Privacy Policy
Data controller
Visitpass International S.L. — VAT ESB13872460, Calle Pallars 193, 08005 Barcelona, Spain. Registered in the Barcelona Mercantile Registry (Registro Mercantil de Barcelona), Volume 48834, Folio 208, Sheet B 597994, 1st Entry.
General enquiries: hello@visitpass-online.com · Data protection: dpo@visitpass-online.com
This Privacy Policy explains what personal data VisitPass collects when you use our visa and travel-authorisation service, why we process it, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD). The data controller is the company identified above.
1. Data we collect
Contact data: your email address, name and, optionally, a phone number.
Application data: the destination, the visa type, and the answers the destination's official form requires, which can include passport details, dates of birth, addresses, travel plans and, for some destinations, a passport photo you upload. We collect this data only when you start an application.
Payment data: the amount, currency, date, payment state and a bank reference for each payment. We never see or store your full card number; card details are captured directly by our bank's payment gateway (Redsys / CaixaBank) inside their secure frame.
Technical and usage data: IP address, device and browser information, security logs, and, only with your consent, analytics and advertising measurement events (see our Cookie Policy).
Consent and communication records: your cookie choices, the legal texts you accepted and when, the transactional emails we sent you, and unsubscribe state.
2. Why we process it (legal bases)
To provide the service you request: preparing, reviewing, submitting and tracking your application, including saving an unfinished draft for 30 days so you can resume it. Legal basis: performance of a contract, Art. 6(1)(b) GDPR.
To comply with the law: tax and commercial record-keeping for paid applications, and responding to lawful requests from authorities. Legal basis: legal obligation, Art. 6(1)(c) GDPR.
To operate and protect the platform: security logging, fraud prevention, abuse detection and error monitoring. Legal basis: legitimate interest, Art. 6(1)(f) GDPR.
To measure and improve the site with analytics, and to measure advertising, only when you accept those cookie categories. Legal basis: consent, Art. 6(1)(a) GDPR, withdrawable at any time.
3. Who we share it with (processors and recipients)
We do not sell your personal data. We use a small set of vetted providers acting as processors under GDPR Art. 28 agreements: a database, authentication, file storage and hosting provider (processing in the European Union); a content-delivery, edge-computing and security provider (including bot protection); Redsys / CaixaBank (card-payment processing); a transactional email provider; an error-monitoring provider (with personal data scrubbed before sending); Geoapify (optional address autocomplete while you type an address); and Google (Google Analytics 4 and Google Ads measurement, only after you consent to those categories). These categories of recipients are detailed in the sub-processor annex (section 11).
When you ask us to submit an application, the data the destination's official form requires is transmitted to that government's authority. The authority is an independent controller of the data it receives and processes it under its own rules.
We may also disclose data where the law requires it, for example to courts, tax authorities or law enforcement acting within their powers.
4. International transfers
Our core systems are hosted in the European Union. Where a provider processes data outside the European Economic Area (for example some operations of our content-delivery and security provider, our error-monitoring provider, or Google in the United States), the transfer is protected by a European Commission adequacy decision (including the EU-US Data Privacy Framework where the provider is certified) or by Standard Contractual Clauses with supplementary safeguards.
Submitting your application to a destination outside the EEA necessarily transfers the application data to that country's authority. That transfer is necessary for the performance of your contract with us (Art. 49(1)(b) GDPR) and happens only at your request.
5. How long we keep it
Draft applications: 30 days from their last update, then deleted, with a reminder email before expiry.
Payment and invoice records: kept while we provide the service and then for the periods required by Spanish tax and commercial law (in general four years under the General Tax Law and six years under the Commercial Code), after which they are deleted or anonymised. Your identity data for a submitted application (passport details, the answers on your government form and any uploaded passport photo) is deleted or anonymised shortly after the application is resolved, generally within about 30 days of approval, refusal or expiry, once it has been handled with the destination authority; only the anonymised payment record is kept for the legal period.
Email send log: up to 365 days. Security audit logs: up to 1 year. Access logs to identity data: up to 2 years. Consent records: kept as evidence of compliance for as long as the law allows us to need them.
Uploaded passport photos for unpaid drafts are removed together with the draft; for submitted applications they are removed shortly after the application is resolved, together with the rest of its identity data, leaving only the anonymised payment record for the legal tax and commercial period.
6. Your rights
You have the right to access, rectify, erase, restrict and port your data, to object to processing based on legitimate interest, and to withdraw consent at any time without affecting prior lawful processing. To exercise these rights, contact our Data Protection Officer at the address above; we verify your identity (via the email on record or your tracking code) before acting.
We answer within one month, extendable by two further months for complex requests, and we may ask you to verify your identity first to protect your data. Note that the payment and invoice records we must keep for tax or commercial law cannot be erased before those periods end; your identity data, by contrast, is removed shortly after your application is resolved. We will tell you when a legal retention applies.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD; C/ de Jorge Juan, 6, 28001 Madrid; www.aepd.es; electronic office sedeagpd.gob.es) or with the supervisory authority of your EU country of residence.
7. Security
All traffic is encrypted in transit (TLS). Identity data in applications is stored encrypted at rest, access to it is least-privilege, logged and audited, and database access is protected by row-level security. Payments are processed under the bank's PCI DSS scope; we never hold your card number.
In the event of a personal-data breach that risks your rights, we will notify the AEPD and, where required, you, within the legal deadlines.
8. Children
Our service is not directed at minors. Applications for travellers under 18 must be created by a parent or legal guardian, who provides the minor's data under their own authority.
9. Automated decisions
We do not make decisions with legal effect on you based solely on automated processing. Every application is reviewed by our team before submission; the decision on your visa or authorisation is made by the destination's government, not by us.
10. Changes to this policy
We will post any material change to this policy on this page and, where appropriate, notify you by email. The date of the version in force is the date of publication of this page.
11. Sub-processors
This annex details, by category, the providers (sub-processors) that process personal data on our behalf, described in section 3. Each acts under a written GDPR Art. 28 contract, processes data only on our documented instructions, and is bound to equivalent security and confidentiality obligations. We keep this list current and publish material changes here.
Database, authentication, file storage and application hosting provider. Processing region: the European Union.
Content-delivery, edge-computing and security provider (including bot protection). Global edge network; any processing outside the European Economic Area is protected by a European Commission adequacy decision or Standard Contractual Clauses.
Redsys / CaixaBank: card-payment processing within the bank's PCI DSS scope. Processing region: Spain and the European Union.
Transactional email provider: delivery of transactional email. Any processing outside the European Economic Area is protected by Standard Contractual Clauses.
Error-monitoring provider: error monitoring, with personal data scrubbed before it is sent. Any processing outside the European Economic Area is protected by an adequacy decision (the EU-US Data Privacy Framework) or Standard Contractual Clauses.
Geoapify: optional address autocomplete while you type an address. Processing region: the European Union.
Google (Google Analytics 4 and Google Ads): analytics and advertising measurement, used only after you consent to those cookie categories. Processing in the United States, protected by the EU-US Data Privacy Framework and Standard Contractual Clauses.
We do not engage a new sub-processor with access to your personal data without a written Art. 28 contract imposing equivalent obligations, and we remain responsible to you for the data they handle.
Questions? Write to hello@visitpass-online.com · dpo@visitpass-online.com for data-protection enquiries.
