Privacy

We respect your privacy and follow industry standards to protect your personal information. Learn more about how your data is processed, transferred, and stored.

Privacy policy

Last updated: January 17, 2023

Overview

This Privacy Policy (“Privacy Policy”, “Policy”) describes how HashiCorp, Inc. (“HashiCorp”, “we”, “us” or “our”) collects, uses, shares, processes and protects personal information (“Personal Information”) relating to individuals (“you”, or “your”), who may use or interact with our websites or services, communicate with us, contact us, or attend our events. “You” may be a visitor to one of our websites, a user of one or more of our Services (“User”), a collaborator, or a customer (“Customer”).

HashiCorp respects your privacy and is committed to protecting your Personal Information (any information that relates to an identified or identifiable individual).

Note: We do not rent, sell, or trade your Personal Information.

Scope

This Policy applies to all visitors of our websites, and users of our products, websites, features or services, or any other HashiCorp websites that link to this Policy (collectively, the “Websites”), unless covered by a separate privacy policy, and explains how we collect, use, disclose, and safeguard your information. Please note that HashiCorp's Data Protection Addendum (DPA) is the governing document that applies to the extent that we process Personal Information in the role of a processor (or a comparable role such as “service provider” in certain jurisdictions) on behalf of our customers, including where we offer to our customers various cloud products and services, through which our customers (and/or their affiliates) connect their own applications to our hosted platform, sell or offer their own products and services, send electronic communications to other individuals, or otherwise collect, use, share or process Personal Information via our cloud products and services.

Please read this Privacy Policy carefully.

Data collections and uses

Overview

This Policy describes how we collect and use your Personal Information, whether it is shared and/or disclosed, and how we address privacy matters, such as deletion of your Personal Information upon request, and opting-out of marketing communications. Lastly, we describe methods for contacting us if you have privacy questions, comments or feedback.

Personal information we collect and receive

Transparency is one of the best ways to earn your trust. Below are the types of personal data elements we may receive and process about you through: the use of our website, products, or support services; attendance of our virtual and in-person events; third party advertising and marketing partners; and applications to our open roles. The summary sections and tables below explain in further detail the specific personal data elements information we collect from you or receive from third parties and why, based upon your relationship with us and as your relationship evolves with HashiCorp

Visitors

When you visit our public websites, without logging into an account or using our products and/or services, we consider you a Visitor. As a Visitor, the information we collect from you is listed below. You’re not obligated to provide us with such Personal Information, and you are free to change or completely opt-out of information being shared with us; however refusing to provide requested Personal Information might prevent you from using certain features of the Websites.

What do we collect?Why do we collect it?Can you limit collection?
HashiCorp CookiesTo recognize you when you make a return visit and deliver overall a consistent experienceMost modern browsers allow you to delete or limit cookies

You can manage your cookie preferences and settings by making choices in our cookie banner or through our cookie preference center

Third-Party Tags and CookiesTo deliver an overall consistent experience, and measure our marketing effectiveness

Most modern browsers allow you to delete or limit cookies, including third-party cookies; however, you may not be able to limit marketing tags entirely unless you do not visit our sites

You can manage your cookie preferences and settings by making choices in our cookie banner or through our cookie preference center

Internet Protocol (IP) Address
  • Part of the basic function of the internet
  • To measure who is visiting us and from where
The only way to avoid this is to not visit our sites
Browser Metadata

(i.e. browser type, version, operating system)

  • Part of the basic function of the internet
  • To ensure we maintain a positive website experience for most used browsers
Browsers communicate this automatically; however, some third-party extensions may allow you to limit this
Log data
  • To maintain website functionality
Log data is collected automatically and may include: Internet Protocol (IP) addresses; browser types, product versions, and operating systems, date and time stamp, language preferences, etc.
Contact Data

(i.e., Names, emails, phone numbers, etc.)

  • To respond to your inquiry via our “contact us” methods
  • This information is voluntarily shared
  • This may be required to respond to administrative or account issues or inquiries.
Customers/Prospective customers (marketing)

In addition to the data above, you may also voluntarily share Personal Information with us, as customers or prospective customers, in order to receive information about products and services, or to register for an upcoming event.

