Privacy Policy

VisaBinder is operated by Valonovo Pty Ltd (ABN 64 694 036 489) of Level 1, 63–73 Ann Street, Surry Hills NSW 2010, Australia (“we”, “us”, “our”, “VisaBinder”).

This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the VisaBinder website, application, and services (the “Service”). We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy should be read together with our Terms of Service.

The personal information we collect about you depends on how you use the Service. We collect:

• Account information — your email address, password (hashed), display name, and authentication metadata such as sign-in timestamps.
• Payment information — we do not collect or store your full payment card details ourselves. Payments are processed by Stripe (see Section 5). We receive limited transaction information from Stripe such as the last four digits of your card, transaction ID, status, and billing country.
• Pack and relationship information — the visa stage you select (subclass 820 or 801), partner names, relationship start date, and any other evidence-pack metadata you enter into the onboarding wizard or pack workspace.
• Files you upload — messaging exports, photos, leases, statements, screenshots, and other supporting documents that you choose to add to your evidence pack. These files may contain personal information about you, your partner, and third parties (such as friends and family).
• Generated documents — the category PDFs and cover sheets we generate from your evidence.
• Communications — the content of any emails or messages you send to us, including via hello@visabinder.com.au.
• Technical and usage information — IP address, browser type and version, device and operating system information, referrer, pages viewed, time spent, error reports, and approximate location derived from IP. This is collected through standard server logs, error monitoring, and privacy-friendly (cookieless) analytics.

Sensitive information. In some cases, files you upload may contain “sensitive information” as defined in the Privacy Act (for example, information revealing race, religion, sexual orientation, or health). By uploading such files, you consent to us collecting and handling that information for the purpose of providing the Service to you.

Third-party information. Files you upload may contain personal information about individuals other than yourself. You are responsible for ensuring you have the right to share that information with us. Where reasonably possible, you should let those individuals know you are using the Service to compile evidence that includes information about them.

Anonymity and pseudonymity. Because the Service ties evidence to a specific account and relies on email-based account recovery, it is not practicable to provide the Service anonymously or under a pseudonym.

We collect personal information:

• directly from you when you sign up, pay, or use the Service;
• automatically through your interactions with the Service (essential cookies, server logs, error monitoring, and cookieless analytics); and
• from our third-party providers (such as Stripe for payment confirmations, or Google for sign-in if you choose Google OAuth).

Browser-side processing. Where it is practical to do so, we process your raw files in your web browser before transmission — for example, parsing a messaging-app export and extracting only the messages you choose to include. In those cases, only the selections you choose to include are sent to and stored by our servers.

We use personal information to:

• provide, operate, and maintain the Service, including creating and securing your account, generating your evidence pack PDFs, and delivering the files to you;
• process your payment and issue receipts;
• communicate with you about your account, including transactional emails (e.g. receipts, pack-export-ready notifications, inactivity warnings, and 801 stage 2 reminders);
• respond to your enquiries and support requests;
• detect, prevent, and respond to fraud, abuse, security incidents, and unlawful activity;
• debug, monitor, and improve the Service (e.g. via error reports and aggregated usage analytics); and
• comply with our legal obligations, including responding to lawful requests from regulators or law enforcement.

We do not sell your personal information, and we do not use your evidence files for advertising, model training, or any purpose other than providing the Service to you.

We share personal information only with service providers and recipients that need it to help us run the Service or comply with our legal obligations. Our key third-party providers are:

• Supabase — database, authentication, and file storage. Your files and database records are hosted in Supabase’s Sydney region (ap-southeast-2), encrypted at rest, and protected by row-level security so only you can access them.
• Vercel — web application hosting and edge compute.
• Stripe — payment processing. Card details are submitted directly to Stripe and are not stored on our servers.
• Resend — transactional email delivery (e.g. receipts, pack-ready notifications, inactivity warnings).
• Sentry — error monitoring. We use Sentry’s EU-region project, which receives technical error information and limited contextual data needed to diagnose issues. Session replay is disabled, and the files you upload are never sent to Sentry.
• Vercel Web Analytics — privacy-friendly, cookieless aggregate website analytics (page views and basic events). No tracking cookies are set and no cross-site profile is built.
• Cloudflare (Turnstile) — bot protection on sign-up and sign-in forms.
• Google — if you choose to sign in with Google, basic profile information (email, name, profile image URL) is shared with us in accordance with Google’s OAuth consent flow.

