Privacy Policy
How this Site collects, uses, retains, and protects personal data.
Effective Date: [CONFIRM: YYYY-MM-DD at publication]
Version: 1.0
1. Key Definitions
1.1 Site. “Site” means the publicly accessible website operated at merit.institute, including all subdomains, pages, content, forms, and interactive features served from that domain.
1.2 Operator. “Operator” means Virtu Prep, whose principal mailing address is 1279 W Palmetto Park Rd, P.O. Box 272105, Boca Raton, FL 33486-9998, and which acts as the data controller for Personal Data collected through the Site.
1.3 Visitor. “Visitor” means any natural person who accesses the Site.
1.4 Personal Data. “Personal Data” means any information relating to an identified or identifiable natural person, consistent with the definition in Article 4(1) of Regulation (EU) 2016/679 (the “GDPR”).
1.5 Subscriber Data. “Subscriber Data” means the specific subset of Personal Data submitted by a Visitor through the Site’s email contact or subscription form, consisting of (a) the email address provided, (b) the IP address of the submitting device, (c) the user agent string of the submitting browser, (d) an ISO-8601 timestamp of the moment of submission, and (e) the tenant identifier for the Site to which the submission was made.
1.6 Analytics Data. “Analytics Data” means aggregate and session-level usage information collected by the self-hosted analytics component of the Site (Matomo), including request paths, referring URLs, approximate geography derived from truncated IP, device category, browser family, and session duration, collected only after the Visitor has granted express opt-in consent as described in Section 6.
1.7 Cookies. “Cookies” means small text files placed on the Visitor’s device by the Site, as further described in Section 6.
1.8 De-Identified Data. “De-Identified Data” means information that has been stripped of direct identifiers such that it cannot, without additional information, be linked to a specific natural person.
1.9 Supervisory Authority. “Supervisory Authority” means an independent public authority established pursuant to Article 51 of the GDPR or equivalent authority under other applicable data protection law.
2. Scope and Applicability
2.1 Applicability. This Privacy Policy applies to Personal Data collected by the Operator through the Site. By accessing or using the Site, Visitor acknowledges having read this Privacy Policy.
2.2 Relationship to Terms of Service. This Privacy Policy governs data collection on the public Site only. Personal Data processed inside the Operator’s proprietary Platform, including any Student Data as defined in the Operator’s Terms of Service, is governed by the Terms of Service and any separate data processing agreement between the Operator and its institutional customers, and not by this Policy.
2.3 Not Legal Advice. This Privacy Policy is a disclosure document. It is not legal advice to any Visitor, and it does not create a contractual relationship beyond the minimum required to satisfy applicable data protection and consumer protection law.
3. Personal Data Collected by the Site
3.1 Data Collected Automatically. When a Visitor accesses the Site, the Operator’s web server receives and records the following information in ordinary server request logs: IP address of the requesting device, user agent string of the requesting browser, timestamp of the request, the path and HTTP method of the request, the response status code, the referring URL (if any), and the number of bytes transferred. These server logs are retained for no longer than ninety (90) days and are used solely for operational, security, abuse-prevention, and diagnostic purposes. These logs are not combined with Analytics Data or Subscriber Data except where strictly necessary to investigate a specific suspected security incident.
3.2 Data Collected with Opt-In Consent (Analytics). If, and only if, the Visitor grants express opt-in consent via the Site’s consent banner described in Section 6, the Site will additionally collect Analytics Data through a self-hosted instance of Matomo operated by the Operator. The Operator does not use third-party advertising analytics, cross-site trackers, social-media pixels, or fingerprinting libraries of any kind. Analytics Data collected under opt-in consent is retained for [CONFIRM: Matomo retention window, e.g., thirteen (13) months]; after that period, Analytics Data is automatically deleted by the Matomo retention routine.
3.3 Data Voluntarily Submitted (Subscribers). If a Visitor voluntarily completes the “Stay in Touch” email contact form presented in the Site’s navigation, the Operator will collect and store the Subscriber Data as defined in Section 1.5. Submission of the form requires the Visitor to affirmatively type an email address and click the submit control; no Subscriber Data is collected passively.
3.4 Data Not Collected. The Operator does not collect, and the Site does not request: payment information; government-issued identifiers; health information; precise geolocation; contact-list access; device microphone or camera access; or information about any person other than the Visitor.
