Legal
Privacy Policy
This policy explains what personal data EuropeVerified collects, why, and how it is used. It applies to all visitors and users of europeverified.com and is effective as of May 8, 2026.
EuropeVerified is operated by Sebastian Mueller, Las Vegas, NV, United States. For contact details, see the Impressum.
Section 1
Who we are and how to reach us
The data controller responsible for this website is:
Email: see Impressum (bot-protected)
Website: europeverified.com
If you have any questions about this Privacy Policy or wish to exercise your rights, contact us via the Impressum email or contact form.
Section 2
What data we collect and why
2.1 — Automatically collected data (server logs)
When you visit this website, our hosting provider (Vercel) automatically records standard server log data including your IP address, browser type, operating system, referring URL, pages visited, and timestamps. This data is used solely for security monitoring and performance purposes. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Retention: up to 30 days.
2.2 — Analytics (Google Analytics)
We use Google Analytics to understand how visitors use the site — which pages are popular, how long visits last, and where traffic comes from. Google Analytics uses cookies to collect this data and may transfer data to Google servers in the United States. We have enabled IP anonymization. This processing only occurs with your consent, obtained via our cookie banner. Legal basis: consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by adjusting your cookie preferences. For more information, see Google's Privacy Policy.
2.3 — Contact form submissions
When you use the contact form on our Impressum page, we collect your name and message. This data is transmitted via Formspree (see Section 5) and delivered to our inbox. We use this data solely to respond to your inquiry. Legal basis: contract or pre-contractual measures (Art. 6(1)(b) GDPR) or legitimate interests (Art. 6(1)(f) GDPR). Retention: as long as necessary to resolve your inquiry, typically no longer than 12 months.
2.4 — Cookies and local storage
We use cookies and browser local storage for the following purposes:
| Cookie / Key | Purpose | Type | Basis |
|---|---|---|---|
| theme | Stores your light/dark mode preference | Functional | Legitimate interest |
| _ga, _gid | Google Analytics visitor tracking | Analytics | Consent |
| _gat | Google Analytics rate limiting | Analytics | Consent |
| ev-matcher-state | Visa matcher answers (browser local storage; see Section 4) | Functional | Legitimate interest |
| ev-matcher-rl | Visa matcher rate-limit counter (Cloudflare Turnstile + Vercel KV) | Security | Legitimate interest |
You can manage or withdraw cookie consent at any time via our cookie preference center (banner shown on first visit) or by adjusting your browser settings.
Section 3
Legal bases for processing (GDPR)
Where GDPR applies, we process personal data on the following legal bases:
Consent — Art. 6(1)(a)
Analytics cookies and any future marketing communications. You may withdraw consent at any time.
Contract — Art. 6(1)(b)
Processing necessary to respond to your inquiries or provide a service you have requested, including delivering visa matcher reports.
Legal obligation — Art. 6(1)(c)
Where we are required to retain data by applicable law (e.g. tax records).
Legitimate interests — Art. 6(1)(f)
Server logs for security and performance, abuse prevention (rate limits, bot protection), and storing your theme preference.
Section 4
Visa matcher data flow
The visa matcher is an interactive tool that walks you through documented criteria for German residence permits and produces a report based on your answers. This section explains what data the matcher collects, where it lives, how long it is retained, and how email is handled.
4.1 — What the tool does
The matcher asks you a series of questions about your circumstances and applies your answers to documented criteria from the German Residence Act (Aufenthaltsgesetz / AufenthG) and related statutes. It returns information about which criteria appear to be met, with sources and dates. It is an information service. It is not legal advice, and it does not produce an eligibility determination — those are made by German authorities. See the disclaimers shown alongside every result.
4.2 — What data is collected, where it lives, and for how long
| Data | Where it lives | Retention |
|---|---|---|
| Your matcher answers | Browser local storage on your device | Until you clear it; auto-expires 30 days after last activity |
| Email + answers (at PDF request) | Vercel function memory only — not written to any persistent EuropeVerified store | Released when the function exits, typically within seconds |
| Generated PDF | Vercel function memory; emailed as attachment | Not stored. Your inbox is the only durable copy |
| Email-provider delivery logs | Resend (transactional email provider) | Per Resend's retention policy — see Section 5 |
| Rate-limit counters | Vercel KV / Upstash (hashed identifier, not your email in plaintext) | Auto-expires on the rate-limit window (per-hour, per-day, per-month) |
4.3 — Email handling
When you request a PDF report, you provide an email address. We use that address only to send your report. We don't share it. We don't add you to any list unless you separately and explicitly opt in.
Legal basis: contract performance (Art. 6(1)(b) GDPR) — you requested the report and we deliver it. The transactional email contains only the report and the disclaimers shown alongside it. We do not include promotional content.
