PRIVACY POLICY & DATA PROTECTION NOTICE
Effective Date: March 2026
1. INTRODUCTION, SCOPE, AND OUR ABSOLUTE COMMITMENT
This Comprehensive Privacy Policy and Data Protection Notice describes how VARGA ISTVÁN BERTALAN – Sole Proprietor ("the Company," "we," "us," or "our") collects, processes, secures, utilizes, and ultimately destroys your personal data when you interact with the SabAI / Sabai Visa EU platform, accessible via sabaivisa.com and all associated subdomains, API endpoints, and related services (collectively, the "Service" or "Platform").
We recognize that Schengen C-Type Visa applications demand radical transparency. To draft legally sufficient Invitation, Sponsorship, and Relationship History letters, we must collect a massive digital footprint of your emotional, financial, and biographical data.
Because of this unparalleled sensitivity, our entire infrastructure is built upon a strict "Privacy by Design and Default" philosophy. Data protection is the core, foundational architecture of our software. Every line of code, every database query, and every third-party integration is evaluated first through the lens of data minimization and security.
As a Hungarian entity operating a specialized B2C SaaS platform, we operate under the strict, uncompromising supervision of the European Union’s data protection framework. This document is strictly compliant with, and governed by:
- Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR).
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Hungary).
- Directive 2002/58/EC (ePrivacy Directive).
- Act C of 2000 on Accounting (Hungary).
2. DATA CONTROLLER AND REPRESENTATION
We operate strictly as a Business-to-Consumer (B2C) platform designed for Thai-European couples. When you register to build your visa dossier, we act as the Data Controller. This means we determine the purposes and means of the processing of your personal data. The entity directly responsible for your personal data is:
VARGA ISTVÁN BERTALAN – Sole Proprietor
Registered Address: 1078 Budapest, VII. district, Murányi utca 38., ground floor, door 9, Hungary
Tax ID: 67025086-1-42
Registration Number: 42530889
Official Email: support@sabaivisa.com
By virtue of operating as a Sole Proprietorship under Hungarian law, the Controller maintains direct, personal, and unlimited legal accountability for the implementation of the security measures described herein.
3. LEGAL BASIS FOR PROCESSING: WHY AND HOW WE USE YOUR DATA
We do not engage in exploratory data mining, nor do we sell your relationship history to data brokers. Under GDPR Article 6 and Article 9, we rely exclusively on the following legal bases:
- Art. 6(1)(b) GDPR (Contractual Necessity): We process your passport numbers, relationship history, and uploaded dossier contents because it is technically impossible for us to fulfill our core contract with you (drafting your legal letters and generating the SabAI Officer Audit) without this information.
- Art. 6(1)(c) GDPR (Legal Obligation): Hungarian and EU laws require us to maintain accurate financial records. When you purchase a SabAI Pass, we process your billing details to generate a valid invoice through our sub-processor (Szamlazz.hu) for the Hungarian National Tax and Customs Administration (NAV).
- Art. 6(1)(f) GDPR (Legitimate Interest): We process technical telemetry (IP addresses, browser fingerprints) to detect fraudulent login attempts, optimize our rendering engine, and secure our infrastructure.
- Art. 9(2)(a) GDPR (Explicit Consent for Special Categories): Relationship evidence often reveals highly protected "Special Category Data". Because processing this exact data is the literal, stated purpose of SabAI, we require your explicit, affirmative consent via a mandatory checkbox during the onboarding process to handle this sensitive information legally.
4. COMPREHENSIVE CATEGORIES OF DATA COLLECTED
To successfully act as your digital consular officer and draft highly persuasive, embassy-standard legal documents, we require a deep and extensive data profile. We collect and process the following categories:
4.1 Account & Authentication Metadata
- Access Credentials: Email addresses used for our secure license-key system or OAuth tokens.
- Security & Session Logs: Exact login timestamps, browser fingerprints, operating system versions, and IP addresses to ensure session integrity.
4.2 Deep Profile & Biographical Data (The Master Flow)
Because SabAI generates precise, fact-based letters of Invitation and Sponsorship, we harvest extensive personal data during the 7-Step Onboarding Flow. This includes:
- Identity & Contact Markers: Full legal names, dates of birth, exact passport numbers (including issue and expiry dates), national ID numbers, and primary phone numbers for both the Thai Applicant and the European Sponsor.
- Logistics & Financial Mapping: Current residential addresses, detailed employment status (including employer details or unemployment context), exact Schengen travel itineraries (flight numbers, intended entry/exit dates across 29 Schengen states), accommodation proof, and explicit declarations of financial responsibility.
- Deep Relationship Narrative: The precise chronological history of your partnership. We collect exhaustive data on exactly how, when, and where you first met, the specific evolution of your relationship, detailed meeting logs (dates and locations of prior physical visits), and summaries of your communication habits.
4.3 Evidence, Media, & The "Global Media Library"
- Visual Evidence: Photographs documenting the timeline of your relationship, including locations and timestamps.
- Technical Cryptographic Metadata: We generate a mathematical SHA-256 hash for every single image uploaded to prevent redundant storage and ensure permanent purging upon request.
4.4 Special Category Data (SENSITIVE - ARTICLE 9 GDPR)
By utilizing SabAI to compile a relationship dossier, you acknowledge that your uploads and chat context may deliberately or inadvertently reveal:
- Racial or Ethnic Origin: Visually apparent through passport scans or family photographs.
- Religious or Philosophical Beliefs: Evidenced through photos of cultural ceremonies or places of worship.
