Introduction and who we are
Welcome to the website of ChartaVisa by Charta Labs, LLC (“ChartaVisa,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use our website, application forms, customer support channels, payment flows, and related travel authorization or visa facilitation services.
Before using the Services or otherwise providing us with information, please carefully review this Policy. By accessing or using any part of the Services, or otherwise providing us with information, you acknowledge the applicability of this Policy. Additionally, where we rely on consent for a specific activity, we will request that consent separately where required by law. Depending on your location, certain rights and obligations described in this Policy may apply to you by law.
Charta Labs, LLC, operating as ChartaVisa, is the “Data Controller” of the personal information processed through the Services, unless otherwise stated. You can contact us at privacy@chartavisa.com or by mail at 4-75 48th Ave, Long Island City, NY 11109.
Effective Date: May 2026.
What ChartaVisa Does and Does Not Do
ChartaVisa is not a government authority, embassy, consulate, law firm, or immigration adviser. We provide administrative, technology-enabled, and document facilitation services. We do not issue visas or travel authorizations and do not guarantee approval by any government authority.
Information we collect
We may collect information in different ways, such as when you provide information directly to us, when we passively collect information from you, such as through a browser or device, or from third parties.
Information you provide directly to us
We may collect information from you when you provide such information directly to us, such as in the following situations:
- When you contact us with inquiries;
- When you respond to one of our surveys;
- When you register for access to our Services, or use or purchase certain of our Services like applying for travel visas;
- When you otherwise communicate with us, including through our support channels (email, online chat, or phone);
- When you request certain features (e.g. newsletters, updates); or
- When you otherwise provide us with information.
Some official forms may require information that is sensitive or high-risk under applicable law or in context, such as health-related answers, criminal or security-related responses, religion, biometric-style photographs, passport images, or other information required by a government authority.
Depending on the service requested and the requirements of the relevant government authority, we may collect: identity details; contact details; passport or travel document details and images; travel itinerary and accommodation details; answers required by official application forms; supporting documents; payment and transaction information; customer support communications; and technical, security, cookie, analytics, and fraud-prevention data. The information you provide directly to us may include, but is not limited to, the following about you or others:
- Name
- Phone number
- Travel details, such as arrival date, port of arrival, reason for travel
- Address
- Date of birth
- City and country of birth
- Citizenship
- Gender
- Passport information, such as a passport number, issue and expiration date, photo, and place of issue
- Family information, such as the names of family members
- Professional details, such as occupation and employer name; and
- Financial information, such as payment-related information you provide to us and/or our payment processors.
We collect Sensitive Information (such as health-related answers, criminal/security responses, religion, passport images, or other data required by a government authority) only when strictly necessary for the application you request. To process this Sensitive Information (Special Categories of Personal Data under EU/UK law), we rely on your Explicit Consent and/or the need to Comply with a Legal Obligation (immigration requirements).
If you provide personal information about another person, including a child, family member, travel companion, or applicant, you confirm that you are authorized to provide that information and to instruct us to process it for the requested service.
Information that is passively or automatically collected: Device/Usage Information
We may automatically collect technical information such as IP address, approximate location inferred from IP address, browser type, device type, operating system, referring URLs, pages viewed, timestamps, error logs, and interactions with the Services. We may use security and diagnostics tools to understand errors and improve the Services. We apply key-based redaction to authentication tokens, passport numbers, and payment fields before any third-party diagnostic tool receives a log event.
Information collected from unaffiliated parties
If you choose to sign in using a third-party account, such as Google, we may receive limited profile information such as your name, email address, account identifier, and profile image, depending on your settings and the permissions you approve.
Please note that we may combine information that we collect from you and about you (including automatically-collected information) with information we obtain about you from our affiliates and/or non-affiliated third parties, and use such combined information in accordance with this Policy.
