CitizensOS

Privacy Policy

Last updated: April 26, 2026

CitizensOS Inc. ("CitizensOS," "we," "us," or "our") respects your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. It applies to citizensos.ai, any subdomain we operate, and any service or application that links to this Policy (collectively, the "Services").

By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

1. Who We Are

CitizensOS is a Delaware C-corporation operating the CitizensOS platform — the world's first Mobility Asset Manager, helping users discover, plan, and execute international residency and citizenship rights. CitizensOS provides information, tools, and software. CitizensOS is not a law firm, an immigration consultancy, or a financial, tax, or investment advisor. We do not provide legal advice, immigration representation, financial planning advice, or investment advice. See our Terms of Service for the full disclaimer.

Contact for privacy matters: CitizensOS Inc. 169 Madison Ave, STE 88132 New York, NY 10016 Email: privacy@citizensos.ai

2. Information We Collect

We collect three categories of information directly. One of those categories — sensitive personal information — is treated with heightened safeguards described in Section 2.4. Identity-verification biometric information is described separately in Section 2.5.

2.1 Information You Provide Directly

When you sign up, complete an assessment, or use our Services, you may provide:

  • Account information: name, email address, password (stored as a hash), profile photo, account preferences, time zone, and language preference.
  • Assessment and planning information: country of citizenship, country of residence, language proficiency, education level, work history, family information (including ancestry and heritage information for descent-based citizenship pathways), travel and residency history, savings range, income range, retirement plans, intended destinations, and similar inputs you provide to receive personalized country matches and residency plans.
  • PassVault contents: documents and metadata you upload to organize your residency, citizenship, or visa application materials, including but not limited to: passports and national ID cards; birth, marriage, divorce, and death certificates; baptismal and naturalization records; police certificates and apostilles; tax records; bank statements and proof-of-funds documentation; prior visa, residency, or denial decisions; and translations and notarizations of any of the foregoing.
  • Payment information: billing name, billing address, and payment method details. We do not store full credit card numbers. Payment information is collected and processed by our payment processor, Stripe, Inc. See Section 5.
  • Identity verification submissions: when identity verification is required, the photographs and documents you submit through Stripe Identity. See Section 2.5.
  • Communications: the content of messages you send to us through email, contact forms, or chat, including any feedback or support requests.

2.2 Information Collected Automatically

When you use the Services, we and our service providers automatically collect:

  • Device and usage information: device type, operating system, browser type, IP address, language settings, screen resolution, referring URLs, pages viewed, links clicked, time spent on pages, assessment progression, and approximate location (derived from IP address).
  • Cookies and similar technologies: as described in our Cookie Policy.

2.3 Information from Third Parties

We may receive information about you from:

  • Authentication providers: if you sign in with Google, Apple, or another OAuth provider, we receive your email address, name, profile photo, and a unique provider identifier from that provider.
  • Payment processor: Stripe shares limited transaction data with us (e.g., last four digits of card, transaction status, billing country) so we can service your account.
  • Identity verification provider: Stripe Identity shares the result of identity verification checks (pass/fail, verification ID, and limited metadata about the document type and issuing country) so we can release verified-only features to you. See Section 2.5.
  • Analytics providers: aggregated usage data from the analytics tools described in our Cookie Policy.
  • Public sources: publicly available information used to enrich the country, program, and pathway data we surface in our Services (this is information about countries and programs, not about you).

2.4 Sensitive Personal Information and Identity Documents

Because the Services support residency, citizenship, and visa planning, much of the information we collect falls into categories considered "sensitive personal information" under one or more privacy laws. These categories include:

  • Government-issued identification documents: passport scans, national ID cards, driver's licenses, residence permits, social security numbers, tax identification numbers (TINs), and equivalent foreign identifiers;
  • Vital records: birth, marriage, divorce, and death certificates; baptismal records; naturalization certificates; adoption records;
  • Heritage and ancestry information: the names, birthplaces, dates of birth, marriages, deaths, and citizenship status of your ancestors and family members, used to evaluate eligibility for citizenship-by-descent pathways such as Italian jure sanguinis or Irish Foreign Births Register registration;
  • Financial information: income range, savings range, asset categories, proof of funds, and other financial data needed to evaluate eligibility for residency programs that have minimum solvency or investment requirements;
  • Tax-relevant information: information about citizenship, tax residence, prior tax filings, FATCA/FBAR reporting status (for U.S. persons), and account ownership disclosures that may be required by destination countries;
  • Immigration history: prior visas, residency permits, denials, removals, and travel records;
  • Religious or cultural affiliations: in limited cases relevant to a specific pathway (for example, Sephardic ancestry for certain Spanish or Portuguese pathways).

