the controller of that data. Biometric data is used only to authenticate the worker to their time-clock punch record and is not used for any other purpose. Retention, consent, disclosure, security, and worker-notice obligations under the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (CUBI), the Washington biometric statute (RCW 19.375), the New York SHIELD Act, the Colorado Privacy Act, and the California Consumer Privacy Act are the joint responsibility of the client company (as the worker’s direct employer and BIPA “private entity” with primary collection authority) and VertiSource HR (as processor). Clients activating biometric time-clock integrations are required under our service agreement to obtain written, informed consent from each worker before enrollment, and VertiSource HR will destroy biometric data no later than three (3) years after the worker’s separation or on written request by the worker or client, whichever is earlier. VertiSource HR does not sell or lease biometric data and does not disclose biometric data to any party other than the client company (controller), the time-clock device vendor (subprocessor), and authorities as required by law. If a worker subject to a VSHR-administered biometric time clock has questions or wishes to withdraw consent, they should first contact their employer’s HR representative and, for escalations only, email privacy@vertisourcehr.com.
• Health information: limited to benefits enrollment, claims administration, FMLA/ADA leave, and workers’ compensation claims, only as required to deliver those services.
• Sex-life or sexual-orientation data: NOT collected.

2.8(b) Categories of third parties to whom PI may be disclosed. Benefits carriers and plan administrators; payroll-tax remittance agencies; workers’ compensation insurers; IT infrastructure and cloud-hosting providers; CRM and email communication platforms (for marketing activities); federal and state government agencies (as required by law); professional advisors (auditors, counsel). See Section 5 for the full list.

2.8(c) Retention criteria. Personal information is retained for the period described in Section 8, which varies by category (7 years for payroll records, 6 years for benefits records, 3 years post-separation for employment records, 26 months for website analytics, 13 months for HubSpot cookies). Retention periods are set by statutory recordkeeping requirements (IRS, DOL, ERISA, state employment law) and by our need to defend our services and respond to legal process.

2.8(d) Sale and sharing status. VertiSource HR does NOT sell California residents’ personal information for monetary consideration, and does NOT share personal information for cross-contextual behavioral advertising. See Section 9.2(b) for the full treatment of “sale” and “share” under CCPA/CPRA.

2.9 Phone Communications & Call Handling

VertiSource HR may be reached by telephone at 855-565-8747. Inbound calls are answered by specialists and support staff. VertiSource HR does not routinely record inbound sales or support calls. Certain clinically-adjacent or compliance-sensitive calls (for example, workers’ compensation intake, benefits-enrollment counseling) may be recorded on a case-by-case basis where recording materially supports accurate claim handling or regulatory compliance; in those instances, callers are notified at the beginning of the call and given the option to proceed without recording or to continue via email. Call records, where made, are retained only for the period required by the underlying use case and are treated as Sensitive Personal Information if they contain SSNs, health information, or financial account data. If you would like to confirm whether a specific call you placed was recorded, email privacy@vertisourcehr.com.

2.10 Information from Other Sources & Lead Enrichment

VertiSource HR does not currently use commercial lead-enrichment services (for example, Clearbit, ZoomInfo, Apollo, or Lusha) to append personal or business information to website visitors or HubSpot contact records. If we add an enrichment vendor in the future, we will update this Section and this Policy to name the vendor, the categories of data appended, and the data sources. We may receive business-contact information from event registration lists when we co-host or sponsor industry events, and we may receive referral contacts directly from existing clients where those clients have represented that they have the right to share the contact with us. Information received from referrals is limited to business-contact data (name, title, company, business email, business phone).

How We Use Information

We use the information we collect for the following purposes:

3.1 HR Service Delivery

The primary purpose for which we collect employee and business data is delivering contracted PEO, ASO, payroll, benefits, and HR services. This includes processing payroll, remitting federal and state taxes, administering benefits enrollment, managing workers' compensation coverage, maintaining compliance records, and providing HR advisory support.

3.2 Client Relationship Management

We use contact and business information to communicate with authorized client representatives about service updates, contract matters, billing, support, and account changes.

3.3 Legal & Regulatory Compliance

We use collected data to meet mandatory legal and regulatory obligations, including filing W-2s and 1099s, remitting payroll taxes to federal and state authorities, responding to government audits and agency requests, maintaining ERISA-compliant benefits records, and satisfying state employment law obligations.

3.4 Sales & Marketing Communications

With prospects and subscribers who have provided consent or with whom we have an existing business relationship, we may use contact information to send information about our services, industry resources, compliance updates, and event invitations. You may opt out of marketing communications at any time by clicking "Unsubscribe" in any email or by emailing privacy@vertisourcehr.com.

3.5 Platform & Product Improvement

Aggregated and de-identified usage data from our HRIS and website is used to understand how our services and platform are used, identify areas for improvement, develop new features, and conduct internal analytics. De-identified data cannot reasonably be re-linked to individual users.

3.6 Security & Fraud Prevention

We use technical and behavioral data to monitor for unauthorized access, detect fraudulent activity, and protect the security of our systems and your data.

