Privacy Policy

May 2026

Visa Run Inc. (DBA “Sherpa”)

Sherpa respects your privacy and is committed to protecting your personal data. This Policy will inform you as to how we look after your personal data when you visit our websites or use any of our services (regardless of where you visit our websites from or where you access and use our services) and tell you about your privacy rights and how the law protects you.

This Policy is provided in a layered format so you can navigate to the specific areas set out below. Please contact us if you require a large-print copy of this Policy, need assistance in understanding your rights under this Policy, or would like any of the information set out in this Policy provided to you or explained orally.

Contents

  1. Important Information; Who We Are; Our Services
  2. How Is Your Personal Data Collected?
  3. How We Collect and Use Your Personal Data
  4. AI-Powered Chatbot and Automated Systems
  5. Monitoring, Analytics, and Service Improvement
  6. Data Sharing
  7. Transfers to Government Organizations
  8. Data Security
  9. Data Retention
  10. Your Legal Rights
  11. Automated Decision-Making and Profiling
  12. Biometric Data and Non-Discrimination
  13. If You Are Located in the United Kingdom or Europe
  14. EU AI Act Compliance
  15. If You Are Located in Canada
  16. If You Are Located in California
  17. Additional Jurisdictions
  18. Glossary
  19. How to Contact Us

1. IMPORTANT INFORMATION; WHO WE ARE; OUR SERVICES

Purpose of This Policy

This Policy aims to provide you with information on how Sherpa collects and processes your personal data through your use of our website, including any data you provide through our websites when you purchase or use any services we provide. For the purposes of this Policy, references to our “websites” also include our plug-ins, applications, and AI-powered tools, which are used or accessed on third-party websites to receive our services.

It is important that you read this Policy together with any other privacy policy we provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This Policy supplements other notices and privacy policies and is not intended to override them.

You Must Be a Legal Adult to Purchase Our Services

Our websites and services are not intended for use by children or by anyone under the legal age of consent in the location where you access our websites or use our services (each, a “Minor”). We will only knowingly collect data relating to Minors if that data is provided to us by a legal adult making a purchase, and only if that data is required for us to facilitate an application for a visa or travel authorization in the name of that Minor submitted by you.

Who Is Responsible for This Privacy Policy

Visa Run Inc. (DBA Sherpa) is a Canadian company with its principal place of business at 489 - 340 King Street East, Toronto, Ontario, Canada M5A 1K8 and is the controller under applicable privacy laws responsible for the processing of your personal data described in this Privacy Policy.

Sherpa may operate through affiliated entities in the United States and the Netherlands. Where such affiliated entities process personal data, they do so on behalf of the Canadian organization and in accordance with this Privacy Policy.

Depending on the specific service provided, Sherpa may act either as a data controller or a data processor. Where Sherpa acts as a processor on behalf of a partner or customer, processing will be governed by the applicable data processing agreement.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Policy. Our DPO can be contacted at dpo@joinsherpa.com.

For users located in the European Economic Area, we have appointed Datahub Consulting as our EU representative pursuant to Article 27 of the GDPR. For users located in the United Kingdom, our UK representative is Datahub Consulting Ltd. Their contact details are set out further below in this Policy.

When You Access the Sherpa Tools Through a Partner

Sherpa makes its visa application processing tools, AI-powered chatbot, and document preparation tools (collectively, the “Sherpa Tools”) available to you in two ways: directly through joinsherpa.com and through authorized partners (each, a “Partner”) on the Partner’s own websites or applications. If you accessed the Sherpa Tools through a Partner, this Section 1.5 explains how this Policy applies.

Independent controllers

Sherpa and the Partner act as independent data controllers for the personal data each party processes for its own purposes. Sherpa is the controller of personal data relating to the operation of the Sherpa Tools, your visa application, and submission to government authorities. The Partner is the controller of personal data relating to your account on the Partner’s platform, your payment, and the Partner’s commercial relationship with you. The Partner has its own privacy policy that you should read in addition to this Policy.

What we do not collect when you use a Partner

When you access the Sherpa Tools through a Partner, Sherpa does not collect or process your payment card details. Payment is handled exclusively by the Partner and the Partner’s payment processors. Sherpa receives only limited transaction reference information from the Partner sufficient to associate your visa application with the Partner’s order record.

Communications

Sherpa sends transactional and service-related messages relating to the Sherpa Tools (such as application status updates and document requests). The Partner sends commercial and account-related messages (such as order confirmations, payment receipts, and refund notifications), governed by the Partner’s privacy policy.