How we handle sensitive personal information:

  • We collect this information solely to provide the Services you have requested. We do not use it for advertising, profiling, or any purpose unrelated to the Services.
  • Sensitive personal information is encrypted at rest in our databases and encrypted in transit using TLS 1.2 or higher.
  • Access is restricted to personnel and service providers who need it to operate the Services, under role-based access controls and audit logging.
  • We do not sell, share, or use sensitive personal information for cross-context behavioral advertising as those terms are defined under California law.
  • You may request deletion of any specific document or category of sensitive personal information at any time, subject to legal retention requirements (Section 6).

2.5 Biometric Information (Stripe Identity)

CitizensOS uses Stripe Identity (operated by Stripe, Inc., the same company that processes our payments) to verify the identity of users when required for the Services — for example, to validate that a passport submitted to your PassVault belongs to you. As part of identity verification, Stripe Identity collects:

  • A live photograph of your face (a "selfie") taken at the time of verification;
  • Photographs of a government-issued identification document (such as a passport, national ID card, or driver's license) that you submit;
  • Biometric identifiers derived from those images, including facial geometry data used to compare your live selfie to the photograph on your identification document, for the sole purpose of confirming that the document belongs to you.

This information is biometric information under U.S. state biometric privacy laws and special-category personal data under the GDPR.

How we handle biometric information:

  • Consent. We collect biometric information only with your explicit consent at the time of identity verification. Consent is captured through a clear disclosure in the verification flow before any biometric data is collected. You may decline.
  • Purpose. We use biometric information solely to verify your identity for the Services. We do not use it for advertising, profiling, training of artificial intelligence models, or any purpose unrelated to identity verification.
  • Processing. Biometric information is processed by Stripe Identity in its capacity as our service provider. Stripe's handling of biometric data is also governed by the Stripe Privacy Policy and the Stripe Identity Service Agreement.
  • What CitizensOS retains. We retain only the minimum verification metadata needed to operate the Services: a verification ID, the pass/fail result, the document type and issuing country, and the date of verification. CitizensOS does not retain raw biometric identifiers, selfie images, or document images on its own systems. Those are held by Stripe Identity.
  • Retention schedule. We will permanently delete or de-identify all biometric verification metadata in our possession no later than three (3) years after our last interaction with you, and sooner where required by law or upon your request to delete your account. Stripe Identity retains the underlying biometric identifiers and images according to its own retention policies and applicable law; you may also request deletion directly from Stripe.
  • No sale or trade. We do not sell, lease, trade, or otherwise profit from your biometric information.

Illinois residents (BIPA). If you are an Illinois resident, you have specific rights under the Illinois Biometric Information Privacy Act ("BIPA"), including the right to written disclosure (this Section 2.5 provides that disclosure), the right to a written retention schedule (provided above), the right to be informed of any sale or trade of biometric information (we do not sell or trade), and the right to provide written consent before any biometric information is collected (consent is captured at the start of the verification flow). For questions about our BIPA practices, contact privacy@citizensos.ai.

Texas, Washington, and other state biometric laws. If you reside in a jurisdiction with biometric privacy laws — including Texas's Capture or Use of Biometric Identifier Act (CUBI), Washington's biometric law, or others — we comply with the requirements of those laws.

EU/UK residents (GDPR). Biometric data used to uniquely identify you is "special category personal data" under Article 9 of the GDPR. We process it on the basis of your explicit consent under Article 9(2)(a) and for the performance of an identity verification contract under Article 6(1)(b). You have the right to withdraw your consent at any time, in which case we will stop processing your biometric data going forward, though this will not affect the lawfulness of processing carried out before withdrawal.

You may decline to undergo identity verification, but doing so may prevent you from accessing features that require verification.

