Privacy Policy

1. Introduction

Effective date: 20 May 2026Last updated: 20 May 2026

This Privacy Policy explains how THE CLOUDOPS LTD, a private limited company registered in England and Wales under company number 17112198, operating the website visatocambodia.com and trading as VisaToCambodia(“we,” “us,” or “our”), collects, uses, shares, and protects your personal data when you visit our website or apply for a Cambodia eVisa through our service.

Our registered office is Work.Life Manchester, Core 30, Brown Street, Manchester, England, M2 1DH, United Kingdom. For all matters relating to your personal data, we act as the Data Controller under the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (EU GDPR). This means we are responsible for deciding how and why your personal data is processed.

We are committed to handling your data lawfully, fairly, and transparently. We understand that applying for a visa requires you to entrust us with sensitive documents — including a scan of your passport and a personal photograph — and we treat that responsibility with the seriousness it deserves. This policy is written to be clear and readable, so you always know what happens to your information.

This policy applies to everyone who interacts with us: visitors who browse our website, applicants who submit a Cambodia eVisa request, and customers who have completed a purchase. It covers every channel through which we may collect your data, including our website, our application forms, our email communications, and our customer support tools. Wherever you are located in the world, we apply the same high standard of protection to your personal data.

Throughout this document we use a few defined terms. “Personal data” means any information that relates to an identified or identifiable individual. “Processing” means any operation performed on personal data, such as collecting, storing, using, sharing, or deleting it. A “processor” is a third party that processes personal data on our behalf and under our instructions. As Data Controller, we remain accountable for how our processors handle your data.

This policy should be read together with our Terms and Conditions and our Refund Policy, which together govern your use of our service. By using visatocambodia.com or submitting an application, you confirm that you have read and understood how your personal data will be handled as described here. If you do not agree with any part of this policy, please do not use our website or submit an application.

2. Data We Collect

We collect personal data that is necessary to process your visa application, operate our website, and meet our legal obligations. We follow the principle of data minimisation, which means we only collect what we genuinely need. Some of the data we collect — such as your passport details and photograph — is considered sensitive, and we apply additional care when handling it. We group the data we collect into three categories.

2.1 Personal Data You Provide

When you apply for a Cambodia eVisa or contact us, you provide the following personal data directly:

• Full name — as it appears on your passport
• Date of birth
• Nationality and country of citizenship
• Passport details — passport number, issue date, and expiry date
• Passport scan — a digital image of your passport biographical page
• Application photo — a recent passport-style photograph
• Email address
• Phone number
• Travel details — intended travel dates and your planned port of entry into Cambodia
• Occupation
• Billing address
• Payment information — your card details are entered directly into our payment processor, Stripe. We do not see, handle, or store your full card number; we only receive confirmation that a payment succeeded along with limited information such as the card type and last four digits.

2.2 Data Automatically Collected

When you browse visatocambodia.com, certain technical data is collected automatically by our systems and cookies:

• IP address
• Browser type and version
• Device type and identifiers
• Operating system
• Pages visited and the time spent on each page
• Referring URL — the site you arrived from
• Cookie data — small files stored on your device (see Section 9)

2.3 Data from Third Parties

We also receive limited personal data from trusted third parties:

• Payment confirmation from Stripe, confirming the status of your transaction
• Visa status updates from the Cambodian Immigration authorities, including approval, rejection, or requests for further information
• Reviews and feedback you submit through review platforms or surveys

3. How We Use Your Data (Lawful Bases)

Under UK and EU GDPR we must have a valid lawful basis for every purpose for which we process your personal data. We never collect more data than we need, and we only process it for the purposes described in this policy. The list below maps each purpose to its lawful basis so you can understand exactly why each processing activity takes place. The six lawful bases recognised by the GDPR are consent, contract, legal obligation, vital interests, public task, and legitimate interests; the bases we rely on are contractual necessity, legitimate interest, consent, and legal obligation.