Our use of your personal data and other information we collect
We use personal information to: create and manage your application; prepare, review, process, and, where applicable, submit visa or travel authorization requests; communicate with you; provide support; process payments; verify identity or eligibility information when needed; prevent fraud and abuse; maintain security; comply with law; manage disputes, refunds, and chargebacks; improve our Services; and send marketing only where permitted by law.
We may use aggregated or de-identified information to analyze and improve the Services, provided it cannot reasonably be used to identify you. We will not attempt to re-identify de-identified information except as permitted by law to test our de-identification safeguards.
Our disclosure of your personal data and other information
When necessary for the service you request, we may disclose your application information, passport or travel document details, supporting documents, and form responses to government authorities, immigration agencies, embassies, consulates, official application portals, or authorized government systems. This international transfer is strictly necessary for the performance of our contract with you (i.e., to submit your application on your behalf) or for taking steps at your request prior to entering into a contract. Once submitted, those authorities process your information under their own laws, systems, and privacy practices, which we do not control.
Business Transfers. As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, or during negotiations or due diligence in contemplation of such an event, information we collect may be disclosed.
Related Companies. We may also disclose your information to our affiliates and other related companies for purposes consistent with this Privacy Policy.
Agents, Consultants, and Third-Party Vendors. Like many businesses, we may use operational partners, service providers, or authorized agents where necessary to support a requested application, document handling, customer support, payment processing, fraud prevention, or legal compliance.
Consent. We may disclose your information to any third parties based on your consent to do so.
Legal Requirements. We may disclose information about you if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of ChartaVisa, (iii) act in urgent circumstances to protect the personal safety of our users or the public, or (iv) protect against legal liability.
We use service providers to host, store, secure, process, analyze, communicate, support, and operate the Services. These providers may process personal information only as needed to provide services to us and must protect it under appropriate contractual, technical, and organizational safeguards.
Partner and agent integrations (B2B API)
We offer a partner API that allows authorized third-party platforms — including AI assistants and travel-services partners — to interact with the Services on your behalf using an API key issued against your account.
When you use a partner integration, the partner may, on your behalf:
- Read your traveler profile, including your name, date of birth, nationality, full passport number, passport issue and expiry dates, gender, contact details, and URLs to the passport image and selfie you uploaded;
- Read the application form data you have submitted, including answers to questions required by the relevant government authority;
- Write or update the same data, including by uploading new passport images, selfies, or supporting documents to your application;
- Receive webhook notifications about status changes to your application. Webhook payloads are minimal and include only the event type, the application ID, a timestamp, and the new status — no passport number, image, selfie, or form data is sent in webhooks.
The partner you authorize is an independent controller of the personal information it collects from you directly (before passing data to us) and of the data it pulls from us via the API. Its own privacy policy applies to data it holds. We are not responsible for a partner's processing of your data.
We retain an internal audit log of every API call a partner makes on your behalf — including a hashed IP address, user agent, route, response status, and outcome — for fraud prevention, security, dispute resolution, and to honour your data-subject requests. Audit log entries are retained for 12 months and then deleted automatically by our agent-retention job.
You may revoke a partner's access at any time by rotating or revoking the API key from your account settings, or by emailing privacy@chartavisa.com.
Analytics and Advertising
We may use analytics tools to understand how visitors use our website, diagnose technical issues, measure performance, and improve the Services. Analytics tools may process technical information such as IP address, browser type, device type, pages viewed, referring pages, timestamps, and interactions with the Services.
We do not use passport details, passport images, uploaded documents, government form responses, health or security eligibility answers, sensitive information, or payment card details for targeted advertising, cross-context behavioral advertising, or unrelated marketing.
If we use advertising cookies, pixels, or similar technologies in the future, we will provide notice, consent, and opt-out choices where required by applicable law.
Your choices
Subject to applicable laws, you may have certain choices available regarding your information.
Account Information: You may access certain of your information and delete or modify that information by accessing and editing your account profile.
