Privacy Policy

Last updated: March 20, 2026

MigraIQ ("we", "us", or "our") is an information and document preparation tool for visa applicants. We operate from Ontario, Canada. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, your rights, and how to contact us with privacy-related questions.

We handle sensitive personal data — including immigration documents, passport copies, and financial records. We take that responsibility seriously and have designed our platform with privacy protections at its core.

This Policy applies to all visitors and users of migraiq.com, including individual applicants and agency users.

1. Who We Are

MigraIQ (Immigration Intelligence) is a software service operated from Ontario, Canada. For privacy enquiries: privacy@migraiq.com.

Canada's federal privacy framework (PIPEDA) has been recognised by the European Commission as providing adequate protection for personal data — meaning EU-to-Canada data transfers do not require additional transfer mechanisms. Our adequacy status was most recently confirmed in January 2024.

2. Personal Data We Collect

2.1 Account and Identity Data

  • Name and email address (provided during registration via Clerk)
  • Account creation date, last sign-in, and authentication tokens
  • Subscription plan and billing status

2.2 Immigration and Application Data

This is the most sensitive category of data we process and is central to providing the service:

  • Visa type, destination country, and intended travel dates
  • Prior travel history, previous visas, any refusal history
  • Employment status, employer name, job title, income level
  • Financial indicators (bank balance descriptions, savings level)
  • Ties to home country (property, family, employment, assets)
  • Purpose and itinerary of travel
  • Any other information you enter during your assessment

2.3 Uploaded Documents

  • Passport copies, bank statements, employment letters, and any other files you upload
  • Text and data extracted from those files by our AI processing service
  • File metadata (name, type, upload date)

Documents are stored in encrypted form on Cloudflare R2 infrastructure and associated with your account. We use AI to analyse document content for gap identification and strength assessment. We do not use your documents to train AI models.

2.4 Payment Data

  • Processed entirely by Stripe — we never see or store your card details
  • We retain: plan purchased, amount, transaction ID, billing email, and date
  • Stripe may collect additional information per their own privacy policy

2.5 Technical and Usage Data

  • IP address, browser type, operating system, and device type
  • Pages visited, features used, session duration, and referral source
  • Application error logs and performance metrics

2.6 Communications Data

  • Content of emails and support messages you send us
  • Email delivery and engagement data (opens, clicks) for communications we send you

2.7 Advertising and Analytics Data (where consent is given)

  • Cookie-based identifiers from advertising platforms (Google, Meta, LinkedIn, TikTok)
  • Conversion events (e.g. sign-up or purchase following an ad interaction)
  • Aggregated, pseudonymous analytics data

Advertising and analytics cookies require your explicit consent, collected via our cookie consent banner. See our Cookie Policy for details.

3. How We Collect Your Data

  • Directly from you — when you register, complete assessments, upload documents, or contact us
  • Automatically — server logs, error tracking, and (with consent) analytics and advertising cookies
  • From third parties — Clerk provides authentication data when you sign in

4. Why We Process Your Data — Legal Bases

We process personal data on the following legal grounds. Canadian users are covered by PIPEDA's consent and legitimate purposes framework; EEA users are also covered by GDPR Article 6 (and Article 9 where applicable to sensitive data).

Purpose | Legal basis
Account registration and service delivery | Contract performance
Document processing and AI analysis | Contract performance
Payment processing and invoicing | Contract performance / Legal obligation
Transactional emails (receipts, alerts) | Contract performance
Fraud detection and security | Legitimate interests
Service improvement via anonymised analytics | Legitimate interests
Marketing emails | Express consent (CASL / GDPR)
Advertising cookies and conversion tracking | Explicit consent
Tax and financial record-keeping | Legal obligation (7 years)

5. How We Use Your Data

  • To run your visa strength assessment and generate your report and document checklist
  • To provide AI-powered document analysis and application gap identification
  • To process payments and manage your subscription or one-time purchase
  • To send receipts, subscription notices, and service-related communications
  • To detect and prevent fraud, abuse, and unauthorised access
  • To improve the platform through aggregated, anonymised product analytics
  • To send marketing emails where you have provided express consent — you may withdraw consent at any time by using the unsubscribe link in any email or by contacting us
  • To measure advertising campaign performance (conversions, attribution) where you have consented to advertising cookies
  • To comply with applicable laws and legal obligations

We do not sell your personal information. We do not use your immigration documents, assessment data, or uploaded files to train AI models — yours or anyone else's.

6. Data Processors and Sharing

We share personal data only with the trusted service providers listed below, who are contractually bound to process data solely on our instructions and to maintain appropriate security measures. We do not share personal data with third parties for their own marketing purposes.

Clerk | User authentication, session management | United States
Supabase | Core database and data storage | United States / EU
Stripe | Payment processing and billing | United States
Resend | Transactional and marketing email delivery | United States
Cloudflare (R2/CDN) | Encrypted document storage, content delivery | Global
AI processing services | Report generation, document analysis | United States
Google Analytics / Ads | Analytics and advertising measurement (with consent) | United States
Meta (Facebook/Instagram) | Advertising measurement (with consent) | United States
LinkedIn | Advertising measurement (with consent) | United States
TikTok | Advertising measurement (with consent) | United States

We may also disclose data: (a) if required by law, court order, or regulatory authority; (b) to protect the rights, property, or safety of MigraIQ, our users, or the public; (c) in connection with a merger, acquisition, or sale of assets, in which case you will be notified by email and/or a prominent notice on the platform.

