Privacy Policy

WorldPath AI — Global Relocation & Investment Migration Platform
Effective Date: March 5, 2026
Last Updated: March 5, 2026

1. Introduction

WorldPath AI ("we," "us," "our," or the "Company") operates a global relocation and investment migration platform accessible at worldpath.ai (the "Platform"). Our Platform helps users explore citizenship by investment (CBI), residence by investment (RBI), and visa programmes worldwide, and connects them with licensed service providers who deliver those services. We are committed to protecting your personal data and respecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the UK Data Protection Act 2018 (UK GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), and all other applicable international data protection laws. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our Platform, use our services, or communicate with us. It also describes your rights regarding your personal data and how to exercise them. By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue use of the Platform.

2. Data Controller

The data controller responsible for your personal data is:

WorldPath AI
Email: privacy@worldpath.ai
General Inquiries: team@worldpath.ai
For EU/EEA residents, you may also contact our Data Protection Officer (DPO) at: dpo@worldpath.ai

3. Personal Data We Collect

We collect a limited set of personal data necessary to connect you with the right service provider.

3.1 Data You Provide Through Our Consultation Request Form

When you submit an inquiry through our Platform, we collect:

Purpose of Inquiry: Your selected area of interest (e.g., citizenship by investment, residence by investment, visa programme).
First Name: Your first name to personalise communication.
Phone Number: Your phone number, including country code, as the primary means of contact.
Preferred Contact Method: Your chosen communication channel — Call, WhatsApp, Telegram, Botim, or Email.
Provider Preference: Whether you have a preference for a specific service provider, or would like us to recommend one.

3.2 Data You Provide Through Communication

Communication Data: Content of messages, emails, live chat conversations, and any follow-up correspondence between you and our team.

3.3 Data Collected Automatically

Technical Data: IP address, browser type and version, operating system, device type and identifiers, screen resolution, and language preferences.
Usage Data: Pages visited, time spent on each page, click patterns, referral source, search queries within the Platform, and session duration.
Cookie and Tracking Data: Cookies, pixel tags, and similar technologies as described in our Cookie Policy.

3.4 Data from Third Parties

We may receive limited data from: analytics and advertising partners (anonymised or pseudonymised data) and publicly available sources for compliance purposes.
Important: We do not collect or process passport copies, financial documents, medical certificates, criminal records, or any other immigration application documents. If your chosen service provider requires such documents, they will collect them directly under their own privacy policy and data processing agreements.

3.5 CCPA Categories Disclosure (California Residents)

The following table summarises the categories of personal information we have collected in the preceding 12 months, the sources, the business purposes, and the categories of third parties with whom we share each category:

We do not collect: biometric data, geolocation data, sensitive personal information, financial account information, or professional/employment information.
Sale and Sharing: We do not sell your personal information as defined under CCPA/CPRA. Sharing your inquiry data with licensed service providers constitutes a "business purpose" disclosure, not a "sale." Certain analytics cookies may constitute "sharing" for cross-context behavioural advertising under CPRA; you can opt out via our cookie consent manager or by enabling the Global Privacy Control (GPC) signal in your browser.

4. How We Use Your Data (Legal Bases)

We process your personal data for the following purposes and on the following legal bases:

4.1 Contract Performance (GDPR Art. 6(1)(b))

Connecting you with appropriate licensed service providers based on your inquiry, processing your consultation requests, managing your communication preferences, and following up on your inquiry to ensure you received assistance.

4.2 Legitimate Interests (GDPR Art. 6(1)(f))

Improving and optimising Platform functionality and user experience, conducting internal analytics and reporting, preventing fraud and ensuring security, and communicating service updates and relevant programme changes.

4.3 Legal Obligations (GDPR Art. 6(1)(c))

Complying with applicable regulatory requirements, responding to lawful requests from government and regulatory authorities, and maintaining records as required by applicable laws.

4.4 Consent (GDPR Art. 6(1)(a))

Sending marketing communications about relevant programmes and services, and placing non-essential cookies and tracking technologies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, contact us at privacy@worldpath.ai or use the unsubscribe link in marketing emails.

5. Who We Share Your Data With

We share your personal data only with the following categories of recipients, and only to the extent necessary:
Licensed Service Providers: When you submit a consultation request, we share your inquiry data (name, phone number, purpose, preferred contact method, and provider preference) with the selected or recommended service provider so they can contact you directly. Each service provider operates under their own privacy policy and terms of service.
Technology and Infrastructure Providers: Cloud hosting, email service providers, CRM systems, and analytics tools — all bound by data processing agreements.
Professional Advisors: Auditors, lawyers, and consultants engaged by us to ensure regulatory compliance.
We do not sell your personal data to third parties. We do not share your personal data with advertisers for their own marketing purposes.

