EU GDPR Compliant

GDPR Compliance

Our commitment to protecting your data rights under the General Data Protection Regulation

Last updated: March 1, 2026

Your Data Rights Under GDPR

Right to Access

You can request a copy of all personal data we hold about you. We will provide this within 30 days.

Right to Rectification

You can request correction of any inaccurate or incomplete personal data we hold about you.

Right to Erasure

You can request deletion of your personal data, subject to legal retention requirements.

Right to Restriction

You can request that we limit how we use your data in certain circumstances.

Right to Portability

You can receive your data in a structured, machine-readable format for transfer to another service.

Right to Object

You can object to processing of your data for direct marketing or legitimate interest purposes.

About GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to organizations that process personal data of individuals in the European Union (EU) and European Economic Area (EEA), regardless of where the organization is located.

Migration Desks is committed to GDPR compliance and respecting the data privacy rights of all our users, including those in the EU/EEA.

Legal Basis for Processing

Under GDPR, we must have a valid legal basis for processing your personal data. We rely on the following legal bases:

  • Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing the Service, managing your account)
  • Legitimate Interests: Processing necessary for our legitimate business interests, balanced against your rights (e.g., improving our Service, fraud prevention)
  • Legal Obligation: Processing necessary to comply with legal requirements (e.g., record-keeping, reporting to authorities)
  • Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications)

Data Controller Information

For GDPR purposes, Migration Desks acts as the data controller for personal data processed through the Service. Our contact details are:

  • Company: Migration Desks
  • Address: 14 McKay Rd, Rowville VIC 3178, Australia
  • Data Protection Officer: info@migrationdesks.com

Data Processing Activities

We process personal data for the following purposes:

Account Management

  • Creating and managing user accounts
  • Authentication and access control
  • Billing and subscription management

Service Delivery

  • Managing visa applications and client records
  • Document storage and verification
  • Communication between agents and clients
  • Appointment scheduling and reminders

Service Improvement

  • Analyzing usage patterns to improve features
  • Technical support and troubleshooting
  • Security monitoring and fraud prevention

International Data Transfers

Your data may be transferred to and processed in countries outside the EU/EEA, including Australia and the United States. When transferring data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms with data processors
  • Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
  • Binding Corporate Rules: Where applicable, approved internal data protection policies

Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy or as required by law. Retention periods include:

  • Active accounts: Data retained while your account is active
  • Closed accounts: Account data deleted within 90 days, subject to legal requirements
  • Visa application records: Retained for 7 years per regulatory requirements
  • Financial records: Retained for 7 years per tax and accounting laws
  • Marketing data: Retained until you withdraw consent or opt out

Data Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • 256-bit AES encryption at rest
  • TLS 1.3 encryption in transit
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response and breach notification procedures

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay if there is a high risk
  • Document all breaches and remediation actions taken

Exercising Your Rights

To exercise any of your GDPR rights, you can:

  • Contact our Data Protection Officer at info@migrationdesks.com
  • Use the data management tools in your account settings
  • Submit a formal request through our support portal

We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, notifying you of the extension.

Complaints

If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. For EU residents, this is typically the data protection authority in your country of residence.

We encourage you to contact us first so we can address your concerns directly.

Sub-Processors

We use the following sub-processors to help deliver our Service:

Sub-Processor | Purpose | Location
Amazon Web Services | Cloud hosting and infrastructure | Australia, USA
Stripe | Payment processing | USA
SendGrid | Email delivery | USA
Twilio | SMS notifications | USA

Updates to This Policy

We may update this GDPR Compliance page to reflect changes in our practices or legal requirements. Material changes will be communicated to you via email or through the Service.

Contact Us

For any questions about GDPR compliance or to exercise your rights: