Privacy Policy
Last updated: May 2026
1. Introduction
BorderProof ("we," "us," or "our") operates the BorderProof platform, a technology and informational service that helps users explore visa and immigration pathways. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website and services.
2. Information We Collect
We collect the following categories of information:
Account Information
When you create an account, we collect your full name, email address, phone number, country code, and avatar (if provided).
Eligibility Assessment Data
When you use our eligibility checker, we collect information you provide including: citizenship, country of residence, age, passport expiry date, employment status, occupation, years of experience, whether you have a job offer, remote work status, income and currency, willingness to invest, education level, English proficiency, marital status, number of dependents, and destination preferences.
Eligibility assessment results are stored temporarily (24 hours) for session continuity and are automatically deleted.
Sensitive Personal Data
Our eligibility assessments may collect criminal record history and visa refusal history. This information is collected because many visa programs consider these factors in their eligibility criteria. Providing this information is voluntary, but omitting it may affect the accuracy of your eligibility results.
CV/Resume Data
If you upload a CV or resume, the document content is sent to Google Gemini AI for data extraction. Information extracted may include your name, work experience, job titles, employers, education history, skills, and qualifications. Data extracted from your CV/resume is stored in your eligibility profile for matching purposes. The original file is not retained after processing.
Saved Content
We store information about visas you save, searches you perform, and articles you bookmark.
Usage & Technical Data
We automatically collect information about how you use our platform, including pages visited, features used, IP address, browser type, device information, and session data.
Contact Form Data
If you contact us through our website, we collect your name, email address, phone number, and message content. This information is sent to HubSpot for customer relationship management.
3. How We Use Your Information
We use the information we collect to:
- Provide visa eligibility results and pathway recommendations
- Personalise your experience and recommendations
- Save your preferences, saved visas, and search history
- Send marketing communications such as visa pathway updates, feature announcements, and eligibility-related content (only with your consent)
- Manage customer relationships via our CRM
- Analyse usage patterns to improve our services
- Manage feature rollouts and platform configuration
- Maintain the security and integrity of our platform
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, we process your data on the following legal bases:
- Consent: For marketing communications and CV/resume uploads for AI processing.
- Contract performance: For providing our core service, including storing your profile and eligibility data to generate visa eligibility results.
- Legitimate interests: For analytics, platform security, and service improvement.
5. Third-Party Services
We use the following third-party services to operate our platform:
- Supabase: Provides authentication and database services. All profile and eligibility data is stored in Supabase with row-level security (RLS) enforced.
- Google Gemini AI: Processes CV/resume uploads for data extraction. Your document data may be processed outside your country of residence.
- HubSpot CRM: For users who opt in to marketing communications, we share profile and eligibility data with HubSpot including email, name, occupation, employment status, job offer status, income range, education level, destination preferences, and behavioural events. HubSpot places a tracking cookie on your device.
- Google Analytics (GA4): Collects browsing behaviour, session data, and usage patterns.
- LaunchDarkly: Manages feature flags and platform configuration. For logged-in users, receives user ID and email address.
We do not sell your personal data to any third party.
6. Cookies and Tracking
Our platform uses the following cookies and tracking technologies:
Cookie Categories
| Category | Description | Scripts | Default |
|---|---|---|---|
| Essential | Required for the site to function | None (core functionality only) | Always on |
| Functional | Feature flags and personalisation | LaunchDarkly | On |
| Analytics | Usage analytics to improve the product | Google Analytics (GA4) | Off |
| Marketing | Product updates and communications | HubSpot tracking | Off |
You can manage your cookie preferences at any time from the footer or your Profile Settings.
localStorage:We store eligibility wizard state, saved items, and eligibility results (with a 30-minute expiry) in your browser's local storage.
You can manage cookies through your browser settings. Disabling certain cookies may affect the functionality of the platform.
7. Data Retention
We retain your data for the following periods:
| Data type | Retention |
|---|---|
| Active accounts | Retained while account is active |
| Inactive accounts | Deleted after 24 months of inactivity (warning email at 22 months) |
| Proof documents | Deleted 12 months after proof completed or abandoned |
| Anonymous eligibility profiles | Deleted after 90 days |
| Assessment results | Deleted after 24 hours |
| Consent records | Retained 3 years for regulatory audit |
| Purchase records | Retained 7 years for tax compliance |
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States and other jurisdictions, through our use of Supabase, Google (Gemini AI and Analytics), HubSpot, and LaunchDarkly. These transfers are necessary to provide our services to you.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data. These include row-level security (RLS) policies on our database, HTTPS/TLS encryption for all data in transit, server-side API key management, and secure authentication through Supabase Auth. However, no system is 100% secure, and we cannot guarantee the absolute security of your data.
10. Your Rights
Under GDPR (EEA/UK residents) and CCPA (California residents), you have the following rights and ways to exercise them:
- Right to access: Download all your data from Profile Settings → Privacy & Data.
- Right to deletion: Delete your account from Profile Settings → Privacy & Data. Takes effect after a 14-day cooling-off period.
- Right to rectification: Update your profile data at any time from your Profile Settings.
- Right to restrict processing: Manage cookie preferences to control which data processing occurs.
- Right to data portability: Your data export is in machine-readable JSON format.
Under CCPA (California residents): You have the right to know what personal information we collect and how it is used, request deletion of your personal information, and opt out of the sale of personal information (we do not sell your data). We will not discriminate against you for exercising your rights.
To exercise any of these rights, please contact us at privacy@borderproof.com or use the self-service tools in your Profile Settings.
11. Credential Anonymization
If you delete your account, any issued credentials remain verifiable but your name is removed from the credential record. This ensures the integrity of the credential verification system while honouring your right to erasure.
12. Marketing Communications
We only send marketing communications to users who have opted in during account creation. Marketing communications may include visa pathway updates, feature announcements, and eligibility-related content. You can opt out at any time by using the unsubscribe link in any marketing email or by contacting us. Your marketing consent preference and the timestamp of your consent are recorded.
13. Children's Privacy
BorderProof is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.
14. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours via email and/or platform notification. We will also notify relevant supervisory authorities as required by applicable law.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users, and the "Last updated" date at the top of this page will be revised. Continued use of the platform after changes constitutes acceptance of the updated policy.
16. Contact
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at privacy@borderproof.com.