Skip to content
Bordercase

Legal

Privacy Policy

This page is being finalised with legal review. Below is a summary of what it will cover.

Privacy Policy

Draft - pending legal review. This is the working version. Bordercase will publish a final reviewed policy before scaled launch. The principles here are how we operate today.

Who is responsible

Bordercase ("we", "us") is the data controller for personal data processed through bordercase.com. Contact: privacy@bordercase.com.

What we collect

Information you provide directly:

  • Account: email, magic-link verification, optional phone
  • Profile: name, nationality, second nationality, current country and city, preferred language and contact method
  • Onboarding submission: target countries, family composition, employment and income, budget and timeline, services needed, document readiness, risk-related answers, free-form context
  • Communications: messages you send via the contact form, replies to our emails, notes you add to your case

Information we collect automatically:

  • Session cookies for authentication
  • Google Analytics 4 cookies (after you accept the cookie banner): page views, referrers, device class, anonymised location. Used to understand site usage. We do not run advertising or retargeting on Google Analytics data.
  • Server logs (IP address, user agent) for security and abuse prevention

Information from third parties:

  • Stripe processes any payment. We receive transaction status, amount, currency, and a token to reconcile - we never see your card details
  • Resend delivers email. We receive delivery, open, and bounce status

Why we collect it (lawful basis)

  • Contract - to deliver the assessment, proposal, and any engagement you accept
  • Legitimate interest - security, fraud prevention, service improvement
  • Consent - marketing emails (bundled with your acceptance of the Terms when you start onboarding; you can unsubscribe at any time)

Sub-processors

We rely on these vendors to deliver the service. Each handles data under contract and supports international transfers under GDPR-compliant safeguards:

  • Supabase (database, authentication, storage)
  • Vercel (web hosting, edge runtime)
  • Stripe (payment processing)
  • Resend (transactional and notification email)
  • Google Analytics (Google LLC, usage analytics; data may be transferred to the United States under Standard Contractual Clauses)

How long we keep your data

  • Active cases: for as long as the case is open and for 7 years after final closure to support audit, dispute resolution, and partner reconciliation
  • Marketing emails: until you unsubscribe
  • Server logs: 30 days
  • Backups: rolling 30 days

Your rights

You can:

  • Request a copy of the personal data we hold about you
  • Correct inaccurate data (do this directly from your dashboard or by contacting us)
  • Request deletion (with limits where we have ongoing engagement or legal obligations)
  • Withdraw marketing consent at any time
  • Lodge a complaint with your local supervisory authority

Email privacy@bordercase.com with any request and we will respond within 30 days.

International transfers

Some sub-processors operate outside your country of residence. We use Standard Contractual Clauses and similar safeguards where required.

Children

Bordercase services are intended for adults. We do not knowingly collect data from anyone under 18 except as a dependent disclosed by the primary adult applicant.

Changes to this policy

We will revise this policy when laws, sub-processors, or our service change. The version date will be shown here once the policy is finalised.

For privacy, deletion, or terms questions, email hello@bordercase.com.