Privacy Policy

This Privacy Policy explains how Complyora (“we”, “us”, “our”) collects, uses, discloses, and protects your personal information when you use the website at complyora.com and the services offered there, including the U.S. and U.K. visa-photo tools (collectively, the “Services”).

“Personal information” means information about an identifiable individual, as defined in section 2(1) of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), referred to in this policy as PIPEDA.

Our handling of personal information is governed by PIPEDA. Under section 5(1) of PIPEDA, we are required to comply with the ten fair information principles set out in Schedule 1 of the Act. We collect and use your personal information on the basis of (a) the contract you enter with us when you purchase a photo, (b) compliance with our legal obligations, (c) our legitimate interests in providing and improving the Services in a way that does not override your rights, and (d) where applicable, your express consent.

Complyora is an independent photo compliance tool and is not affiliated with the U.S. Department of State, His Majesty’s Passport Office, or any government agency.

For any questions about this policy, your personal information, how the Services work, or to make a privacy request, please email us at [email protected].

We may need to verify your identity before responding to a request about your personal information, for your protection and ours.

We collect only what we need to deliver the Services:

• The photo you upload for processing, and the processed copies we produce from it.
• Your email address — for your receipt, the link to download your finished photo, and support replies.
• Payment information — your payment is processed by a third party. We receive a payment reference, the amount, the date, and the card-issuing country, but we never see or store your card number, expiry date, or CVV.
• Billing address and tax information — when tax applies, the billing address you provide at checkout (country, province or state, city, postal code, street) and the tax amount calculated, so we can meet Canadian and other applicable tax obligations.
• Technical information — your IP address, browser and device type, and basic activity within the Services (for example, that you started a checkout). This information helps us secure the Services and improve them.
• Compliance-check measurements — when our tool analyses your photo it derives non-identifying measurements (such as face position, blur level, lighting, and background uniformity). These measurements are stored alongside your job and deleted on the same schedule as the photo itself.
• Pre-payment acknowledgements — when our tool warns you that something in your photo might fail the compliance check and you proceed anyway, we record the warning shown, your acknowledgement, the time, your IP address, and your browser identifier. This record is used only to defend against payment disputes and chargebacks.
• Information from third parties — the third party that handles your payment gives us payment confirmation, the part of your card we are permitted to see (such as the card-issuing country and the last four digits on dispute records), and similar transaction metadata.

We do not collect a user account, password, identity document, date of birth, government identifier, biometric template, or any sensitive category of information beyond the photograph itself.

We collect and use your personal information only for the purposes identified to you here, as required by Schedule 1, Principle 2 of PIPEDA. Those purposes are:

• To deliver the Services — processing your photo, taking payment, sending you the result by email, and responding to support requests.
• To meet legal obligations — for example, retaining invoice and tax records as required by the Income Tax Act (R.S.C. 1985, c. 1 (5th Supp.)), section 230(4), which obliges us to keep tax-relevant books and records for six years after the end of the last taxation year to which they relate.
• To pursue or defend against claims — including payment disputes, chargebacks, fraud investigations, and consumer complaints.
• To secure and improve the Services — including measuring how the Services are used, detecting abuse, and preventing fraud.

We do not send marketing email. We do not collect the consent that Canada’s Anti-Spam Legislation (S.C. 2010, c. 23), section 6(1), would require to do so. The only emails you will receive are transactional (your photo is ready, your payment was not captured, a reply to a support request you sent).

The principal retention period is 180 days. We chose this period because card-network dispute and chargeback rules (notably Visa and Mastercard) allow a cardholder to challenge a transaction for roughly 120 days after the purchase, and we need the underlying photo and order record on file to respond to such a challenge. After 180 days the dispute window has closed and we no longer need the data to defend a refund or chargeback claim.

How long we keep what:

• Uploaded photo and processed photo: automatically deleted within 180 days.
• Order metadata in our system (email, billing address, tax amount, payment reference, acknowledgement evidence): also deleted within 180 days.
• Tax and invoice records retained by us as required by the Income Tax Act: 6 years.
• Payment records held by third parties: retained by them in accordance with their own privacy policies, which are independent of this one.
• Email delivery information (including bounce and complaint records used to suppress future sending): retained by a third party for as long as needed to operate that suppression list.

