Resid10y

Privacy Policy

Last updated: April 27, 2026

1. Who We Are

Residay is operated by Ammar Sammour as a non-commercial personal project, based in the United Kingdom. For the purposes of the UK GDPR and the Data Protection Act 2018, Ammar Sammour is the data controller for personal data processed through this service. The service is currently a free closed beta — no fees are charged and no revenue is earned. We are reviewing whether registration with the Information Commissioner's Office (ICO) is required for our processing activities; once confirmed, our registration number (or documented basis for exemption) will appear here. You can reach us at privacy@residay.app for any privacy-related question, correction request, complaint, or to exercise your rights under the UK GDPR.

2. What We Collect

When you use Residay, we collect the following personal data:

  • Account information: Name and email address (provided via your authentication provider)
  • Travel history: Trip departure/return dates, countries visited, and travel purpose
  • Visa profile data: Visa type, qualifying period start date, and compliance calculations
  • AI chat conversations: Messages you send to our travel assistant
  • Device & diagnostic data: Device platform for push notifications, anonymised error traces, and technical logs needed to operate the service
  • Audit log entries: Security-relevant events such as account deletion and grant redemptions, together with IP address and a short metadata record

3. Sensitive Data

Your travel history combined with travel purpose (including a "medical" category) can reveal information that is close to — or falls within — the special categories of personal data defined in UK GDPR Article 9. We process this data on the basis of your explicit consent under Article 9(2)(a), which you provide by choosing to enter this information into a tool specifically designed for immigration-compliance tracking. You can withdraw this consent at any time by deleting the relevant entries from your account or deleting your account entirely.

4. How We Use Your Data

We use your data to provide visa compliance tracking, calculate absence days, generate compliance reports, and deliver AI-powered features including the travel assistant and document scanner. Our lawful basis for processing your data while you hold an active beta account is your consent (UK GDPR Article 6(1)(a)). For essential operational records (account creation, account deletion, security audit entries), we rely on our legitimate interests (Article 6(1)(f)). For special- category data, see Section 3 above.

5. Third-Party Processors

We share your data with the following processors to provide our services. Each processor is bound by a data-processing agreement (DPA) and may only process your data on our documented instructions.

  • Clerk — Authentication and account management (US)
  • Anthropic (Claude API) — AI chat, document scanning, and rule monitoring (US). Your trip data and uploaded documents are sent to Anthropic for processing. Anthropic does not use API data to train models.
  • Cloudflare R2 — Storage of exported PDF reports, encrypted at rest, auto-expiring after 7 days (global, primarily US/EU data centres)
  • Railway — Application and database hosting (PostgreSQL encrypted at rest and in transit)
  • Upstash — Redis cache and BullMQ job queue used for transient processing (for example, while a PDF export job is running). No long-term personal data is stored in this layer.
  • Resend — Transactional email delivery (US)
  • Sentry — Error monitoring and performance tracing (US). Receives stack traces and request context when an error occurs; sampled at 10% for performance traces in production. May incidentally process personal data embedded in error details.
  • PostHog — Product analytics (US). In the browser, analytics are loaded only after you accept analytics cookies. Our backend additionally records essential operational events (account creation, subscription changes, grant redemptions) on the basis of legitimate interest; once you accept analytics cookies, we also record aggregated product-usage events against your account.

6. AI Features & Data Processing

Our AI features send your trip data and compliance information to Anthropic's Claude API for processing. When you use the document scanner, uploaded images are sent to Claude for trip extraction and are not permanently stored by Residay. AI chat conversation history is stored in our database until you clear it. Anthropic's API data retention policy ensures that data sent via the API is not used for model training. AI responses may contain inaccuracies and are not a substitute for advice from a qualified immigration adviser.

