Owned and operated by VRMLC LLC.[1]
Owned and operated by VRMLC LLC.[1]
Effective Date / Last Updated: May 24, 2026
This Privacy Policy explains how the publisher of confidentinvestor.org (the "Site") collects, uses, shares, and retains information about visitors. It also describes the rights U.S. residents have over that information and how to exercise them.
This Privacy Policy is one of three controlling documents that govern your use of the Site. The others are the Editorial Policy (which explains who owns the Site, how rankings are produced, and the publisher's relationship with the companies it ranks) and the Disclaimer (which explains the non-advisory, non-service-provider nature of the content). You should read all three together.
The Site is owned and operated by VRMLC LLC, a Delaware limited liability company that does business as Confident Investor (this Site) and also as Estaga (a vacation rental property management company that is ranked first on the Site). VRMLC LLC is referred to in this Policy as the "Publisher," "we," "us," or "our." Confident Investor and Estaga are not separate legal entities — they are two brand names of the same legal entity, VRMLC LLC.
Common-ownership disclosure. Because Confident Investor and Estaga are the same legal entity, the Site is not an independent review publisher. Rankings on the Site, including Estaga's first-place position, are the opinion of the Publisher, which has a direct financial interest in Estaga. This disclosure is restated in our Editorial Policy and Disclaimer, and it is repeated here because the same ownership relationship is the basis on which the Site exists and on which traffic about competing companies is collected.
Contact:
For privacy-rights requests, use the email above with the subject line "Privacy Request" or use the form on our Do Not Sell or Share My Personal Information page.
The Site is designed so that visitors can access content without submitting personally identifying information. We do not operate sign-up forms, account systems, or lead-capture forms that ask for your name, postal address, phone number, or financial information. We collect information in four categories:
If you email us (for example, to ask a question or exercise a privacy right), we collect the contact information you choose to provide and the contents of the message. We use that information only to respond to you and to keep a record of the request. We do not add email correspondents to any marketing list.
When you visit the Site, our servers and analytics providers automatically receive:
We use first-party and third-party cookies, web beacons, and tracking pixels — including Google Analytics 4, Meta Pixel, and Microsoft Bing UET (Universal Event Tracking) — to recognize your browser, remember preferences, analyze traffic, and measure marketing performance. The use of Meta Pixel and Microsoft Bing UET, and the use of Google Analytics 4 to the extent it is linked to Google Ads or has Google Signals or Ads Personalization enabled, constitutes "sharing" of personal information for cross-context behavioral advertising under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and substantially similar state laws. See Section 4 ("How We Share Information") and Section 6 ("Cookies, Advertising & Global Privacy Control"). You can opt out of this sharing using any of the methods described in Section 6.
We receive limited information from the analytics and advertising providers identified in Section 4 (for example, aggregated audience metrics, ad delivery reports, and click attribution). We do not purchase mailing lists, hashed contact files, or other lead data.
We obtain personal information directly from you (when you contact us), automatically from your browser and device (when you visit the Site), and from the analytics and advertising providers identified in Section 4 (in the form of aggregated reports and attribution data).
We use the information described in Section 2 to:
We do not use the information we collect to make decisions that produce legal or similarly significant effects about any visitor.
We do not sell personal information for money. We do, however, "share" personal information for cross-context behavioral advertising as that term is defined in CCPA §1798.140(ah) (and as equivalent terms — for example, "targeted advertising" — are defined in the Colorado Privacy Act, Connecticut Data Privacy Act, Virginia CDPA, and similar state laws). The categories of recipients are:
We do not share lead-form information, name, email, postal address, or phone number with the third-party companies listed on the Site, because we do not collect that information through the Site.
The rights described in this Section are granted by specific state privacy laws. Where state law grants a right to one group of residents, we extend the same right to all U.S. residents to the extent reasonably practicable. The fact that we extend rights voluntarily does not subject us to the jurisdiction of any state whose threshold for coverage we do not meet.
Depending on your state of residence and applicable law, you may have the right to:
The following state laws are in force or are scheduled to take effect, and grant some or all of the rights listed above. We extend equivalent rights to residents of all U.S. states where reasonably practicable.
The Florida Digital Bill of Rights (FDBR) does not apply to us because we are well below its $1 billion global-revenue threshold and do not meet the supplementary qualifiers. We do not claim FDBR coverage; the Florida-resident rights described in this Policy are extended by us voluntarily, not because the FDBR requires it.
Submit any privacy-rights request by:
To process your request we will need enough information to verify that the request is yours and to locate any data associated with you. Because we do not collect names, email addresses, or postal addresses through Site forms, our records are typically limited to the IP address, device identifier, and cookie identifiers associated with the browser used to visit the Site. We may ask you to submit your request from the same browser or to provide identifiers (for example, the email address you used to contact us previously, or the cookie identifier visible in your browser's developer tools) so we can match the request.
We will respond within the time frame required by the applicable law — 45 days under CCPA/CPRA (extendable once by 45 days with notice to you), and as required by other applicable state laws.
You may use an authorized agent to submit a request on your behalf. We will require written, signed authorization from you, verification of your identity, and verification of the agent's identity. A duly executed power of attorney also satisfies this requirement.
