Skip to content
EB5 Status
Back to Home

Privacy Policy

How EB5 Status collects, uses, and protects your information

Version 2.0 — Effective March 11, 2026. This policy was updated to reflect account-based services including onboarding data collection, user preferences, and notification settings.

Overview

EB5 Status is committed to protecting your privacy. This privacy policy explains what information we collect when you visit our website or create an account, how we use it, and what choices you have. By using EB5 Status, you consent to our privacy practices as described in this policy.

Data Controller: EB5 Status is the data controller responsible for deciding how your personal data is collected, used, and stored. Data Processor: Supabase, Inc. processes and stores account data on our behalf under a data processing agreement. Your data is hosted in Supabase-managed PostgreSQL databases in the United States (AWS us-east-1).

Information We Collect

Passive Information

When you visit EB5 Status, we automatically collect certain information about your device and browsing activity. This includes your IP address, browser type, operating system, referring URL, pages visited, and time spent on pages. We collect this information through server logs and analytics tools to understand how users interact with our site.

Account Data

When you create an EB5 Status account, we collect and store the following information:

  • Email address — used for authentication, password resets, and notifications. This is the only required field.
  • Password hash — if you sign up with email/password, your password is hashed using bcrypt before storage. We never store or have access to your plaintext password. OAuth users (e.g., Google sign-in) have no password stored by EB5 Status.
  • Country of chargeability — collected during onboarding to personalize visa bulletin cutoff dates and dashboard data for your country.
  • User role — collected during onboarding (e.g., investor, attorney, regional center professional, researcher). Used to tailor dashboard content and future features.
  • Tracked metrics — which EB-5 data categories you choose to follow (visa bulletin, processing times, filing trends, approval rates, FOIA data, country backlogs).
  • Notification preferences — which email alerts you opt into (visa bulletin updates, processing time changes, FOIA releases, new articles) and your preferred notification frequency (instant, daily, weekly).
  • Watchlist selections — countries and categories you follow for personalized tracking.

Country, role, tracked metrics, and notification preferences are collected during a one-time onboarding flow after account creation. All fields except email are optional and may be updated or removed at any time from your account settings.

Information from Forms

If you contact us through a contact form, subscribe to a newsletter, or register for any service on EB5 Status, we collect the information you provide, which may include your name, email address, and message content. This information is used to respond to your inquiry or fulfill the requested service.

Payment Information

If you subscribe to a paid plan, payment is processed by Stripe. We do not store your credit card number, CVV, or full billing details on our servers. We receive and store only a transaction identifier, plan type, subscription status, and billing cycle dates from Stripe. Stripe's privacy policy governs their handling of your payment information.

Analytics Data

We use privacy-focused analytics (Vercel Analytics) to track aggregated, non-personally identifiable information about how users interact with our site. This includes:

  • Page views and navigation paths
  • Feature usage (which dashboard tabs, charts, and tools are used)
  • Device type, browser, operating system, and screen size
  • Referral sources and geographic region (country-level, not precise location)

Analytics data is not linked to individual accounts and helps us improve content, design, and user experience. We do not use Google Analytics or any advertising-linked tracking.

How We Use Information

We use the information we collect for the following purposes:

  • Provide, maintain, and improve EB5 Status services and user experience
  • Authenticate your identity and manage your account
  • Personalize your dashboard with data relevant to your country and visa category
  • Send alert notifications when visa bulletin dates, processing times, or other tracked data change
  • Send newsletters and informational updates (when you subscribe)
  • Process subscription payments and manage billing
  • Respond to inquiries, feedback, and support requests
  • Analyze site usage patterns and user behavior
  • Embed watermarks in exported data files (timestamp, account identifier, unique export ID)
  • Detect, prevent, and address technical issues and security concerns
  • Comply with legal obligations and law enforcement requests

Alert Notifications

If you opt into alerts, we send email notifications when data relevant to your watchlist changes — for example, when a new visa bulletin is published, when processing times update, or when a cutoff date moves for your country and category. Alert emails are sent to the email address associated with your account.

You may configure which alerts you receive or disable all alerts from your account settings. You may also unsubscribe from alert emails using the unsubscribe link in any alert email.

Alert emails may include open-tracking pixels and click tracking to help us measure engagement and improve notification quality. You can disable this tracking by configuring your email client to block remote images.

Cookies and Session Management

EB5 Status uses cookies and similar tracking technologies to enhance your browsing experience, authenticate logged-in users, and collect analytics data.

Essential Cookies

Required for basic site functionality, security, and authentication. These include session cookies that keep you logged in and CSRF tokens that protect form submissions. These cookies cannot be disabled without impairing site functionality.

Authentication Cookies

When you log in to your account, we set secure, HTTP-only session cookies that identify your authenticated session. These are managed by Supabase Auth and include an access token and refresh token. Session cookies expire after 30 days of inactivity or when you log out.

OAuth Provider Cookies

If you sign in with Google (or another OAuth provider), the provider may set its own cookies during the authentication flow. These cookies are governed by the provider's privacy policy (e.g., Google's Privacy Policy). EB5 Status does not control or have access to OAuth provider cookies.