Legal Basis for Processing

To the extent applicable data protection laws require us to identify a lawful basis for processing personal information, VertiSource HR relies on the following:

4.1 Contract Performance

The majority of personal and business data we process is necessary for the performance of our executed service agreements with client companies. Without such processing, we cannot fulfill our contractual obligations for payroll, benefits, tax administration, and compliance services.

4.2 Legal Obligation

Processing payroll records, withholding taxes, remitting employer contributions, retaining I-9 documents, and filing required government reports are legal obligations under federal and state law, including the Internal Revenue Code, the Fair Labor Standards Act, the Affordable Care Act, and applicable state employment statutes.

4.3 Legitimate Interests

We process certain information, such as website analytics, fraud monitoring, and sales communications with existing clients, based on our legitimate business interests, provided those interests are not overridden by the rights and interests of the individuals whose information is processed.

4.4 Consent

For marketing communications directed at prospects who have not yet engaged us for services, we rely on prior consent where required by applicable law. You may withdraw consent at any time without affecting the lawfulness of processing conducted before withdrawal.

Data Sharing & Disclosure

5.1 Service Providers & Subprocessors

We share personal and business data with trusted third-party vendors and service providers who assist in delivering our services. These include payroll processing technology providers, benefits carriers and administrators, workers' compensation insurers, tax filing services, secure document storage vendors, IT infrastructure and cloud hosting providers, and CRM and email communication platforms. All service providers are bound by data processing agreements requiring them to use shared information only for specified service purposes and to maintain appropriate security measures.

5.2 Benefit Plan Carriers

To administer health, dental, vision, life, disability, and other benefits, we share employee enrollment data with the relevant insurance carriers and plan administrators. This sharing is required to effectuate coverage and process claims on behalf of enrolled employees.

5.3 Government Agencies & Legal Process

We disclose information to government authorities (including the IRS, state departments of revenue, the Department of Labor, and immigration agencies) as required by law. We may also disclose information in response to a valid court order, subpoena, or other legal process. Where permitted by law, we will attempt to notify the affected client prior to such disclosure.

5.4 Business Transfers

In the event of a merger, acquisition, sale of assets, or similar corporate transaction, personal information may be transferred as part of the transaction. We will provide notice on our website and, where feasible, to affected clients prior to any such transfer, and the recipient will be required to honor the commitments made in this Policy.

5.5 Protection of Rights

We may disclose information when we believe disclosure is appropriate to: protect the rights, property, or safety of VertiSource HR, our clients, their employees, or the public; investigate suspected fraud or policy violations; or enforce our agreements.

5.6 Background Checks & FCRA-Adjacent Processing

As part of our HRIS and onboarding services, VertiSource HR may coordinate background checks, drug screens, employment-eligibility verifications (I-9 / E-Verify), and reference checks on behalf of client companies. These checks are performed by third-party Consumer Reporting Agencies (CRAs) and screening vendors (including category-representative providers such as Checkr, Sterling, and GoodHire) under contract with VertiSource HR or directly with the client. When a client company orders a background check through VertiSource HR:

• The client company acts as the “user” of the consumer report under the Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681 et seq.) and is responsible for issuing FCRA pre-adverse and adverse-action notices to applicants or employees.
• The CRA acts as the “consumer reporting agency” under the FCRA and is responsible for compliance with 15 U.S.C. §§ 1681b, 1681e, and 1681g.
• VertiSource HR acts as a service provider that facilitates the workflow (ordering the report, receiving results, storing results with the applicable personnel file) and does not independently compile consumer reports.

Results of background checks are treated as Sensitive Personal Information. Access to background check results within VertiSource HR is limited to personnel with a role-based need and to the requesting client company’s authorized representatives. Applicants or employees with questions about the accuracy or content of a report should direct those questions to the CRA identified in the written FCRA disclosure they received at the time the check was ordered; VertiSource HR can facilitate that contact on request.

Co-Employment Data

VertiSource HR's PEO model creates a co-employment relationship in which VertiSource HR serves as the employer of record for certain HR, payroll, and benefits purposes, while the client company retains operational control over day-to-day work assignments, supervision, and business direction. This arrangement has specific implications for how employee data is handled.

6.1 Shared Employer Responsibilities

Under the co-employment model, both VertiSource HR and the client company are considered employers of the worksite employees. As a result, VertiSource HR has a direct legal relationship with worksite employees for purposes including payroll, tax withholding, benefits administration, and applicable employment law compliance. Client companies retain employment responsibilities related to hiring, termination, performance management, and workplace supervision.

6.2 Employee Data Received from Client Companies

Virtually all employee personal data processed under a PEO arrangement is initially collected by the client company and transmitted to VertiSource HR for service delivery purposes. VertiSource HR acts as both an employer and a data processor with respect to this information. Client companies are responsible for ensuring they have appropriate authority to share employee data with VertiSource HR and for notifying their employees of the co-employment relationship and associated data handling practices.

6.3 Employee Notifications

Client companies are required under our service agreement to inform their worksite employees that VertiSource HR serves as co-employer and will process payroll, benefits, and related HR data on their behalf. VertiSource HR may also provide employees with direct notice through onboarding documentation accessible through the employee self-service portal.