Marketing Emails: Subject to applicable laws, we may send you marketing emails. To opt out, you may click on the “unsubscribe” link in such emails. Please note that we may still send you transactional communications, such as about the status of your travel visa, even if you opt out of marketing emails.
Cookies & Analytics: You can opt out of certain cookie-related and analytics processing by following the instructions in this Policy. Please visit the section “Region-Specific Notices and Rights” for notices and choices specific to certain geographic regions.
Retention of the information we collect
We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, including to provide the Services, manage applications, provide customer support, prevent fraud and abuse, maintain security, comply with legal obligations, resolve disputes, process refunds or chargebacks, keep accounting records, and establish or defend legal claims.
Uploaded passport images, photos/selfies, and supporting documents are generally deleted or de-identified within 30 days after the final decision, approval, denial, cancellation, or closure of the relevant application, unless a longer retention period is necessary for fraud prevention, dispute resolution, chargebacks, legal compliance, customer support, accounting, or legal claims.
Application records, order records, support communications, payment-related records, and security logs may be retained for longer where necessary for legal, tax, accounting, fraud-prevention, dispute, security, or operational purposes.
When personal information is no longer needed, we delete, anonymize, or de-identify it in accordance with our retention procedures.
Security
We have implemented administrative, technical, and physical security measures to protect against the loss, misuse and/or alteration of your information. These safeguards vary based on the sensitivity of the information that we collect and store. However, we cannot and do not guarantee that these measures will prevent every unauthorized attempt to access, use, or disclose your information since, despite our efforts, no Internet and/or other electronic transmissions can be completely secure.
International Transfer of Information
We are based in the United States, and we may process and store personal information in the United States and other countries where we, our service providers, or relevant government authorities operate.
Where required by applicable law, we use appropriate transfer mechanisms for international transfers of personal information. These may include adequacy decisions, the EU-U.S. Data Privacy Framework for certified providers, Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, or other lawful safeguards or derogations.
You may contact us at privacy@chartavisa.com for more information about the safeguards we use for international transfers where required by applicable law.
Children's privacy
Our Services are not directed at children under 16. We do not knowingly collect personal data from anyone under 16 in the EU/UK, or under 13 in the US. However, a parent, legal guardian, or authorized adult must submit an application on behalf of a minor where the requested visa, travel authorization, or document service permits or requires information about a minor.
We do not knowingly allow minors to create accounts, submit applications directly, or receive marketing from us. If you believe that a minor has provided personal information to us without appropriate authorization, please contact us at privacy@chartavisa.com and we will take appropriate steps in accordance with applicable law.
If you provide information about a minor, you confirm that you are the parent, legal guardian, or otherwise authorized adult and that you have authority to provide that information for the requested service.
Links to other websites and services
This Policy applies only to our Services. Our Services may contain links to other websites not operated or controlled by ChartaVisa (the “Third-Party Sites”). The policies and procedures we describe here do not apply to the Third-Party Sites. Inclusion of such links does not imply our endorsement or review of the Third-Party Sites. We encourage our users to be aware when they leave our Services and to read the privacy statements of every site they visit that collects their information.
Third-Party Service Providers
We use trusted third-party service providers to operate, secure, process, improve, and support the Services. These providers may process personal information only as necessary to provide services to us, to comply with legal obligations, to prevent fraud or abuse, to maintain security, or as otherwise described in this Privacy Policy.
Our service providers are required to process personal information under appropriate contractual, confidentiality, security, and data protection obligations. Where required by applicable law, we enter into data processing agreements and use appropriate safeguards for international transfers of personal information.
The third-party providers we currently use include:
- Stripe. We use Stripe to process payments, refunds, disputes, chargebacks, and payment-related webhooks. Stripe may receive payment details, billing information, transaction information, customer name, email address, payment status, dispute information, and related fraud-prevention data. We do not intend to store full card numbers, CVV codes, or complete payment card credentials on our own systems.
- Google OAuth 2.0. We use Google OAuth 2.0 to allow users to sign in with Google. If you choose to use this feature, Google may provide us with limited profile information, such as your name, email address, Google account identifier, and profile picture, depending on your Google account settings and the permissions you approve.
