
GDPR Compliance

How VisaPilot CRM handles personal data under the General Data Protection Regulation

Effective: June 1, 2026

VisaPilot CRM is designed to help immigration firms comply with GDPR. Multi-tenant isolation, role-based access, and audit logging are built in. Your clients' data is always yours.

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a European Union law that governs how organizations collect, store, and process personal data of EU/EEA residents. It applies whether or not your organization is based in the EU.

VisaPilot CRM is committed to GDPR compliance both as a platform operator and as a data processor on behalf of our firm subscribers.

2. Our Roles Under GDPR

Tech Vanta LLC as Data Controller

For data we collect directly (firm account information, billing data, support communications), Tech Vanta LLC acts as the Data Controller — we determine the purposes and means of processing.

Tech Vanta LLC as Data Processor

For visa application data and client personal information entered by your firm, Tech Vanta LLC acts as a Data Processor — we process this data only on your instructions. Your firm is the Data Controller for your clients' data.

If you are an EU-based immigration firm using VisaPilot CRM, you should sign a Data Processing Agreement (DPA) with us. Contact legal@getvisapilot.com to request one.

3. Lawful Basis for Processing

| Data Type | Lawful Basis |
| --- | --- |
| Firm account & billing data | Contract performance (Article 6(1)(b)) |
| Visa application data entered by firms | Legitimate interests of the firm; GDPR Article 9(2)(f) for special category data |
| Security & access logs | Legitimate interests (Article 6(1)(f)) |
| Marketing emails (if opted in) | Consent (Article 6(1)(a)) |

4. Your Rights Under GDPR

If you are an EU/EEA resident, you have the following rights regarding your personal data:

  • Right of Access (Article 15) — Request a copy of the personal data we hold about you. We will respond within 30 days.
  • Right to Rectification (Article 16) — Request correction of inaccurate or incomplete data.
  • Right to Erasure (Article 17) — Request deletion of your personal data where there is no compelling reason for its continued processing.
  • Right to Restriction (Article 18) — Request that we temporarily stop processing your data while a dispute is resolved.
  • Right to Portability (Article 20) — Receive your data in a structured, commonly used, machine-readable format (e.g., CSV/JSON export).
  • Right to Object (Article 21) — Object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw at any time without affecting prior processing.

How to Exercise Your Rights

Email privacy@getvisapilot.com with your request. Include your name, email address, and a description of your request. We respond within 30 days. We may need to verify your identity before processing the request.

Right to Lodge a Complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.

5. Data Processing Agreement

If you are processing personal data of EU residents using VisaPilot CRM, GDPR requires a Data Processing Agreement (DPA) between your firm (as Controller) and Tech Vanta LLC (as Processor).

Our DPA covers:

  • Subject matter and duration of processing
  • Nature and purpose of the processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Sub-processors we use (Stripe, AWS, etc.)

Request a DPA by emailing legal@getvisapilot.com.

6. International Data Transfers

VisaPilot CRM's infrastructure may process data outside the EU/EEA. We ensure adequate protection via:

  • Standard Contractual Clauses (SCCs) — EU-approved clauses for transfers to third countries
  • Sub-processor compliance — Stripe and AWS both have GDPR-compliant data processing terms

7. Data Protection

Tech Vanta LLC has designated a privacy contact responsible for data protection matters. Contact us at:

  • Email: privacy@getvisapilot.com
  • Subject line: GDPR Request — [Your Name]

8. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware
  • Notify affected data controllers (firm subscribers) without undue delay
  • Provide details of the breach, likely consequences, and measures taken

9. Contact for GDPR Matters

  • Privacy requests: privacy@getvisapilot.com
  • DPA / legal requests: legal@getvisapilot.com
  • Company: Tech Vanta LLC — VisaPilot CRM

Need a Data Processing Agreement?

EU-based firms using VisaPilot CRM to process client personal data should sign a DPA with Tech Vanta LLC.


© 2026 Tech Vanta LLC. All rights reserved. VisaPilot CRM is a product of Tech Vanta LLC.