Privacy Policy

Introduction to NMDS OÜ Privacy Policy


At Nomads Embassy®, a trademark of NMDS OÜ, we understand that privacy and data security are of paramount importance, especially in today’s digitally connected world. Our privacy policy reflects our commitment to protecting the personal data of our clients and website visitors. This introduction outlines the core principles and approaches of our privacy practices:


Our Mission and Services:


NMDS OÜ, through Nomads Embassy®, specializes in facilitating digital nomad visa applications by connecting clients globally with a network of legal partners. Our services are designed to simplify the complexities of visa applications for digital nomads, striving for a smooth, transparent, and efficient process.


Scope of the Privacy Policy:


This policy applies to all personal data processed by Nomads Embassy®. It encompasses data collected through our website, during service provision, and in interactions with our clients and partners.


Global Operations and Compliance:


Recognizing our global reach, with services offered across 25 destinations, our privacy policy is crafted to comply not only with Estonian laws but also with relevant international data protection standards, including GDPR.


Data Protection Principles:


We adhere to key data protection principles, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.


Client-Centric Approach:


The privacy and security of our clients’ data are at the forefront of our operations. We are committed to ensuring that our clients have control over their personal information, in line with their data protection rights.


Partnerships and Third-Party Interactions:


Our collaboration with distinguished law firms in each of the countries we cover is grounded in mutual respect for data protection. We ensure that our partners uphold similar standards of privacy and confidentiality.

Transparency and Communication:


Clear, accessible communication about how we collect, use, store, and protect personal data is a key component of our policy. We believe in keeping our clients informed and empowered regarding their data.


User Rights and Empowerment:


We recognize and facilitate the exercise of user rights under GDPR, including access, rectification, erasure, restriction, data portability, objection, and rights related to automated decision-making.


Security and Data Integrity:


Safeguarding personal data against unauthorized access, disclosure, alteration, and destruction is integral to our privacy strategy. We employ advanced security measures and continuously review our practices to address emerging threats.


Continuous Improvement:


Our privacy policy and practices are not static; they evolve with changing legal requirements, technological advancements, and our expanding global services.


This introduction sets the foundation for our comprehensive privacy policy, underscoring Nomads Embassy®’s dedication to upholding the highest standards of data protection and privacy for our global clientele.


1. Types of Data Collected: 

At Nomads Embassy®, we collect a variety of personal data to effectively assess your eligibility for digital nomad visas and to provide tailored services. The specific types of data we collect include:


1.1 Personal Identification Information: This encompasses basic personal details such as your name, date of birth, and nationality. These details are fundamental in assessing visa eligibility and in the application process.


1.2 Contact Information: We collect contact details, including your email address, phone number, and mailing address. This information is crucial for maintaining communication throughout the visa application process and for providing updates and information relevant to our services.


1.3 Financial Information: For the purpose of assessing eligibility for certain visas, we may require information about your financial status. This includes, but is not limited to, proof of income, bank statements, or other financial documents that help establish your financial stability as part of the visa application criteria.


1.4 Employment and Educational Background: Understanding your professional and educational history can be important in the visa application process. This data helps in determining your suitability for certain types of visas, particularly those that have specific requirements regarding skills, qualifications, or work experience.


1.5 Travel History and Documents: We may collect information about your previous travel, including past visas and travel documents. This history can be relevant to new visa applications and can impact the likelihood of visa approval.


1.6 IP Addresses and Technical Data: When you visit our website, we collect data such as your IP address, browser type, and operating system. This information helps us understand how our website is used and how we can improve user experience. It also aids in diagnosing technical problems and defending against cyber threats.


1.7 Cookies and Usage Data: Through the use of cookies and similar tracking technologies, we gather information about how you interact with our website. This data includes pages visited, time spent on pages, and the navigation pathway through the site. It enables us to optimize the website for better user experience and for analytical purposes.


1.8 Communication Data: When you contact us via email, phone, or through our website forms, we collect the information you provide in these communications. This may include queries, feedback, or requests related to our services.


Each category of data we collect serves a specific purpose in providing our services and ensuring the best possible experience for our clients. We are committed to handling all personal data responsibly, in line with GDPR requirements and with respect for your privacy.


1 Subject matter of the processing Personal Information belonging to Potential

Customers and Customers seeking and/or obtaining

remote health insurance, including, if necessary,

assisting with processing of any claims.

2 Duration The Personal Information will be processed during the

term of this Agreement.

3 Nature and Purpose of the processing The Personal Information described below will be

processed by NMDS OÜ to effectively assess clients eligibility for digital nomad visas and to facilitate and provide tailored services.