We may also receive information about you, such as your name, employer, title, country, state and contact information, from third parties, such as marketing partners, and combine it with other information we have about you. If we already have information about you in our database in accordance with applicable data retention periods, we would update this information. We also use data enrichment agencies to supplement the information we have. These data enrichment agencies can also be located in third countries outside the European Union, European Economic Area, or UK, in particular in the U.S. We will then use adequate safeguards such as Standard Contractual Clauses, as updated from time to time, and supplementary measures, where required. In addition, HashiCorp may engage third parties to deliver advertising about our Products or Services. This advertising helps us personalize the advertising content that is relevant to you. The collection and use of your data by third parties is subject to the applicable third party’s privacy policy, but the use of your data by HashiCorp is subject to HashiCorp’s Privacy Policy.

If you have provided your information for sales and marketing communications and are a resident of the following countries, your data may be shared with our partner Nuaware for outreach on our behalf: Israel, South Africa, Algeria, Morocco, Angola, Benin, Botswana, Burkina Faso, Burundi, Cameroon, Central African Republic, Chad, Comoros, Congo, Cte DIvoire, Djibouti, Eritrea, Eswatini, Ethiopia, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau, Kenya, Lesotho, Liberia, Libya, Madagascar, Malawi, Mali, Mauritania, Mauritius, Mozambique, Namibia, Niger, Nigeria, Rwanda, Sao Tome and Principe, Senegal, Seychelles, Sierra Leone, Somalia, South Sudan, Sudan, Tanzania, Togo, Uganda, Zambia, or Zimbabwe.

What do we collect?Why do we collect it?Can you limit collection?
Name + Email
  • To respond to your inquiry
  • Email you about product offerings, updates and other marketing promotions
  • This information is voluntarily shared, to provide individuals with relevant marketing materials
  • This may be required to respond to administrative or account issues or inquiries.
  • You can opt out of marketing emails, see the “Contact Us” section
Company Name
  • To further develop our understanding of you
  • This information is voluntarily shared; however, for marketing purposes, this is required
Job Title
  • To further develop our understanding of you
  • Yes, this is voluntary
Phone Number
  • To contact you
  • Yes, this is voluntary
Analytics information
  • To measure the effectiveness of our marketing activities
You can manage your preferences and settings by making choices in our cookie banner or through our preference center

Users/Customers

If you choose to register for an account with HashiCorp or on our Websites, you will share Personal Information with us.

When you register, create a User Account on our Website and begin using our products, we consider you a User. This section describes our privacy practices related to Users. Keep in mind Users are also considered Visitors so we collect this data in addition to what was described for Visitors.

What do we collect?Why do we collect it?Can you limit collection?
Email, Username, and Password
  • In order to establish your account and allow you to securely access it
  • Email you about service updates, maintenance activities, security notifications, weekly summaries, and other account related information
  • No, these are required for us to facilitate your account lifecycle or to contact you
  • You can; however, opt out of marketing emails, see the “Contact Us” section
Phone Number
  • For 2-factor authentication to increase security
  • No, this is required to enable 2-factor authentication
Payment Data (credit card data, address, etc.)
  • In order to process you payment, we require the minimum amount of data NOTE: We do not store any financial data, as we use Stripe and/or Shopify to process the payments.
  • No, this is required to process your payment
Audio and video recording data
  • For sales team’s training and awareness activities.
  • At the request of a customer.
  • We only enable these functions with your consent to do so. At any time you may withdraw consent verbally during the call or via writing prior to or following the call.
Other personal dataIncluding but not limited to:
  • To facilitate use of our website contact forms.
  • To fulfill support tickets
  • To facilitate events and attendance
  • For interactions of social media
  • Participation in surveys
  • Each of these activities are optional and personal data is provided voluntarily.

Job candidates

We provide the ability to submit job applications to our open job listings and ​​we receive candidate information from recruitment agencies for recruitment purposes. To appropriately respond to your application, we need to collect and process your provided Personal Information, which may also be carried out electronically. If we begin an employment contract with you, your submitted application data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. We maintain your Personal Information for the period of time necessary to carry out our legitimate business interests and according to applicable laws. For information about specific retention periods, please contact us at privacy@hashicorp.com

What do we collect?Why do we collect it?Can you limit collection?
Contact data

(i.e., name, email, phone number, etc.)

  • In order to contact you regarding next steps for interviews, etc.
  • No, these are required for us to process applications
Resume data

(i.e., education experience, work experience, etc.)

  • To process your application and determine whether you are a fit for the organization.
  • No, these are required for us to process applications
Background check data

(i.e., name, email, phone number, criminal history, employment verification, etc.)

  • To confirm your identity and eligibility for employment with HashiCorp.
  • No, these are required for us to move forward with employment.

How we use personal information

Purposes of processing

In addition to those detailed above, we will not use or share your Personal Information in ways unrelated to those described below. We do not use automatic decision-making or profiling, and will not sell your Personal Information for any purpose without your prior consent.

