Privacy Policy
Last updated: February 2026
1. Introduction
GoldenVisa.report is operated by YerBak LLC ("we," "us," or "our"), a limited liability company incorporated in the State of Delaware, United States. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our property intelligence platform and report generation services.
We serve investors across 45 countries and are committed to complying with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK, Law No. 6698), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other regional data protection frameworks.
For the purposes of the GDPR, YerBak LLC is the data controller of your personal data.
2. Information We Collect
2.1 Checkout & Account Information
- Email address (provided during Stripe checkout or account registration)
- Full name (if you create an account)
- Authentication credentials (email/password or Google OAuth token)
2.2 Property Data
- Property addresses and geographic coordinates you submit for report generation
- Country and city selections from the map picker
2.3 Payment Information
- Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other sensitive payment information on our servers
- We retain your Stripe session ID and purchase status for order management
2.4 Usage & Analytics Data
- Page views, session duration, and navigation patterns (via Google Analytics 4)
- Country and report type selections
2.5 Technical Data
- IP address, browser type and version, device type, and operating system
- Referral source and pages visited
2.6 Marketing & Acquisition Data
- UTM parameters (source, medium, campaign) from referring links
- Ad click identifiers (Google Click ID, Meta Click ID, X Click ID)
- These are used solely for measuring advertising effectiveness
3. How We Use Your Information
- Report generation: Generate and deliver property intelligence reports based on your submitted locations
- Order management: Process payments, send purchase confirmations, and deliver report download links
- Service improvement: Analyze usage patterns to enhance the Platform's features, content, and performance
- Customer support: Respond to your inquiries and process refund requests
- Marketing (with consent): Send information about new features, country coverage, or offers where you have opted in
- Legal compliance: Meet obligations under applicable tax, accounting, and data protection laws
4. Legal Bases for Processing (GDPR)
If you are located in the EU/EEA, UK, or Turkey, we process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to fulfill your report purchase and deliver the ordered service
- Legitimate interest (Art. 6(1)(f) GDPR): Analytics, service improvement, fraud prevention, and platform security
- Consent (Art. 6(1)(a) GDPR): Marketing communications and advertising cookies/tracking pixels. You may withdraw consent at any time
- Legal obligation (Art. 6(1)(c) GDPR): Retaining payment records for tax reporting requirements
5. Third-Party Services & Data Sharing
We share your data with the following categories of third-party service providers, solely for the purposes described in this Policy:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, payment details |
| Google Maps Platform | Geocoding, places, maps, air quality, weather | Property coordinates |
| Google Earth Engine | Satellite imagery, flood risk, environmental analysis | Property coordinates |
| Supabase | Database, authentication, file storage | Account data, purchase records, reports |
| Vercel | Web hosting and edge delivery | IP address, request metadata |
| Resend | Transactional email (report delivery) | Email address, report link |
| Anthropic (Claude AI) | AI-generated report summaries | Aggregated property data (no PII) |
| Meta, Google, X | Advertising analytics | Hashed email (server-side), page events (client-side, with consent) |
We do not sell your personal data to any third party. We do not share your data for purposes unrelated to the operation of the Platform.
6. International Data Transfers
Your personal data may be transferred to and processed in the United States, where our infrastructure is hosted. For users in the EU/EEA, UK, or other jurisdictions with data transfer restrictions:
- We rely on EU Standard Contractual Clauses (SCCs) or equivalent mechanisms as adopted by our sub-processors
- Our sub-processors (Stripe, Google, Vercel, Supabase) maintain their own data protection certifications for international transfers
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Generated reports (PDF) | 90 days from date of purchase |
| Account data | Duration of account + 30 days after deletion |
| Payment records | 7 years (as required by tax and accounting regulations) |
| Analytics data | 26 months (Google Analytics 4 default) |
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 EU/EEA Residents (GDPR)
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data
- Right to restriction: Request limitation of processing in certain circumstances
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest or direct marketing
- Right to withdraw consent: Withdraw consent at any time
- Right to lodge a complaint: File a complaint with your local Data Protection Authority
8.2 Turkey Residents (KVKK)
Under Article 11 of the Turkish Personal Data Protection Law (KVKK, Law No. 6698), you have the right to learn whether your data is processed, request information about processing, learn the purpose, know third parties to whom data is transferred, request rectification, request deletion, object to automated decisions, and request compensation for damages caused by unlawful processing.
8.3 UK Residents (UK GDPR)
You have the same rights as EU/EEA residents. The supervisory authority is the Information Commissioner's Office (ICO).
8.4 California Residents (CCPA/CPRA)
- Right to know: Request disclosure of personal information collected
- Right to delete: Request deletion of personal information
- Right to opt-out of sale: We do not sell personal information
- Right to non-discrimination: We will not discriminate against you for exercising your rights
8.5 Other Jurisdictions
Users in jurisdictions with data protection laws (including UAE PDPL, Singapore PDPA, South Korea PIPA, Thailand PDPA, Australia Privacy Act 1988) may have similar rights. We respond to all legitimate requests within 30 days. Contact support@yerbak.com.
9. Cookies & Tracking Technologies
We use the following categories of cookies and tracking technologies:
| Category | Purpose | Required? |
|---|---|---|
| Essential | Authentication session, security tokens | Yes |
| Analytics | Google Analytics 4 (page views, sessions) | No (consent-based) |
| Advertising | Meta Pixel, Google Ads tag, X Pixel | No (consent-based) |
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Platform functionality.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit (TLS/HTTPS) for all data communications
- Secure payment processing via Stripe (PCI DSS compliant)
- Row-Level Security policies on our database for data isolation
- Rate limiting and abuse prevention on all endpoints
- HMAC-signed tokens for sensitive operations (access tokens)
While we take data security seriously, no method of transmission or storage is 100% secure. We encourage you to protect your account credentials and contact us immediately if you suspect unauthorized access.
11. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For registered users, we will provide email notice of material changes. Continued use of the Platform after changes take effect constitutes acceptance.
13. Contact
For privacy-related inquiries, data subject requests, or to exercise any of your rights, contact us at:
YerBak LLC — Data Protection
Email: support@yerbak.com
Registered in Delaware, United States
We aim to respond to all data subject requests within 30 days of receipt.