7. International Data Transfers

MigraIQ is based in Canada. The European Commission has confirmed that Canada provides adequate protection for personal data transferred from the EU under PIPEDA (most recently in January 2024), meaning EU-to-MigraIQ transfers require no additional safeguards.

When we transfer personal data from Canada or the EU/EEA to our US-based processors (Clerk, Supabase, Stripe, Resend), we rely on:

  • The EU–US Data Privacy Framework (where the processor is certified); and/or
  • Standard Contractual Clauses (SCCs) approved by the European Commission

Cloudflare's R2 storage infrastructure operates globally; data may be stored in datacentres across multiple regions. Cloudflare is subject to its own binding corporate rules and SCCs.

8. Agency Users — Our Role as Data Processor

If you use MigraIQ under an Agency plan and upload personal data belonging to your clients ("End Clients"):

  • You (the Agency) are the data controller for your End Clients' data
  • MigraIQ acts as a data processor, processing that data only on your instructions
  • You are responsible for having a lawful basis to share your clients' data with us and for providing your clients with appropriate privacy notices informing them that their data is processed via MigraIQ
  • You must not upload End Client data unless you have obtained all necessary consents or have another appropriate legal basis

Our obligations as processor include: processing data only as instructed, implementing appropriate technical and organisational security measures, assisting with data subject rights requests, and notifying you without undue delay of any relevant data breach.

9. AI Processing and Automated Analysis

We use AI services to analyse your uploaded documents and generate your Strength Report and document checklist. This involves:

  • Sending document text (extracted via OCR) to an AI service for analysis
  • Generating scored assessments and recommendations based on AI outputs

AI-generated outputs are informational only and do not constitute immigration or legal advice. Visa decisions are made by human immigration officers, not by our AI. You are not subject to any purely automated decision-making that produces legal effects or similarly significant effects within the meaning of GDPR Article 22.

We do not use your personal data to train, fine-tune, or improve AI models. Data sent to AI processors is subject to their own data processing agreements and is not retained beyond the scope of processing your request.

10. Data Retention

Account and identity data | Duration of account + 2 years after closure
Immigration assessment and application data | Duration of account + 2 years after closure
Uploaded documents | Duration of account; deletable at any time; purged within 30 days of account closure
Payment records and invoices | 7 years (tax and regulatory requirements)
Server and access logs | 90 days
Marketing consent records | 3 years from last interaction
Support correspondence | 3 years after resolution

You may delete individual uploaded documents at any time from your case files. You may delete your entire account at any time from your account settings, which triggers deletion of all personal data within 30 days (except financial records retained for legal compliance).

11. Security

We implement industry-standard technical and organisational safeguards, including:

  • Encryption in transit using TLS 1.2 or higher for all data transfers
  • Encryption at rest (AES-256) for uploaded documents stored on Cloudflare R2
  • Row-Level Security (RLS) on our database to ensure strict user data isolation
  • Access controls and the principle of least privilege for staff and system access
  • Regular security reviews of our application and third-party integrations
  • No employee access to uploaded documents without specific, logged authorisation

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within the timeframe required by applicable law (72 hours under GDPR; without unreasonable delay under PIPEDA). We will also notify affected individuals where the breach is likely to result in a high risk.

12. Your Privacy Rights

All users

Regardless of where you are located, you have the right to access, correct, export, or delete your personal data via your account settings. For requests that cannot be handled in-app, contact privacy@migraiq.com. We will respond within 30 days.

Canadian users (PIPEDA)

  • Right to access your personal information
  • Right to correct inaccurate information
  • Right to withdraw consent (where consent is the basis), subject to legal or contractual restrictions
  • Right to complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca)

EEA / UK users (GDPR / UK GDPR)

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / "right to be forgotten" (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing based on legitimate interests (Article 21)
  • Right to lodge a complaint with your local supervisory authority (e.g. ICO in the UK, your national DPA in the EU)

California users (CCPA / CPRA)

  • Right to know what personal information is collected and how it is used
  • Right to delete personal information
  • Right to opt-out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioural advertising purposes
  • Right to non-discrimination for exercising your rights

13. Children's Privacy

MigraIQ is not directed to children under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact privacy@migraiq.com and we will delete it promptly.

14. Links to Third-Party Sites

Our platform may contain links to external websites. This Privacy Policy does not apply to those sites. We are not responsible for the privacy practices of third parties and encourage you to review their privacy policies before providing any personal information.

15. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and/or by displaying a prominent notice in the platform, at least 14 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated Policy. The "Last updated" date at the top of this page reflects the most recent revision.

16. Contact and Complaints

For any privacy questions, data subject rights requests, or to report a concern:

If you are a Canadian resident and feel your concern has not been adequately addressed, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

EEA residents may lodge a complaint with their local data protection supervisory authority. UK residents may contact the Information Commissioner's Office (ICO).