- Google Cloud Vision API. We use Google Cloud Vision API to help read information from passport or travel document images through optical character recognition (OCR), where this feature is available. This helps us auto-fill or validate parts of your application and reduce manual entry errors. When this feature is used, the passport or travel document image is transmitted to Google Cloud Vision API for processing. We do not use passport images or OCR results for advertising or unrelated marketing.
- Google Places API. We use Google Places API to provide address autocomplete and address detail suggestions. When you use address autocomplete, typed address queries, partial addresses, place identifiers, and related technical information may be processed by Google to return address suggestions and place details.
- Google Fonts. We may use Google Fonts to display web fonts on our website. When your browser loads fonts from Google, Google may receive technical information such as your IP address, browser details, and user agent. We do not send application form data, passport information, or payment information to Google Fonts.
- Neon. We use Neon to provide our PostgreSQL database infrastructure. Neon may process and store information contained in our application database, including user account information, traveler profiles, applications, orders, application status, and related operational records.
- Hostinger. We use Hostinger to host and operate parts of our application infrastructure. Hostinger may process technical hosting data and may store or process uploaded documents, passport scans, photos/selfies, application data, logs, and other information necessary to operate the Services. As our Processor, Hostinger is contractually bound to uphold strict security and confidentiality safeguards for all personal data processed.
- Error monitoring. We may use error monitoring and diagnostics tools, such as Sentry, to detect, investigate, and fix technical errors. If enabled, these tools may process technical data such as error logs, stack traces, URLs, browser and device data, and limited user identifiers. We configure these tools to ensure that they do not capture or record sensitive form fields, passport numbers, payment card data, passport images, selfies, or other uploaded documents.
We may update our service providers from time to time as our business and technology stack changes. If a provider materially changes how we process personal information, we will update this Privacy Policy where required by law.
Changes to this policy
We reserve the right to change this Policy at any time, including to reflect changes in the law, our data collection and use practices, the features of our Services, or advances in technology. Please check this page periodically for changes. Your continued use of the Services following the posting of changes to this Policy will mean you accept those changes.
If we make material changes, we will take reasonable steps to notify you, such as by posting a prominent notice or contacting you where appropriate.
Region-Specific Notices and Rights
Residents of the European Economic Area or the United Kingdom
Under applicable law, ChartaVisa is considered the “data controller” of the personal data we handle under this Policy. Our contact information appears in the “Contact Us” section of this policy.
The laws of some jurisdictions such as the laws of the European Union and the United Kingdom require data controllers to tell you about the legal ground that they rely on for using, sharing, or disclosing your information. To the extent those laws apply, our legal grounds are as follows:
Contractual Commitments: We may use, share, or disclose information to honor our contractual commitments to you, e.g. to comply with our Terms of Service, sales agreement (e.g. for purchase of our travel visa services), or other contracts between us.
With Your Consent: Where required by law, and in some other cases, we use, share, or disclose information on the basis of your consent. Where we process your personal data with your consent, you may subsequently withdraw consent at any time by contacting us (using the contact instructions in the “Contact Us” section), without affecting the lawfulness of processing based on consent before its withdrawal.
Legitimate Interests: In many cases, we use, share, or disclose information on the ground that it furthers our legitimate business interests in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals, such as customer service, certain promotional activities, analyzing and improving our business, providing security for our Services, preventing fraud, and managing legal issues.
Legal Compliance: We need to use, share, and disclose information in certain ways to comply with our legal obligations, such as applicable accounting standards and to make mandatory disclosure to law enforcement and regulatory authorities.
Laws of the European Economic Area and the United Kingdom may permit you to request that we:
- provide access to and/or a copy of certain information we hold about you;
- prevent the processing of your information for direct-marketing purposes (including any direct marketing processing based on profiling);
- update information that is out of date or incorrect;
- delete certain information that we are holding about you;
- restrict the way that we process and disclose certain of your information;
- transfer your information to a third-party provider of services; and
- revoke your consent for the processing of your information.