• Processing and submitting your visa application — Lawful basis: Contractual necessity. We need your data to perform the service you have requested.
• Communicating with you about your application — Lawful basis: Contractual necessity.
• Providing customer support — Lawful basis: Contractual necessity and Legitimate Interest.
• Sending service notifications and status updates — Lawful basis: Contractual necessity.
• Processing payments — Lawful basis: Contractual necessity.
• Preventing and detecting fraud — Lawful basis: Legitimate Interest and Legal Obligation.
• Complying with legal and regulatory requirements — Lawful basis: Legal Obligation.
• Analysing anonymised website usage — Lawful basis: Legitimate Interest.
• Sending marketing communications — Lawful basis: Consent.

Where we rely on legitimate interests, we have carefully balanced our interests against your rights and freedoms, and we will only proceed where our interests are not overridden by your own. Where we rely on consent, you are free to withdraw it at any time, and doing so will not affect the lawfulness of any processing carried out before the withdrawal. In practice, the purposes above mean that we use your data to:

• Process and submit your application to the Cambodian authorities
• Communicate with you throughout the application lifecycle
• Provide support before, during, and after your application
• Send notifications about the progress and outcome of your application
• Process payments securely via Stripe and issue receipts
• Detect, prevent, and investigate fraud and misuse
• Comply with legal, tax, and regulatory obligations
• Improve our website and service through anonymised analytics
• Send marketing communications, where you have given consent
• Deliver your approved eVisa to you by email from evisa@visatocambodia.com

4. Who We Share Data With

We share your personal data only with the parties that are strictly necessary to deliver our service, comply with the law, or operate our business. Each recipient is bound by a contract — typically a Data Processing Agreement — that requires them to keep your data secure and to process it only for the purposes we specify. We carry out due diligence on our processors to satisfy ourselves that they provide appropriate safeguards. The table below sets out each recipient, the purpose of the sharing, the categories of data involved, and where the processing takes place.

To be absolutely clear about what we never do:

5. International Data Transfers

Because of the nature of our service, your personal data is transferred to, and processed in, countries outside the United Kingdom and the European Economic Area (EEA). In particular, your data may be transferred to:

• Cambodia — to submit your application to the Cambodian authorities
• The United States — to our payment processor, analytics, and certain infrastructure providers
• Pakistan — to our operational team who help process applications and provide support

Whenever we transfer your data internationally, we ensure an appropriate level of protection is in place using one or more of the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the UK and EU authorities
• Adequacy decisions, where the destination country is recognised as providing adequate protection
• Encryption of data in transit and at rest
• Data Processing Agreements (DPAs) with every processor that handles your data

We recognise that some of these destinations may not offer the same level of legal data protection as the UK or the EEA. The transfer of your application data to Cambodia is a necessary part of obtaining your visa, because only the Cambodian authorities can issue it. Where we transfer data to our payment processor and infrastructure providers in the United States, and to our operational team in Pakistan, we rely on the safeguards listed above to ensure your data continues to be protected to a standard that is essentially equivalent to UK and EU law. You may request a copy of the relevant safeguards by contacting us using the details in Section 15.

6. Data Retention

We keep your personal data only for as long as is necessary for the purposes for which it was collected, or for as long as the law requires. Our retention periods are:

• Application data (including passport scans and photos) — retained for 90 days after a decision is made on your application, then securely deleted
• Support communications — retained for 2 years to help resolve disputes and improve our service
• Payment records — retained for 7 years to comply with UK tax and accounting law
• Marketing consent records — retained until you withdraw your consent
• Anonymised analytics data — retained indefinitely, as it can no longer identify you

We determine these retention periods by considering the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data, whether we can achieve those purposes by other means, and our legal and regulatory obligations. In some circumstances we may retain data for longer where required to do so by law, or to establish, exercise, or defend legal claims.

When a retention period ends, we securely delete or irreversibly anonymise the relevant data. Secure deletion includes removing data from active systems and ensuring it is overwritten or rendered unrecoverable in backups during normal backup rotation cycles. Once data has been anonymised so that it can no longer be associated with you, we may retain and use it indefinitely without further notice, as it is no longer personal data.