4.4 — Abuse prevention
To prevent abuse of the matcher (volumetric attacks, email-bombing, scraping), we apply rate limits per IP address and per email address, and we use Cloudflare Turnstile to detect automated submissions. Counters are stored as short-lived hashes — not your email in plaintext — and expire automatically on their respective rate-limit windows. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — protecting the service from abuse and ensuring availability for legitimate users.
4.5 — Your rights specific to matcher data
Because the matcher is session-only, most of your data lives on your device, not on our servers. To delete your matcher answers, clear your browser's local storage for europeverified.com — that removes them entirely. The PDF you received via email is in your inbox; manage or delete it through your email provider.
If you would like us to confirm what data, if any, persists in our service-provider logs (Resend delivery logs, Vercel KV rate-limit counters), or to request deletion of any data we may hold, contact us via the Impressum. The full set of GDPR rights described in Section 7 applies.
Section 5
Third-party service providers
We use the following third-party services to operate the platform. Each acts as a data processor under a data processing agreement, or as an independent controller where indicated.
Vercel Inc.
Hosting & infrastructureAll website traffic is served via Vercel's global edge network. Vercel processes server log data including IP addresses. Vercel also operates Vercel KV, used for matcher rate-limit counters. Vercel is certified under the EU-US Data Privacy Framework. Vercel Privacy Policy →
Sanity.io
Content management (backend only)Sanity stores our editorial content. It does not process any visitor or user data directly. No Sanity code runs in your browser. Sanity Privacy Policy →
Formspree
Contact form processingWhen you submit the contact form, your name and message are transmitted to Formspree's servers and forwarded to our inbox. Formspree may temporarily store submission data. Formspree is GDPR-compliant. Formspree Privacy Policy →
Resend
Transactional email (visa matcher PDFs)When you request a visa matcher report, we use Resend to deliver the PDF to your email address. Resend processes your email address and the email contents to perform delivery, and retains delivery logs (delivery status, timestamps, bounce data) per its own retention policy. Resend offers EU data region processing for users subject to GDPR. Resend Privacy Policy →
Cloudflare Inc.
DNS, domain, email routing, and bot protectionOur domain is registered and managed via Cloudflare, which also handles DNS resolution and email routing (forwarding inbound email to our inbox). We additionally use Cloudflare Turnstile on the visa matcher's email submission step to detect automated abuse. Turnstile processes minimal browser metadata to score submission legitimacy and does not use third-party cookies. Cloudflare Privacy Policy →
Google LLC (Analytics)
Website analyticsGoogle Analytics collects anonymized usage data via cookies when you have given consent. Data may be transferred to Google servers in the United States under the EU-US Data Privacy Framework. Google Privacy Policy →
Google LLC (Gmail)
Email communicationsEmails sent to or from our contact address are processed via Google's Gmail infrastructure. Google acts as an independent controller for its own email services. Google Privacy Policy →
GitHub Inc.
Source code hostingOur codebase is hosted on GitHub. GitHub does not process any visitor or user data from europeverified.com. GitHub is operated by Microsoft Corporation. GitHub Privacy Policy →
Section 6
International data transfers
EuropeVerified is operated from the United States. Some of our service providers (including Vercel, Resend, Cloudflare, and Google) may process data on servers located outside the European Economic Area (EEA). Where this occurs, we rely on appropriate safeguards including the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or adequacy decisions issued by the European Commission.
Section 7
Your rights
If you are located in the European Union or European Economic Area, you have the following rights under GDPR. To exercise any of them, contact us via the Impressum.
Right of access — Art. 15
Request a copy of the personal data we hold about you.
Right to rectification — Art. 16
Request correction of inaccurate or incomplete data.
Right to erasure — Art. 17
Request deletion of your personal data ('right to be forgotten').
Right to restriction — Art. 18
Request that we limit how we process your data in certain circumstances.
Right to portability — Art. 20
Receive your data in a structured, machine-readable format.
Right to object — Art. 21
Object to processing based on legitimate interests, including for analytics.
Right to withdraw consent
Where processing is based on consent, withdraw it at any time without affecting prior processing.
Right to lodge a complaint
File a complaint with your local data protection authority. In Germany: Bundesbeauftragter für den Datenschutz (BfDI).
We will respond to all requests within 30 days. We may ask you to verify your identity before processing a request.
Section 8
Data retention
We retain personal data only for as long as necessary for the purpose it was collected, or as required by law. Server logs are retained for up to 30 days. Contact form submissions are retained for up to 12 months from the date of the inquiry. Analytics data is retained according to Google Analytics default retention settings (up to 26 months) and only where consent has been given. Visa matcher data follows the retention rules described in Section 4. We do not sell personal data to third parties.
Section 9
Children's privacy
EuropeVerified is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, please contact us and we will delete it promptly. The visa matcher displays a notice on the Student Visa flow recommending that users under 18 consult a parent or guardian when planning their next steps.
Section 10
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The effective date at the top of this page will be updated accordingly. We encourage you to review this page periodically. Continued use of the site after changes constitutes acceptance of the updated policy.