6. International Data Transfers

As a global platform serving clients across multiple jurisdictions, your personal data may be transferred to and processed in countries outside your country of residence, including countries outside the EU/EEA. Where such transfers occur, we ensure appropriate safeguards are in place, including: EU Standard Contractual Clauses (SCCs) approved by the European Commission, UK International Data Transfer Agreements (IDTAs) where applicable, adequacy decisions by relevant data protection authorities, and binding corporate rules or equivalent contractual safeguards.

7. Data Retention

We retain your personal data for the following periods:
Inquiry and Contact Data: 3 years from the date of your last inquiry or communication.
Communication Records: 3 years from the date of last communication.
Analytics and Technical Data: 26 months from collection (anonymised data may be retained indefinitely).
Marketing Consent Records: For the duration of consent plus 3 years after withdrawal.
When data is no longer needed for any purpose, it is securely deleted or irreversibly anonymised.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256), access controls and role-based permissions, regular security assessments, employee training on data protection and confidentiality, incident response and breach notification procedures, and secure backup and disaster recovery systems. No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

8.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required under GDPR Article 33), notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34), and provide California residents with notification in accordance with California Civil Code §1798.82. Breach notifications will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.

9. Automated Decision-Making

WorldPath AI does not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. Our service provider matching is based on the preferences you submit (purpose, provider preference, contact method) and is reviewed by our team. You are never subject to a decision based solely on automated processing.

10. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

10.1 Rights Under GDPR (EU/EEA and UK Residents)

Right of Access: Obtain confirmation of whether we process your data and request a copy.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): Request deletion of your data where there is no compelling reason for continued processing.
Right to Restriction: Request that we limit processing in certain circumstances.
Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
Right to Object: Object to processing based on legitimate interests or for direct marketing.
Rights Related to Automated Decision-Making: Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

10.2 Rights Under CCPA/CPRA (California Residents)

Right to Know: Request disclosure of categories and specific pieces of personal information collected, the sources, the business purposes, and the categories of third parties with whom we share it.
Right to Delete: Request deletion of personal information collected from you.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell your personal information. However, you have the right to opt out of any sharing for cross-context behavioural advertising via our cookie consent manager or by clicking the "Do Not Sell or Share My Personal Information" link available in the Platform footer.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Authorised Agents: You may designate an authorised agent to submit a request on your behalf. The agent must provide written authorisation signed by you or a power of attorney. We may still require you to verify your own identity directly before fulfilling the request.
Financial Incentives: We do not offer financial incentives related to the collection, sale, or deletion of your personal information.

10.3 Rights Under LGPD (Brazilian Residents)

Brazilian residents have rights substantially similar to GDPR rights as outlined above, including access, correction, anonymisation, portability, deletion, information about sharing with third parties, and the right to petition the Autoridade Nacional de Proteção de Dados (ANPD). Our Data Protection Officer also serves as the encarregado for LGPD purposes and can be contacted at dpo@worldpath.ai.

10.4 Exercising Your Rights

To exercise any of your rights, contact us at: privacy@worldpath.ai
We will respond to verified requests within: 30 days for GDPR requests (extendable by 60 days for complex requests), 45 days for CCPA requests (extendable by 45 days with notice), and 15 business days for LGPD requests. We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.

11. Children’s Privacy

Our Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@worldpath.ai.

12. Third-Party Links

Our Platform may contain links to third-party websites, including government immigration portals, service provider websites, and external resources. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before submitting any personal data.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. We will notify you of material changes by: posting the updated policy on this page with a new "Last Updated" date, sending an email notification to registered users for significant changes, and displaying a prominent notice on the Platform. We encourage you to review this policy periodically. Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@worldpath.ai
General Inquiries: team@worldpath.ai
Data Protection Officer: dpo@worldpath.ai

15. Supervisory Authority

If you are located in the EU/EEA or the UK and believe that our processing of your personal data infringes data protection law, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
For UK residents, complaints can be directed to the Information Commissioner’s Office (ICO) at: https://ico.org.uk/make-a-complaint/
For Brazilian residents, complaints can be directed to the Autoridade Nacional de Proteção de Dados (ANPD) at: https://www.gov.br/anpd/

16. Annual Review

This Privacy Policy is reviewed at least once per calendar year, or more frequently when required by material changes to our data practices, applicable laws, or regulatory guidance. The "Last Updated" date at the top of this page reflects the most recent review.
This Privacy Policy was last reviewed and updated on March 5, 2026.