1. Introduction
Obsidian Global Studio ("we," "us," or "our") operates VisaStack (the "Platform"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Platform.
VisaStack is a business-facing platform for employers, travel agencies, law firms, and service providers managing corporate mobility, immigration cases, and visa workflows.
We are committed to protecting your privacy and complying with applicable data protection laws, including:
- GDPR (General Data Protection Regulation) - European Union
- CCPA (California Consumer Privacy Act) - United States
- PDPA (Personal Data Protection Act) - Singapore and other jurisdictions
- Other applicable national and regional data protection laws
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use the Platform, you provide:
- Account Information: Name, email address, password, phone number
- Profile Information: Full name, date of birth, nationality, gender, contact details
- Passport Information: Passport number, issue/expiry dates, issuing country
- Travel History: Previous visas, entry/exit stamps, travel dates
- Financial Information: Bank statements, income details, tax records (for visa applications)
- Employment Information: Employer name, job title, salary, employment letters
- Education Information: Degrees, institutions, transcripts
- Family Information: Marital status, dependents, family members
- Health Information: Medical conditions, vaccination records (if applicable)
- Documents: Uploaded files (passports, visas, letters, photos, etc.)
2.2 Information Collected Automatically
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, time spent, click patterns
- Cookies: Session cookies, preference cookies, analytics cookies (see Section 11)
- Log Data: API requests, errors, performance metrics
2.3 Information from Third Parties
- OAuth Providers: Google, LinkedIn (name, email, profile photo)
- AI Services: Google Gemini (document extraction results)
- Payment Processors: Transaction data (we do not store full credit card numbers)
- Vendors: If connected to law firms or travel agencies, they may share case updates
2.4 Sensitive Personal Information
We collect sensitive personal information necessary for visa applications, including:
- Passport and travel documents (contain nationality, photo)
- Financial records (bank statements, income tax returns)
- Health information (vaccination records, medical conditions)
- Biometric data (passport photos, fingerprints if uploaded)
You provide this information voluntarily for visa application purposes. We handle it with the highest level of security and only share it with your explicit consent.
3. How We Use Your Information
We use your information to:
3.1 Provide Services
- Create and manage your account
- Store and organize your visa application documents
- Extract data from documents using AI (Google Gemini)
- Generate letters, templates, and visa guidance (VAM)
- Track application progress and deadlines
- Connect you with vendors (law firms, travel agencies)
- Process payments and subscriptions
3.2 Improve and Personalize
- Analyze usage patterns to improve features
- Personalize content and recommendations
- Develop new features and services
- Test and optimize user experience
3.3 Communicate with You
- Send transactional emails (account verification, password resets)
- Notify you of document expiries and mission deadlines
- Send product updates and feature announcements
- Respond to support requests
- Send marketing communications (with your consent)
3.4 Security and Compliance
- Prevent fraud, abuse, and security threats
- Enforce our Terms & Conditions
- Comply with legal obligations (court orders, subpoenas)
- Protect our rights and property
- Maintain audit logs for accountability
3.5 Analytics and Research
- Aggregate anonymized data for trends and insights
- Generate platform statistics (e.g., "70% of users complete profiles")
- Research visa application patterns (anonymized)
AI Training: We do NOT use your personal documents or data to train AI models. We use Google Gemini for document extraction only. Google's data usage is governed by their Privacy Policy.
4. Legal Basis for Processing (GDPR)
If you are in the EU/EEA, we process your data based on:
- Consent: You explicitly consent to data collection for visa applications
- Contract: Processing is necessary to provide services under our Terms
- Legitimate Interests: Fraud prevention, security, service improvement
- Legal Obligation: Compliance with laws, regulations, court orders
5. How We Share Your Information
5.1 With Your Consent
- Connected Vendors: When you connect with law firms, travel agencies, or service providers, we share your profile and documents based on your consent settings (Consent Capsules)
- Employers: If you're part of a corporate roster, your employer can access your application data
- Export Requests: You can download or share your data with third parties
5.2 Service Providers
We share data with trusted third-party providers who assist us:
- Cloud Storage: Firebase (Google Cloud), Vercel
- Database: Neon (PostgreSQL on AWS)
- AI Processing: Google Gemini (document extraction)
- Email Delivery: Resend
- Analytics: Vercel Analytics (anonymized)
- Payment Processing: Stripe / PayPal (credit cards, subscriptions)
These providers are contractually obligated to protect your data and use it only as instructed.
5.3 Legal Requirements
We may disclose your information if required by:
- Court orders, subpoenas, or legal process
- Government or regulatory authorities
- Law enforcement agencies investigating crimes
- Emergency situations (threats to life or safety)
5.4 Business Transfers
If we are acquired, merge with another company, or sell assets, your information may be transferred to the new entity. We will notify you and provide options before transferring data subject to a different privacy policy.