6.4 ASO Arrangements

Under Administrative Services Only (ASO) arrangements, VertiSource HR acts as a service provider rather than a co-employer. In ASO arrangements, the client company remains the sole employer and VertiSource HR processes employee data solely as a contracted data processor under the client's direction and in accordance with the executed service agreement.

Data Security

VertiSource HR takes the security of personal and business data seriously and implements multiple layers of technical, administrative, and physical safeguards.

7.1 Encryption

All data transmitted between users and our systems is encrypted using TLS 1.2 or higher. Data at rest, including payroll records, banking information, and SSNs, is encrypted using AES-256 or equivalent industry-standard encryption.

7.2 Access Controls

Access to personal and payroll data is restricted on a role-based, need-to-know basis. Privileged access requires multi-factor authentication (MFA). System access is logged and reviewed. Employee access is revoked immediately upon termination or role change.

7.3 Infrastructure & Vendor Security

Our HRIS platform (marketed by VertiSource HR as “The VertiSource HR Cloud”) and the data infrastructure underlying it are operated by cloud and SaaS service providers that have represented to us, under contractual commitments, that they maintain independent third-party security attestations (including SOC 2 Type II or ISO 27001-family reports). VertiSource HR relies on those attestations as part of our vendor due-diligence process but does not independently audit each provider’s controls. VertiSource HR does not itself hold an independent SOC 2 attestation as of the effective date of this policy. We conduct periodic vendor security reviews, require contractual security commitments from all data subprocessors, and require breach-notification obligations consistent with applicable law.

Named subprocessors

For transparency under CCPA/CPRA, GDPR (where applicable), and analogous state laws, the principal subprocessors that process personal information on behalf of VertiSource HR include:

• Worklio, Inc., HRIS, payroll, and benefits-administration platform layer (white-labeled to clients as “The VertiSource HR Cloud”). Holds SOC 2 Type II attestation at the platform layer.
• Microsoft Corporation (Microsoft Azure), U.S.-region cloud infrastructure hosting. Maintains SOC 2 Type II, ISO 27001, and ISO 27018 attestations.
• HubSpot, Inc., marketing, CRM, and contact-form processing.
• ZayZoon, Inc., earned-wage-access integration where elected by the client employer.
• Stripe, Inc., payment tokenization and ACH/card processing for client billing. A PCI DSS Level 1 service provider; VertiSource HR does not store cardholder data.
• Postmark / SendGrid (Twilio Inc.), transactional email delivery (paystub notifications, password resets, and system notices).

A full and current list of subprocessors, including secondary processors used for ancillary functions, is maintained in our Data Processing Addendum, available to clients on request to privacy@vertisourcehr.com. Subprocessor changes that materially affect the processing of personal information will be notified to active clients consistent with the DPA.

7.4 Internal Controls & Training

VertiSource HR personnel who handle personal data are required to complete information security and privacy training. We maintain written data security policies and conduct periodic internal audits of data handling practices.

7.5 Incident Response

We maintain a written incident response plan. In the event of a confirmed data security incident that affects personal information, we will:

• Contain and investigate the incident promptly
• Notify affected clients and, where required by law, affected individuals
• Report to relevant regulatory authorities as required under applicable breach notification laws
• Document the incident and implement remediation measures

Notification timelines will comply with applicable state and federal breach notification requirements, which may vary from 30 to 72 hours depending on jurisdiction and incident classification.

7.6 Limitations

Despite our security efforts, no system can guarantee absolute security. We encourage clients and users to use strong, unique passwords, enable MFA where available, and promptly report any suspected unauthorized access to privacy@vertisourcehr.com.

7.7 HIPAA & Business Associate Agreements

Several VertiSource HR services involve the creation, receipt, maintenance, or transmission of Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act and implementing regulations (the “HIPAA Rules”). PHI is most commonly involved in: (a) group-health-plan benefits enrollment and administration, (b) claims administration for clients’ self-insured or level-funded plans, (c) Family and Medical Leave Act (FMLA) leave administration, (d) workers’ compensation claim coordination where health records are involved, and (e) Consolidated Omnibus Budget Reconciliation Act (COBRA) administration.

VertiSource HR’s HIPAA role. VertiSource HR generally acts as a Business Associate (or, in some structures, a Subcontractor Business Associate) of its client companies and the group health plans they sponsor, rather than as a Covered Entity. Where a Business Associate Agreement (BAA) is required under 45 CFR § 164.504(e), VertiSource HR executes a BAA with the client (or plan sponsor) before receiving PHI. Our BAA template incorporates required use-and-disclosure limitations, safeguard requirements under the HIPAA Security Rule (45 CFR Part 164, Subpart C), breach-notification obligations under the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), and subcontractor flow-down language.

Interaction with this Policy. To the extent PHI is processed under a BAA, the BAA and the HIPAA Rules govern, and this Privacy Policy is supplemental and does not override the BAA’s terms. Individuals wishing to exercise HIPAA rights of access (45 CFR § 164.524), amendment (§ 164.526), or accounting of disclosures (§ 164.528) regarding PHI held by VertiSource HR should first contact the Covered Entity (typically, their employer’s group health plan administrator). Requests escalated to VertiSource HR directly should be sent to privacy@vertisourcehr.com with “HIPAA Request” in the subject line; we will coordinate with the applicable Covered Entity to respond.

