Section 01
Overview
The EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the UK GDPR are the data-protection regimes that govern personal data of individuals located in the European Economic Area and the United Kingdom respectively. SwiftPass processes personal data of applicants worldwide — including EEA and UK residents — and this notice explains how we comply with both frameworks.
Section 02
Data controller
For personal data submitted to SwiftPass in connection with our visa-application services, the data controller is:
SwiftPass Global LLC
Entity
Delaware LLC · EIN 98-1841660 · D-U-N-S 144900795
Registered office
131 Continental Dr Suite 305, Newark, DE 19702, USA
Data Protection Officer
legal@swiftpassimmigration.comPrivacy inquiries
privacy@swiftpassimmigration.comFor EEA-located data subjects, we will appoint an Article 27 representative if and when one becomes legally required by virtue of processing volume. UK data subjects may contact the DPO at the address above.
Section 03
Lawful bases for processing
Under Article 6 GDPR we process your personal data on one or more of the following lawful bases:
Contractual necessity — Art. 6(1)(b)
Processing your visa application is the service you've purchased. Without your name, passport, contact and travel details, we cannot perform the contract.
Legal obligation — Art. 6(1)(c)
Retention of payment records and certain identity data is required under US, UK, and EU financial and immigration law.
Legitimate interest — Art. 6(1)(f)
Fraud prevention, service-security monitoring, and product analytics in anonymized form. Balanced against your rights with a documented Legitimate Interest Assessment (LIA) on request.
Consent — Art. 6(1)(a)
Marketing emails, non-essential cookies, and any optional processing. Consent is granular, freely given, and can be withdrawn at any time without affecting the lawfulness of earlier processing.
Vital interests — Art. 6(1)(d)
Limited to medical emergencies during an active trip we have facilitated — e.g. sharing your contact details with an embassy for assistance.
Section 04
Categories of personal data
Identity data
Full name, date of birth, nationality, passport number, photograph.
Contact data
Email, phone number, postal and billing address.
Travel data
Destination country, travel dates, purpose of visit, itinerary.
Financial data
Payment tokens via PCI DSS Level 1 processors. We never store full PANs.
Supporting documents
Bank statements, employment letters, accommodation proof, invitation letters.
Communications
Support tickets, chat transcripts, voice recordings (retained up to 90 days).
Technical data
IP address (geolocated to country only), browser, device, log timestamps.
Marketing data
Consent state, preferences, and engagement signals (where you have opted in).
Section 05
Your data-subject rights
Under GDPR Articles 15–22 and the equivalent UK GDPR provisions, you have the following rights over the personal data we hold about you:
Right of access — Art. 15
Receive a copy of your personal data and the processing details.
Right to rectification — Art. 16
Have inaccurate or incomplete data corrected.
Right to erasure — Art. 17
Request deletion of your data, subject to legal retention obligations.
Right to restriction — Art. 18
Pause processing in defined circumstances (e.g. while accuracy is contested).
Right to data portability — Art. 20
Receive your data in a structured, commonly used, machine-readable format.
Right to object — Art. 21
Object to processing based on legitimate interests or direct marketing.
Automated decisions — Art. 22
We do not make solely automated decisions with legal effect on you.
Right to withdraw consent — Art. 7(3)
Withdraw consent at any time, without affecting prior lawful processing.
Section 06
How to exercise your rights
1. Email the DPO
Send your request to legal@swiftpassimmigration.com with the subject line "GDPR request — [right]". Include enough detail for us to verify your identity (e.g. account email, application ID).
2. Identity verification
We may ask you to confirm identity using your registered account before disclosing or modifying personal data. This is a GDPR-required safeguard, not a delay tactic.
3. Response within 30 days
We respond within one calendar month (Art. 12(3)). Extendable by a further two months for complex requests — we will tell you within the first month if so.
4. No charge — usually
Requests are free. We may charge a reasonable admin fee or refuse manifestly unfounded or excessive requests (Art. 12(5)).
5. Appeal to the regulator
If you are unhappy with our response, you may lodge a complaint with your local supervisory authority (see Section 10).
Section 07
International data transfers
SwiftPass is operated from the United States. Some service providers (cloud hosting, email, analytics) also process data in the United States or other third countries. Where we transfer personal data of EEA or UK data subjects outside the EEA / UK to a country without an adequacy decision, we rely on the following safeguards:
EU Standard Contractual Clauses (2021/914)
In place with every sub-processor receiving EEA personal data, supplemented by the supplementary measures recommended by the EDPB.
UK International Data Transfer Addendum (IDTA)
In place with every sub-processor receiving UK personal data, alongside the UK Addendum to the EU SCCs where applicable.
Transfer Impact Assessments
Documented per recipient, reviewed annually, and updated when law changes (e.g. EU–US Data Privacy Framework status).
Onward transfers
Sub-processors are contractually prohibited from onward-transferring your data without equivalent safeguards.
Section 08
Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law:
Active applications
Processing + 90 daysExtended if appeal or dispute is open
Completed applications
Up to 7 yearsRequired for legal, tax, and regulatory compliance
Payment records
7 yearsRequired under US and EU financial regulations
Voice recordings
90 daysAutomatic deletion thereafter
Marketing data
Until you unsubscribeSuppression list retained indefinitely (legal obligation)
Security & access logs
12 monthsFor fraud detection and incident response
Section 09
Security & breach notification
We implement technical and organisational measures appropriate to the risk under Article 32 GDPR: AES-256 encryption at rest and in transit, role-based access control, audited admin actions, SOC 2 Type II–certified hosting, quarterly third-party penetration testing, and a documented incident-response plan.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours (Art. 33) and affected data subjects without undue delay where the risk is high (Art. 34).
Section 10
Supervisory authorities
You have the right to lodge a complaint with the data-protection regulator in your country of residence, place of work, or place of the alleged infringement. Common authorities for SwiftPass applicants include:
United Kingdom — ICO
Information Commissioner's Office, ico.org.uk
Ireland — DPC
Data Protection Commission, dataprotection.ie
Germany — BfDI
Bundesbeauftragte für den Datenschutz, bfdi.bund.de
France — CNIL
Commission Nationale Informatique & Libertés, cnil.fr
Netherlands — AP
Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl
Italy — Garante
Garante per la Protezione dei Dati Personali, garanteprivacy.it
Section 11
Data Protection Officer
SwiftPass has appointed a Data Protection Officer who oversees GDPR compliance, advises the business on processing decisions, and serves as the single point of contact for data subjects and supervisory authorities.
SwiftPass Global LLC — DPO
Privacy line
privacy@swiftpassimmigration.comResponse time
Within 30 days (Art. 12(3) GDPR)
Registered office
131 Continental Dr Suite 305, Newark, DE 19702, USA
For the full picture of how we handle personal data, including categories, sharing, retention, and security, see the Privacy Policy and the Cookie Policy.