Privacy Policy

Controller: [LEGAL COMPANY NAME] Registered address: [ADDRESS] Email: [PRIVACY EMAIL] Website: [WEBSITE URL] For the purposes of data protection law, we are usually the controller of the personal data described in this Privacy Policy.

ReviewMyVisa helps users organise information, analyse uploaded documents, identify potential issues, and generate guidance, summaries, and readiness insights for visa preparation. Depending on the features you use, our Services may include account creation and login, profile management, visa-review workflows and checklists, document upload and processing, AI-assisted analysis of user-provided information and documents, and billing or credit or token purchase flows.

To help protect your privacy, we provide controls that let you remove or redact personal information before uploading documents, choose whether to upload full documents or only the sections needed for analysis, and delete uploaded documents after successful processing where that option is available in the product. You are responsible for reviewing your documents before upload and for removing personal information that you do not want us or our service providers to process. We ask you to upload only information that is reasonably necessary for the feature you are using. UK GDPR requires personal data to be adequate, relevant, and limited to what is necessary.

We may collect and use the following categories of personal data.

Some documents used in visa and immigration contexts may contain special category data, which is personal data requiring additional protection, such as information revealing racial or ethnic origin, religious beliefs, health information, or biometric data. Under UK GDPR, processing this type of data requires both an Article 6 lawful basis and a separate Article 9 condition. Where our Services process special category data contained in documents you choose to upload, we do so only where we have an appropriate legal basis and condition to do so. This will usually be because the processing is necessary to provide the Services you have requested and, where required, because you have given your explicit consent for us to process that information for visa-readiness, document-analysis, and related support purposes. ICO guidance says valid consent must involve genuine choice and a clear affirmative action, and consent requests should be separate, prominent, and easy to understand. Where explicit consent is required, we will ask for it through a clear, specific opt-in action within the product before sensitive documents are submitted for analysis. You may withdraw your consent at any time. However, if you withdraw consent after providing sensitive documents, we may be unable to continue providing some or all related features. ICO guidance states that people must be able to withdraw consent easily at any time. We strongly encourage you to redact or remove sensitive information that is not necessary before uploading.

Documents used in immigration matters may sometimes contain information relating to criminal convictions, alleged offences, investigations, or similar matters. This type of information is subject to additional legal restrictions under UK data protection law. Unless we expressly request it and identify an appropriate legal basis and condition for doing so, please do not upload criminal offence data that is not strictly necessary. Where such data is uploaded, we may refuse to process it, ask you to redact it, or delete it if we determine that it is unnecessary or inappropriate for our Services.

Our Services are not intended for children under [16] without the involvement of a parent, guardian, school, or authorised representative. If you believe a child has provided personal data to us unlawfully, please contact us so we can review the matter and, where appropriate, delete the data.

We use personal data to create and manage user accounts, authenticate users and maintain sessions, provide visa-readiness, document analysis, and AI-assisted support features, extract and compare information from documents and user inputs, generate summaries, flags, scores, and recommendations, process payments and account administration, respond to enquiries and provide customer support, improve security and detect misuse, maintain service quality and troubleshooting records, improve and develop our Services and workflows, comply with legal, regulatory, tax, accounting, and law-enforcement obligations, and send service messages and, where permitted, product updates or marketing communications.

Depending on the context, we rely on one or more lawful bases under Article 6 UK GDPR. The lawful bases include consent, contract, legal obligation, and legitimate interests.

We may use third-party AI, machine learning, cloud, OCR, extraction, storage, analytics, and support providers to help us operate the Services. This may include providers such as OpenAI, Anthropic (Claude), and other equivalent vendors, together with hosting and infrastructure providers. These providers may process personal data on our behalf as processors or, in some cases, as independent controllers depending on the feature and contractual setup. Where required, we aim to put appropriate written terms in place and limit what they receive to what is reasonably necessary for the relevant feature. We may use AI to analyse uploaded documents, extract and structure information, identify inconsistencies or missing evidence, generate summaries, explanations, and recommendations, and produce visa-readiness insights, flags, or scores. These outputs may involve profiling or automated analysis. However, we do not intend for the Services to make solely automated decisions that produce legal effects or similarly significant effects on you. ReviewMyVisa provides support information only. Final immigration outcomes are determined by users, advisers, or relevant authorities, not by our platform. You should not rely on AI output alone. You are responsible for reviewing outputs and deciding how to use them.

We do not use your uploaded documents or private account content to train general-purpose AI models for third parties unless we clearly tell you otherwise and obtain any required permission. We may use limited operational data, such as aggregated usage metrics, reliability and security logs, and de-identified information where feasible, to maintain, protect, and improve our Services. If we introduce any feature that involves a different approach, such as using content to improve models beyond what is needed to provide the Service, we will update this Privacy Policy and, where required, obtain consent.

