GDPR & Data Protection

Last updated: 8 June 2026

For users in the EU, EEA and UK. This notice supplements our Privacy Policy. It explains the lawful bases we rely on, your rights, international transfers, and paxID's encrypted-vault design.

1. Controller and representatives

The controller of your personal data is paxID LLC, Delaware, USA. Contact: privacy@paxid.com.

Before launching to users in the EU/EEA or UK where Article 27 representative rules apply, paxID will appoint and publish the contact details of the required EU/EEA and/or UK representative. This page is a pre-launch notice and must be completed with those details before launch in those markets.

2. Privacy by design — the vault

paxID separates protected vault data from app data. Vault data is encrypted on your device and backed up to paxID only as encrypted data we cannot read. This includes surnames, passport and identity-document numbers, issue dates, addresses, phone numbers, additional emails, saved card details and similar protected details. Outside the vault, paxID stores only the data needed to operate the account, check travel requirements, support trips, provide bookings and eSIM services, process payments, and meet legal obligations.

3. Lawful bases

Contract: account creation, authentication, encrypted vault sync, trip planning, entry-requirement checks, bookings, eSIM services, payment processing, support and service messages.
Legitimate interests: security, fraud prevention, debugging, service improvement, abuse prevention, basic analytics, dispute handling, and protecting paxID, users and partners.
Consent: optional marketing, waitlist communications where required, optional document scanning where consent is the chosen basis, optional analytics where required, and other optional processing clearly presented in the app.
Legal obligation: tax, accounting, sanctions screening, consumer-protection duties, payment disputes, regulatory requests and legally required records.
Vital or public-interest grounds: only if an emergency or law requires processing for that purpose.

4. Special category and sensitive-context data

paxID is a travel-readiness product and may process identity documents, nationality, country of birth, date of birth, travel routes, family travel details and documents you upload or forward. Some of this may be sensitive by context even when it is not a special category under the GDPR. We minimise readable storage, keep protected fields in the encrypted vault where practical, and run higher-risk processing such as document scanning only when you choose to use it.

5. Your rights

Subject to legal limits, you may have the right to access, rectify, erase, restrict, port and object to processing of your personal data. You may withdraw consent where processing is based on consent. You also have the right to object to processing based on legitimate interests. Many vault corrections and deletions happen directly on your device because paxID cannot read the vault. For account, trip, upload, forward, eSIM, payment-reference or support data, contact privacy@paxid.com. We respond within the statutory time limits.

6. Required data

Some data is required to provide the service. For example, we need your email to create an account, limited travel and document metadata to check requirements, trip details to prepare readiness results, and payment data to complete purchases. If you do not provide required data, some features may not work. Optional features, such as document scanning or marketing emails, can be skipped.

7. International transfers

paxID is operated from the United States and may use providers in other countries. We do not have to store EU/EEA or UK user data only in Europe, but transfers outside the EU/EEA or UK require safeguards. Depending on the transfer, paxID relies on adequacy decisions, EU Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, processor agreements, transfer risk assessments, and technical safeguards. Encrypted vault backups are transferred only in encrypted form, but remain personal data.

8. Processors and recipients

We use processors and recipients for hosting, storage, databases, payment processing, fraud prevention, eSIM connectivity, travel booking infrastructure, document OCR, AI-assisted parsing, email, support, monitoring and push notifications. We require processors to protect personal data, use it only for agreed purposes, and support deletion, security and transfer obligations where applicable. Final launch notices may identify key processors by name once the launch vendor set is locked.

9. Retention and deletion

We keep data only for as long as needed for the service, legal duties, disputes, security and accounting. You can delete vault items, trips, uploaded documents and your account in the app. Account deletion deletes or anonymises account data and removes encrypted vault backups, subject to records we must retain for legal, tax, fraud, payment, dispute or security reasons.

10. Automated decisions

Entry-requirement and readiness results are generated by applying data sources and rules to trip and document details you provide. paxID does not make solely automated decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22. Border, immigration, airline and payment decisions are made by the relevant authority, airline, supplier or payment provider, not by paxID.

11. Complaints

Please contact us first at privacy@paxid.com. You also have the right to complain to your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office. In the EU/EEA, this is usually the authority in the country where you live, work, or where the issue occurred.