  • Customer’s instructions. HashiCorp will only share and disclose Personal Information in accordance with a Customer’s instructions, including any applicable terms in the Customer’s agreement(s) with us, and in compliance with applicable laws and regulations.

  • Customer access. Owners, administrators and other Customer representatives and personnel, as defined in the Customer agreement(s) with us, may be able to access, modify, or restrict access to Personal Information.

  • To provide and maintain our products and make them more useful to you. To respond to support requests, prevent or address any issues, monitor usage, tailor communications and offers to you regarding our products that may be of specific interest to you, and to improve our products.

  • Administer events. We will use personal data provided to facilitate an event which may include providing information to third party vendors and partners. We may also provide information, including personal data, to third party event sponsors with your consent. To opt-out of this data sharing with third parties and/or request deletion please refer to the “Your Rights” section below.

  • To recruit candidates. We may use personal information candidates provide to fulfill our legitimate interest to recruit for open positions at HashiCorp.

  • Training and awareness. We may utilize different tools, such as call recording, which contain personal information, to help with the training and awareness of our employee-base. We only record calls with your explicit approval (which may be terminated or withdrawn at any time).

  • Research and development. We are always looking for ways to improve our products and user experience. We may use information to analyze and track interactions with our products, such as usage, activity patterns, trends, or areas for integration, to the extent necessary for legitimate interest in developing, improving, and troubleshooting our products, and providing you with more relevant content and service offerings that benefit our users and the public.

  • During a change to HashiCorp’s business. If HashiCorp is involved in a merger, acquisition, sale of all or a portion of our assets, or bankruptcy, your Personal Information would be an asset transferred to or acquired by the successor entity or third party. You acknowledge that such transfers may occur and that the transferee may process Personal Information in a manner different to that set out in this Privacy Policy. You will be notified by email and/or a prominent notice on our Websites of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.

  • Aggregated or de-identified information. We may disclose or use aggregated or de-identified Personal Information for any purpose. For example, we may share aggregated or de-identified information with prospects or partners for business or research purposes, such as showing a total count of active users accessing our products. We may use aggregated and de-identified Personal Information to further develop our own products and services as well.

  • To enforce our rights, prevent fraud, and for safety. HashiCorp may process your Personal Information to protect and defend the rights, property, or safety of HashiCorp or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues. In all such instances, use and disclosure will be limited as much as reasonably possible.

Legal basis for processing

Our legal basis for collecting and using the personal information described in the above sections will depend on the personal information concerned and the specific context in which we collect it. However, in most cases we collect the personal information to facilitate the business relationships we have with our Users where we have consent to do so, to fulfill contractual agreements, or to pursue our legitimate interests where these are not overridden by the interests, rights, or freedoms of Users. In some cases we may be required legally to collect or disclose personal information; in which case we will make this clear. In other cases, where we rely on an alternative legal basis, we will do so only with the appropriate legal requirements in place. A copy of our Data Protection Addendum (DPA) with further details is available here. For any questions on our legal basis for processing , please contact us at privacy@hashicorp.com.

Third Party Sharing

We may engage third party companies or individuals as service providers or business partners to process Personal Information and support our business. We may share Personal Information with third parties for a variety of reasons, including but not limited to:

  • Service providers, business partners, and subprocessors. Service providers, business partners, and subprocessors all help to support HashiCorp’s products and operations. For a full list of HashiCorp’s subprocessors that process Personal Information on our behalf, please refer to hashicorp.com/subprocessors.

  • To comply with laws. If we receive a valid request for information, we may disclose Personal Information if we reasonably believe disclosure is in accordance with or required to comply with the legal process, a government request, or any applicable law or regulation.

How long do we keep your data?

We only process and keep any Personal Information for as long as necessary to achieve the purpose for which the information was originally collected. The exact length of time we keep Personal Information depends on our processing purposes and the statutory retention period for that type of information. After the statutory period of time passes, or if storage of Personal Information is not needed, Personal Information is deleted or anonymized.

Security

HashiCorp takes appropriate administrative, technical, physical, and organizational security measures to protect your Personal Information from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. We follow industry standards to protect the Personal Information submitted to us, both during transmission and once it is received, taking into account the nature of such information and the risks involved in processing, and comply with applicable laws and regulations. While we have taken reasonable steps to secure the Personal Information you provide to us, please be aware that despite our best efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. For more information on our practices with regards to security and confidentiality please visit hashicorp.com/security.

If you have any questions about our security, or have reason to believe that your interaction with us is no longer secure, please contact us at security@hashicorp.com.