4. Purposes of Processing
4.1 The Operator will process Personal Data collected through the Site only for the following purposes:
(a) delivering the Site’s requested pages and content;
(b) maintaining the security, availability, and integrity of the Site and preventing fraud, abuse, and attack;
(c) if opt-in consent is granted, understanding aggregate usage of the Site to improve its content and structure;
(d) responding to Visitors who have voluntarily submitted their email address through the “Stay in Touch” form, including to send information, updates, and announcements relating to the Operator and its offerings that the Operator reasonably believes to be of interest to the submitting Visitor;
(e) complying with the Operator’s legal and regulatory obligations; and
(f) establishing, exercising, or defending legal claims.
4.2 No Sale of Personal Data. The Operator does not sell, rent, or trade Personal Data to any third party. The Operator does not participate in any advertising exchange, data broker arrangement, or cross-context behavioral advertising program. Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Operator has not “sold” or “shared” Personal Data in the preceding twelve (12) months, and does not intend to do so.
4.3 No Automated Decision-Making. The Operator does not use Personal Data collected through the Site to make any decision that produces legal or similarly significant effects on the Visitor by means of solely automated processing.
5. Legal Basis for Processing (GDPR and UK GDPR Visitors)
For Visitors located in the European Economic Area, the United Kingdom, or Switzerland, the Operator relies on the following legal bases under GDPR Article 6:
(a) Consent (Article 6(1)(a)) for the collection of Analytics Data under Section 3.2 and for the sending of marketing email to Subscribers under Section 4.1(d);
(b) Legitimate interests (Article 6(1)(f)) for the collection of server logs under Section 3.1 and for the prevention of fraud, abuse, and attack; the Operator’s legitimate interest in maintaining a secure, available, and lawful Site has been balanced against the rights and freedoms of the Visitor, and is narrowly tailored as described in Section 3.1;
(c) Performance at the request of the data subject (Article 6(1)(b)) for the initial storage and acknowledgement of a submission through the “Stay in Touch” form, to the extent the Visitor has requested to be contacted;
(d) Legal obligation (Article 6(1)(c)) where processing is required to comply with applicable law.
A Visitor may withdraw consent under (a) at any time, as described in Section 10. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
6. Cookies and Tracking Technologies
6.1 Cookies Used. The Site sets storage entries in two categories:
(a) Strictly necessary. A consent-preference record (stored in browser localStorage, technically not a cookie but disclosed here for transparency) that remembers the Visitor’s choice on the consent banner, so the banner is not shown repeatedly. This record contains only the values “granted” or “denied” and a timestamp. It does not track the Visitor across sessions or sites. It is set regardless of the Visitor’s choice on the consent banner because its sole purpose is to record that choice.
(b) Analytics, opt-in only. If the Visitor grants consent, the self-hosted Matomo component will set the standard Matomo cookies _pk_id.* and _pk_ses.*. These cookies are first-party, are scoped to the Site domain only, and are deleted after the retention period stated in Section 3.2.
6.2 No Third-Party Trackers. The Site does not load any third-party advertising, marketing, social-media, or analytics code. There are no Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, X (Twitter) conversion tag, or similar third-party scripts present on the Site.
6.3 Consent Banner and Withdrawal. On first visit, the Site displays a consent banner offering the Visitor a clear, binary choice: accept analytics or decline. The default state is decline; Analytics Data is not collected unless the Visitor affirmatively clicks accept. The Visitor may withdraw consent at any later time by clearing the consent preference from browser storage or by using the “Manage consent” control in the footer.
6.4 Do Not Track. The Site respects the Do Not Track browser signal. If the Visitor’s browser sends DNT: 1, the Site will not present the consent banner and will not load the Matomo component, regardless of any prior consent.
7. Subscriber Data and Direct Communications
7.1 Scope of Use. Subscriber Data submitted under Section 3.3 will be used only to communicate with the submitting Visitor by email regarding the Operator and its offerings, and to maintain the security and integrity of the submission system.
7.2 Retention. Subscriber Data is retained indefinitely until the Subscriber requests erasure under Section 10. The IP address stored with the Subscriber record is retained for the same period and is used for abuse prevention, fraud detection, and investigation of any credible claim of unauthorized submission.
7.3 Unsubscribe. Every marketing email from the Operator includes a one-click unsubscribe link. Unsubscribe takes effect within seven (7) days of receipt of the request. Unsubscribing removes the Subscriber from the Operator’s sending list but does not automatically erase the Subscriber Data; to request erasure, see Section 10.