Minimum-necessary standard. VertiSource HR limits access to PHI to the minimum necessary for the particular use or disclosure (45 CFR § 164.502(b)). Personnel with access to PHI complete HIPAA privacy-and-security training before access is granted and annually thereafter.

Data Retention

We retain personal and business information for as long as necessary to fulfill the purposes described in this Policy, comply with applicable legal obligations, resolve disputes, and enforce our agreements. Specific retention periods by category are as follows:

8.1 Payroll Records

Payroll records, including wage rates, hours worked, tax withholding calculations, and payment records, are retained for a minimum of seven (7) years following the end of the relevant tax year, consistent with IRS and Department of Labor recordkeeping requirements under the FLSA and Internal Revenue Code.

8.2 Benefits Records

Employee benefits enrollment records, plan documents, and ERISA-required records are retained for a minimum of six (6) years from the date of filing, in accordance with ERISA Section 107 and applicable DOL regulations. COBRA election notices are retained for a minimum of six (6) years.

8.3 Employment & I-9 Records

I-9 Employment Eligibility Verification forms are retained for three (3) years from date of hire or one (1) year after separation, whichever is later, as required by federal immigration law. Other employment records, including offer letters, disciplinary records, and performance documentation, are retained per applicable state law, which varies; minimum retention is generally three (3) years post-separation.

8.4 Workers' Compensation Records

Workers' compensation claim records are retained for a minimum of five (5) years or for the duration of any open claim, plus applicable state-law minimums, whichever is longer.

8.5 Tax Filings & Reports

Copies of all tax filings (W-2s, 941s, 940s, state returns) and supporting documentation are retained for seven (7) years.

8.6 Website & Marketing Data

Website analytics data is retained for up to twenty-six (26) months. CRM records for prospects and leads are retained for up to three (3) years from last meaningful engagement. Email opt-out lists are retained indefinitely to honor future opt-out preferences.

8.7 Post-Relationship Retention

Following termination of a client service agreement, we will retain client and employee data for the applicable statutory retention periods described above. Clients may request a data export during the wind-down period specified in their service agreement. After the applicable retention period, data will be securely destroyed or de-identified.

Your Rights

Depending on your location and relationship with VertiSource HR, you may have the following rights regarding your personal information.

9.1 Rights Available to All Individuals

• Access: You may request a copy of the personal information VertiSource HR holds about you.
• Correction: You may request correction of inaccurate or incomplete personal information.
• Deletion: You may request deletion of your personal information, subject to our legal retention obligations and contractual commitments.
• Portability: You may request that we provide your personal information in a structured, machine-readable format for transfer to another service provider where technically feasible.
• Opt-Out of Marketing: You may opt out of marketing communications at any time as described in Section 3.4.

9.2 California Residents. CCPA / CPRA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). See Section 2.8 for the required Notice at Collection disclosures.

9.2(a) Your CCPA / CPRA Rights

• Right to Know: You may request that we disclose the specific pieces of personal information we have collected about you, the categories of personal information collected, the categories of sources from which the information was collected, the business or commercial purposes for collecting the information, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete personal information we have collected from you, subject to exceptions including information needed to complete transactions, comply with legal obligations, maintain security, defend legal claims, or serve as a record of the business relationship.
• Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: See Section 9.2(b) below. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
• Right to Limit Use of Sensitive Personal Information (SPI): You may request that we limit the use of SPI to purposes necessary to perform the services reasonably expected by an average consumer. VertiSource HR already limits SPI use to service delivery, legal compliance, security, and fraud prevention, we do not use SPI to infer characteristics or for any purpose beyond those enumerated in Cal. Civ. Code § 1798.121(a), so this right is functionally maintained by our default practice.
• Right to Opt-Out of Automated Decision-Making & Profiling: See Section 13 for our full statement. We do not currently engage in automated decision-making that produces legally significant effects.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right. We will not deny you services, charge different prices, provide a different level or quality of services, or retaliate.
• Right to Appeal (on Denial): If we deny a rights request, you may submit an appeal. We will respond to appeals within sixty (60) days with a written explanation of our decision.

9.2(b) Do We Sell or Share Your Personal Information?

Under the CCPA/CPRA, “sale” means the disclosure of personal information for monetary or other valuable consideration. “Sharing” is the broader concept of disclosing personal information for cross-contextual behavioral advertising, whether or not for monetary consideration.

VertiSource HR does not sell your personal information for monetary consideration. VertiSource HR does not disclose personal information to third parties for cross-contextual behavioral advertising. Our disclosures to third parties are limited to: (i) service providers and contractors bound by data-processing agreements that prohibit secondary use of the information, (ii) government agencies as required by law, (iii) affiliates and successors in a business transfer (per Section 5.4), and (iv) parties we disclose for the specific purposes you authorized. None of these disclosures qualify as a “sale” or “share” under the CCPA/CPRA. Accordingly, there is no active opt-out mechanism required, but we honor Global Privacy Control signals (Section 10.5) as a precaution.

