Privacy Policy
Last updated: 2026-06-24
Our Promises to You
1. Your passport never reaches our servers
Your passport and form data are encrypted locally on your device with WebCrypto AES-GCM and stored in your browser's localStorage. They never reach our servers.
2. We hold no key that could decrypt your passport
The encryption key is generated by your browser and stored only on your device. We do not hold any keys that could decrypt your passport data. This is permanent and non-negotiable.
3. Cloud OCR is ephemeral
For passport image recognition, the photo briefly leaves your device to reach a cloud OCR provider, then is discarded. We do not store the original image on our servers.
4. We only know "who you are + how many credits + what you paid"
Our database stores only: your account identity (email + auth provider), credit balance, payment records, and OCR usage audit (timestamp + success/fail status, NO PII). We do not store form content, passport details, or trip data.
5. We charge only when service succeeds
We charge per successfully completed service. If our auto-fill plugin fails before you click "Confirm" on the official website, no credit is consumed.
6. Analytics without cookies
We use Umami self-hosted analytics for basic visit statistics. Umami does NOT use cookies and does NOT collect personal identifiers.
Third-Party Service Disclosure
For services we cannot self-host, we use these providers. We do not vouch for their internal data practices — you decide whether to use these features after reading their respective policies.
OCR Recognition
- Chinese mainland passports (passport ISO = CN): Tencent Cloud OCR (operated in mainland China)
- All other passports: Microsoft Azure Document Intelligence (prebuilt-idDocument, F0 Free Tier)
- Their respective policies: Tencent Cloud Privacy | Microsoft Privacy
Payment
- Stripe Inc. (Hong Kong entity)
- Stripe handles your card data; we never see your full card number.
- Stripe Privacy Policy
Authentication
- Supabase Auth (PostgreSQL-based)
- Google OAuth provider (for "Sign in with Google" option)
- Resend (for transactional emails like feedback receipts)
Error Tracking
- Self-hosted GlitchTip (Sentry-compatible, our own server, your error logs stay with us)
Your Rights
GDPR / CCPA / China PIPL etc. grant you the following data protection rights. Email support@<domain> to exercise them; we respond within 30 days:
- Access: Request a copy of all data we hold about you.
- Deletion: Request deletion of your account and all associated data.
- Export: Request your data in a machine-readable format (JSON).
- Correction: Correct inaccurate data we hold about you.
- Objection: Object to specific data processing activities.
If you are an EU user, you also have the right to lodge a complaint with your local data protection authority.
Data Transfers
- Account / credit data: stored in our self-hosted PostgreSQL (Supabase).
- Passport / form data: never leaves your device (encrypted locally).
- OCR images: briefly transit through Tencent Cloud (CN region) or Microsoft Azure (global region) depending on passport selection.
Minors
visayes is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with data, email support@<domain> for immediate deletion.
Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
Changes
We may update this policy. Material changes will be announced via email + in-product notification. Continued use after notice constitutes acceptance.
Contact: support@<domain>