California Civil Code §1798.83 permits California residents to request information about disclosure of personal information to third parties for those third parties' own direct marketing purposes. We do not disclose personal information to third parties for the third parties' direct marketing purposes, so this law does not require us to respond — but you may still send the request, and we will confirm that no such disclosure occurred.
When you first visit the Site (and again when your prior choice has expired), you will see a Notice at Collection banner. The banner presents an equally weighted Accept All and Reject All choice, with a "Customize" link for granular category-level control. This is designed to satisfy the symmetry requirement reflected in California Attorney General enforcement (Sephora settlement, 2022; Tractor Supply settlement, $1.35M, September 2025) and the multistate joint enforcement sweep by the California, Colorado, and Connecticut Attorneys General announced September 9, 2025.
You can change your cookie choices at any time by clicking the persistent "Cookie Preferences" link in the Site footer.
You may also control cookies and tracking through:
Blocking strictly-necessary cookies may break parts of the Site.
We do not respond to legacy browser "Do Not Track" (DNT) signals. DNT was never finalized as a standard and is no longer a reliable opt-out mechanism. This disclosure is required by California Business & Professions Code §22575(b)(5) (CalOPPA).
We do honor the Global Privacy Control (GPC) signal as an opt-out of the sale and sharing of personal information under CCPA/CPRA and equivalent state laws. When we detect a GPC signal in your browser, we treat that as a verified, valid opt-out, and we do not require any additional action from you to apply it.
Confirmation of GPC honoring. Per California Code of Regulations, Title 11, §7025 (as amended effective January 1, 2026), when our systems detect and apply your GPC signal, the Site will display a brief, user-facing confirmation toast: "Global Privacy Control detected — your opt-out preference has been applied." The confirmation appears once per session and dismisses automatically. We log the GPC signal so that the opt-out persists for that browser even if the toast is dismissed.
If you opt out (whether via the banner, via your account preferences, via GPC, or via a written request):
We retain personal information only as long as needed for the purposes described in this Policy and as required by applicable law. Specific category retention periods are:
| Category | Retention period |
|---|---|
| Google Analytics 4 usage data | 26 months (max permitted by GA4) |
| Communications you send us (email, contact-form messages) | 3 years from the date of the last message in the thread |
| Cookies set on your device | 13 months from the date of last activity |
| Raw IP logs from our hosting and CDN providers | 90 days |
| Marketing-interaction data (ad clicks, attribution events) | Until you opt out, plus 30 days for reconciliation |
After the applicable retention period expires, we delete or de-identify the data, except where a longer retention period is required to comply with a legal obligation (for example, tax recordkeeping), resolve a dispute, or enforce our agreements.
We use commercially reasonable administrative, physical, and technical safeguards to protect information, including transport-layer encryption (HTTPS), access controls on internal systems, vendor-security reviews, and logging. No system is perfectly secure; we cannot guarantee absolute security and do not warrant against unauthorized access that occurs despite reasonable safeguards.
If we experience a personal-data breach that triggers notification obligations under any U.S. state breach-notification law, we will notify affected individuals and applicable regulators within the time frames required by that law.
The Site is not directed to children. We do not knowingly collect personal information from anyone under the age of 16. If you are a parent or guardian and you believe a child under 16 has provided personal information to us, contact info@confidentinvestor.org and we will delete the information. Under CCPA, we do not sell or share the personal information of consumers under 16 without affirmative authorization (the "right to opt-in"); because we do not knowingly collect from anyone under 16, no such authorization is sought.
The Site is operated from the United States and is intended for U.S. audiences. If you access the Site from outside the United States, you consent to the transfer and processing of your information in the United States, where data-protection laws may differ from those in your jurisdiction. We do not target the Site to residents of the European Economic Area, the United Kingdom, or other non-U.S. jurisdictions, and we do not represent that this Policy complies with the GDPR, UK GDPR, PIPEDA, LGPD, or any non-U.S. data-protection law.
We may update this Policy from time to time. When we do, we will update the "Effective Date / Last Updated" date at the top. If a change is material — for example, if we add a new category of personal information, a new category of third-party recipient, a new purpose of use, or a new opt-out mechanism — we will also:
Continued use of the Site after the effective date of an updated Policy constitutes acceptance of the updated Policy.
We comply with the CAN-SPAM Act, 15 U.S.C. §7701 et seq. The Site does not send marketing email under the confidentinvestor.org brand. If you have provided your email address to us (for example, by emailing us a question), we will use that address only to respond to you. Marketing communications you receive from the third-party companies listed on the Site are sent by those companies under their own privacy and email practices, and the appropriate unsubscribe mechanism is provided by them.
This Section is the Notice at Collection required by CCPA §1798.100(b) and 11 CCR §7012. It is provided at or before the point of collection through the consent banner described in Section 6 and is restated here in full.
For any question about this Policy, to submit a privacy-rights request, to ask an authorized-agent question, or to raise a concern:
For substantive questions about how the Site ranks vacation-rental management companies and about the Publisher's common ownership with Estaga, see the Editorial Policy. For questions about the non-advisory nature of the content, see the Disclaimer.