We may share personal data with hosting, storage, cloud, and infrastructure providers; AI and document-processing vendors where you use those features; payment processors and billing providers such as Stripe; analytics, logging, and customer-support providers if enabled; professional advisers, auditors, insurers, and legal counsel; regulators, courts, government bodies, or law-enforcement authorities where required or permitted by law; and actual or prospective buyers, investors, lenders, or advisers in connection with a merger, financing, acquisition, reorganisation, or sale of assets, subject to appropriate confidentiality protections. We do not sell your personal data.

Some of our suppliers or their sub-processors may be located outside the UK. Where personal data is transferred internationally, we aim to use safeguards required by law, which may include adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, and transfer risk assessments or supplementary measures where needed. UK GDPR requires safeguards for restricted transfers of personal data outside the UK framework. You acknowledge that use of third-party AI or cloud providers may involve international processing.

We ask users to upload only the information that is reasonably necessary for the relevant purpose. You must not upload information that is unnecessary for your use of the Services, third-party personal data unless you have the right to provide it, criminal offence data unless clearly required, or documents containing sensitive information that you could reasonably redact but chose not to. We reserve the right to remove, redact, refuse to process, or delete uploaded content where we believe it creates unnecessary privacy, legal, or security risk.

We keep personal data only for as long as necessary for the purposes described in this Policy, including to provide the Services, maintain records, resolve disputes, enforce our terms, and comply with legal obligations. ICO guidance says privacy information should explain retention periods or the criteria used to determine them. Our retention approach may include the following: • Account data is retained while your account is active and for a reasonable period afterwards. • Billing and transaction records are retained for tax, accounting, and compliance purposes. • Support and audit logs are retained for security, troubleshooting, and dispute resolution. • Uploaded documents are retained only as long as needed for processing and related support purposes, unless you delete them earlier or law requires longer retention. • Derived outputs, such as summaries or structured results generated from your content, may remain available in your account until you delete them or delete your account, depending on product controls. Where the product gives you the option to delete uploaded documents after successful processing, deleting them will remove them from active use, subject to limited backup, security, legal, fraud-prevention, or archival retention where necessary. You may contact us to request more detail about applicable retention periods.

Where we make document-deletion tools available, you may delete uploaded files after successful processing. Please note that deletion requests may not instantly remove all copies from backups or disaster-recovery systems. We may retain limited metadata, logs, derived outputs, or records where necessary for security, fraud prevention, billing, legal compliance, or dispute resolution. If a document has already been processed, generated outputs based on that document may remain in your account unless separately deleted.

We use technical and organisational measures intended to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures may include access controls, encryption in transit, role-based permissions, secure hosting, logging, monitoring, and vendor due diligence. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Under UK data protection law, you may have the right to access your personal data, correct inaccurate data, request erasure in certain circumstances, restrict processing in certain circumstances, object to processing in certain circumstances, receive certain data in portable form, withdraw consent where processing is based on consent, and complain to the Information Commissioner's Office. ICO guidance says individuals must be informed of these rights as part of the privacy information you provide. To exercise your rights, contact us at [PRIVACY EMAIL]. We may need to verify your identity before responding. We may also refuse or limit requests where the law allows us to do so. You also have the right to complain to the Information Commissioner's Office if you are unhappy with how we handle your personal data.

Where permitted by law, we may send you service messages and limited product updates. Where marketing consent is required, we will ask for it. You can unsubscribe from marketing emails at any time using the unsubscribe link or by contacting us.

We may use cookies and similar technologies for authentication, security, and service performance. This can include authentication or session cookies required to keep you logged in and secure access to protected content, and security cookies used to protect access to content, such as signed cookies used through a CDN. Where legally required, we will ask for consent before placing non-essential cookies, such as certain analytics or marketing cookies. ICO guidance says cookie consent must be based on a clear positive action for non-essential cookies. More detail is available in our [Cookie Policy / Cookie Notice].

Our Services may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of third parties. You should review their privacy notices separately.

If we undergo a merger, acquisition, investment, restructuring, insolvency process, or sale of all or part of our business or assets, personal data may be disclosed to relevant parties under appropriate confidentiality and legal safeguards.

We may update this Privacy Policy from time to time to reflect changes to our Services, suppliers, legal obligations, or business practices. We will post the updated version on this page and update the "Last updated" date. Where required, we will also notify you more directly.

If you have questions about this Privacy Policy or how we handle personal data, contact: [LEGAL COMPANY NAME] [ADDRESS] [PRIVACY EMAIL]