7. Your Rights Under UK/EU GDPR

Under UK and EU GDPR, you have a number of rights over your personal data. Subject to certain legal conditions, you have the right to:

1. Access — request a copy of the personal data we hold about you
2. Rectification — ask us to correct inaccurate or incomplete data
3. Erasure— ask us to delete your data (“right to be forgotten”), subject to our legal retention obligations
4. Restriction — ask us to limit how we process your data
5. Data portability — receive your data in a structured, machine-readable format
6. Object — object to processing based on our legitimate interests
7. Withdraw consent — withdraw any consent you previously gave, at any time
8. Not be subject to automated decisions that have a legal or similarly significant effect (see Section 12)
9. Lodge a complaint with a supervisory authority (see Section 15)

To exercise any of these rights, email us at contact@visatocambodia.com. We will respond within 30 days. To protect your data, we may ask you to verify your identity before we act on a request. Exercising your rights is free of charge, though we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

California residents (CCPA).If you are a resident of California, the California Consumer Privacy Act gives you additional rights, including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of any “sale” of your personal information. As stated in Section 4, we do not sell personal data. We will not discriminate against you for exercising your CCPA rights. To make a CCPA request, contact us at the same email above.

8. Data Security

We take the security of your personal data seriously. Because you entrust us with sensitive documents such as your passport scan and photograph, we apply layered technical and organisational measures designed to protect your data against unauthorised access, accidental loss, alteration, or disclosure. These measures include:

• SSL/TLS encryption for all data transmitted between your device and our servers
• AES-256 encryption for data stored at rest
• Strict access controls, including role-based permissions and the principle of least privilege
• Regular security audits and vulnerability assessments
• Ongoing staff training on data protection and security
• A documented incident response plan to deal with any security event

Despite our safeguards, no method of transmission or storage is completely secure. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the affected individuals and the relevant supervisory authority (the ICO) without undue delay, and within 72 hours of becoming aware of it where required. Our notification will describe the nature of the breach, the likely impact, and the measures we are taking to address it.

9. Cookies and Tracking

We use cookies and similar technologies to operate our website, understand how it is used, and improve your experience. We group cookies into the following categories:

• Essential cookies — required for the website to function, such as keeping your application session active. These cannot be switched off.
• Analytics cookies — help us understand how visitors use our site, in aggregate and anonymised form.
• Functional cookies — remember your preferences to enhance your experience.
• Marketing cookies — used only with your consent, to measure the effectiveness of our communications.

You can manage or disable non-essential cookies at any time through our cookie banner or your browser settings. Disabling some cookies may affect how the website functions. For a full breakdown of the specific cookies we use, please see our Cookie Policy.

10. Children's Privacy

Our service is intended for adults and is not directed at children under the age of 18. We do not knowingly collect personal data from minors. Where a visa application is required for a child, it must be submitted by a parent or legal guardian, who is responsible for the data provided on the child’s behalf. If you believe we have inadvertently collected data from a minor without appropriate guardian consent, please contact us and we will delete it promptly.

11. Marketing Communications

We will only send you marketing communications if you have given us your explicit opt-in consent. Every marketing email we send contains a clear and easy way to unsubscribe, and you can withdraw your consent at any time.

Please note that service emails are not marketing. Communications such as application status updates, payment receipts, and delivery of your eVisa are essential to the service you requested, and you will continue to receive them even if you opt out of marketing. We never share your email address with third parties for their own marketing purposes.

12. Automated Decision-Making

We use limited automated processing only for fraud detection, to help identify suspicious or high-risk transactions and protect both you and us. This does not produce a legal or similarly significant decision about you on its own.

Crucially, we do not make automated decisions about visa approval. The decision to grant or refuse a visa is made entirely by the Cambodian government — we simply prepare and submit your application. If an automated process flags your transaction, you have the right to request human review, to express your point of view, and to contest the outcome. A member of our team will review any flagged case and reach a decision after considering all relevant information, ensuring that you are never subject to a purely automated decision that produces a legal or similarly significant effect without human involvement.

13. Third-Party Links

Our website may contain links to third-party websites, plugins, or services that are not operated by us. This Privacy Policy does not apply to those external sites. We are not responsible for the privacy practices or content of any third-party website. Clicking a link or enabling a third-party integration may allow that party to collect or share data about you, and any data you provide to them is governed by their own privacy policy, not ours. We encourage you to read the privacy policy of every site you visit before providing any personal data.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or the law. When we make a material change, we will notify you by email or through a prominent notice on our website before the change takes effect. The “Last updated” date at the top of this page always reflects the most recent revision, and we encourage you to review this policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please use the contact details below.