Exercising your rights

You may exercise your data protection rights against Sherpa in respect of the data Sherpa controls by contacting privacy@joinsherpa.com. Rights in respect of personal data the Partner controls must be exercised against the Partner under the Partner’s privacy policy.

Changes to the Privacy Policy

We keep our Policy under regular review. If we make material changes to this Policy, we will notify you by posting the updated version on our websites with a revised “Last Updated” date and, where required by applicable law, by notifying you via email or through our services. It is important that you review and understand the terms of the most current version of this Policy whenever you visit our websites or purchase any of our services.

Third-Party Links

From time to time, our websites will include links to third-party websites, plug-ins, and applications. Selecting those links, enabling those connections, or using our service through a third-party website may allow third parties to collect or share data about you. We do not control those third-party websites and are not responsible for their privacy statements.

Governing Law

This Policy is governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of laws principles. Nothing in this Policy limits or excludes the application of mandatory data protection laws applicable to you by reason of your country of residence, including the General Data Protection Regulation (for EEA and UK residents), the Lei Geral de Proteção de Dados (for Brazilian residents), or the California Consumer Privacy Act (for California residents), to the extent such laws cannot be contracted out of.

The Data We Collect About You

Personal data, or personal information, means any information about an individual from which that person can be identified. We collect, use, store and transfer different kinds of personal data about you, including: Identity Data, Contact Data, Financial Data, Technical Data, Profile Data, Usage Data, and Transaction Data.

To the extent required in relation to your use of certain services that we provide to facilitate your visa or travel authorization applications (and/or as required by Government Organizations), you will need to provide us with Transaction Data which may include Special and Sensitive Categories of Personal Data such as gender/sex, visible identifying marks, religion, ancestry, criminal record existence, health issue existence, and photographs.

Where such special categories of personal data are required for visa or travel authorization applications, processing occurs on the basis of your explicit consent and the necessity of processing for the establishment, exercise, or defense of legal claims, or where required by applicable immigration law.

2. HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect data from and about you, including:

  • Direct interactions: You give us your personal data by filling in forms or by corresponding with us by telephone, email, submitting a form online, or otherwise, including through our AI-powered Chatbot.
  • Automated technologies or interactions: As you interact with our websites or use our services (including our Chatbot), we automatically collect Technical Data about your equipment, browsing actions, and usage patterns using cookies, server logs, pixel tags, and other similar technologies.
  • Third parties or publicly available sources: We receive personal data about you from various third parties, including analytics providers, payment providers, and AI service providers (including providers of AI-powered customer support tools, document verification services, and fraud detection systems). A current list of our service providers is maintained at www.joinsherpa.com/subprocessors.

3. HOW WE COLLECT AND USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you to help facilitate your visa or travel authorization application.
  • To carry out our obligations and enforce our rights arising from any contracts with you, including for billing and collection.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation.
  • Where you have provided your explicit consent for a specific processing purpose.

Where we rely on legitimate interests as our legal basis for processing, we conduct and document Legitimate Interests Assessments (LIAs) to ensure that our interests do not override your fundamental rights and freedoms. You may request information about our LIAs by contacting privacy@joinsherpa.com.

Cookies

You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our websites and/or our services may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookies Policy.

Electronic Communications (CASL Compliance)

Where we send you commercial electronic messages, we do so in accordance with Canada’s Anti-Spam Legislation (CASL). We will obtain your express or implied consent before sending commercial electronic messages, and we include a clear and prominently placed unsubscribe mechanism in every commercial electronic message. You may withdraw your consent to receive commercial electronic messages at any time by using the unsubscribe mechanism provided or by contacting us at privacy@joinsherpa.com. We honour all unsubscribe requests within ten (10) business days.

Transactional and service-related messages (such as order confirmations, application status updates, and security notifications) are not considered commercial electronic messages under CASL and will continue to be sent as necessary to fulfil our contractual obligations to you.

4. AI-POWERED CHATBOT AND AUTOMATED SYSTEMS

4.1 Customer-Facing AI Chatbot

Sherpa offers an AI-powered chatbot (“Chatbot”) for customer support. The Chatbot uses artificial intelligence to provide general information, answer frequently asked questions, and assist with basic inquiries about our services.

AI INTERACTION NOTICE: When you interact with our Chatbot, you are communicating with an artificial intelligence system, not a human being. The Chatbot is an automated AI system that generates responses based on its programming and training data. If you prefer not to interact with the Chatbot, you may opt out of automated assistance at any time by typing “speak to a human” or “human agent” in the chat interface or by visiting support.joinsherpa.com to reach a human representative directly.

4.2 Third-Party AI Systems

Sherpa may utilize third-party artificial intelligence systems to enhance our services, including but not limited to data analysis, application processing support, fraud detection, document verification, and customer support automation.