5.5 Aggregated Data
We may share aggregated, anonymized data (e.g., "40% of users apply for Schengen visas") with researchers, partners, or the public. This data cannot identify you individually.
6. Data Security
We implement industry-standard security measures:
6.1 Technical Safeguards
- Encryption in Transit: TLS/SSL (HTTPS) for all data transmission
- Encryption at Rest: Database and file storage encryption
- Access Controls: Role-based permissions (RBAC)
- Authentication: Secure password hashing (bcrypt), optional 2FA
- Firewalls: Network-level protection
- Monitoring: Real-time security alerts and audit logs
6.2 Organizational Safeguards
- Employee access limited on a need-to-know basis
- Confidentiality agreements with staff and contractors
- Regular security training
- Incident response procedures
6.3 Data Breach Notification
In the event of a data breach, we will notify affected users within 72 hours (as required by GDPR) via email and in-app notification. We will provide details on the breach, data affected, and steps you should take.
Important: No system is 100% secure. While we implement strong safeguards, we cannot guarantee absolute security. You are responsible for protecting your account credentials and notifying us immediately of unauthorized access.
7. Data Retention
We retain your data for as long as:
- Active Account: As long as your account is active
- Legal Requirements: 7 years for financial records, tax documents (standard accounting practice)
- Pending Claims: Until legal disputes or claims are resolved
- Legitimate Business Needs: Analytics, fraud prevention (anonymized after account closure)
7.1 Account Deletion
When you close your account:
- Your profile and documents are marked for deletion within 30 days
- Some data may be retained in backups for 90 days
- Financial records retained for 7 years (legal requirement)
- Anonymized analytics data may be retained indefinitely
7.2 Requesting Deletion
You can request immediate deletion of specific data (e.g., documents) or your entire account through Account Settings or by contacting privacy@obsidianglobal.studio.
8. Your Rights
8.1 GDPR Rights (EU/EEA Users)
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Delete your data (subject to legal exceptions)
- Right to Restriction: Limit how we process your data
- Right to Data Portability: Export your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Revoke consent at any time (doesn't affect prior lawful processing)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
8.2 CCPA Rights (California Users)
- Right to Know: What personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell data)
- Right to Non-Discrimination: Equal service regardless of exercising privacy rights
8.3 How to Exercise Your Rights
To exercise your rights:
- In-App: Go to Account Settings → Privacy
- Email: privacy@obsidianglobal.studio
- Response Time: We respond within 30 days (may extend to 60 days for complex requests)
We may ask for verification (e.g., confirm your email address) to protect against unauthorized access.
9. International Data Transfers
Our Platform is hosted globally. Your data may be transferred to and processed in:
- United States: Firebase (Google Cloud), Vercel
- European Union: AWS (Neon database)
- Other regions: Based on service provider infrastructure
When transferring data internationally, we use:
- Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
- Adequacy Decisions: Countries recognized by the EU as providing adequate protection
- Encryption: All data encrypted in transit and at rest
10. Children's Privacy
The Platform is not intended for users under 18 years old. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at privacy@obsidianglobal.studio, and we will delete it promptly.
Exception: Dependents (children) may be included in family visa applications, but the account holder must be 18+ and provide consent on their behalf.
12. Third-Party Links
The Platform may contain links to third-party websites, services, or resources (e.g., embassy websites, travel booking sites). We are not responsible for their privacy practices. Please review their privacy policies before providing any information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the "Last Updated" date at the top
- We will notify you via email or in-app notification for material changes
- We will request your consent again if required by law
- Continued use after changes constitutes acceptance
We encourage you to review this Policy periodically to stay informed about how we protect your data.
14. Contact Us
For questions, concerns, or requests related to your privacy or this Policy:
Data Protection Officer: Obsidian Global Studio
Email: sadat@obsidianglobal.studio
Website: obsidianglobal.studio/visastack
Address: Dhaka, Bangladesh
Note: If you are based in the EU or UK and require contact with a local representative, please email us and we will provide appropriate contact information.
Regulatory Authorities
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:
- EU: Your national Data Protection Authority (DPA)
- UK: Information Commissioner's Office (ICO) - ico.org.uk
- California: California Attorney General - oag.ca.gov
Summary: Your Privacy at a Glance
- ✅ We collect only data necessary for visa applications
- ✅ We never sell your data to third parties
- ✅ We use AI for document extraction (not training)
- ✅ We encrypt data in transit (HTTPS) and at rest
- ✅ We share data only with your consent (Consent Capsules)
- ✅ You can access, export, or delete your data anytime
- ✅ We comply with GDPR, CCPA, and global privacy laws
- ✅ We notify you within 72 hours of any data breach