Once a retention period ends, we delete the information or irreversibly anonymise it, in line with Schedule 1, Principle 5 of PIPEDA (Limiting Use, Disclosure, and Retention).

We do not sell your personal information, and we do not share it with advertisers or data brokers.

We share personal information with a small number of third parties that help us operate the Services. Each third party is bound by a contract to use your information only for the purposes for which we provide it, in line with Schedule 1, clause 4.1.3 of PIPEDA (Principle 1 — Accountability for information transferred to a third party for processing).

For operational-security reasons we do not publish vendor names or a breakdown of which personal information goes to which third party. You can request that information by contacting us at the email address in the Contact section, and we will respond.

Transfers outside Canada. Some third parties may process your personal information on servers located in the United States or elsewhere. Where personal information is transferred outside Canada, it may be subject to the laws of those countries, including lawful access by foreign authorities. We rely on contractual safeguards with each third party to require a comparable level of protection, consistent with Schedule 1, clause 4.1.3 of PIPEDA.

We may also disclose your personal information to a Canadian public authority where we are required to do so by law (for example, in response to a court order or a lawful demand from a regulator).

Under PIPEDA you have the following rights. To exercise any of them, contact us at [email protected]. For access requests we will respond within 30 days, as required by section 8(3) of PIPEDA. For other requests we will respond as soon as reasonably practicable.

• Access — request a copy of the personal information we hold about you (Schedule 1, Principle 9).
• Correction — ask us to correct personal information you believe is inaccurate or incomplete (Schedule 1, Principle 6).
• Withdraw consent — withdraw any consent you have given for an optional use of your information, subject to legal or contractual restrictions and reasonable notice (Schedule 1, Principle 3). Note that withdrawing consent to a use that is necessary to provide the Services may mean we can no longer deliver them.
• Challenge our handling of your information — raise a complaint with us directly (Schedule 1, Principle 10). If we cannot resolve your concern, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC): see priv.gc.ca.

Early deletion. Although PIPEDA does not grant a freestanding right to erasure, our retention practice (Schedule 1, Principle 5 — Limiting Retention) is to delete the photo and the order record within 180 days regardless. If you would like the data associated with your order deleted sooner, email us and we will action it.

Please be aware that requesting early deletion forecloses your ability to claim a refund or to dispute the charge afterwards. We rely on the photo, the order metadata, and the warning-acknowledgement record to investigate refund claims and to respond to card-network disputes; once that material is deleted at your request, we have no way to verify what we delivered and cannot process a related refund or rebut a chargeback. If you may want to claim a refund, wait until your situation is resolved before requesting deletion.

The Services are intended for adults. We do not knowingly collect personal information from children under 13 years of age. If you believe a child has used the Services and that we hold their personal information, please contact us and we will delete it.

We use a small number of cookies and similar technologies (such as local storage), grouped into two categories:

• Necessary — required for the Services to work, for example to remember which step of the upload flow you are on and to protect against bots. These cannot be disabled because the Services do not function without them.
• Analytics — count usage anonymously, keyed by a random job identifier rather than your email. They help us understand which parts of the flow are working well and which are confusing. They are not used for advertising or for tracking you across other websites.

We do not use advertising cookies, retargeting pixels, or cross-site trackers. We do not share data with advertising networks. If you would like to disable analytics cookies, you can do so through your browser settings.

We apply security safeguards appropriate to the sensitivity of the information, as required by Schedule 1, Principle 7 of PIPEDA. These include private cloud storage with access restricted to specific server processes, encryption in transit, short-lived signed URLs for file uploads and downloads, and automatic deletion of the photo and job data after 180 days.

Complyora may update this Privacy Policy from time to time. The “Last updated” date at the top of the page reflects the most recent change. Material changes will be highlighted on the Services. Your continued use of the Services after a change takes effect means you accept the updated policy.

By using the Services you accept this Privacy Policy. If you do not agree, please do not use the Services.

Operator: Complyora — an independent photo compliance tool, not affiliated with the U.S. Department of State, His Majesty’s Passport Office, or any government agency.