Where we utilize third-party AI systems to process your personal data, we do so on the basis of:

  • (a) Contractual necessity, where such processing is required to deliver the services you have requested;
  • (b) Legitimate interests, in improving service quality, security, and fraud prevention, where we have conducted a balancing test and determined that your rights and interests are not overridden; or
  • (c) Explicit consent, which we will obtain separately where required by applicable law.

You may withdraw consent at any time without affecting the lawfulness of processing based on consent prior to withdrawal. All third-party AI service providers are contractually prohibited from using your personal data for their own purposes, including model training or improvement.

4.3 Critical Limitations

YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT:

  • (a) NOT LEGAL OR IMMIGRATION ADVICE: Neither the Chatbot nor any AI system provides legal advice, immigration advice, tax advice, or any other professional advice. No attorney-client, advisor-client, or professional relationship is created. All information is general in nature and does not constitute advice tailored to your specific circumstances.
  • (b) NO GUARANTEE OF ACCURACY: AI technology has inherent limitations. Responses and outputs may be inaccurate, incomplete, outdated, or inappropriate for your specific situation. You must independently verify all information.
  • (c) NOT A SUBSTITUTE FOR PROFESSIONAL CONSULTATION: For legal, immigration, financial, or other professional matters, consult qualified professionals. The Chatbot cannot and does not replace professional advice.
  • (d) NO BINDING COMMITMENTS: Neither the Chatbot nor any automated system can make binding commitments, modify our Terms, guarantee outcomes, or authorize refunds on Sherpa’s behalf. Only authorized Sherpa personnel may do so.
  • (e) AUTOMATED SYSTEM: The Chatbot is an automated system that may not understand context, nuance, or the full circumstances of your situation.
  • (f) IMMIGRATION OUTCOMES: Sherpa disclaims liability for any immigration outcomes, delays, rejections, or losses arising from immigration authorities’ decisions, inaccuracies in user-provided information, changes in immigration laws, or reliance on AI-generated information.
  • (g) NO AUTOMATED VISA DECISIONS: Sherpa does NOT use AI or automated systems to make final decisions regarding your visa eligibility or application outcomes. While AI systems may assist in processing and reviewing application information, all substantive decisions affecting your visa application involve meaningful human review and oversight. Final visa and travel authorization decisions remain solely with the applicable Government Organizations.

You agree that any information provided by the Chatbot or other automated systems is for general informational purposes only and must not be relied upon as the sole basis for travel, immigration, legal, or financial decisions.

4.4 Your Responsibilities When Using AI Systems

  • Do not rely solely on AI responses for important decisions
  • Verify information through official sources or qualified professionals
  • Do not submit sensitive personal information (passwords, full payment details, government ID numbers) to the Chatbot unless specifically prompted through secure channels
  • Contact human support for complex, urgent, or sensitive matters; you may request human assistance at any time by visiting support.joinsherpa.com
  • You have the right to request human review of any matter initially handled by our AI systems by visiting support.joinsherpa.com

4.5 Data Processing in AI Interactions

  • Chatbot conversations are logged and may be analyzed to improve our services and for quality assurance purposes
  • Personal data shared in Chatbot interactions is processed in accordance with this Policy
  • We may use aggregated, anonymized, and de-identified data derived from Chatbot interactions to improve the quality and accuracy of our services. Where anonymization is applied, we use industry-standard techniques to ensure that data cannot reasonably be re-identified. We do not use identifiable personal data from Chatbot conversations to train machine learning models without obtaining your explicit consent.
  • Where we engage third-party AI service providers, we contractually prohibit such providers from using your personal data for their own model training or improvement purposes
  • Chatbot conversation data is retained in accordance with our data retention policies set out in Section 9

4.6 Limitation of Liability for AI Systems

TO THE MAXIMUM EXTENT PERMITTED BY LAW, SHERPA SHALL NOT BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS, OR EXPENSES ARISING FROM YOUR USE OF OR RELIANCE ON THE CHATBOT OR ANY AI SYSTEM, INCLUDING BUT NOT LIMITED TO DAMAGES ARISING FROM INACCURATE INFORMATION, MISUNDERSTANDINGS, TECHNICAL ERRORS, THIRD-PARTY AI SYSTEM FAILURES, OR YOUR DECISIONS BASED ON AI-GENERATED RESPONSES.