We may also disclose personal information where required by law (for example, to comply with a court order, subpoena, or lawful request from a regulator or law enforcement agency), to enforce our Terms of Service, to protect the rights, property, or safety of any person, or in connection with a corporate transaction such as a merger, acquisition, or sale of assets (in which case we will require the recipient to honour this Privacy Policy).

Some of our service providers store or process personal information outside Australia. The countries to which personal information may be disclosed include:

• United States — Stripe, Resend, Google (OAuth), Cloudflare, and Vercel may process information in the United States.
• European Union — Sentry processes error data in our EU-region project.

Your evidence files and primary database records remain in Australia (Supabase Sydney region). Where we transfer personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles, including by using providers that publish their own privacy and security commitments.

We use cookies only where they are essential to operate the Service — to keep you signed in, remember your preferences, and secure the Service. We do not use analytics or advertising cookies; our website analytics are cookieless. For more detail, see our Cookie Policy.

You can control cookies through your browser settings. Blocking essential cookies may prevent parts of the Service from working.

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These steps include:

• encryption in transit (HTTPS) and at rest;
• row-level security in our database so each user can only access their own records;
• access controls and least-privilege administration;
• industry-standard authentication, including support for strong passwords and (optionally) Google sign-in; and
• logging and monitoring of unusual activity.

No system can be guaranteed to be 100% secure. If you believe your account has been compromised, please contact us promptly at hello@visabinder.com.au.

We keep personal information for as long as we need it for the purposes set out in this Privacy Policy, or as required by law.

• Active accounts. We retain your account, evidence files, and generated PDFs while your account remains active.
• Inactivity-based deletion. After 24 months of inactivity, we permanently delete your uploaded files and generated PDFs from our storage. We email you a warning at approximately 22 months of inactivity so you can sign in to keep your pack.
• Account-record retention. Your account record (email and basic profile) may be retained after file deletion so you can return and start a new pack. You can fully delete your account at any time from your account settings.
• Financial and tax records. We may retain transaction records (such as invoices and receipts) for the period required by Australian tax and financial-services law, even after you delete your account.
• Backups and logs. Routine backups and security/operational logs may persist for a short additional period after deletion before being overwritten.

We send you transactional emails about your account and pack (for example, receipts, pack-ready notifications, inactivity warnings, and 801 stage 2 reminders). You can unsubscribe from non-essential reminder emails using the unsubscribe link in those emails. We do not send unrelated marketing email without your consent.

Under the Privacy Act and the APPs, you have the right to:

• Access the personal information we hold about you. Most account and pack data is directly visible to you in the Service; for anything else, email hello@visabinder.com.au.
• Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. You can update most account information directly in your settings.
• Delete your account and the associated files at any time from your account settings, or by emailing us.
• Withdraw consent where we rely on your consent to process information (for example, the consent you give when you upload files containing sensitive information, as described in Section 2). You can withdraw that consent by ceasing to upload such files and asking us to delete any already uploaded. Withdrawing consent does not affect processing carried out before withdrawal.
• Make a complaint about how we have handled your personal information (see Section 12).

If you have a privacy complaint, please email us at hello@visabinder.com.au with a description of your concern. We will acknowledge your complaint within a reasonable time and aim to resolve it within 30 days.

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

The Service is intended for adults aged 18 and over. We do not knowingly collect personal information directly from children. If you believe a child has provided us with personal information, please contact us at hello@visabinder.com.au and we will take reasonable steps to delete that information.

Evidence files uploaded by adult users may contain images or information about children (for example, photos of family members). You are responsible for ensuring you have the right to include that information in your evidence pack.

We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email and/or by a notice in the Service before the change takes effect. The updated policy will apply from the effective date specified at the top of this page.

If you have any questions about this Privacy Policy or how we handle your personal information, please email us at hello@visabinder.com.au.