Privacy Policy

EasyVisa FZ-LLC, registered in Dubai, UAE ("Company", "we"), is the data controller for personal data collected through the Service. Data Protection Officer (DPO): dpo@easyvisa.international

Categories of personal data we collect: (a) Identity data: name, date of birth, gender, nationality, passport number, national ID (b) Contact data: email, phone, postal address (c) Profile data: education, work experience, language proficiency, skills (d) Documents: passport scans, CVs, certificates, licenses, photos (e) Family data (beneficiaries): names, DOB, nationality (f) Financial data: payment method tokens (we do not store full card numbers; tokenized via PCI-compliant gateways) (g) Technical data: IP address, browser, device, OS, referrer (h) Behavioral data: pages visited, application progress, login history We DO NOT collect: full card numbers, CVV, biometrics (without explicit opt-in for KYC verification), social security numbers (unless required by destination country immigration).

We process personal data on the following legal bases: (a) Contract: to provide the Service you signed up for (b) Legal obligation: KYC, AML, anti-fraud, tax reporting (c) Legitimate interest: fraud prevention, service improvement, security (d) Consent: marketing communications (you can withdraw anytime) (e) Vital interest: in emergencies (e.g., medical info during relocation)

We use your data to: (a) Process your application and select candidates (b) Verify your identity and documents (c) Coordinate with destination employers and visa agencies (d) Process payments (e) Send transactional notifications (email, SMS, push) (f) Improve our service (g) Comply with legal obligations (h) Prevent fraud and ensure security

We share personal data with: (a) Destination employers (only after selection): your profile, CV, credentials (b) Visa partner agencies: documents required for visa application (c) Payment gateways (Stripe, Razorpay, Flutterwave, dlocal, PayTabs, 2C2P, Coinbase Commerce): tokenized payment data (d) Email providers (Resend, SMTP): email notifications (e) SMS providers (Twilio, MSG91): SMS notifications (f) Cloud infrastructure (Hetzner — EU; Cloudflare — global edge): hosting and security (g) Government authorities: only when legally required (h) Auditors and legal advisors: under strict NDA We DO NOT sell your data to third parties for marketing purposes.

Your data is primarily stored in the EU (Frankfurt, Germany). When transferring outside the EU/UK: (a) To USA: only Standard Contractual Clauses + Data Privacy Framework if applicable (b) To destination employers: only after explicit consent at selection time (c) To visa agencies: under DPA (Data Processing Agreement) Cross-border transfers comply with GDPR Articles 44-49.

(a) Active accounts: data retained for the duration of the account (b) Successful placement: 5 years after relocation (regulatory) (c) Cancelled/expired applications: 1 year then deleted (d) Audit logs: 7 years (legal requirement) (e) Payment records: 10 years (tax law) (f) Marketing data: until consent withdrawn Anonymized aggregate data may be retained indefinitely for analytics.

Under GDPR, DPDP Act, LGPD, PDPA, and POPIA, you have the following rights: (a) Access: request a copy of your data (b) Rectification: correct inaccurate data (c) Erasure ("right to be forgotten"): request deletion (subject to legal retention) (d) Restriction: limit our processing (e) Portability: receive your data in machine-readable format (JSON) (f) Objection: object to processing based on legitimate interest (g) Withdraw consent: anytime for consent-based processing (h) Complaint: lodge a complaint with your data protection authority To exercise rights: dpo@easyvisa.international (we respond within 30 days, free of charge for first request annually).

Technical safeguards: (a) Encryption at rest: AES-256 (b) Encryption in transit: TLS 1.3 (c) Password hashing: argon2id (memoryCost 64MB) (d) Multi-factor authentication: optional TOTP (e) Rate limiting and DDoS protection (Cloudflare) (f) Regular security audits and penetration tests (g) Audit logs (immutable, 7-year retention) (h) Backup and disaster recovery (daily, off-site) Organizational safeguards: (i) NDAs for all employees and contractors (j) Role-based access control (RBAC) (k) Need-to-know principle (l) Security awareness training (m) Incident response plan

We use the following types of cookies: (a) Strictly necessary: authentication, session management (no consent required) (b) Functional: language preference, theme (legitimate interest) (c) Analytics: PostHog (privacy-focused, EU-hosted, no third-party cookies) We DO NOT use: (a) Advertising cookies (b) Third-party tracking pixels (c) Cross-site tracking See our Cookie Policy for full details.

Our Service is not intended for users under 18 years old. Account holders must be 18+. Beneficiaries under 18 (children, minor relatives) may be added by their legal guardian (the account holder), and KYC documentation is required upon selection. We do not knowingly collect data from children under 16 without parental consent.

The selection algorithm uses automated processing combining: (a) Profile completeness score (b) Skill score (English level, experience, documents) (c) Cryptographic randomness (verifiable on Polygon blockchain) You have the right to request human review of any selection decision affecting you.

In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify: (a) The competent data protection authority within 72 hours (b) Affected users without undue delay

We may update this Privacy Policy. Material changes will be notified via email at least 30 days before taking effect. The current version is always available at easyvisa.international/privacy.

Data Protection Officer: dpo@easyvisa.international Privacy questions: privacy@easyvisa.international EU representative: [TBD post-launch] UK representative: [TBD post-launch] EasyVisa FZ-LLC, [Dubai address TBD]