5. MONITORING, ANALYTICS, AND SERVICE IMPROVEMENT

We monitor and analyze data to maintain and improve our services. This includes:

5.1 Service Performance Monitoring

  • Real-time monitoring of website and service availability
  • Analysis of system performance and error detection
  • Security monitoring to detect and prevent unauthorized access or fraud

5.2 Usage Analytics

  • Analysis of how users interact with our websites and services
  • Understanding customer needs, preferences, and behavior patterns
  • Generating aggregated insights for business intelligence and service improvement

5.3 Quality Assurance

  • Monitoring customer service interactions (including Chatbot conversations) for quality purposes
  • Analyzing feedback and survey responses to improve our services
  • Evaluating the effectiveness of our communications

5.4 How We Conduct Monitoring

  • Monitoring occurs in real-time and through periodic analysis
  • We use automated tools and manual review processes
  • Personal data used for analytics is processed under our legitimate interests legal basis, with appropriate safeguards including documented Legitimate Interests Assessments
  • All monitoring activities comply with our data retention and security policies

5.5 Safeguards

  • Data used for analytics is anonymized or pseudonymized where possible
  • Access to monitoring data is restricted to authorized personnel only
  • We do not use monitoring to make automated decisions that produce legal or significant effects on individuals
  • You may object to certain analytics processing by contacting us (see “Your Legal Rights”)

6. DATA SHARING

We will share your personal data with the external parties set out below to the extent necessary for the purposes set out in this Policy:

  • Service providers who provide payment processing and IT and system administration services (legal basis: contractual necessity, legitimate interests)
  • AI and Chatbot service providers who provide AI-powered customer support and application processing support services (legal basis: contractual necessity, legitimate interests; processing governed by data processing agreements)
  • Canada Revenue Agency and other tax authorities that require reporting of processing activities (legal basis: legal obligation)
  • Government Organizations that require your personal data for visa or travel authorization applications (legal basis: contractual necessity, consent)
  • Third parties in connection with business transfers (mergers, acquisitions, asset sales) (legal basis: legitimate interests)
  • Professional advisors, regulators, and auditors, as required by law (legal basis: legal obligation, legitimate interests)

A current list of our subprocessors and service providers, including AI service providers, is available at joinsherpa.com/subprocessors, where customers may subscribe to notifications of material changes. We will provide notice of material changes to our subprocessor list by updating the list at the URL above and, where required by applicable law, by notifying affected users via email or through our services. Changes are posted at least thirty (30) days prior to the new subprocessor commencing processing of personal data.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes, including the training or improvement of machine learning models or AI systems.

7. TRANSFERS TO GOVERNMENT ORGANIZATIONS

Due to the nature of the services we provide, we will be required from time to time to transfer your personal data outside the country where it is received by us to certain Government Organizations for the purpose of facilitating your visa or travel authorization applications. We will ask for your consent before we provide your personal data to those Government Organizations.

Please be aware that those Government Organizations are independent from us. Each Government Organization is receiving and using your personal data because you requested and gave us permission to send that data. We have no responsibility for or ability to control any Government Organization, including how they secure, use, process, and transmit your personal data.

Government authorities receiving your data act as independent controllers and process your data under their own legal frameworks and privacy policies.

For information about the safeguards applicable to international transfers of personal data, including transfers to Government Organizations in countries that may not have data protection laws equivalent to those in your jurisdiction, please see Section 13 (United Kingdom and Europe), Section 15 (Canada), Section 16 (California), and Section 17 (Additional Jurisdictions).

8. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.

8.1 Technical Safeguards

  • Encryption: All personal data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher
  • Access Controls: Role-based access controls limit data access to authorized personnel only
  • Authentication: Multi-factor authentication is required for access to systems containing personal data
  • Monitoring: 24/7 security monitoring and intrusion detection systems
  • Payment Card Security: Payment card data is handled by partners in accordance with PCI-DSS compliance

8.2 Organizational Safeguards

  • Employee Training: All personnel handling personal data undergo regular privacy and security training
  • Background Checks: Personnel with access to sensitive data undergo appropriate background verification
  • Confidentiality Agreements: All employees and contractors are bound by strict confidentiality obligations
  • SOC 2 Compliance: Our security practices are independently audited under the SOC 2 Type II framework

8.3 Incident Response

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Specific notification timelines are set out in the jurisdiction-specific sections of this Policy.

The transmission of information via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee its security when transmitted to our websites. Any transmission of personal data is at your own risk.

8.4 Security

Appropriate technical and organizational measures have been implemented by Sherpa and any third party to comply with applicable data protection laws.

9. DATA RETENTION

Retention periods reflect legal obligations related to financial recordkeeping, dispute resolution, regulatory compliance, and fraud prevention.

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We will retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.

In some circumstances, you can ask us to delete your data; see below for further information about your legal rights. In some circumstances, we will anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we will use this information indefinitely without further notice to you.

10. YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:

  • Request access to your personal data (data subject access request)
  • Request correction of the personal data that we hold about you
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing of your personal data
  • Request the transfer of your personal data to you or to a third party (data portability)
  • Withdraw consent at any time where we are relying on consent to process your personal data
  • Not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects

Response Timeframes

We commit to the following response timeframes for data subject requests:

  • Acknowledgment: Within 48 hours of receipt.
  • Substantive response: Within one (1) month of receipt (GDPR/UK GDPR), or within thirty (30) days of receipt (PIPEDA, CCPA/CPRA).
  • Complex requests: Up to sixty (60) days from receipt with notice provided within the initial response period explaining the delay and the reasons for the extension.
  • Urgent requests: Where you demonstrate a risk of significant harm, we will use best efforts to respond within seven (7) days.

Additional jurisdiction-specific rights and timeframes are set out in Sections 13 through 17 of this Policy.

11. AUTOMATED DECISION-MAKING AND PROFILING

11.1 Your Rights Regarding Automated Decision-Making

Under GDPR Article 22 and applicable privacy laws, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

11.2 Our Use of Automated Processing

  • Customer Support: Our AI Chatbot uses automated natural language processing to respond to inquiries and provide general information
  • Service Optimization: We use automated analysis to improve our services and user experience
  • Fraud Prevention: We employ automated systems to detect and prevent fraudulent transactions. Fraud prevention flags are always reviewed by a human operator before any action is taken on a user’s account or transaction.
  • Document Verification: We may use automated tools to assist in verifying document authenticity
  • Application Processing Support: AI systems may assist in reviewing and organizing application information to support human decision-making. No automated system makes final determinations regarding your application.

11.3 What We Do NOT Do—Critical Limitations

Consistent with our Terms & Conditions, you expressly acknowledge and agree that:

  • We do NOT profile users in a way that affects their eligibility for services
  • We do NOT make decisions that produce legal or significant effects based solely on automated processing
  • Neither our Chatbot nor any AI system provides legal advice, immigration advice, tax advice, or any other professional advice
  • No attorney-client, advisor-client, or professional relationship is created through AI interactions
  • Our Chatbot cannot make binding commitments, modify terms, guarantee outcomes, or authorize refunds on Sherpa’s behalf

11.4 Human Involvement and Oversight

  • All consequential decisions regarding your visa or travel authorization involve meaningful human review by qualified personnel
  • Visa and travel authorization decisions remain solely with the applicable Government Organizations
  • You can request a human review of any automated response or recommendation
  • Our human support team is available; request assistance by visiting support.joinsherpa.com or typing “speak to human” in the chat interface

11.5 Your Rights

You have the right to:

  • Obtain human intervention in any decision that affects you
  • Express your point of view regarding automated decisions
  • Contest decisions made with significant automated involvement
  • Request information about the logic involved in automated processing, subject to the protection of trade secrets and intellectual property

12. BIOMETRIC DATA AND NON-DISCRIMINATION

12.1 Definition of Biometric Data

For the purposes of this Policy, “biometric data” means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person.

12.2 What We Do NOT Collect or Process

We explicitly do NOT collect, process, or store the following biometric identifiers:

  • Retina or iris scans
  • Fingerprint data (beyond what may be visible in passport photographs)
  • Blood samples or DNA data
  • Voice prints or voice recognition data for identification purposes
  • Facial recognition data for mass surveillance or remote biometric identification
  • Gait analysis or behavioral biometrics

Passport photographs are used solely for submission to the relevant government authority and are not used for biometric identification by Sherpa.

12.3 What We Collect for Visa Applications

When required by Government Organizations for visa or travel authorization applications, we may process:

  • Passport-type photographs (as required by the relevant Government Organization)
  • Scanned copies of identity documents containing photographs

12.4 Use Restrictions

  • Biometric data is processed ONLY for the specific purpose of facilitating your visa or travel authorization application
  • We do NOT use biometric data for profiling, behavioral analysis, or automated decision-making
  • We do NOT use AI or automated systems to analyze, categorize, or make inferences based on biometric data
  • Biometric data such as passport photographs or identity document images are retained only for the duration necessary to complete your application and any legally required record-keeping period, after which they are securely deleted or anonymized.