9.2(c) How to Exercise Your CCPA / CPRA Rights, Four Methods

You may submit a consumer rights request through any of the following methods:

• Email: privacy@vertisourcehr.com, include “California Privacy Rights Request” in the subject line and identify the right you wish to exercise.
• Toll-Free Phone: 855-565-8747, ask for the Privacy Officer during business hours (Mon–Fri, 8:00 a.m. to 5:00 p.m. Mountain Time).
• Online Form: Visit vertisourcehr.com/contact and select “Privacy Request” from the reason-for-contact dropdown.
• Mail: Attn: Privacy Officer, VertiSource HR, LLC, 6985 Union Park Center, Suite 100, Cottonwood Heights, UT 84047.

9.2(d) Verification of Requests

We will verify your identity before responding to a substantive rights request. Verification uses two data points that already exist in our records (for example: full name plus last four of SSN, or full name plus employer and date of hire). For requests made on behalf of a household, we will verify that every member of the household is a party to the request. For sensitive requests (deletion of a broad category of data; disclosure of specific pieces of personal information), we apply a higher standard of verification and may require a signed declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.

9.2(e) Response Timing

We will confirm receipt of your request within ten (10) business days and will respond substantively within forty-five (45) days. Where necessary, we may extend the response period by up to an additional forty-five (45) days with written notice to you describing the reason for the extension. If we cannot fulfill all or part of your request, we will explain why in writing and provide instructions for filing an appeal.

9.2(f) No Financial Incentives

VertiSource HR does not offer financial incentives or price/service differences in exchange for the retention or sale of personal information, and we do not engage in financial-incentive programs under Cal. Civ. Code § 1798.125(b). You are not required to provide personal information beyond what is strictly necessary to use our services.

9.2(g) Authorized Agent Submissions

Authorized agents may submit CCPA/CPRA requests on your behalf. See Section 9.8 for the required verification process.

9.2(h) Annual Metrics Disclosure

The California Privacy Protection Agency regulations at 11 CCR § 7102 require businesses that buy, receive, sell, or share the personal information of 10 million or more California consumers in a calendar year to disclose certain metrics about consumer requests. VertiSource HR processes the personal information of significantly fewer than 10 million California consumers and therefore falls below this reporting threshold. If VertiSource HR’s California consumer footprint expands to meet the threshold in a future calendar year, we will publish the required metrics within the timeframes specified by the regulations.

9.3 Worksite Employees

Worksite employees should direct most personal data requests to their employer's HR representative. For requests that cannot be resolved at the employer level, worksite employees may contact VertiSource HR directly at privacy@vertisourcehr.com. Please note that some data deletion requests from worksite employees may be limited by applicable payroll and employment record retention laws and by the terms of the co-employment relationship.

9.4 Visitors Outside the United States

VertiSource HR provides services only to businesses and individuals located in the United States. We do not target or market to residents of the European Economic Area (EEA), the United Kingdom, or Switzerland, and our website is not directed to them. Our website and systems are hosted in the United States, so if you access our website or submit information to us from outside the United States, your information will be transferred to and processed in the United States under U.S. law. If you are located in the EEA, UK, or Switzerland and believe the GDPR or UK GDPR applies to our processing of your personal data, please contact us at privacy@vertisourcehr.com and we will respond to verifiable requests as required by applicable law.

9.5 Utah Residents. Utah Consumer Privacy Act (UCPA) Rights

VertiSource HR is headquartered in the State of Utah. If you are a Utah resident, the Utah Consumer Privacy Act (UCPA, Utah Code § 13-61, effective December 31, 2023, as amended by HB 418 effective July 1, 2026) provides you with the following rights, to the extent the UCPA's thresholds apply to our processing:

• Right to confirm and access: the right to confirm whether we are processing your personal data and to access that data.
• Right to delete: the right to request deletion of the personal data you provided to us.
• Right to portability: the right to obtain a copy of personal data you previously provided to us in a portable and, to the extent technically feasible, readily usable format.
• Right to opt out of targeted advertising: the right to opt out of the processing of your personal data for targeted advertising.
• Right to opt out of the sale of personal data: the right to opt out of the sale of your personal data (exchange for monetary consideration). VertiSource HR does not sell personal data as defined under the UCPA.
• Right to correct (effective July 1, 2026): under HB 418, the right to request that we correct inaccuracies in your personal data, taking into account the nature of the data and the purposes of processing.

Utah residents may exercise these rights by emailing privacy@vertisourcehr.com. We will respond within forty-five (45) days of receiving a verifiable request, with a one-time 45-day extension if reasonably necessary. The UCPA does not currently provide a private right of action or an appeal requirement, but we will consider good-faith reconsideration requests at our discretion.