Analytics Cookies

Track how you use EB5 Status to help us understand user behavior and improve our content and design. We use Vercel Analytics for privacy-focused, aggregated usage metrics.

Preference Cookies

Remember your preferences and choices, such as theme preferences, language selection, or locale, to personalize your experience.

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, blocking essential or authentication cookies will prevent you from logging in and using account features.

Third-Party Services and Authentication

EB5 Status uses third-party services that may collect information about you:

OAuth Authentication Providers

You may create an account or log in using a third-party OAuth provider such as Google. When you authenticate via an OAuth provider, we receive your email address and basic profile information (name and profile picture) from that provider. We do not receive or store your password from the OAuth provider. The OAuth provider may record that you authorized EB5 Status; their privacy policy governs their handling of that information.

Supabase (Authentication and Database)

We use Supabase for user authentication and data storage. Your account data, preferences, and watchlist are stored in a Supabase-managed PostgreSQL database hosted in the United States. Supabase processes data on our behalf under their data processing agreement.

Stripe (Payment Processing)

Paid subscriptions are processed by Stripe. Stripe collects and processes your payment information directly. We receive only transaction identifiers and subscription status from Stripe. Stripe's privacy policy and PCI-DSS compliance govern their handling of payment data.

Vercel (Hosting)

Our site is hosted on Vercel. Vercel processes requests and may collect server logs, IP addresses, and performance metrics on our behalf.

Kit (formerly ConvertKit) — Email Marketing

If you subscribe to our newsletter, your email address is stored by Kit (formerly ConvertKit). Kit may track email opens and link clicks. Kit's privacy policy governs their handling of subscriber data.

Resend — Transactional Email

We use Resend to send transactional emails including account verification, password resets, and alert notifications. Resend processes your email address on our behalf to deliver these messages. Resend's privacy policy governs their handling of email data.

Third-party services have their own privacy policies, which we encourage you to review. We are not responsible for their practices.

Data Security

EB5 Status takes reasonable measures to protect your information from unauthorized access, alteration, disclosure, and destruction. We use industry-standard security practices including encryption in transit (TLS), secure servers, row-level security policies on database tables, and access controls.

Passwords are never stored in plain text. If you authenticate via email and password, your password is hashed using bcrypt before storage. If you authenticate via OAuth, no password is stored by EB5 Status.

However, no security system is impenetrable. While we strive to protect your information, we cannot guarantee absolute security. You use EB5 Status at your own risk. If you believe your account has been compromised, please contact us immediately.

Data Retention and Account Deletion

We retain your account information for as long as your account is active. If you cancel a paid subscription, your account reverts to a free account and your data is retained unless you request deletion.

Account Deletion

You may request deletion of your account and all associated data at any time by contacting us or using the account deletion option in your account settings. Upon receiving a deletion request, we will permanently delete your account data within 30 days, including your email address, preferences, watchlist, and alert history.

What We Retain After Deletion

After account deletion, we may retain anonymized, aggregated analytics data that cannot be linked back to you. We may also retain records required by law (e.g., payment transaction records for tax and accounting purposes) for up to 7 years. Export watermark logs are retained for 12 months to enforce data licensing terms.

Newsletter Subscribers

If you subscribed to our newsletter without creating an account, your email address is retained until you unsubscribe. You can unsubscribe at any time using the link in any newsletter email.

Inactive Accounts

Free accounts with no login activity for 24 months may be flagged for deletion. We will send a notification email before deleting an inactive account, giving you the opportunity to log in and retain your data.

Your Rights

Depending on your jurisdiction, you have certain rights regarding your personal information under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA):

  • Right of Access — You can request access to the personal information we maintain about you, or view it directly in your account settings. (GDPR Article 15; CCPA § 1798.100)
  • Right to Rectification — You can update your account information at any time through your account settings, or request that we correct inaccurate information. (GDPR Article 16)
  • Right to Erasure (Right to be Forgotten) — You can request deletion of your account and all associated personal data. Upon request, we will permanently delete your data within 30 days, subject to legal retention requirements. (GDPR Article 17; CCPA § 1798.105)
  • Right to Data Portability — You can request a copy of your personal data in a structured, commonly used, machine-readable format (JSON or CSV). (GDPR Article 20)
  • Right to Opt Out — You can opt out of marketing communications, alert notifications, and non-essential analytics at any time. EB5 Status does not sell personal information to third parties. (CCPA § 1798.120)
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights. (CCPA § 1798.125)

To exercise these rights, use the relevant options in your account settings or contact us at the address below. We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA). If we require additional time, we will inform you of the reason and extension period.

Changes to Policy

EB5 Status may update this privacy policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a revised date. If we make material changes that affect how we handle your personal information, we will notify account holders by email. Your continued use of EB5 Status following publication of changes constitutes your acceptance of the updated policy.

Contact

If you have questions about this privacy policy or how we handle your information, please contact us. We are committed to addressing your privacy concerns promptly and professionally.

Version 2.0 — Last updated: March 11, 2026. Effective: March 11, 2026.

Previous version (1.0) effective January 2026.

EB5 Status is for educational purposes only. Not legal or investment advice.