12.5 Enhanced Safeguards for Biometric Data

  • Biometric data receives the highest level of protection under our security measures
  • Access is strictly limited to personnel directly involved in processing your application
  • Biometric data is encrypted at rest and in transit
  • Upon completion of your application (or upon your request), biometric data is securely deleted in accordance with our retention policies

12.6 Commitment to Non-Discrimination

Sherpa is committed to fair and non-discriminatory treatment of all users. In our use of technology and data processing:

We Do Not:

  • Use AI or automated systems to profile, categorize, or make decisions based on race, ethnicity, national origin, religion, political opinions, sexual orientation, gender identity, or other protected characteristics
  • Deploy AI systems that create or reinforce bias against any group
  • Use predictive analytics that could result in discriminatory treatment
  • Allow AI systems to make or substantially influence decisions affecting your visa application without human oversight

Equal Treatment:

  • All users receive the same level of service regardless of their personal characteristics
  • Our AI Chatbot and automated systems are designed to provide consistent, unbiased responses
  • We regularly review our systems for potential bias and take corrective action where needed

Protected Characteristics Data:

While Government Organizations may require certain sensitive data (such as nationality, gender, or religion) for visa applications, Sherpa uses this information SOLELY for the purpose of completing your application as required. We do not use this data for profiling, marketing, or any purpose beyond what is strictly necessary for visa processing.

13. IF YOU ARE LOCATED IN THE UNITED KINGDOM OR EUROPE

The provisions in this section are supplemental terms which apply in addition to the remainder of this Policy if you are located in the United Kingdom or Europe.

We will comply with applicable data protection law. For the purposes of applicable data protection law, Sherpa is the controller of your personal information.

You have the right to make a complaint at any time to the relevant data protection authority. The relevant data protection authority in the United Kingdom is the Information Commissioner’s Office (ICO), and you can contact the ICO by calling +44 303 123 1113 or using its live chat service. We would, however, appreciate the opportunity to address your concerns before you approach the data protection authority.

Transfers Out of the United Kingdom and Europe

Your personal data may be transferred to and processed in countries outside your country of residence, including Canada (where Sherpa is headquartered), the United States (where certain service providers are located), and countries where government visa authorities are located. These countries may have data protection laws that differ from those in your jurisdiction.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • (a) TRANSFERS TO CANADA: Transfers to Sherpa in Canada are covered by the European Commission’s adequacy decision recognizing Canada (for commercial organizations subject to PIPEDA) as providing adequate data protection. We monitor the status of this adequacy decision and will implement supplementary measures if required.
  • (b) TRANSFERS TO THE UNITED STATES: Where we transfer personal data to service providers in the United States, such transfers are made to recipients certified under the EU-US Data Privacy Framework (and/or the UK Extension to the EU-US Data Privacy Framework for UK users), or pursuant to Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK’s International Data Transfer Agreement (IDTA) as applicable. You acknowledge that data stored with US-based service providers may be subject to US laws, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which may permit US government authorities to access data pursuant to valid legal process.
  • (c) TRANSFERS TO GOVERNMENT AUTHORITIES: Visa processing inherently requires the transfer of your personal data to government authorities in your destination country. Such transfers are necessary for the performance of your contract with us (Article 49(1)(b) GDPR). Where additional consent is required, you provide such consent by submitting your visa application through our services (Article 49(1)(a) GDPR).
  • (d) ACKNOWLEDGMENT OF RISK: You acknowledge that visa processing inherently requires transfer of your personal data to government authorities in countries that may not have data protection laws equivalent to those in the EEA, UK, or Switzerland. We will inform you of the specific risks associated with each transfer at the time you submit your application.

For more information about the safeguards we use for international data transfers, please visit support.joinsherpa.com to contact our team.

Data Breach Notification (UK/EU)

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, in accordance with GDPR Article 34.

14. EU AI ACT COMPLIANCE

14.1 AI System Classification

In accordance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we provide the following information about our use of AI systems:

  • Our customer service Chatbot is classified as a LIMITED RISK AI system under the EU AI Act
  • As a limited risk system, we are subject to transparency obligations
  • Our AI systems are not classified as high-risk under Annex III of the EU AI Act

14.2 Transparency Measures

  • We clearly notify users when they are interacting with our AI Chatbot through an AI Interaction Notice
  • When you interact with our Chatbot, you are communicating with an artificial intelligence system, not a human being
  • Our AI systems are designed to ensure users understand they are communicating with an automated system
  • You may request human assistance at any time by visiting support.joinsherpa.com or typing “speak to human” or “human agent” in the chat interface

14.3 Human Oversight and Decision-Making

  • We do not use high-risk AI systems for decision-making that significantly affects individuals
  • All substantive decisions regarding your visa or travel authorization applications involve human review
  • Visa and travel authorization decisions remain solely with the applicable Government Organizations
  • Our Chatbot is used for informational and customer service purposes only and cannot make binding decisions

