1. Who We Are
VisaBuddy is an immigration compliance tracking tool for F-1 international students in the United States. We are not affiliated with USCIS, DHS, or any US government agency. Nothing in this app constitutes legal advice — always consult your DSO or a licensed immigration attorney for your specific situation.
2. Information We Collect
We collect only what you provide to help you track your compliance:
- Account information: Email address, name, and profile photo (if using Google sign-in)
- Student profile: University name, program, program dates, degree level, home country
- DSO contact: Your Designated School Official's name, email, and phone
- Visa information: Visa type, passport expiry date, EAD dates, I-20 signature date
- Employment records: Employer names, dates, and OPT status you enter
- Travel records: Trip dates and destinations you log
- Documents: Document records and expiry dates you track
Immigration Document Identifiers — Special Category Data
VisaBuddy allows you to optionally store the following sensitive immigration identifiers for compliance tracking purposes. All three values are encrypted using AES-256-GCM encryption before being written to the database. The plaintext value is never stored, never logged, and never transmitted to any third party.
- SEVIS ID — your student record number (format: N + 9 digits)
- Passport number — from your travel document
- I-94 Admission Number — from your last US entry record
These fields are write-only: once saved, the decrypted values are never returned to the client or displayed in the app. They exist solely so you have a record that these documents are on file. You may delete them at any time from your profile settings.
Government non-disclosure: VisaBuddy does not share your SEVIS ID, passport number, I-94 number, or any other data with USCIS, ICE, DHS, CBP, or any government agency, absent a valid, specific, and legally compelled court order or subpoena directed to us. If we receive such an order, we will notify you to the extent legally permitted before complying.
3. How We Use Your Information
- To calculate compliance deadlines and alert you before they pass
- To provide personalized AI assistant answers based on your OPT status and profile
- To generate travel checklists and unemployment day counts
- To send deadline reminder emails (only if you have notifications enabled)
- To display your compliance dashboard and phase status
We do not sell your data. We do not use your data for advertising. We do not share it with third parties except as described in Section 4.
4. Third-Party Services
We use the following services to operate VisaBuddy. Each receives only the minimum data necessary:
- Supabase (database, authentication, file storage) — US-based servers. Your data is stored in Supabase's US region. Privacy Policy
- Groq (AI assistant) — only a non-identifiable summary of your compliance situation is sent (e.g., "Student on OPT active, 45 unemployment days used, EAD expires in 60 days"). Raw SEVIS IDs, passport numbers, and I-94 numbers are never sent to Groq. Privacy Policy
- Vercel (hosting and serverless functions) — Privacy Policy
- Resend (email delivery) — only your email address and deadline information are passed to send reminder emails you have requested
- Stripe (payments) — only used when you subscribe to a paid plan. We never see or store your payment card details. Stripe handles all payment processing under PCI DSS compliance. Privacy Policy
- PostHog (product analytics) — anonymous usage events only (page views, feature usage). No PII is sent to PostHog.
- Sentry (error monitoring) — error stack traces only. We scrub PII from error reports before they are sent.
5. Data Security
- SEVIS IDs, passport numbers, and I-94 numbers are encrypted at rest using AES-256-GCM before storage — the plaintext value is never persisted
- All data is transmitted over HTTPS (TLS 1.2+)
- Row-Level Security (RLS) policies in the database ensure each user can only access their own records — this is enforced at the database level, not just the application layer
- Document files are stored in private Supabase Storage buckets with per-user access controls
- Application logs never contain SEVIS IDs, passport numbers, I-94 numbers, or other sensitive immigration identifiers
- Admin access to the database does not expose decrypted immigration identifiers
6. Data Retention
We retain your data as long as your account is active.
- AI conversation history is automatically deleted after 90 days
- Account deletion — all your data is permanently deleted within 30 days of account deletion
- Inactive accounts — accounts with no activity for 24 months may be deleted with 30 days' email notice
7. Your Rights
Regardless of where you are located, you have the right to:
- Access all data we hold about you — request a full export at any time
- Rectification — correct any inaccurate data via your profile settings
- Erasure — delete your account and all associated data permanently (Profile → Settings → Delete Account)
- Portability — export your compliance data in machine-readable format
- Objection — opt out of any non-essential data processing at any time
If you are in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under GDPR including the right to lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@visabuddy.app. We respond within 30 days.
8. Business Transfers
If VisaBuddy is acquired, merged, or its assets are transferred to another company, your data may be transferred as part of that transaction. We will notify you by email at least 30 days before any such transfer takes effect, and you will have the option to delete your account before the transfer occurs. Any acquiring company would be required to honor this privacy policy or provide you with 30 days' notice of material changes.
9. Cookies
We use session cookies set by Supabase Auth to maintain your login state. These are strictly necessary for the app to function. We do not use advertising cookies, third-party tracking cookies, or persistent analytics cookies.
10. Children's Privacy
VisaBuddy is not intended for users under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us at privacy@visabuddy.app and we will delete it promptly.
11. Changes to This Policy
We will notify active users of material changes to this policy via email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.