Privacy Policy

Last updated: May 2026

Self Migrate (selfmigrate.app) is operated by Benjamin Vermeulen, trading as TVG. This page explains what personal information we collect, how we use it, who we share it with, and the rights you have over it. The plain-language summary at the top of each section is the operative version; the legal basis text is for compliance reference.

Information Officer

Our Information Officer (the role POPIA defines) is Benjamin Vermeulen. Reach out for any privacy-related question or to exercise your rights:

• Email: hello@selfmigrate.app
• Privacy-specific: privacy@selfmigrate.app
• Registered with the South African Information Regulator under POPIA.

What We Collect

• Account information — email address, name, and password (hashed) when you create an account.
• Migration profile — age, qualifications, English test scores, work history, country preferences. You choose what to enter; nothing here is mandatory.
• Calculator and checklist data — visa points calculations, country-comparison ratings, and document checklists you save.
• AI chat history — conversations with our AI assistant, kept for the regulatory-audit purposes described below.
• Subscription / payment metadata — your subscription tier and a reference to your subscription record in Lemon Squeezy. We never see or store card numbers ourselves; all card data lives with the payment provider.
• Usage data — pages visited, features used, referrer source, approximate device / browser / country-level location. Collected via Vercel Analytics (first-party, cookie-less) and — only with your explicit consent — Google Analytics 4. See the Cookies section for the storage details and how to withdraw consent.
• Feedback you submit — messages you send via the in-product feedback widget (chat bubble, bottom-right), including the category you picked, your message, the page you were on when you submitted, and (if you provide one) your email address so we can follow up. Used only to improve the product and to reply to you. Stored in our Supabase database alongside other account data.

Lawful Basis for Processing

Where GDPR / POPIA require it, we identify a lawful basis for each processing purpose:

• Contract performance— account authentication, providing free and paid features, processing subscription payments. We can't deliver the service without this.
• Legitimate interest — basic analytics (understanding which features are used), security event logging, and abuse prevention. You can object to any of these by emailing the Information Officer.
• Consent — any optional marketing emails or cookies that fall outside the strictly-necessary set. You can withdraw consent at any time.
• Legal obligation — retention of AI interaction logs for the audit purposes described below; retention of financial records for tax compliance.

How We Use Your Data

• To provide and improve our immigration information tools
• To save your calculations, profile, and checklists to your account
• To bill subscriptions and surface invoices via the relevant billing provider
• To maintain audit logs of AI interactions, as we operate alongside (without being registered with) MARA / CICC / IAA
• To send transactional emails (account confirmation, payment receipts, subscription changes)

Third-Party Services

We use the following services to operate the platform. Each is a separate data controller or processor as appropriate:

• Supabase — authentication, database, and file storage (hosted in Australia)
• Vercel — website hosting, edge network, and analytics (US/EU edge nodes)
• xAI — AI language models for chat and document analysis (US)
• Resend — transactional email delivery (US)
• Sentry — error and performance monitoring (US)
• Google Analytics 4 — page-view and event analytics (US). Only loaded after you accept on the consent banner; gated by our consent-management platform.
• Iubenda — consent-management platform (Italy / EU). Renders the cookie banner, classifies categories of cookies, records your consent choice on a tamper-evident ledger, and auto-blocks third-party tracker scripts (including Google Analytics) until you decide. Iubenda is our data processor for consent records and operates under the EU GDPR by default.
• Lemon Squeezy — Merchant of Record for all subscriptions. They process card data, collect any applicable VAT / GST / sales tax on our behalf, and are legally the seller of record for the transaction.

We do not sell your personal data to third parties.

Cross-Border Data Transfers

Several of the services above process data outside South Africa. Where the destination country lacks an adequacy decision under the relevant privacy framework, we rely on Standard Contractual Clauses (SCCs) signed with each processor as the legal basis for the transfer. The processor list above identifies the country where each service processes data.

Privacy Law Coverage

• POPIA (South Africa) — for our South African users and data subjects
• Australian Privacy Principles — for Australian data subjects
• PIPEDA (Canada) — for users in Canada
• NZ Privacy Act 2020 — for users in New Zealand
• GDPR — for users in the EU or EEA
• UK GDPR — for users in the United Kingdom

Data Retention

• Account data — kept while your account is active. After you request deletion, we keep a recoverable copy for 30 days so you can reverse an accidental request, then hard-delete.
• AI interaction logs — retained for 5 years as a compliance audit trail across the destination-country regulators (MARA, CICC, IAA) we operate alongside. A daily cron deletes rows older than this window.
• Financial records — invoices, payment records, and tax-relevant subscription metadata are retained for 5 years to comply with SARS record keeping rules (and the equivalent obligations of our international merchant of record).

Automated Decision-Making

The Document Vault feature uses an AI model to classify uploaded documents into passed, needs_changes, or failed against a published list of criteria. This is information, not advice — it is not a binding determination and has no legal effect on any visa application. If you believe an automated classification is wrong, you can request human review by emailing privacy@selfmigrate.app. We will revisit the document and the criteria with you.

Cookies

We split cookies and similar browser storage into two buckets: strictly necessary(always on; the product can't work without them) and consent-gated(off by default; loaded only after you opt in on the Iubenda consent banner). Iubenda also installs its own small set of cookies to remember your consent decision so we don't keep prompting you.

Strictly necessary

• Supabase auth cookies (sb-access-token, sb-refresh-token) — required to keep you signed in
• selfmigrate_profile_v1 — first-party cookie holding your migration profile so the country-comparison page works without an account; 180-day lifetime
• _iub_cs-* (Iubenda consent cookies) — first-party cookies that remember which categories you accepted or rejected, plus a tamper-evident ID linked to the consent record on Iubenda's ledger. No personal data; required for the banner not to re-prompt on every page load.
• Vercel Analytics — first-party, cookie-less in the default configuration; no cross-site tracking

Consent-gated (off by default)

• Google Analytics 4 (_ga, _ga_*) — first-party cookies set by gtag.js after you accept the “Measurement” category on the Iubenda banner. Used to measure page views, navigation paths, traffic sources, and roughly which country the visit came from. Default 14-month retention in Google's configuration. Iubenda's autoblocking script prevents gtag.js from loading at all until you accept; US-state-privacy signals (e.g. Global Privacy Control) are honoured automatically without you having to interact with the banner.

How to change or withdraw consent

You can revisit your decision at any time:

• Cookie settings link in the footer (and on /dashboard/settings for logged-in users) — opens the Iubenda preferences modal where you can flip individual categories or reject all.
• Clear site datafor selfmigrate.app in your browser's privacy settings — this drops the _iub_cs-* cookies and the banner re-prompts on the next visit.

We do not use advertising cookies. We do not sell or share analytics data with third-party data brokers. GA4 stores truncated IP addresses by default (full IPs are dropped server-side before logging).

Your Rights

You have the right to access, correct, restrict, or delete your personal data, to object to processing on a legitimate interest basis, and to data portability. Email privacy@selfmigrate.app to exercise any of these.

You also have the right to lodge a complaint with the regulator in your country:

• South Africa — Information Regulator
• EU / EEA — Your national supervisory authority
• United Kingdom — Information Commissioner's Office (ICO)

Contact

Privacy questions or rights requests: privacy@selfmigrate.app. General questions: hello@selfmigrate.app.