Skip to main content
Legal

Privacy Policy

Last updated: April 28, 2026

How Vidicy handles agency accounts, client visa documents, uploaded files, subprocessors, cookies, and data rights.

1. Information We Collect

At Vidicy, we collect information needed to operate agency visa review workflows. This includes:

  • Agency account information: Names, email addresses, authentication data, organization details, and role information for agency users.
  • Client and applicant details: Passport number, date of birth, nationality, visa history, travel dates, and related information entered or uploaded by an agency user.
  • Visa documents: Documents, images, and forms uploaded for review, which may include passports, bank statements, invitation letters, employment records, bookings, and other supporting materials.
  • Usage data: Information about how agency users interact with queues, reviews, reports, document checks, and support workflows.
  • Technical Data: IP address (stored with your session for security purposes), browser type, and device information collected automatically.

2. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following lawful grounds:

  • Contract Performance: Processing data is necessary to provide agency case queues, document checks, issue tracking, and client fix lists.
  • Consent: Agency users provide consent when creating an account and agreeing to our Terms of Service and this Privacy Policy. Consent may be withdrawn where applicable.
  • Legitimate Interest: We process certain data to improve our services, ensure platform security, and prevent fraud, where such interests are not overridden by your rights.

3. How We Use Your Information

We use the information we collect primarily to deliver our core services:

  • To analyze uploaded client documents and detect missing items, weak evidence, and inconsistencies.
  • To provide route-specific checklists, reviewer flags, and feedback for agency workflows.
  • To support document review and question-answering using context from the relevant case files.
  • To process transactions and send you related information, including confirmations and receipts.
  • To send technical notices, updates, security alerts, and support messages.

Important: We do not use agency client documents or data to train public models. Documents are processed solely to provide the review workflow.

4. Third-Party Data Processors

We rely on a small set of trusted third-party subprocessors to operate the product, including providers for automated document processing, hosting, payments, email delivery, authentication, monitoring, and account-security checks.

For the current public registry of subprocessors, their role in the service, and their website, see our Subprocessors page. Each provider operates under a Data Processing Agreement (DPA) or comparable contractual safeguards where applicable.

We do not sell, trade, or rent your personal information to any third party. Data is shared with processors solely for the purpose of operating our service.

5. International Data Transfers

Your data may be processed outside your country of residence. Specifically:

  • Personal data may be processed by automated document-processing providers in the United States.
  • Personal data may be processed by requirement lookup providers in the United States.
  • Data may be stored and served through Cloudflare's globally distributed infrastructure.
  • Email notifications may be processed by Resend in the United States.

These transfers are protected by Data Processing Agreements with each provider, which include Standard Contractual Clauses (SCCs) as approved by the European Commission where applicable.

6. Data Retention

We retain agency and client data for the following periods:

  • Account data: Retained until the account is deleted.
  • Client applications and uploaded documents: Retained until the relevant case, workspace, or account is deleted, unless a legal or operational retention obligation applies.
  • Review history: Retained as part of the relevant client case and deleted when the case is deleted.
  • Document embeddings (Vectorize): Deleted when the associated document or application is deleted.
  • Session data: Automatically expires after 30 days of inactivity.
  • Payment records: Retained as required by applicable tax and accounting laws.

7. Data Security

Security is critical when handling sensitive agency and client visa application materials. We implement multiple layers of protection:

  • Encryption in transit: All data is transmitted over TLS (HTTPS).
  • Encryption at rest: Uploaded documents are stored in Cloudflare R2 with AES-256 server-side encryption. Database records in Cloudflare D1 are encrypted at the storage layer.
  • Password security: Passwords are hashed using PBKDF2-SHA256 with 100,000 iterations and a 128-bit random salt. We use constant-time comparison to prevent timing attacks.
  • Session security: Session tokens use 256 bits of cryptographic entropy, are stored in httpOnly secure cookies, and automatically expire after 30 days. A maximum of 5 concurrent sessions per user is enforced.
  • Rate limiting: Authentication endpoints and API routes are protected by rate limiting to prevent brute-force attacks.
  • CSRF protection: All mutation requests are validated against a per-session CSRF token.

Document embeddings stored in Cloudflare Vectorize are numerical vector representations that cannot be reverse-engineered to recover the original document text.

8. Cookies and Tracking

We use the following cookies, all of which are necessary for the operation of our service:

  • session — Authentication session cookie (httpOnly, secure, 30-day expiry).
  • csrf-token — Cross-site request forgery protection (httpOnly, secure, 24-hour expiry).

We use Cloudflare Web Analytics for anonymous, aggregated performance metrics. This does not use cookies and does not track individual users.

We do not use any advertising trackers, retargeting pixels, or third-party analytics that track individual users.

9. Your Rights

Depending on your location, you may have the following rights under GDPR, UK GDPR, CCPA, or other applicable data protection laws:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data, including uploaded documents, evaluations, chat history, and document embeddings.
  • Right to Data Portability: Request your data in a structured, machine-readable format.
  • Right to Object: Object to certain types of data processing.
  • Right to Withdraw Consent: Withdraw your consent at any time by deleting your account.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

How to exercise your rights: Agency users can delete review cases and their documents directly from the dashboard where available. To delete an entire account or exercise any other right listed above, please contact us at support@vidicy.com. We will respond to your request within 30 days.

10. Google API Services Usage Disclosure

Vidicy's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum required scopes necessary for authentication (such as email and basic profile information) unless explicit consent is provided for additional integrations.

11. Children's Privacy

Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page with a new "Last updated" date. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or want to request the deletion of your data, please contact us at support@vidicy.com.