Privacy Policy
Last updated: 14 April 2026
The short version
- We collect only what is needed to prepare your visa applications — passport details, photos, and travel data.
- We never sell your data. We share it only with the services that make the platform work (database, payments, AI photo analysis).
- Your data is encrypted at rest and in transit. Row-level security means only you can see your data.
- You can export or delete all your data at any time from your settings page.
1. Who We Are
VisaVault is operated by JVANET PTY LTD, registered in Queensland, Australia.
- Contact: privacy@visavault.app
- Data Protection Contact: privacy@visavault.app
We are the data controller for the personal data we process.
2. What We Collect
Information You Provide
- Identity data: Full name, sex, date of birth, nationality, religion
- Contact data: Email address, phone number, permanent address
- Passport data: Passport number, type, expiry date
- Employment data (optional): Occupation, employer
- Photos: Portrait photograph, passport data page scan
- Travel data: Entry dates, ports, accommodation addresses, trip history
- Application data: Visa application details, government registration codes
Information Collected Automatically
- Account data: Email used for authentication, login timestamps
- Usage data: Pages visited, features used, application status changes (only if you consent to analytics cookies)
- Device data: Browser type, operating system, screen size (only if you consent to analytics cookies)
- Chat data: Messages sent to our AI travel assistant (if you use this feature)
Information We Do NOT Collect
- We do not collect financial data — payments are processed entirely by Stripe
- We do not track your location
- We do not collect biometric data — our AI photo analysis checks quality but does not perform facial recognition or store biometric identifiers
3. Why We Collect It
| Data | Purpose | Legal Basis |
|---|---|---|
| Identity, passport, contact | To prepare and validate your visa applications | Contract |
| Photos | AI quality checking and storage | Contract |
| Authentication, account communications, visa expiry reminders | Contract + Legitimate interest | |
| Travel history | Prefilling previous entry dates on new applications | Contract |
| Usage data | Improving the service | Consent (analytics cookies) |
| Chat messages | Providing AI travel assistance | Contract |
| Payment info (via Stripe) | Processing subscription payments | Contract |
4. How We Protect Your Data
- Encryption at rest: All data stored in Supabase is encrypted at rest using AES-256
- Encryption in transit: All connections use TLS 1.3
- Row-Level Security: Database policies ensure you can only access your own data
- Private storage: Photos are stored in a private bucket — only you and the system can access your photos
- Server-side API keys: Sensitive keys never leave the server
- No passwords stored: We use magic link authentication — there are no passwords to breach
- Access controls: Our team access is limited to what is necessary for support and maintenance
5. Who We Share Data With
We share your data only with services necessary to operate the platform:
| Service | What We Share | Why | Location |
|---|---|---|---|
| Supabase | All account data | Database hosting and authentication | Sydney, Australia |
| Anthropic (Claude AI) | Photos, chat messages | AI photo checking and chatbot | United States |
| Stripe | Email, subscription tier | Payment processing | United States / EU |
| Google Analytics | Anonymised usage data | Understanding site usage (consent only) | United States |
We do not sell your personal data. We never have and never will.
Important note about Anthropic:When we send your photos to Claude AI for quality analysis, the images are processed and the results returned. Under Anthropic's commercial API terms, data sent via the API is not used to train models. We do not store your images on Anthropic's servers — they are processed in memory and discarded.
6. International Data Transfers
Your data is primarily stored in Supabase's Sydney (Australia) region. Some processing occurs in the United States (Anthropic AI, Stripe). These transfers are protected by:
- Standard Contractual Clauses (EU)
- Data Processing Agreements with each provider
- Provider certifications (SOC 2, ISO 27001 where applicable)
7. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account and profile data | While your account is active + 30 days after deletion |
| Application data | While your account is active + 30 days |
| Photos | While your account is active — deleted immediately on account deletion |
| Chat history | 12 months from last message, then auto-deleted |
| Payment records | 7 years (Australian tax law requirement) |
| Analytics data | 26 months (then auto-deleted by Google Analytics) |
| Cookie consent records | 12 months from consent date |
8. Your Rights
Under GDPR (EU/UK)
- Access: Request a copy of all data we hold about you
- Rectification: Correct any inaccurate data
- Erasure: Delete your account and all associated data (“right to be forgotten”)
- Restriction: Request we limit processing of your data
- Portability: Export your data in a machine-readable format (JSON)
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Change your cookie preferences or withdraw consent at any time
- Complaint: Lodge a complaint with your local supervisory authority
Under CCPA/CPRA (California)
- Know: What data we collect and why
- Delete: Request deletion of your data
- Opt-out: We do not sell personal data, so this right is automatically satisfied
- Non-discrimination: We will not treat you differently for exercising your rights
Under the Australian Privacy Act
- Access: Request access to your personal information
- Correction: Request correction of inaccurate data
- Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
How to Exercise Your Rights
- Export your data: Settings → Download My Data
- Delete your account: Settings → Delete Account
- Change cookie preferences: Click “Cookie Settings” in the footer
- Contact us: privacy@visavault.app
We respond to all requests within 30 days.
9. Children
VisaVault is not intended for use by anyone under 18 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify you by email. The “Last updated” date at the top always reflects the current version.
11. Contact
- Privacy enquiries: privacy@visavault.app
- General support: support@visavault.app