Privacy Policy

1) Who We Are & Scope

Presence Proof ("Presence Proof," "we," "us," "our") provides a manual-first platform that helps global citizens, expatriates, and their advisors calculate and document physical presence for tax, visa, residency, and citizenship workflows.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data and describes your rights under GDPR/UK GDPR, CCPA/CPRA, and other applicable laws. It is tailored to high-stakes use cases such as FEIE/IRS, Schengen 90/180, naturalization, and residency-by-investment.

2) Data We Collect & Data Minimization

Data Minimization Principle

We follow the principle of data minimization: we collect only what is needed to provide the Service. Optional fields (e.g., nationality, visa status) are not required unless you want functionality that depends on them. You can delete travel logs or evidence you no longer need via your account.

2.1 You Provide

Account & Profile

Name, email, password (encrypted), optional nationality/citizenship/residency/visa context.

Travel Logs

Manual entries of dates/countries/cities/notes; imported history.

Evidence Uploads (may include sensitive/special-category data)

Examples: boarding passes, contracts, passport/visa pages.

Your responsibility:

Upload only documents necessary for your compliance records. Before uploading, redact sensitive information not required for verification (e.g., financial account numbers, health data, or ID numbers beyond what's needed to prove travel dates).

Biometric data in passport scans:

Passport photos are biometric data under GDPR when used for identification. We process such images only as necessary to support your compliance records, do not use facial recognition, and do not share biometric data with third parties. By uploading identity documents, you consent to our processing of any biometric data therein for the limited purposes described.

Support

Messages/attachments you send us.

Payments

Handled by processors (e.g., Stripe). We do not store card numbers.

2.2 Collected Automatically

•
Usage & Device:IP, device/OS, browser, timestamps, referrer, generalized location (city/region).
•
Cookies/Local Storage:Session/authentication, preferences; analytics subject to consent where required.
•
Diagnostics:Error/performance logs (aggregated/pseudonymized where feasible).

2.3 From Third Parties (If You Connect)

Limited, permissioned data from identity providers, cloud storage, or professional tools you explicitly authorize.

3) How We Use Data (Purposes & Legal Bases)

Purposes

•Provide and secure the Service; generate presence calculations and auditable reports.
•Operate advisor access you enable (see §7).
•Communicate about service, billing, and support.
•Fulfill legal/contractual obligations; prevent fraud; ensure security.

Product Improvement Analytics

We analyze usage to improve calculations and features using:

→Aggregated metrics (e.g., "X% of users ran a Schengen report last month"),
→Anonymized data stripped of identifiers so individuals are not identifiable,
→No analysis of individual travel histories or calculation results for marketing purposes.
→If we ever need pseudonymized analysis for a specific defect investigation, we will request explicit opt-in consent and apply strict access controls.

Legal Bases (GDPR/UK GDPR)

Contract performance; legitimate interests (security, maintenance, improvement); consent (cookies, certain integrations/communications); legal obligation.

4) Automated Calculations & Human Review

Presence Proof calculates day counts using automated logic. Laws are complex and evolving. You have the right to request human review and to contest a calculation by contacting our support team. Always assess whether a scenario is legally critical and, where appropriate, obtain professional advice before filing or applying.

5) Retention

Active accounts

Retained while your account remains active.

After deletion

Personal data removed from production systems within 30 days and from immutable/backups within 90 days, except where law requires longer retention (e.g., financial records).

Legal holds

If we receive a lawful preservation request, deletion pauses until the hold is lifted.

6) Security

TLS in transit
Encryption at rest (e.g., AES-256)
Role-based access controls; least-privilege
Audit logging
Periodic security testing

No system is perfectly secure—protect your credentials and enable available security controls.

7) Advisor Access (CPAs, Lawyers, Immigration/Wealth Advisors)

You may invite a professional advisor and assign permissions; you can revoke access at any time.

Advisors who manage multiple client files generally act as independent controllers for their client relationships; Presence Proof acts as a processor. Advisors must accept our Data Processing Addendum (DPA) and confidentiality terms.

8) International Transfers, Sub-processors & Data Residency

We use vetted vendors (hosting, database, payments, email, analytics). Personal data may be processed in the U.S. and other countries. For EEA/UK transfers, we use Standard Contractual Clauses and conduct Transfer Impact Assessments as required.

Sub-processor List

We maintain a public, versioned list naming each sub-processor, region, and purpose, with DPA/SCC references and 30-day advance change notices: [link to Sub-processor List].

EU/UK data residency

We are developing EU-region hosting for customers who require data localization. Expected availability: Q2 2025. Join the early-access waitlist: [link]. Until then, transfers to/from the EEA rely on Standard Contractual Clauses with appropriate safeguards detailed in our DPA.

9) Government & Law-Enforcement Requests; Transparency

We disclose data only when legally required (valid subpoena, court order, or equivalent). User notice is provided before disclosure unless prohibited by law or there is a clear risk of harm or fraud. We may challenge overbroad or unlawful requests.

Transparency Reporting

Beginning Q2 2025, we will publish an annual Transparency Report showing counts, types, and jurisdictions of requests and our response rates, available at: [link].

10) Your Rights

GDPR/UK GDPR Rights

•Access and rectification
•Erasure and portability
•Restriction and objection
•Consent withdrawal

California (CCPA/CPRA) Rights

•Right to know and access
•Delete and correct
•Limit use of sensitive data
•Non-discrimination

We do not "sell" or "share" personal information as defined by CPRA.

To exercise rights, email privacy@presenceproof.com; we'll verify and respond within statutory timeframes.

11) Portability & Deletion (Self-Service)

Export travel logs, reports, and (where feasible) evidence in CSV/JSON/PDF. Delete items or your full account (see §5 for timing).

If you participated in an advisor workspace, coordinate with the advisor regarding their independent records.

12) Cookies & Similar Technologies

Essential cookies

Authentication, security, preferences — always on.

Analytics cookies

Opt-in where required, controllable via our cookie banner/settings.

We do not use third-party marketing cookies unrelated to Presence Proof. See our Cookie Policy for details.

13) Data Breach Notification

If a personal-data breach is likely to result in risk to your rights and freedoms, we will notify regulators within 72 hours (where required) and notify affected users without undue delay, including what happened, data involved, mitigation, and steps you can take.

14) Children

Not intended for under-18s. We do not knowingly collect children's data.

15) EU Representative & DPO

Current status: We currently do not meet thresholds requiring an EU representative or DPO. If this changes, we will update this section and notify affected users. (If/when appointed, we will list representative/DPO details here.)

16) Changes & Contact

We may update this Policy; material changes will be announced via email or in-app notice with the effective date.

Privacy & Rights: privacy@presenceproof.com

Security Incidents: security@presenceproof.com

Legal & Contracts: legal@presenceproof.com