14.4 Prohibited Practices—We Do Not:

  • Use AI to manipulate persons or exploit vulnerabilities
  • Engage in social scoring or behavioral prediction for detrimental purposes
  • Use real-time remote biometric identification systems in publicly accessible spaces
  • Deploy AI systems that categorize individuals based on biometric data to infer sensitive characteristics (race, ethnicity, religion, sexual orientation, political opinions, or other protected characteristics)
  • Create or expand facial recognition databases through untargeted scraping
  • Use emotion recognition systems in the workplace or for service delivery decisions
  • Use AI for automated decision-making that produces legal or similarly significant effects without human oversight

14.5 Your Rights Under the EU AI Act

You have the right to:

  • Be informed when you are interacting with an AI system
  • Request human intervention for any matter handled by our AI systems
  • Lodge complaints with the relevant supervisory authority regarding AI system compliance
  • Access information about how our AI systems function, subject to the protection of trade secrets and intellectual property

15. IF YOU ARE LOCATED IN CANADA

The provisions in this section are supplemental terms which apply in addition to the remainder of this Policy if you are located in Canada.

We will only use your personal information in accordance with this Policy unless otherwise required by applicable law. Privacy laws in Canada generally define “personal information” as any information about an identifiable individual.

Consent

In accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and its Principle 4.3, we obtain meaningful consent for the collection, use, and disclosure of your personal information. The form of consent (express or implied) depends on the sensitivity of the information and your reasonable expectations. You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice.

Disclosure of Your Information

We may disclose personal information that we collect or you provide as described in this Policy. We may also disclose your personal information to comply with any court order, law, or legal process, or if we believe disclosure is necessary to protect our rights, property, or safety.

Transferring Your Personal Information

We may process, store, and transfer your personal information in and to a foreign country, including the United States, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country.

Data stored with service providers in the United States may be subject to US laws, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which may permit US government authorities to access data pursuant to valid legal process. We implement contractual and technical safeguards to protect your information during such transfers.

Accessing and Correcting Your Personal Information

By law, you have the right to request access to and to correct the personal information that we have in our possession. We will provide access to that personal information, subject to exceptions set out in applicable privacy legislation. We will respond to your access request within thirty (30) days of receipt. We may charge you a reasonable fee to access your personal information; we will notify you of any fee in advance.

Breach Notification

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm to you, we will: (a) report the breach to the Office of the Privacy Commissioner of Canada as required under PIPEDA Section 10.1; and (b) notify you of the breach as soon as feasible, providing information about the incident, the personal information involved, and the steps we are taking to reduce the risk of harm.

Complaints

You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe we have not handled your personal information in accordance with applicable law. The OPC can be reached at www.priv.gc.ca or by calling 1-800-282-1376. We encourage you to contact us first at privacy@joinsherpa.com so that we have the opportunity to address your concerns directly.

16. IF YOU ARE LOCATED IN CALIFORNIA

The provisions in this section are supplemental terms which apply in addition to the remainder of this Policy if you are a California resident. These provisions are provided in accordance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”).

16.1 Categories of Personal Information

In the preceding twelve (12) months, we have collected the following categories of personal information as defined under the CCPA:

  • Identifiers: Name, email address, IP address, account name, passport number, and other government-issued identification numbers.
  • Personal information under Cal. Civ. Code §1798.80(e): Name, address, telephone number, passport number, financial information (payment card details).
  • Protected classification characteristics: Age, gender, national origin, citizenship, and religion (only as required for visa applications).
  • Commercial information: Records of services purchased, transaction history.
  • Internet or electronic network activity: Browsing history, search history, and information regarding interactions with our websites and services.
  • Geolocation data: General location information derived from IP address.
  • Sensory data: Photographs submitted for visa applications.
  • Inferences: Inferences drawn from the above to create a profile about preferences (for service improvement purposes only).

16.2 Your Rights Under the CCPA

As a California resident, you have the following rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting or selling the information, and the categories of third parties with whom we share your personal information.
  • Right to Delete: You may request that we delete any personal information we have collected about you, subject to certain exceptions permitted by law.
  • Right to Correct: You may request that we correct inaccurate personal information that we maintain about you.
  • Right to Opt Out of Sale or Sharing: You have the right to opt out of the “sale” or “sharing” of your personal information, as those terms are defined under the CCPA.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of your sensitive personal information to uses that are necessary to perform the services you have requested.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

16.3 Sale and Sharing of Personal Information

Sherpa does not sell your personal information as defined under the CCPA. Sherpa does not share your personal information for cross-context behavioral advertising purposes. We share personal information with service providers and contractors solely for business purposes as described in this Policy, pursuant to written agreements that restrict the use of such information.

