Notice — Company Formation Update
LEGITLY.COM L.L.C. is in the process of updating its company formation. These terms and related policies will be revised to reflect the new corporate structure. The version posted here is current and governs your use until it is updated.
Contents
- Introduction and Scope
- Information We Collect
- How We Use Information
- Legal Bases for Processing
- Cookies and Tracking Technologies
- How We Share Information
- Data Retention
- Data Security
- Your Privacy Rights
- California Privacy Rights (CCPA/CPRA)
- International Data Transfers
- Children’s Privacy
- Third-Party Links
- Changes to This Policy
1. Introduction and Scope
This Privacy Policy explains how LEGITLY (“LEGITLY,” “we,” “us”) collects, uses, discloses, and safeguards personal information when you visit our websites and subdomains, use our applications, scan or register Authentication Codes, or otherwise interact with our products and services (collectively, the “Services”). It applies to information about visitors, End Users who verify products, and Brand Customers and their authorized personnel.
By using the Services, you agree to the practices described in this Policy. If you do not agree, please do not use the Services. This Policy is incorporated into our Terms of Service.
2. Information We Collect
Information you provide
- Account and contact data: name, business name, email, phone number, password, and role.
- Product and brand data: catalog information, logos, and details you register for authentication.
- Transaction data: billing contact, plan, and limited payment details processed by our payment providers (we do not store full card numbers).
- Communications: information you submit through forms, support requests, or correspondence.
Information collected automatically
- Usage and device data: IP address, browser and device type, operating system, pages viewed, referring URLs, and timestamps.
- Verification data: when an Authentication Code is scanned or entered, we may collect the code, scan result, device and browser information, approximate location derived from your IP address, and—only if you grant your browser or device permission—precise geolocation (GPS), for fraud prevention, anti-counterfeiting, and analytics. Granting precise location is optional; you can decline it or revoke it later in your browser or device settings, and we will then rely on approximate IP-based location only.
- Call and message data: when you call, text, or message us or numbers we publish, or when you opt in to receive calls or texts, we process your phone number, the content and metadata of those communications, and—where you are notified and applicable law permits—call recordings and transcripts.
- Cookies and similar technologies as described below.
Information from third parties
We may receive information from Brand Customers, payment processors, analytics and security providers, and publicly available sources.
3. How We Use Information
We use personal information to:
- provide, operate, maintain, and secure the Services and generate Authentication Codes, labels, and certificates;
- process transactions, manage accounts, and provide customer support;
- detect, investigate, and prevent counterfeiting, fraud, abuse, and security incidents;
- analyze usage, improve and develop features, and personalize the experience;
- communicate with you about updates, security alerts, and (where permitted) marketing, from which you may opt out; and
- comply with legal obligations and enforce our agreements.
4. Legal Bases for Processing
Where required (for example, under the EU/UK GDPR), we process personal information on the bases of: performance of a contract with you; our legitimate interests in operating, securing, and improving the Services and preventing counterfeiting; your consent (which you may withdraw); and compliance with legal obligations.
5. Cookies and Tracking Technologies
We and our service providers use cookies, web beacons, and similar technologies to operate the Services, remember preferences, measure performance, and support security. You can control cookies through your browser settings; disabling certain cookies may affect functionality. Where required, we present a cookie banner to obtain consent for non-essential cookies.
6. How We Share Information
We do not sell your personal information for money. We may share information:
- With service providers and sub-processors (such as cloud hosting, payment processing, telephony and SMS, AI-assisted call handling, transactional email, analytics, and security vendors) bound by confidentiality and data-protection obligations;
- With Brand Customers in connection with verification of their products, and with End Users to the extent necessary to display verification results;
- For legal reasons—to comply with law, legal process, or governmental request; to enforce our agreements; or to protect the rights, property, or safety of LEGITLY, our users, or the public, including in anti-counterfeiting investigations;
- In a business transaction—in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy; and
- With your consent or at your direction.
Our key service providers include cloud hosting (OVH), payment processing (Stripe), telephony and SMS (Twilio), AI-assisted call handling (Vapi), and transactional email (Resend). Where we process personal information on behalf of a Brand Customer, we do so under a data processing addendum (DPA) available on request, and a current list of sub-processors is available on request.
7. Data Retention
We retain personal information for as long as needed to provide the Services, comply with legal, tax, accounting, and security obligations, resolve disputes, and enforce our agreements. As a general guide: account and profile data are kept for the life of your account and deleted or de-identified within a reasonable period after closure; billing, tax, and transaction records are kept for approximately seven (7) years to meet tax and accounting requirements; verification and security logs are kept for up to twenty-four (24) months to support fraud prevention and anti-counterfeiting; call recordings, transcripts, and support communications are kept for up to twenty-four (24) months; and marketing preferences are kept until you opt out or your account is closed. Where we are required to retain information longer—for example, due to a legal hold, unresolved dispute, or regulatory obligation—we keep it only as long as necessary, after which we delete or de-identify it.
8. Data Security
We employ administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and access controls. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials.
