This policy explains how VisaScreen by Vistro Labs collects, uses, and protects personal data in line with UK GDPR and the Data Protection Act 2018.
Last updated: May 2026
VisaScreen is a visa eligibility screening tool operated by Vistro Labs. This policy explains how we collect, use, and protect personal data when law firms use our platform and when visitors complete eligibility quizzes.
Product: VisaScreen
Company: Vistro Labs
Website: visascreen.co.uk
Contact: team@visascreen.co.uk
We process data for two categories of users:
Law firm subscribers (our direct customers)
- Name, email, and company name collected at signup
- Billing information processed by Lemon Squeezy (we never store card details)
- Usage data and login activity
Quiz visitors (end users on firm websites)
- Name, email, and phone number submitted via the quiz
- Quiz answers and eligibility results
- IP address and browser information
- GDPR consent timestamp and confirmation
Law firm subscriber data is used to provide the service, send lead notifications, process billing, and provide customer support.
Visitor data is collected on behalf of the law firm. In this context, VisaScreen acts as a data processor and the law firm is the data controller. We store visitor data securely and display it in the relevant law firm dashboard.
For subscriber data, we rely on contractual necessity and legitimate interest.
For quiz visitor data, we rely on explicit consent. The quiz includes a GDPR consent checkbox and we store consent confirmation with timestamp and IP address.
All data is stored on Supabase (London, UK region). Images are stored on Cloudinary (GDPR compliant CDN).
We do not sell personal data to third parties. Data is encrypted in transit and at rest. Access is restricted to authorised personnel only.
Law firm account data is retained while the account is active and for 90 days after cancellation.
Lead data is retained until the law firm deletes it or closes their account.
Widget analytics data is retained for 12 months.
We use the following sub-processors:
- Supabase (database and authentication) - EU/UK hosting
- Cloudinary (image storage) - GDPR compliant
- Lemon Squeezy (payments) - merchant of record
- Resend (transactional email) - email delivery
Individuals may have the right to:
- Access their data
- Rectify inaccurate data
- Erase data (right to be forgotten)
- Restrict processing
- Data portability
- Object to processing
To exercise these rights, email team@visascreen.co.uk.
Law firms using VisaScreen are data controllers for visitor data collected through their widget. Each law firm must maintain its own privacy policy explaining how it uses lead data collected via VisaScreen.
We use essential cookies only for authentication and core product functionality. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
VisaScreen is not directed at anyone under 18. We do not knowingly collect personal data from minors.
We may update this policy from time to time. If we make material changes, we will notify subscribers by email. Continued use of the service after changes constitutes acceptance of the updated policy.
Contact us: team@visascreen.co.uk
You also have the right to complain to the UK Information Commissioner's Office (ICO): ico.org.uk.