- Sexual Orientation & Sex Life: Inherently revealed through the nature of a same-sex partner application or intimate private chat logs.
- Biometric Data: Facial imagery contained within your portrait slots and photo uploads.
5. AI PROCESSING PROTOCOLS & SUB-PROCESSORS
SabAI utilizes advanced Artificial Intelligence (via the OpenAI Assistant API V2 and GPT-4o-mini Vision) to act as an AI Ghostwriter and SabAI Officer Auditor. We have configured these integrations to be strictly "Privacy-First".
5.1 The OpenAI Privacy Firewall
- Data Minimization (Vision AI): We do not send your high-resolution original photos to the AI. The SabAI Officer Audit utilizes a local rendering engine to generate a compressed "Audit Screenshot" of your page, sent alongside a structured text sheet.
- Absolute No-Training Guarantee: We utilize commercial, enterprise-grade OpenAI API endpoints. Under strict contractual terms, absolutely none of the visual or textual data you input into SabAI is retained by OpenAI to train their foundational models. Your private data is discarded by the API after the document is drafted or the audit is complete.
5.2 Critical Infrastructure Sub-Processors
- Vercel & Supabase (Hosting & Database): We strictly provision our PostgreSQL databases and Private Storage Buckets in the EU-Central-1 (Frankfurt, Germany) server regions. Your core relationship data stays securely within the borders of the European Economic Area (EEA).
- Stripe (Payments): All financial transactions for Passes and Order Bumps are handled securely by Stripe. We never process or store your raw credit card numbers.
- Szamlazz.hu (Invoicing): Used strictly for generating automated, Hungarian tax-compliant invoices.
- Hostinger / Nodemailer: Used to route transactional emails and secure login links.
6. AUTOMATED DECISION-MAKING & PROFILING (ARTICLE 22 GDPR)
SabAI does NOT engage in legally binding automated decision-making. The SabAI Officer Audit provides a simulated review, flags missing evidence, and suggests textual improvements strictly as an assistive tool to reduce user anxiety and prevent clerical errors.
This AI tool operates completely in a silo. It does not communicate with VFS Global, any government embassy, or immigration database. It produces zero legal effects on your person. The consequential decision to submit the dossier relies entirely on you and the sovereign judgment of human consular officials.
7. "PRIVACY BY DESIGN" SECURITY ARCHITECTURE
We protect your highly sensitive data using a multi-layered security stack:
- AES-256 Encryption at Rest: Your profile data, trip logs, passport details, and textual captions are symmetrically encrypted within our Supabase database.
- TLS 1.3 Encryption in Transit: Every byte of data is wrapped in a secure cryptographic tunnel.
- The "Signed URL" System: Our Supabase media storage architecture is entirely private. When you open your album, we generate temporary, signed access tokens that expire in 3600 seconds. No permanent public links to your relationship photos ever exist.
8. DATA RETENTION AND "THE FINAL PURGE" (ARTICLE 5)
We believe in the "Right to be Forgotten". We do not hold your data a day longer than necessary.
- Active Lifecycle: Your data is fully accessible as long as your Pro Pass is active.
- Embassies' Post-Dossier Window: Upon Pass expiration, we retain your data for ninety (90) days. This allows you to handle "Requests for Evidence" or re-download your files if needed.
- Automated Permanent Destruction: On day ninety-one (91) after your pass expires, all account data, relationship narratives, and generated PDFs are permanently deleted from our primary storage.
- Surgical Deletion ("Reset Data"): You may use the "Reset Data" tool at any time to immediately and surgically delete your timeline without waiting for the automated cycle.
- Legal Exceptions: Per the Hungarian Act C of 2000 on Accounting, we are legally obligated to retain basic billing invoices for eight (8) years. This exception applies exclusively to the sterile financial record of the transaction, not your relationship data.
9. YOUR GDPR RIGHTS AND EXACTLY HOW TO EXERCISE THEM
You hold absolute, legally enforceable power over your digital footprint. You may contact us at any time, free of charge, to exercise the following rights:
- Right to Access: Request a comprehensive export of the profile data we hold.
- Right to Erasure ("Right to be Forgotten"): Request total, platform-wide account closure and data purge.
- Right to Rectification: Correct any inaccurate account details.
- Right to Restriction & Objection: Temporarily halt or object to our processing.
How to Execute Your Rights:
- Email your formal request to support@sabaivisa.com.
- We will verify your identity by sending a secure link to the registered email address.
- Our Data Protection team will process your request without undue delay, and within the statutory deadline of 30 days.
10. DATA BREACH INCIDENT RESPONSE PROTOCOL
In the highly unlikely event of a severe data breach that compromises our encrypted databases (e.g., unauthorized exposure of passport data or intimate photos), we will execute our stringent incident response plan. We will formally notify the Hungarian National Authority (NAIH) within 72 hours and notify all affected users directly via email without undue delay, detailing the breach and immediate mitigation steps.
11. COMPLAINTS AND SUPERVISION
If you feel we have mishandled your Special Category Data, you have the absolute right to lodge a formal complaint with our lead supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Website: www.naih.hu
Email: ugyfelszolgalat@naih.hu
12. MODIFICATIONS AND UPDATES TO THIS POLICY
Any material changes that significantly affect your rights or change the way we process Special Category Data will be communicated to you via a prominent notice on your dashboard and via a direct email alert at least thirty (30) days before the changes take legal effect. Your continued use of the Service following the effective date constitutes your explicit understanding and acceptance of the new terms.