3. How We Use Your Information

We use your information to:

  • Provide, operate, maintain, and secure the Services, including account creation, authentication, identity verification, and customer support;
  • Match you to relevant residency, citizenship, and visa pathways and generate personalized plans;
  • Process payments and manage subscriptions;
  • Communicate with you about your account, transactions, security, and changes to the Services;
  • Send you marketing communications about CitizensOS (you can opt out at any time using the unsubscribe link or by emailing privacy@citizensos.ai);
  • Conduct analytics, research, and product development to improve the Services, including refinement of our scoring methodologies and assessment workflows;
  • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service;
  • Comply with legal obligations and enforce our agreements.

We do not use your personal information to train artificial intelligence or machine learning models that are made available to other CitizensOS users or third parties. We do not use biometric information for any purpose other than identity verification.

4. Legal Bases for Processing (EU/UK Users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on the following legal bases:

  • Performance of a contract: to provide the Services you have requested.
  • Legitimate interests: to operate, secure, and improve the Services, prevent fraud, and conduct analytics, where these interests are not overridden by your rights.
  • Consent: for marketing communications and certain cookies, where required.
  • Legal obligation: to comply with applicable laws.
  • Explicit consent (Article 9 GDPR): for processing of special-category personal data (such as heritage data, religious affiliations relevant to a pathway, and biometric data used for identity verification).

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before the withdrawal.

5. How We Share Your Information

We share information only as described below. We do not sell your personal information for monetary consideration, and we do not "share" it for cross-context behavioral advertising as those terms are defined under California law.

5.1 Service Providers

We share information with vendors who perform services on our behalf under written contracts that restrict their use of your information. Our principal service providers include:

  • Supabase, Inc. — authentication, database, and storage infrastructure;
  • Vercel, Inc. — hosting and content delivery;
  • Stripe, Inc. — payment processing and identity verification (including Stripe Identity, as described in Section 2.5);
  • Google LLC (where you sign in with Google) — federated authentication;
  • Email and customer support providers — transactional email and support ticketing;
  • Analytics providers — usage analytics, as described in our Cookie Policy.

5.2 Third-Party Professionals

If you choose to engage a third-party professional (such as an attorney, immigration consultant, tax advisor, translator, or document procurement specialist) through introductions facilitated by CitizensOS, you may authorize us to share specific portions of your information with that professional. We share only what you direct, and the third-party professional becomes an independent controller of any information you share with them. CitizensOS is not responsible for the third-party professional's information practices. See Section 11.2 of our Terms of Service for more on Third-Party Professionals.

5.3 Legal and Safety Disclosures

We may disclose information when we believe in good faith that disclosure is necessary to: comply with a subpoena, court order, or other legal process; respond to a lawful government request; protect the rights, property, or safety of CitizensOS, our users, or others; investigate potential violations of our Terms of Service; or detect, prevent, or address fraud or security issues.

5.4 Business Transfers

If CitizensOS is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

5.5 With Your Consent

We may share your information with other third parties when you direct us to do so or otherwise consent.

6. Data Retention

We retain your information for as long as your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, enforce our agreements, and operate the Services.

  • Account information: retained while your account is active and for up to 24 months after closure, unless a longer period is required by law.
  • Assessment data: retained while your account is active. You may delete individual assessments from your account at any time.
  • PassVault contents (uploaded documents): retained while you maintain an active subscription that includes document storage. Upon cancellation of your subscription:
  • You will have a 30-day grace period during which you can sign in and download your documents from your PassVault.
  • After the 30-day grace period, documents in your PassVault will be deleted from production systems.
  • Encrypted backups may persist for up to 90 additional days, after which they are also deleted.
  • You may also request immediate deletion at any time by emailing privacy@citizensos.ai.
  • Biometric verification metadata (CitizensOS systems): verification ID, pass/fail result, document type, issuing country, and date of verification, retained for no more than three (3) years after our last interaction with you, and sooner upon account deletion or upon your request. Underlying biometric identifiers and images are held by Stripe Identity according to its policies; see Section 2.5.
  • Payment records: retained for at least seven years to comply with tax and accounting obligations.
  • Support communications: retained for up to three years.
  • Backup copies: may persist in encrypted backups for up to 90 days after deletion from production systems.

You may request deletion of your account and associated data at any time. See Section 7.