4 Types of Personal Information processed The Personal Information includes the following data






Date of Birth/Age

Work and Home Address


Country of Residence/Home Country


National Identifiers, Passport Image/Number, Driver’s

License Image/Number

Email Address (work and home)

Phone Number (work, home, mobile)

Call Recordings

Smartphone Applications

Geo-location Data

Marketing Preferences

Employment Status

Marital Status/Next of Kin/Dependents

Travel Destination/Length of Travel

Data Concerning Health and Health Care

Financial Data, including credit or debit card account

numbers, bank account numbers, card account service

codes, security codes, expiration dates, validation

codes or values, magnetic stripe data, PIN, PIN block,

and password data/information

5 Categories of Data Subjects in

relation to Personal Information Processed

Potential Customers


Spouse/Civil Partner/Partner/Dependents of


Employees of Company and Client

Independent Contractors

Third Party Agents

Government Officials

Healthcare Providers


2. Methods of Data Collection:

Nomads Embassy® employs various methods to collect data, ensuring accuracy, efficiency, and compliance with legal standards. Here’s an in-depth look at each method:


2.1 Google Analytics: This tool provides insights into website traffic and user behavior. We use it to understand how visitors navigate through our site, which pages are most popular, and how users engage with our content. This data helps us optimize the website for better user experience and to make informed decisions about content and layout.


2.2 Google Tag Manager: This is a tag management system that allows us to quickly and easily update tracking codes and related code snippets on our website. It enables us to manage tags for analytics, conversion tracking, and site optimization without altering the code of our website, thus enhancing the efficiency of our data collection processes.


2.3 Microsoft Clarity: This analytics tool provides session recordings and heatmaps, offering a visual representation of how users interact with our website. It helps us identify areas where users spend more time and how they navigate, enabling us to optimize the website layout and improve user experience.


2.4 Convertbox (Forms): We use Convertbox to create and manage interactive forms on our website. These forms may be used for a variety of purposes, such as newsletter sign-ups, service inquiries, or visa eligibility assessments. The data collected through these forms is directly provided by users and includes personal and contact information relevant to the services they are interested in.


2.5 Active Campaign: This is a tool for email marketing and customer experience automation. We use it to manage our email communications with clients and potential clients, including sending newsletters, updates, and service offerings. The tool collects and manages the contact details of subscribers, allowing us to tailor our email content to their preferences and needs.


2.6 Iubenda: We employ Iubenda for managing cookie consent and compliance on our website. It ensures that we are compliant with GDPR and other privacy regulations by managing user consent for cookies and other tracking technologies, offering users transparency and control over their data.


2.7 WordPress: As our website’s content management system, WordPress plays a key role in data collection. While it doesn’t directly collect personal data, the plugins and add-ons we use on WordPress might collect personal data if users interact with them, such as by leaving comments, subscribing to a blog, or filling out contact forms.


Each of these tools and methods is chosen for its reliability and compliance with data protection laws, particularly GDPR. They collectively enable us to gather necessary data for service provision, website optimization, and improving overall user experience, while maintaining transparency and respecting user privacy.


3. Purpose of Data Collection: 

The collection of data at Nomads Embassy®, a trademark of NMDS OÜ, is oriented towards facilitating the process of digital nomad visa applications and connecting clients with legal partners. Our data collection serves several key purposes:


3.1 Facilitation of Visa Application Services: The primary use of the data we collect is to facilitate the visa application process. This involves using personal and financial information to help determine the best approach for each client’s visa application and to connect them with appropriate legal partners who can provide the necessary legal assistance.


3.2 Client-Partner Connection: We use the information gathered to match clients with suitable legal partners. This matchmaking is based on the specific needs and circumstances of each client, ensuring that they are connected with legal experts who are best suited to assist with their particular visa application process.


3.3 Service Improvement and Customization: Data collected through our website helps us to understand how users interact with our services and to identify areas for improvement. This includes enhancing the functionality of the website, making it more user-friendly, and tailoring our services to better meet the needs of our clients.


3.4 Communication and Updates: Contact information is used to communicate with clients regarding their visa application process, to provide updates on the progress of their applications, and to inform them about relevant changes in visa policies or regulations. We also use this data to send out newsletters and updates about our services.


3.5 Compliance and Legal Obligations: Collecting certain data is necessary for compliance with legal and regulatory requirements. This includes maintaining accurate records and ensuring that our operations adhere to data protection laws, such as GDPR, and other relevant regulations.