9.6 Other US State Consumer Privacy Rights

Several states have enacted consumer privacy laws that may apply depending on your state of residence. Where applicable to our processing, we extend the following rights under the listed state regimes:

• Virginia Consumer Data Protection Act (VCDPA): access, correction, deletion, portability, opt-out of targeted advertising, sale, and profiling in furtherance of legally significant decisions, and appeal.
• Colorado Privacy Act (CPA): access, correction, deletion, portability, opt-out of targeted advertising, sale, and profiling; processing of Universal Opt-Out Mechanism (UOOM) signals as described in Section 10.5.
• Connecticut Data Privacy Act (CTDPA): access, correction, deletion, portability, opt-out of targeted advertising, sale, and profiling; appeal.
• Texas Data Privacy and Security Act (TDPSA): access, correction, deletion, portability, opt-out of targeted advertising, sale, and profiling; appeal.
• Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Kentucky, Nebraska: similar state privacy law rights, applied where their respective thresholds are met. Specific state law rights will be honored in accordance with each statute's requirements.

To exercise state privacy rights, email privacy@vertisourcehr.com and identify your state of residence so we can apply the correct statutory framework. If we deny a request, we will explain the denial and, where the applicable state law requires, provide an appeal process. Appeals must be filed within the timeframe specified by your state's statute (typically 45-60 days from denial).

9.7 California “Shine the Light” Disclosure

California Civil Code § 1798.83 (the “Shine the Light” law) permits California residents to request, once per calendar year, information about the categories of personal information (if any) we disclosed to third parties for their direct marketing purposes during the preceding calendar year, along with the names and addresses of those third parties. VertiSource HR does not disclose personal information to third parties for their direct marketing purposes, so the typical response will be a confirmation that no such disclosures occurred. To make a Shine the Light request, email privacy@vertisourcehr.com with the subject line “California Shine the Light Request.”

9.8 Authorized Agents

If you are a consumer residing in a state with a privacy law that permits authorized agents (including California, Colorado, Connecticut, and Virginia), you may designate an authorized agent to submit privacy requests on your behalf. To designate an authorized agent, provide us with one of the following:

• A notarized Power of Attorney granting the agent authority to act on your behalf; or
• A signed, written authorization on your behalf identifying the agent, the scope of the designation, and the privacy rights the agent is authorized to exercise on your behalf, along with verification of your identity (for example, a government-issued photo identification copy).

We reserve the right to verify the authenticity of the agent relationship and may contact you directly to confirm the agent’s authority before processing the request. A business acting on behalf of a consumer pursuant to a written contract meeting the requirements of California Civil Code § 1798.145(j) is not required to submit authorization through this process. Authorized agent requests are processed under the same response timelines as direct consumer requests.

Cookies & Tracking

Our website uses cookies and similar tracking technologies to provide site functionality, understand user behavior, and support marketing efforts.

10.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential to website functionality, including session management, security tokens, and form submissions. These cannot be disabled without affecting site operation.
• Functional Cookies: Remember your preferences (e.g., language, region) to improve your experience on return visits.
• Analytics Cookies: Collect aggregate information about how visitors use our site, including pages visited, time on page, and navigation paths. Used to improve content and user experience.
• Marketing Cookies: Track your activity across our site and, with third-party partners, across the web, to measure campaign effectiveness and deliver relevant content.

10.2 Specific Tracking Technologies

Google Tag Manager (GTM-N8R7WTZ): Our website loads Google Tag Manager, a tag management system that serves as a container for other tracking technologies listed below. Google Tag Manager itself does not set tracking cookies or collect personal information; it loads and fires other tags based on configured triggers. The list of tags currently deployed through GTM is maintained internally and is available to clients and regulators upon written request to privacy@vertisourcehr.com.

Google Analytics 4 (G-DCBC0J4WL5 and GA-LWR6PM790E): We use Google Analytics 4 to collect aggregated website usage data. GA4 uses first-party cookies to measure sessions, page views, engagement time, traffic sources, and in-page events. We have enabled IP anonymization and have disabled Google Signals and advertising features on our GA4 property. GA4 event data is retained for up to fourteen (14) months, after which it is deleted automatically. You may opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout.

Rybbit (first-party, privacy-first analytics): Our website uses Rybbit, an independent, privacy-focused analytics platform that runs as a first-party script. Rybbit's approach differs from traditional analytics in three key ways: (1) it is cookieless by default, using aggregated session identifiers derived from a daily-rotating hash of IP address and user-agent rather than persistent tracking cookies; (2) it does not share data with third-party advertising networks; and (3) it retains only de-identified page-level and event-level aggregates. The data Rybbit collects includes page URLs visited, referring sources, aggregated country and device category, engagement duration, and conversion events. No personally identifying information (name, email, phone) is sent directly from the website to Rybbit in the normal course. Aggregated Rybbit event data is retained for up to twenty-four (24) months.

Rybbit ↔ HubSpot Identify Bridge: When a visitor voluntarily submits a form on our website or signs in to a gated resource, we may associate that visitor's Rybbit session with their HubSpot contact record through a server-side identify call. This linkage allows us to understand which marketing content contributed to a specific lead and to personalize follow-up content. The identify bridge is never engaged until a visitor has submitted their own contact information to us. If you submit a form but wish to have the associated session analytics dissociated from your HubSpot contact, you may request dissociation by emailing privacy@vertisourcehr.com. Dissociation does not delete the HubSpot contact record itself; see Section 9 for deletion rights.

