Cybersecurity

Privacy Policy

Last updated: 9 June 2026

PassportTrail is a travel history tracking and visa compliance tool built for frequent travellers. We help you track border crossings, monitor visa compliance, and generate official travel history reports.

PassportTrail is operated by Haq Digital LLC, a limited liability company incorporated in the State of Wyoming, United States. Our registered address is 30 N Gould St Ste N, Sheridan, WY 82801. For privacy enquiries or data requests, contact us at support@passporttrail.com.

Personal data you provide:

  • Name and email address (account registration)
  • Home country and passport nationality
  • Passport details: nationality, issue date, expiry date
  • Passport number (stored encrypted using AES-256 encryption)
  • Travel history: countries visited, entry/exit dates, ports, visa types

Data collected automatically:

  • IP address (for GDPR consent records and security)
  • Browser type and version
  • Device type (mobile/desktop)
  • Pages visited and features used (via Plausible Analytics — cookie-free, no personal data. We may add additional analytics tools in future which will be reflected in an updated policy.)
  • Error logs (anonymised)

Data we do NOT collect:

  • We do not sell your data to third parties
  • We do not use your passport data for advertising
  • We do not share your travel history with governments or immigration authorities
  • We do not use cookies for tracking (we use Plausible Analytics which is cookie-free)

  • To provide the PassportTrail service and your travel history
  • To calculate visa compliance status (Schengen, UK, US, Canada rules)
  • To send passport and visa expiry reminders you have opted into
  • To process your subscription payment via LemonSqueezy
  • To respond to customer support requests
  • To comply with our legal obligations

  • Contract: processing necessary to provide the service you signed up for
  • Legitimate interest: security, fraud prevention, service improvement
  • Consent: marketing emails (you can withdraw at any time)
  • Legal obligation: responding to lawful requests from authorities

  • All data stored in Supabase (hosted on AWS ap-northeast-2, Seoul, South Korea)
  • Passport numbers encrypted at rest using AES-256 encryption via pgcrypto
  • All data transmission encrypted via TLS/HTTPS
  • Access limited to authorised personnel only
  • Regular security reviews conducted

Account Recovery

Your registered email address is your only account recovery key. If you forget your password, use the forgot password link on the login page to receive a reset email. If you no longer have access to your registered email address, contact support@passporttrail.com for assisted recovery. We recommend storing your login email in a safe place.

Data Retention & Lifecycle

  • Active accounts: data retained for the lifetime of your account
  • Deleted accounts: all personal data permanently deleted immediately upon deletion request
  • Anonymised analytics: retained indefinitely (no personal data)
  • Legal/financial records: retained for 7 years as required by applicable law

Inactivity: Free plan accounts inactive for 3 consecutive years (no login) will be notified at 33 months and 36 months before permanent deletion 7 days after the final notice. Lifetime accounts follow a 10-year inactivity threshold. Active Pro subscribers are never deleted due to inactivity.

Travel History Data — Retention Exemption

Travel history records (countries visited, entry and exit dates, ports of entry, visa types, and associated passport data) are classified as long-term regulatory compliance data. Travellers regularly require access to historical border crossing records spanning multiple years for visa applications, immigration interviews, tax residency assessments, and regulatory compliance filings.

  • Travel history text logs are explicitly exempted from automatic lifecycle deletion scripts. PassportTrail does not run scheduled deletion jobs that purge travel records based on account inactivity, subscription lapse, or time elapsed.
  • When a paid plan expires or is cancelled, accounts enter a 90-Day Frozen Vault state. After 90 days without reactivation, records are moved to a server archival state — a storage-efficiency measure that does not constitute deletion. Archived records remain fully restorable upon plan reactivation.
  • This retention exemption does not override a user's statutory rights — see GDPR Rights below.

GDPR Right to Erasure — Manual Account Deletion

Notwithstanding the travel history retention exemption above, every account holder retains an absolute GDPR Right to Erasure (the “right to be forgotten”) which PassportTrail fully honours. This right is exercised exclusively via the manual Account Deletion sequence accessible from Account Settings.

  • Upon submission of a verified account erasure request, all personal data — including travel history records, passport details, family member profiles, and associated identifiers — is permanently and irreversibly deleted immediately.
  • Financial and legal transaction records are retained for 7 years as required by law, but are anonymised and cannot be linked back to your identity after deletion.
  • Deleted data cannot be recovered. We recommend exporting your full travel history PDF before initiating account deletion.
  • Erasure requests submitted through channels other than the Account Settings deletion flow are not processed automatically and will require identity verification before action is taken.

You have the right to:

  • Access: request a copy of all data we hold about you
  • Rectification: correct inaccurate data
  • Erasure: request deletion of your data (“right to be forgotten”)
  • Portability: receive your data in a machine-readable format
  • Restriction: request we stop processing your data
  • Objection: object to processing based on legitimate interest
  • Withdraw consent: for marketing emails at any time

To exercise these rights: Contact Us or use the data deletion request form at passporttrail.com/gdpr. We will respond within 30 days. Identity verification required.

PassportTrail uses minimal cookies:

  • Essential cookies: session management, authentication (required, cannot be disabled)
  • Analytics: we use Plausible Analytics which is cookie-free and GDPR-compliant
  • We do not use advertising cookies or third-party tracking cookies

  • Supabase (database and authentication): supabase.com/privacy
  • LemonSqueezy (payment processing): lemonsqueezy.com/privacy
  • Resend (email delivery): resend.com/privacy
  • Vercel (hosting): vercel.com/legal/privacy-policy
  • Plausible Analytics (website analytics): plausible.io/privacy

Your data may be processed outside your country of residence. We ensure appropriate safeguards are in place (Standard Contractual Clauses for transfers outside the EEA).

PassportTrail accounts are intended for users aged 16 and over. We do not knowingly collect personal data directly from children under 16. However, account holders may add minor dependants (sons, daughters, stepsons, stepdaughters, or wards) as family member profiles under their own account for family travel record keeping. In this case the account holder (parent or guardian) is responsible for the accuracy of data entered on behalf of their minor dependant and consents to its processing on the minor dependant's behalf.

We will notify registered users by email of material changes.
Last updated: 4 June 2026

Contact Us