Please note, however, that certain information may be exempt from such requests in some circumstances, which may include needing to continue processing your information for our legitimate interests or to comply with a legal obligation. We may request you provide us with information necessary to confirm your identity before responding to your request. To exercise any of these rights, please contact us as described in the “Contact Us” section of this Policy.
You may exercise your rights by contacting us at privacy@chartavisa.com. To help us process your request, you may include ‘Privacy Request’ in the subject line and use the email associated with your account or application. For all Data Subject Rights requests made by residents of the EEA or UK, you must put the statement “Your EU Data Subject Rights” in the subject field of your request. Our EU representative is Sergio Merchan, reachable at sergio@chartavisa.com.
In addition to those rights, you have the right to lodge a complaint with the relevant supervisory authority. However, we encourage you to contact us first (see the “Contact Us” section), and we will do our very best to resolve your concern.
Rights of California Consumers
If we are subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents may have rights to know, access, correct, delete, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights.
We do not use passport details, passport images, uploaded documents, government form responses, health or security eligibility answers, sensitive information, or payment card details for targeted advertising.
If we engage in activities that are considered a “sale” or “sharing” of personal information under California law, we will provide a clear method to opt out and will honor opt-out preference signals where required by applicable law.
To submit a California privacy request, contact us at privacy@chartavisa.com or through our Contact Us page. We may need to verify your identity before responding to your request.
Retention of Your Personal Information. Please see the “Retention of the Information We Collect” section. California law permits California residents to request and obtain from ChartaVisa once a year, free of charge, a list of the third parties to whom ChartaVisa may have disclosed their personal information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those third parties. We do not engage in such activity.
Residents of Other U.S. States with State Privacy Laws
Residents of certain U.S. states may have additional privacy rights depending on where they live and whether the relevant law applies to us. We will respond to verified requests as required by applicable law. Those laws may permit you to request that we:
- Confirm whether or not we are processing your personal information and provide you with access to such personal information;
- Correct inaccuracies in your personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information;
- Delete your personal information;
- Provide you a copy of personal information that you previously provided to us and we still keep in our systems; and
- Opt you out of the processing of the personal information for purposes of targeted advertising, the sale of personal information, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
Certain information may be exempt from such requests under applicable law. We need certain types of information so that we can provide the Services to you. If you ask us to delete it, you may no longer be able to access or use the Services.
If you would like to exercise any of these rights, please submit a request from our Contact Us page. You will be required to verify your identity before we fulfill your request. To do so, you will need to provide the information requested by us.
Your rights and our responses will vary based on your state or country of residency. You may be located in a jurisdiction where we are not obligated, or are unable, to fulfill a request. In such a case, your request may not be fulfilled.
If we deny your request to exercise any of the rights above, you may appeal that denial by using our Contact Us page form with the subject line, “Data Request Appeal” to provide us with information about why you are appealing our decision. We will respond to appeal requests where required under applicable law.
Other Countries
When Canadian privacy laws apply, we process personal information in accordance with applicable principles of accountability, consent, limited collection, limited use and retention, safeguards, openness, access, and correction.
When Brazilian data protection law applies, Brazilian users may have rights under the LGPD, including access, correction, deletion, portability, information about sharing, and review of certain automated decisions, subject to legal limits.
When the Act on the Protection of Personal Information of Japan, as amended from time to time (the “APPI”), applies to our processing of personal information, we handle personal information in accordance with the APPI and applicable guidance issued by Japan's Personal Information Protection Commission.
Contact us
For privacy requests, contact privacy@chartavisa.com.
For legal requests, contact legal@chartavisa.com.
For customer support, contact support@chartavisa.com.
Mailing address:
Charta Labs, LLC
4-75 48th Ave
Long Island City, NY 11109
United States