HubSpot (CRM Portal 21999530): We use HubSpot's marketing, CRM, and customer relationship platform (a) to manage contact and quote form submissions from our website; (b) to track marketing funnel activity such as email opens, link clicks, content downloads, and meeting bookings for known contacts who have opted in; (c) to associate website activity with identified contact records via the HubSpot tracking script (__hstc, hubspotutk, __hssc, __hssrc first-party cookies); and (d) to send automated email sequences and workflows. HubSpot's tracking script loads across site pages via Google Tag Manager. For known contacts (visitors who have submitted a form), HubSpot can associate prior anonymous browsing history with the contact record at the moment of form submission. HubSpot cookies expire after thirteen (13) months from the last visit. You may opt out of HubSpot tracking, request that your HubSpot contact record be deleted, or request a machine-readable export of your data by emailing privacy@vertisourcehr.com. HubSpot's own privacy disclosures are available at legal.hubspot.com/privacy-policy.

LinkedIn Insight Tag (not currently loaded): VertiSource HR may from time to time enable the LinkedIn Insight Tag for paid LinkedIn advertising campaign attribution. As of the Last Updated date above, the LinkedIn Insight Tag is not loaded on our production website. If we enable it for a future campaign, we will update this Policy to say so and disclose the cookies set. You may opt out of LinkedIn retargeting at any time at linkedin.com/psettings/guest-controls/retargeting-opt-out.

Personalized Landing Experience (Rybbit → HubSpot → UI personalization): For visitors arriving from specific marketing campaigns or known-contact links, our personalized landing page at /personalized-landing may display the visitor's first name or their assigned VertiSource HR advisor's contact details. This personalization is only triggered when an identifier supplied by the visitor (via a form, a campaign link, or an authenticated session) is matched against an existing HubSpot contact record. No personalization occurs for anonymous visitors, and personalization can be disabled for a given contact by request to privacy@vertisourcehr.com.

10.3 Cookie Retention Summary

• Session cookies (strictly necessary): deleted when you close your browser.
• Functional cookies: up to twelve (12) months.
• GA4 first-party cookies: up to fourteen (14) months.
• HubSpot cookies (__hstc, hubspotutk): up to thirteen (13) months from last visit.
• HubSpot session cookies (__hssc, __hssrc): thirty (30) minutes or until browser close.
• Rybbit: no persistent tracking cookies (rolling daily hash); aggregated server-side data retained for up to twenty-four (24) months.
• LinkedIn Insight Tag: not currently active; if enabled for a paid campaign, first-party cookies persist up to six (6) months and LinkedIn’s own retention applies to any third-party cookies.

10.4 Managing Cookies

You can manage your cookie preferences on our website in three ways:

• Our on-site cookie preference center. Manage cookie preferences opens a modal where you can grant or deny consent for functional, analytics, and marketing cookies category-by-category. Your choice is stored locally in your browser and honored on return visits. Strictly-necessary cookies cannot be disabled because the site breaks without them.
• Browser controls. Most web browsers allow you to block all cookies or clear stored cookies. Browser-specific instructions are available in your browser’s help documentation. Note that disabling all cookies will affect site functionality (for example, form submissions may fail without session cookies).
• Tag-by-tag opt-out. For a per-tag opt-out (for example, disabling HubSpot tracking while keeping Google Analytics), email privacy@vertisourcehr.com and we will walk you through the options applicable to your jurisdiction.

Our website uses Google Consent Mode v2 on an opt-out (implied consent) model consistent with California and other U.S. state privacy laws: analytics and marketing technologies are enabled by default when you visit the site. You may withdraw consent at any time, by category, using the “Manage cookie preferences” control above or the “Do Not Sell or Share My Personal Information” link in the footer. When you opt out, we update your Consent Mode signal to “denied” for the affected categories and the corresponding tags stop setting non-essential cookies. If your browser sends a Global Privacy Control (GPC) signal, we treat your session as opted out automatically (see Section 10.5). Strictly-necessary technologies cannot be disabled because the site will not function without them.

10.5 Opt-Out Preference Signals (DNT, GPC & UOOM)

Do Not Track (DNT): Some browsers transmit a “Do Not Track” signal. Our website does not currently respond to DNT signals because no consensus industry standard exists.

Global Privacy Control (GPC): When a browser sends a GPC signal, we treat the session as having opted out of any data processing that would qualify as a “sale” or “share” under the CCPA/CPRA. Because we do not sell or share personal information as defined under the CCPA, this functionally maintains the same treatment for all visitors, but we honor GPC explicitly to remove ambiguity.

Universal Opt-Out Mechanism (UOOM): Colorado’s Privacy Act requires businesses to recognize universal opt-out signals beginning July 1, 2024. We process GPC as a valid UOOM signal for Colorado residents, treating the session as an opt-out of targeted advertising and the sale of personal data. When additional signals are approved by the Colorado Attorney General, we will extend the same treatment to those signals. Because we do not sell personal data or engage in targeted advertising beyond our own first-party platform, no additional consumer-side action is required to achieve opt-out.

To exercise any opt-out right that is not triggered by a browser signal (for example, to revoke past marketing consents or to remove an existing HubSpot contact record), email privacy@vertisourcehr.com.