16.4 How to Exercise Your Rights

To exercise any of your CCPA rights, you may submit a request by:

  • Emailing privacy@joinsherpa.com with the subject line “California Privacy Rights Request”
  • Writing to us at: Visa Run Inc. (DBA Sherpa), 498 - 340 King Street East, Toronto, Ontario, Canada M5A 1K8

We will verify your identity before processing your request. We will respond to verifiable consumer requests within forty-five (45) days of receipt. If we require more time (up to an additional forty-five (45) days), we will notify you in writing of the reason and the extension period.

16.5 Authorized Agent

You may designate an authorized agent to make a request on your behalf. To do so, you must provide the agent with written permission, and we may require you to verify your identity directly with us.

16.6 Financial Incentives

We do not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.

17. ADDITIONAL JURISDICTIONS

The provisions in this section are supplemental terms which apply in addition to the remainder of this Policy if you are located in one of the jurisdictions described below. As Sherpa’s international operations expand, this section may be updated to include additional jurisdiction-specific provisions.

17.1 Brazil (Lei Geral de Proteção de Dados — LGPD)

If you are located in Brazil, the following provisions apply in accordance with the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018).

Legal Bases for Processing

Under the LGPD, we process your personal data on one or more of the following legal bases (Article 7): consent (where we have obtained your free, informed, and unambiguous consent for a specific purpose); contractual necessity; legal or regulatory obligation; legitimate interests (except where your fundamental rights and freedoms override those interests); and protection of credit.

Your Rights Under the LGPD

As a data subject under the LGPD, you have the following rights (Article 18):

  • Confirmation of the existence of processing and access to your personal data
  • Correction of incomplete, inaccurate, or out-of-date data
  • Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD
  • Data portability to another service or product provider
  • Deletion of personal data processed with your consent
  • Information about entities with which we have shared your data, the possibility of denying consent and its consequences, and withdrawal of consent

Data Protection Officer and Complaints

For inquiries related to the processing of your personal data under the LGPD, you may contact our Data Protection Officer (Encarregado) by visiting support.joinsherpa.com. You have the right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) if you believe your personal data has been processed in violation of the LGPD.

International Data Transfers

Your personal data may be transferred to and processed in countries outside of Brazil, including Canada and the United States, in accordance with Chapter V of the LGPD. Such transfers are made pursuant to Standard Contractual Clauses or other lawful transfer mechanisms recognized by the ANPD.

17.2 Other Jurisdictions

Sherpa operates internationally and may process personal data of individuals located in additional jurisdictions, including Malaysia, the Philippines, and India. Where local data protection laws in these jurisdictions impose additional obligations or grant additional rights, we comply with those requirements. If you are located in a jurisdiction not specifically addressed in this Policy and have questions about how your personal data is processed, please contact us by visiting support.joinsherpa.com.

18. GLOSSARY

AI System: Any machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions.

Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images, fingerprints, or iris scans.

Cardholder Data: A subset of personal data, meaning bank account or credit/debit card account numbers that identify the issuer and the particular cardholder account, plus cardholder name, expiration date, and sensitive authentication data.

CCPA: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.

Chatbot: Sherpa’s AI-powered customer support system that uses artificial intelligence to provide general information and assist with inquiries. The Chatbot is an automated system, not a human representative.

Government Organization: Third-party consultants or companies, government organizations, or their authorized agents to which your personal data is submitted for the purpose of facilitating your application for a visa or travel authorization.

High-Risk AI System: An AI system classified as high-risk under Annex III of the EU AI Act, subject to the conformity requirements of Chapter 3, Section 2 of the EU AI Act.

Legitimate Interest: The interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience.

LGPD: Lei Geral de Proteção de Dados (Law No. 13,709/2018), Brazil’s General Data Protection Law.

PIPEDA: The Personal Information Protection and Electronic Documents Act, Canada’s federal private-sector privacy law.

Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning sex life or sexual orientation.

19. HOW TO CONTACT US

If you have any questions or comments about this Policy or our privacy practices, please contact us:

  • Legal: legal@joinsherpa.com
  • Privacy: privacy@joinsherpa.com
  • Support: support@joinsherpa.com
  • Address: Visa Run Inc. (DBA Sherpa), 489 - 340 King Street East, Toronto, Ontario, Canada M5A 1K8
  • EU DPO Representative: Datahub Consulting, Paseo del Club Deportivo, 1, Edificio 4, Planta 1, 28223, Pozuelo de Alarcón, Madrid, Spain: dpo@joinsherpa.com
  • UK DPO Representative: Datahub Consulting Ltd, 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom: dpo@joinsherpa.com