Immio

§ Legal — Form IM-P

Last updated: 25 April 2026

Privacy Policy.

Immio collects only what is necessary to run the planning service and never sells your data. This policy explains what is collected, how it is used, who else touches it, and how you exercise your rights under California law.

§ 1

Information we collect

Information you provide

We collect account information (name, email address); immigration profile data (visa status, country of birth, employment, priority dates, case receipt numbers, dependents); chat messages with our AI assistant; and payment information processed by Stripe (we do not store card numbers).

Sensitive personal information

Under the CCPA as amended by AB 947, immigration and citizenship status are classified as Sensitive Personal Information. We collect and process this data solely to provide our immigration information service.

§ 2

How we use your information

We use your information to provide and improve the service; generate personalized scenario evaluations; power AI-assisted informational chat; send visa bulletin change, processing time, and deadline notifications; and process payments and comply with legal obligations.

We do not sell personal information, share immigration data with USCIS or ICE, use your data for advertising, or train AI models on your chats.

§ 3

Your rights under CCPA

You have the right to know what personal information we collect and how it is used; delete your personal information (with limited exceptions); correct inaccurate personal information; opt out of sale or sharing (we do not sell or share); limit use of Sensitive Personal Information; and exercise these rights without discrimination.

Contact privacy@immio.ai or use in-app Settings. We respond within 45 days.

§ 4

Data security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). The database is hosted on Supabase (SOC 2 Type 2). Row-level security ensures users only access their own data.

§ 5

Data retention

Account and immigration profile data: retained while active; deleted within 30 days of closure. Chat conversations: 12 months, then auto-deleted. Payment records: as required by law (typically 7 years). Usage analytics: anonymized after 90 days. Consent acknowledgements: anonymized when your account is deleted (your user ID is removed); the version, timestamp, and hashed metadata are retained as a legal audit trail of informed consent.

§ 6

Third-party services

Supabase (database and auth), Anthropic (AI), Stripe (payments), Resend (email), Sentry (error monitoring), Vercel (hosting).

§ 7

End of Privacy Policy.