Privacy and Security

1. Who is the controller?

GlobePass Travel Documents Ltd., Dubai Silicon Oasis, UAE, is the controller of personal data collected via this website and the GlobePass mobile app. You can contact our Data Protection Officer at dpo@globepass.example for any privacy matter.

2. What we collect

We collect only what we need to issue your IDP and operate the service. Specifically:

• Identity data: your name, date of birth, photo, license number, license category, issuing country.
• Contact data: email address, phone number, shipping and billing addresses.
• Payment data: tokenised — we never see the full card number. Stripe and PayPal process the payment and return a token to us.
• Usage data: pages visited, links clicked, device and browser type, anonymised IP address.
• Customer service data: the messages you send us via chat or email.

3. Why we collect it

We use your personal data to: (i) verify your identity and translate your license; (ii) print, ship and track your booklet; (iii) provide customer service; (iv) prevent fraud; (v) comply with legal obligations including anti-money-laundering rules; and (vi) — only with consent — to send you renewal reminders and product updates.

4. Who we share it with

We share the minimum data required, only with:

• Sub-processors: Stripe (payments), AWS (hosting in Frankfurt, Germany), Twilio (transactional emails), DHL and FedEx (shipping).
• Translators: contracted under strict NDAs, who see only the language fields needed for translation.
• Authorities: when legally compelled to do so by a court order in a jurisdiction where we operate.

We never sell your data, exchange it for advertising, or share it with credit bureaus.

5. Where we store it

All personal data is stored on encrypted AWS infrastructure in Frankfurt (eu-central-1), Germany. Backups are stored in Ireland. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).

If you are a resident of the European Union or United Kingdom, your data does not leave the EU/EEA region. UAE-domiciled data is governed by the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).

6. How long we keep it

Identity and order data are kept for the validity of your IDP plus 6 years thereafter, in line with anti-money-laundering record-keeping rules. Customer service messages are kept for 36 months. Usage data is anonymised after 24 months. You may request earlier deletion (see Section 8).

7. How we secure it

We follow industry standards in line with ISO 27001 and SOC 2 Type II controls. Highlights:

• All access to production data is logged and audited.
• Two-factor authentication is mandatory for all staff.
• External penetration tests are run every six months by an independent firm.
• Documents you upload are stored in object storage with per-customer encryption keys.

8. Your rights

You have the right to access, correct, delete, restrict or port your personal data, and to object to processing. You can exercise any right by emailing dpo@globepass.example from the email address on your account. We respond within 30 days.

EU/UK residents are additionally entitled to the rights set out in our GDPR Privacy Policy, and have the right to lodge a complaint with their local supervisory authority.

9. Cookies

See our Cookie Policy for a complete list of cookies, why we use them, and how to opt out.

10. Changes

Material changes to this Policy are emailed to all active customers at least 30 days in advance. The "Last updated" date at the top reflects the most recent version.