If we become aware of a breach of security affecting your personal information, we will notify affected individuals and any applicable regulators without undue delay and as required by applicable law, including the California breach-notification law (Cal. Civ. Code § 1798.82).
9. Your Privacy Rights
Subject to applicable law, you may have the right to access, correct, update, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, contact us at info@legitly.com. We will respond as required by law and may need to verify your identity. You will not be discriminated against for exercising your rights.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to: (a) know the categories and specific pieces of personal information we collect, use, and disclose; (b) delete personal information we hold, subject to exceptions; (c) correct inaccurate personal information; (d) opt out of any “sale” or “sharing” of personal information, including sharing for cross-context behavioral advertising; and (e) limit the use and disclosure of sensitive personal information. You will not be discriminated or retaliated against for exercising these rights.
We do not sell personal information for monetary value, and we do not knowingly sell or share the personal information of consumers under 16. To the extent any analytics or advertising technologies constitute a “sale” or “sharing” under California law, you can opt out using our “Do Not Sell or Share My Personal Information” control and the “Cookie Settings” link in the site footer, and we honor recognized opt-out preference signals such as the Global Privacy Control (GPC) as a valid opt-out for the browser or device on which it is enabled. To submit a rights request, contact us at info@legitly.com; you may use an authorized agent, subject to verification of identity and authority.
Sensitive personal information. The only sensitive personal information we process is your account log-in credentials and, where you grant permission, precise geolocation collected during a verification scan. We use it solely to secure and authenticate your account and to prevent and investigate fraud and counterfeiting—purposes for which California law does not require us to offer the right to limit—and we do not use or disclose it to infer characteristics about you.
In the past 12 months we have not sold personal information for money, and we do not knowingly sell or share the personal information of consumers under 16. The only disclosures that may qualify as “sharing” (cross-context behavioral advertising) under California law occur through optional analytics or advertising cookies, which you can turn off at any time using the “Do Not Sell or Share” and “Cookie Settings” links in our footer or by enabling Global Privacy Control. We collect and disclose the following categories of personal information for the business purposes described in this Policy:
| Category | Examples | Sources | Business purpose | Disclosed to |
|---|---|---|---|---|
| Identifiers | Name, business name, email, phone number, IP address, account and device identifiers | You; collected automatically; Brand Customers | Create and secure accounts; provide and communicate about the Services; prevent fraud | Hosting, email, analytics, telephony, and security providers |
| Customer records & commercial information | Billing contact, plan, order and transaction history | You; payment processor | Billing, fulfillment, support, recordkeeping | Payment processor (Stripe); accounting providers |
| Internet or network activity | Pages viewed, usage, referring URLs, device/browser data, timestamps | Collected automatically | Analytics, security, debugging, improving the Services | Analytics and security providers |
| Geolocation data | Approximate location (from IP) and, where you permit, precise GPS location captured during verification | Collected automatically | Fraud prevention, anti-counterfeiting, analytics | Hosting and security providers |
| Audio / electronic information | Call recordings, transcripts, and message content when you contact us or opt in | You | Support, quality assurance, security | Telephony/SMS and AI call-handling providers |
| Professional / commercial brand information | Product catalog, logos, and registration details | You (Brand Customers) | Provide authentication Services | Hosting and service providers |
| Sensitive personal information | Account log-in credentials; precise geolocation (where permitted) | You; collected automatically | Secure and authenticate accounts; prevent fraud | Hosting and security providers |
11. International Data Transfers
The Services are directed to and intended for users in the United States. We do not target or market the Services to individuals in the European Economic Area (EEA), the United Kingdom, or Switzerland; if we begin offering the Services to individuals in those regions, we will appoint a representative under Article 27 of the EU/UK GDPR where required and update this Policy. We are based in the United States and process information there and in other countries where we or our service providers operate. If you access the Services from outside the United States, you understand your information may be transferred to and processed in the United States, which may have different data-protection laws. Where required, we use appropriate safeguards for such transfers, including the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum) or other lawful transfer mechanisms, together with supplementary measures where appropriate. For more information about these safeguards, contact us at info@legitly.com.
12. Children’s Privacy
The Services are intended for businesses and for individuals who are at least 18 years old, and are not directed to children. We do not knowingly collect personal information from anyone under 13 (or under 16 in the EEA and UK). If you believe a child has provided us personal information, contact us at info@legitly.com and we will take appropriate steps to delete it.
13. Third-Party Links
The Services may contain links to third-party sites and services that we do not control and that have their own privacy practices. We are not responsible for those practices, and we encourage you to review their policies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and, where required, provide additional notice. Your continued use of the Services after changes take effect constitutes acceptance of the updated Policy.
Contact Us
If you have questions about this document, please contact us:
LEGITLY.COM L.L.C.
A California limited liability company
California Secretary of State — Entity No. 202134410198 · File No. BA20230924170
3921 E. Livingston Drive #2, Long Beach, California 90803, United States
Email: info@legitly.com
Phone: 1-888-LEGITLY