7. Data Retention

  • Account data: Retained while your account is active; deleted within 30 days of account deletion
  • Trip & visa profile data: Retained with your account; deleted alongside it
  • AI chat history: Retained for up to 12 months from creation, or until you clear it via the chat interface (whichever is sooner)
  • AI usage logs (model, tokens, cost): Retained for up to 24 months for billing reconciliation and cost analysis
  • Audit log entries: Retained for 12 months from the date of the event, after which they are deleted by an automated retention job
  • Exported reports: PDF exports auto-expire and are deleted after 7 days; CSV and Excel exports are streamed directly to you and not stored on our servers
  • Scanned documents: Processed in memory and not permanently stored
  • Database backups: Encrypted point-in-time backups are retained for up to 35 days on a rolling schedule. When you delete your account, your data is removed from the live database immediately, and purged from backup rotation within that window.

8. International Data Transfers

Most of our processors are based in the United States. When personal data is transferred from the UK to the US or other countries outside the UK, we rely on the following transfer mechanisms under UK GDPR Articles 44–49:

  • UK Extension to the EU-US Data Privacy Framework for processors that are certified under the DPF (including Clerk, Anthropic, Sentry, and Resend at the time of writing)
  • Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum, as incorporated into each processor's data-processing agreement, for any processor that is not DPF-certified

A current list of certifications can be checked via the Data Privacy Framework public list. We review transfer mechanisms periodically and will update this policy if they change.

9. Automated Decision-Making

Residay's calculators apply deterministic day-counting rules to the trips you enter and report the results (for example, "within limit" or "over limit"). These outputs are decision-support information, not automated decisions within the meaning of UK GDPR Article 22. Residay does not make immigration decisions about you — those are made by the relevant government authority (for example, the Home Office or a Schengen member state). You are responsible for verifying any result with a qualified immigration adviser before acting on it.

10. Your Rights

Under the UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access your personal data. A full machine-readable export is available from the Data & Privacy section of your account settings.
  • Export your visa compliance data in CSV, Excel, or PDF format
  • Delete your account and all associated personal data from your account settings
  • Rectify inaccurate data by editing your trips and profile directly
  • Restrict our processing of your data in specific circumstances (for example while a rectification request is outstanding) — contact us to exercise this right
  • Object to analytics processing by declining cookies and, where applicable, withdraw consent to analytics at any time
  • Lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data properly. Details are at ico.org.uk/make-a-complaint.

11. Cookies

We use essential cookies for authentication (Clerk) and optional analytics cookies (PostHog) only with your consent. See our Cookie Policy for details.

12. Security

Your data is encrypted in transit (TLS) and at rest (database and file storage). We use row-level security to ensure users can only access their own data. Authentication is handled by Clerk with industry-standard token verification.

13. Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it where statutorily required. If the breach is likely to result in a high risk to you personally, we will notify you directly without undue delay.

14. Children's Data

Residay is not directed at children. Our Terms of Service require users to be at least 16 years old, and we do not knowingly collect personal data from children under that age. If you believe a child has provided us with their personal data, please contact us at privacy@residay.app and we will delete it without undue delay.

15. Notice to California Residents

This section applies if you are a California resident and supplements the rest of this policy. Under the California Consumer Privacy Act (CCPA), as amended by the CPRA, you have the following rights in respect of the personal information we process about you:

  • Right to know what personal information we collect, use, disclose, and for what purpose — all disclosed in sections 2–6 above.
  • Right to delete your personal information — exercisable from your account settings or by contacting us.
  • Right to correct inaccurate personal information — you can edit trips and profile data directly, or ask us to correct account-level fields.
  • Right to data portability — available via the "Download all my data" action in your settings.
  • Right to opt out of "sale" or "sharing" of personal information. Residay does not sell your personal information and does not share it for cross-context behavioural advertising. We honour Global Privacy Control (GPC) signals.
  • Right to limit use of sensitive personal information — travel purpose entries (including medical) are used only to provide the service to you; we do not infer characteristics from them for marketing.
  • Right to non-discrimination — we will not deny service, charge different prices, or lower service quality because you exercised any of the rights above.

To exercise any of these rights, contact us at privacy@residay.app. We will verify your request by asking you to confirm ownership of the email address associated with your account. You may also authorise an agent to act on your behalf by providing written authorisation.

16. Contact

For privacy-related requests or questions, contact us at privacy@residay.app.