Your data, handled with care.
Stamp'd handles passport data, identity details, and travel documents — some of the most sensitive information you own. This policy explains exactly what we collect, why, and how we protect it.
Last updated: June 5, 2026
This policy applies to the Stamp'd web application at getstampd.org and all services operated under it. By using Stamp'd, you agree to the practices described here.
Who We Are
Stamp'd ("we", "us", or "our") is a travel intelligence platform that helps travellers understand visa requirements, manage travel documents, and prepare for international trips. We are operated as an early-stage startup.
For all privacy enquiries contact us at hello@getstampd.org.
Data We Collect
Account & Identity
- Full name (as it appears on your passport)
- Email address
- Date of birth
- Country of nationality
Passport & Document Data
- Passport number and expiry date
- Passport issuing country
- Passport photograph — uploaded image used only for auto-fill during onboarding, stored encrypted
- Additional passport details for multi-passport holders
- Uploaded travel documents (visas, insurance, tickets, accommodation, etc.)
Trip & Travel Data
- Trip names, destinations, and travel dates
- Traveller type preferences (solo, business, family, student)
- Checklist completion, budget entries, itinerary blocks, reminders
Usage & Technical Data
- IP address and approximate location (via Cloudflare)
- Browser, device, and OS type
- Pages visited and session behaviour (Microsoft Clarity — only if you accept cookies)
- Authentication logs and access timestamps
- Features you use within the app, including countries you search for visa requirements — used in aggregate to understand travel trends
Waitlist Data
If you joined the waitlist, we store only your email address to notify you when early access opens.
How We Use Your Data
- To provide personalised visa requirements and travel readiness based on your passport and destination
- To auto-populate your profile using passport OCR during onboarding
- To store and display your travel documents in the Document Vault
- To send transactional emails (account confirmation, waitlist updates) via Resend
- To authenticate you securely and maintain your session via Supabase Auth
- To improve the product using anonymised session analytics (Clarity — consent only)
- To prevent abuse and enforce our Terms of Service
We may share anonymised, aggregated travel trend data — such as popular destinations by month — with commercial partners. This data contains no personal information and cannot be used to identify any individual user. You can opt out of contributing to this aggregated data at any time in your Settings.
Data Storage & Security
All data is stored on Supabase, hosted on AWS us-east-1.
Platform-level protections
- AES-256 encryption at rest for all database and storage data
- TLS 1.2+ encryption in transit for all connections
- Row-Level Security (RLS) — every query is scoped to the authenticated user; no user can access another's data
- Supabase holds SOC 2 Type II certification
Passport images
Stored in a private, access-controlled bucket. Only accessible to the authenticated user who uploaded them. Never shared with third parties or used to train ML models.
Our practices
- All API routes validate authentication before processing requests
- Sensitive fields (passport numbers) are never logged
- Production access is restricted to authorised team members only
- Regular security reviews of code and dependencies
Third-Party Services
We share data with the following sub-processors only to the extent required to operate the service:
| Vendor | Purpose | Location | Policy |
|---|---|---|---|
| Supabase | Database, authentication, file storage | USA (AWS us-east-1) | View ↗ |
| Resend | Transactional email delivery | USA | View ↗ |
| Cloudflare | CDN, DNS, DDoS protection | Global | View ↗ |
| Microsoft Clarity | Session recordings & heatmaps (consent-gated) | USA | View ↗ |
| Vercel | Application hosting and deployment | Global edge | View ↗ |
All sub-processors are required to maintain appropriate data protection standards. Where required by GDPR, we enter into Data Processing Agreements (DPAs).
Your Rights
All users
- Access — request a copy of all personal data we hold about you
- Correction — request that inaccurate data be corrected
- Deletion — request permanent deletion of your account and all associated data
- Portability — receive your data in a machine-readable format (JSON/CSV)
EU / UK users (GDPR / UK GDPR)
- Restriction — request that we restrict processing of your data
- Objection — object to processing based on legitimate interests
- Withdraw consent — for any consent-based processing (e.g. analytics cookies)
- Lodge a complaint with your local Data Protection Authority (DPA)
California users (CCPA)
- Right to know what personal information is collected and how it is used
- Right to opt out of sale — we do not sell your data
- Right to non-discrimination for exercising your privacy rights
Account Deletion
You can delete your account from Settings. All profile data, passport data, documents, and trip history will be permanently erased immediately. You can also email hello@getstampd.org for assistance.
To exercise any right, email hello@getstampd.org. We respond within 30 days.
Children's Privacy
Stamp'd is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, contact us immediately at hello@getstampd.org and we will delete it.
Data Retention
- Account & profile data — retained while your account is active
- Trip and document data — retained while active; deleted immediately on account deletion
- Passport images — retained until you delete them or your account is closed
- Visa cache data — retained for 7 days (API response cache to reduce external calls)
- Feature usage and search behaviour (intent events) — retained for 12 months, then deleted
- Waitlist emails — retained until early access launches or you unsubscribe
- Authentication & security logs — retained for 90 days
International Data Transfers
Stamp'd is operated globally. Your data may be processed in the United States where most of our infrastructure (Supabase / AWS) is hosted.
For EEA and UK users, we rely on Standard Contractual Clauses (SCCs) with our sub-processors to ensure adequate protection for international transfers in accordance with GDPR Chapter V.
Policy Changes
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of Stamp'd after changes take effect constitutes acceptance of the revised policy.
Contact Us
For any privacy questions, data requests, or complaints:
- Email: hello@getstampd.org
- Website: getstampd.org
We aim to respond to all privacy requests within 30 days.