DIGITALGATE SARL Privacy Policy

Effective __ ______ 2025

1. Who We Are

DIGITALGATE SARL (RCCM CA/BG/2025B856, NIU 2362025M17734S), Avenue Gamal Nasser, Bangui, Central African Republic (CAR), develops and operates the E-Visa platform for the CAR. We are the “data controller” for the personal data described below.

Questions about this notice or our data-handling practices may be sent to:

  • Email: privacy@digitalgate.cf
  • Post: Data Protection Officer, DIGITALGATE SARL, Avenue Gamal Nasser, Bangui, CAR

2. Applicable Law

This policy is drafted to comply with:

  • Law No. 24.001 of 25 January 2024 on the Protection of Personal Data (“Law 24.001”).
  • Law No. 18.002 of 17 January 2018 on Electronic Communications (“Law 18.002”), including Articles 112–123.
  • Constitution of the CAR, Article 16, on inviolability of communications.
  • The EU GDPR (Regulation (EU) 2016/679) where applicable.

Until a dedicated Data Protection Authority is operational, supervisory powers under Law 24.001 rest with the competent ministry.

3. Key Definitions

  • Personal Data – information that identifies or can reasonably identify a natural person.
  • Processing – any operation performed on Personal Data.
  • Biometric Data – facial image or other physiological traits enabling unique identification.

4. What Data We Collect

CategoryTypical ItemsLegal Basis
Identity dataFull name, date & place of birth, nationality, sexContract / legal obligation
Travel & passport data Passport number, issue & expiry dates, visa category, travel itinerary Contract / legal obligation
Contact dataEmail, phone, postal addressContract / legitimate interest
Payment dataAmounts paid, masked card details, transaction IDsContract / legal obligation
Biometric dataPassport photo & live facial imageExplicit consent / public interest
Technical dataIP address, logs, device & browser info, cookiesLegitimate interest

5. Why We Process Your Data

  1. Visa application & issuance – receive, verify and adjudicate applications.
  2. Border management & security – authenticate travellers and prevent fraud.
  3. Customer communication – status updates, MagicLink delivery and support.
  4. Payment processing & accounting – collect consular fees and meet fiscal duties.
  5. Legal compliance – fulfil requests from competent authorities.
  6. Analytics & service improvement – aggregated statistics.

We do not use Personal Data for unsolicited direct marketing.

6. International Transfers

Servers are located in the CAR. Where we transfer data outside the CAR (e.g., to EU-based payment processors or cloud providers) we rely on:

  • Adequacy decisions under GDPR Article 45
  • Standard Contractual Clauses approved by the European Commission
  • Derogations in GDPR Article 49 (visa processing is an explicit legal necessity)

Transfers to third-country authorities occur only if required by CAR law or an enforceable international agreement.

7. Retention Periods

  • Application files: 10 years after visa expiry
  • Traffic & log data: 12 months (Law 18.002 Art. 116)
  • Payment records: 10 years (tax law)
  • Cookies: max 13 months (see Section 12)

We irreversibly anonymise or securely delete data once retention periods lapse.

8. Automated Decision-Making

Visa approval always includes human review. Automated checks (e.g., fraud scoring) only assist officers and do not produce legally binding decisions.

9. Security Measures

  • TLS 1.3 in transit; AES-256 at rest
  • Zero-trust network segmentation & MFA
  • OWASP Top-10 controls, pentesting, monitoring
  • Role-based access, audit logging, quarterly reviews
  • ISO/IEC 27001-aligned policies, breach notification within 72h

10. Your Rights

  1. Access – obtain a copy of your data
  2. Rectification – correct inaccuracies
  3. Erasure – request deletion when not needed or unlawful
  4. Restriction – pause processing during disputes
  5. Portability – receive data in machine-readable format
  6. Objection – object to processing based on legitimate interests
  7. Withdraw consent – e.g., biometric or cookies
  8. Complaint – lodge with ministry or future authority

Contact: privacy@digitalgate.cf. Response within 30 days.

11. Third-Party Recipients

  • CAR Ministry of Public Security & Immigration
  • ARCEP-licensed payment service providers
  • Customs & border officers
  • Cloud-hosting and email vendors under strict agreements

12. Cookies & Similar Technologies

Essential cookies are required for session management and fraud prevention. Analytical cookies require consent (via banner) and may be withdrawn anytime.

13. Children’s Data

E-Visa service is for applicants 16+. For minors, parents/guardians must complete the application and provide consent.

14. Biometric Images

Biometric data are used only for identity verification and fraud prevention. We rely on explicit consent and public-interest grounds. Templates are stored with advanced encryption and deleted 10 years after visa expiry.

15. Links to Third-Party Sites

Our site may link to airlines, hotels, or government portals. We do not control their practices and encourage you to read their notices.

16. Changes to This Policy

We may update this policy to reflect legal or technical changes. Material changes will be announced 14 days in advance on the website and by email where feasible.

17. Contact & Complaints

If you believe we have not respected your rights, you may contact:

  • Data Protection Officer – privacy@digitalgate.cf
  • Supervisory Ministry responsible for Personal Data Protection (interim authority under Law 24.001)
  • EU residents may also complain to their local supervisory authority under GDPR Art. 77
CAR-flag
E-VISACAR
© 2025 Electronic visas for the CAR