Privacy policy

Last Updated: June 8, 2025

1.  Who We Are

Welcome to Migroot Ltda (“Company”, “Migroot”, “we”, “our”, or “us”). We operate the Migroot web application (the “Service”), which helps individuals collect, manage and submit immigration‑related documents. For all processing described below, Migroot acts as the Data Controller. Questions can be sent to support@migroot.io

2. Scope of this Policy

This Policy explains how we collect, use, disclose and protect personal data when you:

  • create or use a Migroot account;
  • upload or otherwise provide documents to the Service;
  • interact with our support team (“Buddies” and “Supervisors”);
  • receive our e‑mails, browser notifications or other communications.

It also describes your rights under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Spanish LOPDGDD 3/2018.

3.  Personal Data We Process

| Category | Typical examples | Legal basis | Retention |

|----------|------------------|--------------|-----------|

| Identity & contact | Full name, e‑mail, phone, postal address, Outseta UID | Art. 6 (1)(b) – contract | Account lifetime + 12 mo backup |

| Sensitive documents | Passport scans (photo + MRZ), IDs, visas, birth/marriage certificates, criminal‑record certificates, bank statements, proofs of entrepreneurship/employment | Art. 6 (1)(b) and Art. 9 (2)(a) – explicit consent | Until immigration case closes + 18 mo archive |

| Usage data | Login timestamps, IP, device, event logs | Art. 6 (1)(f) – legitimate interest (security & analytics) | 12 mo |

| Billing | Payment tokens, subscription plan (via Outseta) | Art. 6 (1)(b), tax law | 6–10 yrs |

\“Legal basis” refers to the GDPR article that permits the processing.

4.  Why We Use Your Data

  • Deliver the contracted immigration services.  
  • Verify identity and comply with anti‑fraud/AML obligations.  
  • Communicate application status, reminders and support messages.  
  • Improve and secure the Service (debugging, analytics, preventing abuse).  
  • Comply with legal obligations (tax, accounting, lawful government requests).

5.  Sharing & Recipients

We share personal data only when necessary for the purposes above:

  • Government authorities & consulates – to file immigration paperwork or when lawfully required.
  • Translation / legal partners – vetted processors under GDPR art. 28 contracts.
  • Cloud service providers – Google Ireland Ltd. (Google Drive & Google Cloud) and Outseta Inc. (CRM & authentication). Each holds a signed Data Processing Agreement (DPA) with Migroot and stores data exclusively in the EEA unless otherwise noted.
  • Internal staff – Buddies, Supervisors and Admins assigned to your case, subject to role‑based access control and contractual confidentiality obligations (including NDAs where required).

We never sell personal data and we do not permit third‑party advertising in the Service.

6. International Transfers

Where our processors replicate data outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards. Copies of relevant transfer mechanisms are available on request.

7.  Data Security

We implement appropriate technical and organisational measures (TOMs), including:

  • End‑to‑end TLS encryption in transit.
  • AES‑256 encryption at rest provided by Google Drive / Google Cloud by default.
  • Per‑file access controls (Google Drive permissions) and least‑privilege role‑based access in our backend.
  • Quarterly penetration tests and an annual Data Protection Impact Assessment (DPIA) review.
  • Continuous security logging and an incident‑response plan; if a personal‑data breach occurs, we will notify the competent supervisory authority within 72 hours (GDPR arts. 33–34) and affected users without undue delay when required.

8  Data Retention & Deletion

  • Open case – data is kept until your immigration process is completed or you request deletion.  
  • Closed case – archives are purged after 18 months unless longer retention is required by law.  
  • Back‑ups – encrypted backups are overwritten after 60 days.  

You can delete documents individually or close your account entirely via support@migroot.io.

9  Your Rights

You have the right to:

  • Access your personal data (Art. 15).  
  • Rectify inaccurate or incomplete data (Art. 16).  
  • Erase data (“right to be forgotten”, Art. 17).  
  • Restrict or object to processing (Arts. 18–21).  
  • Receive data in portable form (Art. 20).  
  • Withdraw consent at any time (Art. 7(3)).  

Contact support@migroot.io or use in‑app controls; we will respond within one month. You may also complain to the Spanish Data Protection Agency (AEPD) or your local authority.

10.  Children’s Data

The Service is designed for adults, but we may process minors’ personal data (e.g. passports, birth certificates) when they migrate together with their parent or legal guardian who uses Migroot. By uploading such documents, the parent/guardian confirms that they have the legal right to provide the data and act on the child’s behalf.

11.  Changes to This Policy

We may update this Policy to reflect legal or operational changes. We will notify users by e‑mail or in‑app banner at least 15 days before changes take effect. The revision date at the top will be updated.

12.  Contact

Questions about this policy? Concerns? Just want to chat? Contact us at:

Address: R. Vitória Régia, 250 - Paiva, Cabo de Santo Agostinho - PE, 54522-170
Email: support@migroot.io
Phone: +55 (81) 99756-8593

Remember, we're here to help, not to hide behind legal jargon. We believe in being transparent, just like our office windows (which we really should clean more often).

Create free accountLogin
Resources
BlogTax Agreement
Checker
Find us
ProductHuntLinkedInFacebookInstagramX
For users
SupportTerms of servicePrivacy policyCookie policy
© Copyright 2024. All Rights Reserved.