7.4 No Sharing. The Operator does not share Subscriber Data with any third party except (a) where required by lawful process as described in Section 9, or (b) in connection with a merger, acquisition, reorganization, or sale of substantially all assets, in which case the acquirer will be bound by terms no less protective than this Privacy Policy.
8. Security
8.1 Technical Measures. The Operator protects Personal Data in transit using industry-standard TLS encryption. The Operator restricts access to stored Subscriber Data to a limited number of authorized personnel with a legitimate operational need to access the data. The Operator does not expose the Subscriber database to the public internet; access is gated through an authenticated administrative interface.
8.2 Hosting. The Site and the subscription service are hosted on infrastructure located in [CONFIRM: cloud region, e.g., the United States — DigitalOcean, NYC3], with commercially reasonable physical, administrative, and logical security controls.
8.3 Breach Notification. In the event of a confirmed personal data breach as defined in GDPR Article 4(12), the Operator will notify the competent Supervisory Authority within seventy-two (72) hours of becoming aware of the breach where the breach is likely to result in a risk to the rights and freedoms of natural persons, and will notify affected Visitors without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
8.4 No Promise of Absolute Security. No system connected to the public internet is entirely immune to compromise. The Operator makes no representation or warranty that the Site is or will remain free from unauthorized access, use, or disclosure.
9. Disclosures Required by Law
9.1 The Operator will disclose Personal Data only where required by a lawful order of a court of competent jurisdiction, a validly issued subpoena, or a clear requirement of applicable law. The Operator will disclose only the minimum information necessary to comply.
9.2 Notice to Affected Visitor. Where disclosure is compelled by legal process and notice to the affected Visitor is not prohibited by that process, the Operator will give the affected Visitor prompt written notice before complying, so that the Visitor may seek a protective order or other remedy.
10. Your Rights
10.1 Rights Available to All Visitors. Every Visitor may request:
(a) Access — a copy of the Personal Data the Operator holds about the Visitor;
(b) Rectification — correction of inaccurate or incomplete Personal Data;
(c) Erasure — deletion of the Visitor’s Personal Data, subject to any legal retention obligation;
(d) Restriction — a pause on processing pending resolution of a dispute;
(e) Objection — an objection to processing based on legitimate interests;
(f) Portability — a copy of the Visitor’s Personal Data in a structured, commonly used, machine-readable format;
(g) Withdrawal of consent — at any time, without affecting the lawfulness of processing before withdrawal; and
(h) Complaint — to the Supervisory Authority of the Visitor’s habitual residence, place of work, or place of the alleged infringement.
10.2 Rights Specific to California Residents. Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents additionally have the right to know the categories and specific pieces of Personal Data collected, the right to delete Personal Data, the right to correct inaccurate Personal Data, the right to opt out of sale or sharing (which is moot because the Operator does not sell or share Personal Data), the right to limit use of sensitive personal information (moot because the Operator does not collect sensitive personal information as defined under CCPA/CPRA), and the right to non-discrimination for exercising any of these rights.
10.3 How to Exercise a Right. A Visitor may exercise any right in this Section 10 by sending a request to the privacy contact listed in Section 15. The Operator will respond within thirty (30) days, extendable to ninety (90) days for complex or voluminous requests upon written notice. The Operator may require reasonable identity verification before responding, limited to what is necessary to confirm that the requester is the Visitor or an authorized agent.
10.4 No Charge. Requests under this Section are honored free of charge, except that the Operator may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive, in particular because of its repetitive character, as permitted by GDPR Article 12(5).
11. Children
11.1 Not Directed to Children. The Site is not directed to children under thirteen (13) years of age and is not designed to attract children. The Operator does not knowingly collect Personal Data from children under 13.
11.2 Parental Remedy. If a parent or legal guardian becomes aware that a child under 13 has submitted Personal Data to the Operator through the Site, the parent or guardian should contact the Operator at the address in Section 15 and request deletion. The Operator will delete the child’s Personal Data promptly upon verification.
11.3 Teen Users (13-17). The Site does not knowingly target teens as an audience. To the extent a Visitor between 13 and 17 voluntarily submits an email address, the Operator processes that data under the same terms as data submitted by adult Visitors, and relies on the Visitor’s representation of age.
12. International Transfers
12.1 Transfer Mechanism. The Operator processes Personal Data on infrastructure located in [CONFIRM: region, e.g., the United States]. If the Visitor is accessing the Site from outside that jurisdiction, the Visitor’s Personal Data will be transferred to, and processed in, that jurisdiction.