7. Your Privacy Rights

7.1 All Users

Regardless of where you live, you can:

  • Access the personal information we hold about you;
  • Correct inaccurate or incomplete information;
  • Delete your account and associated personal information, subject to legal retention requirements;
  • Export a copy of your information in a portable format;
  • Opt out of marketing communications.

To exercise these rights, email privacy@citizensos.ai from the email address associated with your account, or use the controls in your account settings.

7.2 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we share it;
  • Right to delete personal information we have collected from you;
  • Right to correct inaccurate personal information;
  • Right to limit use of sensitive personal information to that which is necessary to perform the Services;
  • Right to opt out of sale or sharing — as noted, we do not sell or share personal information as those terms are defined under California law;
  • Right to non-discrimination for exercising your rights.

You may exercise these rights by emailing privacy@citizensos.ai. We will verify your request by confirming your control of the email address on file. You may also designate an authorized agent to make a request on your behalf.

7.3 EU/UK Residents (GDPR/UK-GDPR)

If you are in the EEA, UK, or Switzerland, you also have the right to:

  • Object to processing based on legitimate interests;
  • Restrict processing in certain circumstances;
  • Withdraw consent for processing based on consent (including consent to biometric processing under Article 9);
  • Lodge a complaint with your local data protection authority.

You may contact us at privacy@citizensos.ai to exercise these rights.

7.4 Illinois Residents (BIPA)

If you are an Illinois resident, in addition to the rights above you have specific rights under BIPA regarding biometric information collected through Stripe Identity. See Section 2.5.

8. International Data Transfers

CitizensOS is based in the United States. Our infrastructure, our team, and our service providers operate across multiple countries. The nature of cross-border mobility planning means that international data transfers are inherent to the Services.

Examples of international transfers that may occur in the course of providing the Services:

  • A U.S. user pursuing Italian citizenship by descent may have their genealogical records and supporting documents reviewed by partner professionals or processed by Italian comune offices, consulates, or courts;
  • A user pursuing Portuguese, Spanish, or Greek residency may have their financial documentation transferred to those countries' authorities or to in-country service providers;
  • A user pursuing Irish Foreign Births Registration may have records transferred to Irish authorities;
  • Your information may be processed by our service providers operating in the United States, the European Union, the United Kingdom, Canada, or other countries where our infrastructure or vendors operate.

When we transfer personal information from the EEA, UK, or Switzerland to the United States or to other countries that have not received an adequacy decision, we rely on appropriate safeguards, which may include:

  • Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office;
  • The UK International Data Transfer Agreement or the UK Addendum to the EU SCCs;
  • Where the transfer is to a third-party professional you have engaged, your explicit consent to that specific transfer for the specific purpose of advancing your application;
  • Other lawful transfer mechanisms as they become available.

You may contact privacy@citizensos.ai for a description of the specific transfer mechanism applicable to your information.

9. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption in transit using TLS 1.2 or higher for all communications between you, our Services, and our service providers;
  • Encryption at rest of personal information stored in our databases, including identity documents and PassVault contents;
  • Role-based access controls so that personnel access only the information needed to perform their duties;
  • Vendor due diligence including data processing agreements with service providers and sub-processors;
  • Logging and monitoring of access to sensitive personal information;
  • Regular security reviews including vulnerability scanning and security testing.

No system is perfectly secure, however, and we cannot guarantee the absolute security of your information.

If we become aware of a breach affecting your personal information, we will notify you and applicable regulators as required by law.

10. Children's Privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you are under 16, do not use the Services or provide us with information. If we learn that we have collected information from a child under 16, we will delete it. Parents or guardians who believe we have collected information from a child should contact privacy@citizensos.ai.

Heritage and ancestry information about your relatives, including children, may be collected as part of an eligibility assessment. This information is provided by you about third parties; it is not collected directly from those individuals.

11. Cookies and Tracking

We use cookies and similar technologies as described in our Cookie Policy. You can control cookies through your browser settings and through any cookie consent tool we display.

12. Third-Party Links and Services

The Services may link to third-party websites and services that are not operated by CitizensOS. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address on file) or by a prominent notice on the Services before the change takes effect. The "Last updated" date at the top of this Policy reflects the most recent revision.

14. Contact Us

Questions, concerns, or requests regarding this Policy or your personal information:

CitizensOS Inc. Attn: Privacy 169 Madison Ave, STE 88132 New York, NY 10016 Email: privacy@citizensos.ai