This notice explains how Schengen Visa Ltd (trading as Schengen Travel) collects, uses, stores and protects your personal data when you use this website or our visa, passport, legalisation and corporate services. It is written to comply with the UK GDPR and the Data Protection Act 2018.
Who we are
Schengen Travel is the trading name of Schengen Visa Ltd (Co. No. 13673211), a UK limited company registered in England & Wales. We are the data controller for personal data submitted via this website.
- Registered office: Salisbury House, 29 Finsbury Circus, London EC2M 5SQ
- ICO registration number: ZB308941
- Regulated immigration advice: Schengen Visa Ltd provides visa application support. Regulated UK immigration advice is provided by our associated firm, Kaya Legal Consultancy Ltd, registered with the Immigration Advice Authority (IAA ref F202100331)
- Privacy queries: [email protected]
- Phone: +44 20 3084 5533
We process personal data subject to the UK GDPR (Regulation (EU) 2016/679 as retained by section 3 of the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018.
Personal data we collect
| Category | Examples |
|---|---|
| Identity | Name, title, date of birth, nationality, passport number, immigration and travel history |
| Contact | Email, postal address, phone numbers |
| Financial | Billing address, payment method details (processed by Stripe; we do not store full card numbers) |
| Documents | Scans of passports, BRPs, bank statements, employer letters, education certificates |
| Special category — medical | TB clearance and other medical evidence required by specific consulates |
| Special category — biometric | Passport photographs and other biometric data required by specific consulates |
| Technical | IP address, device and browser metadata, language preference |
Lawful basis
| Activity | UK GDPR Art. 6 | UK GDPR Art. 9 (special category) |
|---|---|---|
| Visa application support (contract) | 6(1)(b) performance of a contract | n/a |
| Document pre-check including medical / biometric | 6(1)(b) | 9(2)(a) explicit consent (captured at upload time) |
| Marketing emails | 6(1)(a) consent | n/a |
| Fraud prevention, security, complaints | 6(1)(f) legitimate interests | n/a |
| Legal/regulatory obligations (AML, tax) | 6(1)(c) legal obligation | as required |
We do not rely on Art. 6(1)(e) “public interest” — that lawful basis is for public authorities, not a private consultancy.
How we collect data
We collect data directly from you when you contact us, complete a form, upload documents, or pay via Stripe Checkout. We also collect some data automatically (server logs and Cloudflare Web Analytics, which is cookieless; see our Cookie Policy). For corporate and group bookings, we may also receive personal data about travelling employees from your employer or sponsor, who is responsible for ensuring it is shared with us lawfully.
How we use your data
- Process your visa, passport, legalisation or corporate enquiry
- Pre-check uploaded documents against consulate checklists
- Send transactional emails (receipts, document-ready notifications) via Resend
- Take payment via Stripe
- Comply with legal obligations (AML, tax)
- Defend or pursue legal claims
Who we share it with
- Consulate / visa application centre receiving your application (you instruct this)
- Stripe — payments processor (USA / UK, GDPR DPA in place)
- Resend — transactional email
- Cloudflare — web hosting, edge caching, WAF, R2 storage (UK / EU region)
- Cloudflare Turnstile — bot/abuse protection on our forms; processes your IP address and interaction signals at the moment of form submission to confirm you are human (no tracking cookies)
- Cloudflare Web Analytics — privacy-first, cookieless aggregate site statistics (page views, performance); no cross-site tracking and no personal profiles
- Bluehost — origin static hosting
- Kaya Legal Consultancy Ltd — our associated IAA-regulated firm (IAA ref F202100331), where your matter requires regulated UK immigration advice
- Our advisers and named staff — role-based access only
We never sell your data to third parties.
International transfers
Where data leaves the UK / EEA, transfers rely on UK adequacy regulations (for EU/EEA) or Standard Contractual Clauses combined with the UK International Data Transfer Addendum (for other destinations).
How long we keep it
| Data | Retention | Reason |
|---|---|---|
| Uploaded documents (Document Pre-Check) | Up to 30 days after review | Auto-deleted by storage lifecycle once the service is live |
| Case file (correspondence, application copies) | 6 years after closure | Complaint trail, professional indemnity |
| Financial records | 6 years | UK tax law |
| Marketing list | Until you unsubscribe | UK GDPR consent |
| Server logs | 24 hours | Operational |
| Transactional email logs (Resend) | 90 days | Delivery audit; supports our erasure runbook |
| Cloudflare analytics | 6 months (aggregated, no personal data) | Operational |
Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erasure (“right to be forgotten”) — subject to our legal retention duties
- Restrict processing
- Object to processing (including direct marketing)
- Portability of data you provided
- Withdraw consent at any time where we rely on consent
- Lodge a complaint with the ICO (ico.org.uk/concerns / 0303 123 1113)
To exercise any of these, email [email protected]. We may ask you to verify your identity before we action a request, so that we do not disclose personal data to the wrong person. We respond within one month as required by Art. 12(3).
Security
We apply technical and organisational measures appropriate to the risk, in line with UK GDPR Art. 32, including:
- Encryption in transit (TLS) and at rest (AES-256), with managed encryption-key storage
- Role-based access control on a least-privilege basis, with multi-factor authentication on administrative accounts
- Audit logging of access to stored documents
- Regular security reviews and testing
For documents you upload through our Document Pre-Check service (currently being finalised ahead of launch), the following additional controls apply once it is live: a two-stage “quarantine then clean” storage model, malware scanning and re-rendering of each file before any adviser opens it, and stripping of metadata such as EXIF location data from images.
No method of transmission over the internet, or of electronic storage, is completely secure; while we use appropriate measures to protect your data, we cannot guarantee its absolute security.
Automated decisions
We do not make decisions about you based solely on automated processing that produce legal effects or similarly significantly affect you. Visa, passport and document assessments are always carried out by a named human adviser.
Cookies
We do not set non-essential cookies. See our Cookie Policy for full detail.
Children
Our services are intended for adults. Visa applications for minors are submitted by a parent or legal guardian on the child’s behalf; we process the child’s data only on that lawful basis.
Changes
We may update this policy. The current version is timestamped above. Material changes will be flagged on the home page for 28 days.
