Legal
Privacy Policy
Last updated: March 2026
VisaPath AI (“we”, “us”, “our”) is committed to protecting your personal data in accordance with the UK GDPR and EU GDPR. This policy explains what data we collect, why we collect it, and your rights.
1. Data We Collect
- Account data: email address, name, password hash (bcrypt, never stored in plain text).
- Profile & immigration data: nationality, passport number (AES-256 encrypted at rest), BRP number (encrypted), NHS & NI numbers (encrypted), visa history, employment history.
- Payment data: Stripe customer ID, subscription status. Full card details are never stored — processed exclusively by Stripe.
- Security logs (audit logs): IP address, user-agent, action performed, timestamp. Retained for 90 days; anonymised if you delete your account.
- Analytics (optional, consent-gated): page views, feature interactions via PostHog — only if you have given explicit consent.
2. Legal Basis for Processing (Art. 6 GDPR)
| Data type | Legal basis |
|---|---|
| Account & profile data | Contract (Art. 6(1)(b)) — necessary to provide the service |
| Security & audit logs | Legitimate interest (Art. 6(1)(f)) — fraud prevention and security |
| Analytics (PostHog) | Consent (Art. 6(1)(a)) — opt-in only, revocable at any time |
| Marketing emails | Consent (Art. 6(1)(a)) — opt-in, with unsubscribe on every email |
3. Data Retention
| Data category | Retention period |
|---|---|
| Account & profile data | Until you delete your account |
| Audit logs (non-anonymised) | 90 days (purged monthly by automated job) |
| Anonymised audit logs | 2 years (purged monthly by automated job) |
| Database backup snapshots | 30 days (Neon managed backups) |
| Analytics data (PostHog) | Per PostHog's retention policy (see sub-processors) |
4. Sub-Processors
| Processor | Purpose | Location | Certifications |
|---|---|---|---|
| Stripe | Payment processing | US | PCI-DSS Level 1, SOC 2 |
| Resend | Transactional email delivery | US | SOC 2 |
| PostHog | Analytics (consent-gated) | EU / US | SOC 2 |
| Neon | PostgreSQL database hosting | EU / US | SOC 2 |
| Vercel | Application hosting & CDN | US | SOC 2 |
| Upstash | Redis (rate limiting, caching) | EU / US | SOC 2 |
5. International Data Transfers
Some sub-processors operate in the United States. Transfers from the UK/EEA to the US are protected by Standard Contractual Clauses (SCCs) under UK IDTA / EU SCCs (2021) with Stripe, Vercel, and Resend. PostHog and Upstash offer EU-region hosting where selected.
6. Your Rights
Under UK/EU GDPR you have the right to:
- Access — download a copy of all your data via Settings → Export my data.
- Erasure — delete your account via Settings → Delete account. Audit logs are anonymised (PII removed) within seconds; anonymised records are purged after 2 years.
- Rectification — update your profile at any time.
- Restriction & Objection — contact us to restrict processing or object to legitimate-interest processing.
- Portability — your data export is machine-readable JSON.
- Withdraw consent — opt out of analytics in Settings → Privacy at any time.
7. Children
VisaPath AI is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us and we will delete it promptly.
8. Security Measures
We use AES-256-GCM encryption for all sensitive document numbers and OAuth tokens at rest. Passwords are hashed with bcrypt (cost factor 12). All data in transit is protected by TLS 1.2+. We conduct regular security audits and maintain a responsible disclosure programme.
9. Contact & Complaints
Data Controller: VisaPath AI Ltd.
Email: privacy@vispathai.com
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) (UK) or your local supervisory authority (EU).