Policy for children

We do not knowingly solicit information from or market to children under the age of thirteen (13). If you are under age 13, please do not give us any Personal Information. We encourage parents and legal guardians to monitor their children’s Internet usage and to help us enforce our Privacy Policy by instructing them to never share Personal Information through our Websites without their permission. If you suspect or become aware of any data we have collected from children under age 13, please contact us immediately by emailing privacy@hashicorp.com or by using the contact information provided below.

Notice to all non-U.S. residents

Our servers are located in the U.S. If you are located outside of the U.S., please be aware that any information provided to us, including Personal Information, will be transferred from your country of origin to the U.S. HashiCorp transfers and processes data, including the data transfers under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), the UK and EU General Data Protection Regulation (GDPR), and in accordance with additional applicable laws and regulations.

Notice for residents of the European and Swiss Economic Areas

In order to comply with European Union and Swiss data protection laws, HashiCorp, Inc. utilizes a comprehensive data protection addendum (DPA) that includes compliant Standard Contractual Clauses (SCCs) for all third parties collecting, storing, or processing personal information. HashiCorp complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. HashiCorp has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. HashiCorp has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

HashiCorp is responsible and may be held liable for the processing of Personal Information we receive under DPF, and the subsequent transfers to a third-party acting as an agent on our behalf. With respect to Personal Information received or transferred pursuant to the DPF Frameworks, HashiCorp is subject to the regulatory enforcement and investigatory powers of the U.S. Federal Trade Commission, or any other authorized U.S. statutory body. In certain situations, HashiCorp may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Notice for California residents

The California Consumer Privacy Act (CCPA) is a new data privacy law that applies to certain businesses which collect Personal Information from California residents. The law went into effect on January 1, 2020. HashiCorp now offers data protection terms pursuant to the EU GDPR and UK GDPR in Europe and the same terms under the CCPA. Your rights under the CCPA are described below.

Please note that HashiCorp does not rent or sell any Personal Information.

In addition, California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits California residents to request and obtain from us, once a year and free of charge, 1) information about categories of Personal Information (if any) we disclosed to third parties for direct marketing purposes, and 2) the names and addresses of the third parties with which we shared Personal Information in the preceding calendar year.

If you are under 18 years of age, reside in California, and have a registered account with our Websites, you have the right to request removal of unwanted data that you publicly post on our Websites. To request removal of such data, please visit privacy.hashicorp.com to initiate the deletion directly, or contact us using the contact information provided below, and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on our Websites, but please be aware that the data may not be completely or comprehensively removed from our systems due to legal and regulatory requirements.

If you are a California resident and would like to make a request, please visit privacy.hashicorp.com to initiate the request directly or submit your request in writing to us using the contact information provided below.

International transfers

HashiCorp is headquartered in the United States and much of the data we process will be transferred or processed in the United States. We also store and process personal data in: (i) any country where we have active employees, and (ii) any country in which we engage service providers. As a result, we may transfer, access, or store personal data outside of the European Economic Area (“EEA”), Switzerland, the United Kingdom, or other countries that require legal protections for international data transfer. Please refer to our Transfer Impact Assessment (TIA) for further information. For international transfers of personal data, we implement measures as necessary to ensure we provide appropriate safeguards for the transferred personal data by using one of the following approaches:

  • We may enter into agreements with Standard Contractual Clauses or another lawful transfer mechanism approved by the European Commission, and as agreed with customers.

  • We may transfer personal data to countries with privacy laws that have been recognized by the country from which the data was transferred as providing similar data protections (“adequacy”).

  • We may rely on other transfer mechanisms approved by regulatory authorities in the country from which the data are transferred.

This applies only to HashiCorp practices, technologies, and services. This does not include links to websites and online services that are operated by other companies not under the control or direction of HashiCorp. If you provide or submit personal information to those websites or online services, the privacy policies on those websites or online services apply to your personal information. We encourage you to carefully read the privacy policies of any website you visit.

Your rights

We recognize, under the EU-U.S. Data Privacy Framework Principles, the Swiss-U.S.Data Privacy Framework Principles, CCPA, the EU GDPR, the UK GDPR, the Brazilian General Data Protection Law (LGPD), and other applicable privacy laws, that you may have certain rights in regards to your Personal Information. We feel that your privacy and ability to preserve and exercise your rights is very important. You are encouraged to review and understand these rights as they pertain to you and your Personal Information. In certain circumstances, these rights include, but are not limited to:

  • Right to be Informed: This means we have to tell you why we process your Personal Information, our retention periods, and who it will be shared with.