12.2 Safeguards for EEA/UK/Swiss Transfers. Where the Operator transfers Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland to a country not subject to an adequacy decision, the Operator relies on the European Commission’s Standard Contractual Clauses (2021/914) and applicable UK and Swiss addenda. A copy of the safeguards applied is available on request at the privacy contact in Section 15.
13. Changes to This Privacy Policy
13.1 Updates. The Operator may update this Privacy Policy from time to time. The current version is identified by the Effective Date at the top of this document and by the Version identifier. Material changes will be announced on the Site at least thirty (30) days before they take effect; non-material changes (such as clarifications or typographical corrections) take effect immediately on posting.
13.2 Continued Use. The Visitor’s continued access to the Site after a change takes effect constitutes acknowledgement of the updated Privacy Policy. If the Visitor does not agree to an update, the Visitor should stop accessing the Site and, if applicable, exercise the erasure right in Section 10.
14. Governing Law and Venue
14.1 Governing Law. This Privacy Policy, and any dispute arising out of or related to it that is not preempted by applicable mandatory consumer protection or data protection law, is governed by the laws of the State of Florida, without regard to conflict of laws rules.
14.2 Venue. Any dispute arising out of or related to this Privacy Policy that is not preempted by applicable mandatory consumer protection or data protection law will be brought exclusively in the state or federal courts located in Palm Beach County, Florida.
14.3 Preservation of Visitor Rights. Nothing in this Section 14 limits the Visitor’s right, where that right is granted by mandatory law, to bring a complaint before the Supervisory Authority of the Visitor’s habitual residence, to sue in the courts of the Visitor’s habitual residence where permitted by applicable procedural rules, or to pursue any other non-waivable remedy granted by the law of the Visitor’s jurisdiction.
15. Contact
15.1 Controller and Privacy Contact. The data controller for Personal Data collected through the Site is:
Virtu Prep
Attn: Privacy
1279 W Palmetto Park Rd
P.O. Box 272105
Boca Raton, FL 33486-9998
United States
Email: [CONFIRM: privacy contact address — e.g., privacy@virtuprep.com]
15.2 EU / UK Representative. [CONFIRM: if the Operator has appointed representatives under GDPR Article 27 / UK GDPR, identify them here; otherwise state: “The Operator has not appointed a representative under Article 27 of the GDPR or the UK GDPR, and Visitors in those jurisdictions may contact the Operator directly using the address in Section 15.1.”]
15.3 Response. The Operator will acknowledge every privacy request within seven (7) days and respond substantively within the timelines in Section 10.3.
16. Electronic Acceptance and Records of Consent
16.1 Recordkeeping. Where this Privacy Policy or applicable law requires consent — including consent to analytics under Section 6 and consent to receive email communications under Section 7 — the Operator will record and retain proof of that consent, including the version identifier of the Privacy Policy presented at the time of consent, the IP address of the consenting device, the user agent string of the consenting browser, and the ISO-8601 timestamp of the consent act. Such records are retained for the same period as the Personal Data to which they relate and are admissible to establish the fact of consent.
16.2 Revocation. The Visitor may revoke any consent at any time through the mechanisms described in this Policy. Revocation is effective prospectively; the lawfulness of processing based on consent before revocation is unaffected.
17. General
17.1 Entire Agreement. This Privacy Policy, together with any separately signed data processing agreement between the Operator and an institutional customer, is the entire statement of the Operator’s obligations to Visitors regarding Personal Data collected through the Site.
17.2 Order of Precedence. If there is a direct conflict between this Privacy Policy and the Operator’s Terms of Service applicable to the Site, the more Visitor-protective provision controls, solely with respect to the processing of Personal Data.
17.3 Severability. If any provision of this Privacy Policy is held invalid or unenforceable, the remainder will continue in full force, and the invalid or unenforceable provision will be replaced with a valid and enforceable provision that reflects the original intent as closely as possible, consistent with applicable law.
17.4 Waiver. No waiver of any right or remedy under this Privacy Policy is effective unless in writing and signed by the Operator. No waiver operates as a waiver of any later breach.
17.5 Notices. Routine privacy notices to a Visitor will be delivered to the email address the Visitor has provided to the Operator, if any. Legal notices to the Operator must be delivered as set out in the Operator’s Terms of Service.
17.6 Survival. Provisions of this Privacy Policy that by their nature should survive termination of the Visitor’s use of the Site — including retention, security, Visitor rights, governing law, and recordkeeping — survive.