10.6 Email Tracking Notice

Marketing and transactional emails we send from the HubSpot platform may contain tracking pixels (1×1 transparent images) and instrumented links. These technologies allow us to understand whether an email was opened, when it was opened, the approximate IP address and geographic region of the device that opened it, and which links were clicked. We use this data to measure campaign performance, ensure deliverability, and tune content to what our audience actually reads. Operational and account emails (password resets, service notices, invoices, payroll confirmations) are not used for marketing analytics.

If you do not want your email activity tracked, you may: (a) configure your email client to block external images (for example, Apple Mail Privacy Protection, Gmail’s image proxy, or Outlook’s “download pictures” prompt); (b) click the “Unsubscribe” link at the bottom of any marketing email; or (c) email privacy@vertisourcehr.com and ask to be removed from all email tracking.

Children's Privacy

Our website and services are intended for business clients and their adult representatives. Our website is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13 through our website or marketing channels.

If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information from our systems. If you believe a child under 13 has provided us with personal information through our website, please contact us at privacy@vertisourcehr.com.

Note that worksite employee data administered through our PEO services may include dependent information for benefits purposes, which can include information about minor children enrolled as dependents on health plans. Such information is collected and processed solely for the purpose of administering benefits coverage and is subject to the applicable carrier's privacy practices in addition to this Policy.

Changes to This Policy

We review this Privacy Policy at least once every twelve (12) months and may update it from time to time to reflect changes in our practices, applicable law, or our services. When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy
• Post a prominent notice on our website for at least 30 days following any material change
• For active clients, notify the primary contact on the account by email when changes are material

Your continued use of our website or services after the effective date of any updated Policy constitutes your acceptance of the revised terms. We encourage you to review this Policy periodically.

Prior versions of this Policy are available upon written request to privacy@vertisourcehr.com.

Automated Decision-Making, Profiling & AI

VertiSource HR does not use fully automated decision-making (including profiling) to make decisions that produce legal or similarly significant effects on individuals (for example, decisions to hire, fire, discipline, deny benefits coverage, or deny credit) without meaningful human involvement. Payroll calculations, tax withholding determinations, and benefits eligibility flags that operate on the data you provide are rule-based computations performed by our HRIS platform and are not considered “profiling” under applicable state privacy laws, because they do not evaluate personal aspects to predict or analyze behavior.

Use of AI tools internally. Our internal teams may use generative AI tools (for example, to draft boilerplate language, summarize support tickets, or assist with internal research) under a policy that prohibits submitting client payroll records, Social Security Numbers, banking information, or other sensitive personal information to third-party AI systems. All AI-assisted outputs intended to reach a client or an employee are reviewed by a human before delivery.

Right to opt out of profiling for legally significant decisions. Residents of California, Colorado, Connecticut, Virginia, and Texas have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Because VertiSource HR does not currently engage in such profiling, this right is maintained but there is no active processing to which it would apply. If we begin using such systems in the future, we will update this Policy, provide conspicuous notice, and obtain required consent or provide an opt-out mechanism before processing.

Large language model training (Connecticut residents). Effective July 1, 2026 the Connecticut Data Privacy Act requires controllers to disclose in the privacy notice whether they collect, use, or sell personal data to train large language models. VertiSource HR does not collect, use, or sell personal data to train large language models. If our practice changes in the future, we will update this Policy and provide notice before any such processing.

Accessibility of This Policy

VertiSource HR is committed to ensuring this Privacy Policy is accessible to consumers with disabilities. The page is published in semantic HTML with a skip-to-content link, landmark regions, proper heading hierarchy (H1 → H2 → H3), visible focus indicators, and a table of contents for keyboard-first navigation. The page is partially conformant with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standard, consistent with our Accessibility Statement; we are working toward full Level AA and evaluating WCAG 2.2 success criteria as we update pages. If you have difficulty accessing any portion of this Policy, or would like to request this Policy in an alternative format (large print, audio, plain-text), please contact us at accessibility@vertisourcehr.com. See our full Accessibility Statement for more on our broader commitments.

External Links & Third-Party Sites

Our website contains links to third-party websites and services, including regulatory agency sites (IRS, DOL, NAPEO, SHRM, and state revenue departments), partner platforms (HubSpot, Axiom Bookkeeping, ZayZoon, Worklio, PayrollServers), social media (LinkedIn, Facebook), and educational resources linked from our glossary and blog. This Privacy Policy applies only to VertiSource HR’s own websites and services; we do not control the privacy practices of any third-party site.

We encourage you to read the privacy policy of every third-party site you visit from a link on our website. A link from our website does not constitute an endorsement of the third party’s privacy practices. If you submit information directly to a third party after clicking an external link (for example, signing into Worklio at worklio.com), that submission is governed by the third party’s privacy policy and terms, not by ours.

Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or need to report a privacy concern, please contact us through one of the following channels:

We aim to respond to all privacy-related requests within 10 business days. For CCPA-specific requests, we will respond within 45 days as required by law.

If you are unsatisfied with our response, you may have the right to lodge a complaint with your applicable state privacy authority or the Federal Trade Commission.