  • Right of Access: This means we have to provide you with a copy of your Personal Information we process upon your request.

  • Right to Rectification: This allows you to have inaccurate Personal Information rectified, or completed if it is incomplete.

  • Right to Erasure: This allows you to have your Personal Information erased.

  • Right to Restrict Processing: This means you can limit the way we use their data.

  • Right to Data Portability: This allows you to receive a copy of your Personal Information in a structured, commonly used and machine-readable format and gives you the right to transmit the data to another controller without hindrance.

  • Right to Object: This allows you to object to the processing of your Personal Information at any time.

  • Right to Non-Discrimination: The CCPA prohibits covered businesses from discriminating against consumers for exercising their CCPA rights. This means we cannot charge a different price, deny access to our products, or impose penalties for exercising your rights under the CCPA.

  • Right to Withdraw Consent: This means you can withdraw your consent at any time.

In support of these rights, you may exercise any of the above rights, with respect to your Personal Information. You may update, correct, or delete your Personal Information; if you wish to delete or suspend your account, please note that we may retain certain information as required by law or for legitimate business purposes. If you have become aware that an account has been created about you without your knowledge or consent, you may contact us to request deletion of that said account. You may visit privacy.hashicorp.com to initiate the deletion or contact us by emailing privacy@hashicorp.com

For your protection, we may only respond with the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will respond to your request within 30 days.

A note for cloud product users before submitting a request:

In order to process a user’s request to delete personal information within HashiCorp Cloud Product/Terraform Cloud Product (HCP/TFC) under the purview of GDPR, HashiCorp first requires that any of the following conditions (should they exist) be resolved:

  • User is the owner of an HCP Organization that has unpaid invoices or failed payments.

    • Please pay your unpaid invoices before submitting a GDPR request for deletion of personal information.

  • User is the owner of an HCP Organization that has other users.

  • User is the owner of an HCP Organization that is linked to an active Contract.

  • User is the owner of an HCP Organization that is linked to a Terraform Organization for billing.

  • User is the owner of an HCP Organization that has running resources (Consul, Vault, Packer, TFC, Service Principals, etc).

  • User is the owner of an HCP Organization that has unpaid usage.

    • Please delete all running resources and remove your credit card on file to get that usage invoiced, then pay the invoice before submitting a GDPR request for deletion of personal information.

  • User is the owner of a TFC Organization.

Details about managing your payment methods may be found here. For inquiries regarding these items please reach out to support@hashicorp.com.

Changes to this policy

If we make material changes to this Policy, we will revise the “Last Updated” date at the top of this Policy, and in some cases, where required by law, we may provide you with more prominent notice (such as adding a statement to our homepage or sending you an email notification). Any changes or modifications will be effective immediately upon posting of the updated Privacy Policy.

We encourage you to review the Policy whenever you access the Websites to stay informed about our information practices and the ways you can help protect your privacy.

Contact us

For any and all privacy-related matters, questions or comments, or to exercise a right under the EU’s GDPR, the UK’s GDPR or the CCPA, you may contact us in writing or by email. Our contact information is as follow:

HashiCorp, Inc.

℅ Security and Privacy Office

101 Second Street, Suite 700

San Francisco, CA 94105

United States

Phone: +1 (415) 301-3250

Email: privacy@hashicorp.com

Website: privacy.hashicorp.com

If you are a resident of the European Economic Area, please contact our EU/UK representative:

Technology Law Boutique

Beekstraat 11, 2800 Mechelen, Belgium

VAT: BE0648.736.691

Phone: +32 473 88 69 65

Email: edaems@techlawboutique.com stephanie@techlabboutique.com

Website: www.technologylawboutique.com


In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, HashiCorp commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact HashiCorp.com at: [privacy@hashicorp.com](mailto:privacy@hashicorp.com).

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, HashiCorp commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit [https://feedback-form.truste.com/watchdog/request](https://feedback-form.truste.com/watchdog/request) for more information or to file a complaint. The services of TRUSTe are provided at no cost to you.

If these processes do not result in a resolution, you may then contact your local data protection authority, the U.S. Department of Commerce, and/or the Federal Trade Commission for assistance. Under certain conditions, you may invoke binding arbitration when other dispute resolution procedures have been exhausted and upon written notice to HashiCorp at [privacy@hashicorp.com](mailto:privacy@hashicorp.com).

Virginia Residents: If you wish to file a complaint regarding inaction on a consumer request (S.B. 1392 § 59.1-573(C)) you may contact the Attorney General of Virginia at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.