3.6 User Support and Feedback: We collect data when clients contact us for support or provide feedback. This allows us to respond effectively to inquiries, offer assistance, and improve our service based on client feedback.


3.7 Marketing and Promotional Activities: We use contact details to inform clients about new offerings, services, or promotions that may be of interest to them. This marketing is conducted in compliance with legal standards and with respect to user preferences.


3.8 Security Measures: Technical data, like IP addresses, is collected to protect our website and services from unauthorized access and cyber threats. It aids in maintaining the integrity and security of our digital platforms and client data.


3.9 Analytics for Business Strategy: Aggregated data is used for business analysis purposes, helping us understand market trends and user behavior. This assists in making informed decisions that guide the strategic direction of our business.


Each of these data collection purposes aligns with our role as a facilitator in the digital nomad visa application process, ensuring that we connect clients with qualified legal partners effectively and efficiently while respecting their privacy and complying with GDPR.


4. Legal Basis for Processing: 


Nomads Embassy®, operating under the trademark of NMDS OÜ, acknowledges the importance of lawful and transparent data processing. Our legal bases for processing personal data are aligned with GDPR requirements and tailored to our role as a facilitator connecting clients with legal partners for digital nomad visa applications:


4.1 Consent: The primary basis for processing personal data at Nomads Embassy® is the explicit consent obtained from our clients. When users engage with our website, sign up for services, or fill out forms, we ensure that they are fully informed and their consent is obtained for the collection and use of their personal data. This consent is a deliberate and voluntary action, indicating the client’s agreement to the processing of their data for specified purposes, such as facilitating their visa application process or providing them with relevant updates and information.


4.2 Contractual Necessity: Processing certain types of personal data is essential for the performance of our services. When a client engages Nomads Embassy® to facilitate their visa application process, the collection and processing of specific personal data become necessary to fulfill our contractual obligations. This includes sharing relevant information with legal partners to effectively assist in the visa application process.


4.3 Compliance with Legal Obligations: As an entity operating under Estonian law, Nomads Embassy® is obligated to process data in accordance with legal requirements. This includes maintaining records for audit purposes, adhering to financial and tax regulations, and complying with data protection laws, such as GDPR. The processing of data for these purposes is essential to fulfill our legal responsibilities.


4.4 Legitimate Interests: In certain cases, data processing is justified on the basis of legitimate interests pursued by Nomads Embassy® or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. This includes activities like analyzing the use of our website to improve our services, ensuring network and information security, or for internal administrative purposes.


4.5 Vital Interests: While less common in our line of business, processing may occasionally be necessary to protect the vital interests of a data subject or another person. This could apply in emergency situations where processing personal data might be crucial for safeguarding an individual’s life or health.


4.6 Compliance with GDPR: All our data processing activities are designed to comply with GDPR principles, ensuring that data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject.


For each type of data processing, we ensure that there is a solid legal foundation, and we maintain records of these processing activities as required by GDPR. We are committed to respecting the privacy and security of our clients’ data, processing it only for the purposes for which we have a legal basis, and in a manner that is consistent with our role as a facilitator in the visa application process.


5. Data Storage and Security: 


At Nomads Embassy®, a trademark of NMDS OÜ, we prioritize the security and integrity of the personal data we collect. Our data storage and security measures are designed to protect against unauthorized access, alteration, disclosure, or destruction of personal information. Here is a detailed overview:


5.1 Data Storage Facilities:


Cubbit: We utilize Cubbit, a cloud storage solution known for its robust security features. Cubbit encrypts data before it leaves the device, ensuring that it remains secure during transmission and while stored in the cloud.

Amazon AWS: As another layer of our data storage strategy, we use Amazon AWS, a leading cloud service provider. AWS is renowned for its high standards of security, providing comprehensive data protection and redundancy.


5.2 Data Encryption:


All data stored on Cubbit ( and Amazon AWS ( is encrypted. This means that the data is converted into a secure code to prevent unauthorized access. Encryption is applied both in transit (as it moves across the network) and at rest (when stored on our servers).


5.3 Access Control:


We implement strict access controls to ensure that only authorized personnel have access to personal data. This includes the use of secure passwords, two-factor authentication, and regular reviews of access privileges.


5.4 Regular Security Audits:


Our systems undergo regular security audits to identify and remedy potential vulnerabilities. This proactive approach helps in safeguarding against potential security breaches.


5.5 Data Integrity and Backup:


We maintain the integrity of the data we store through regular backups. These backups are essential for data recovery in the event of a system failure, ensuring that our client’s information is not lost or compromised.


5.6 Compliance with Data Protection Laws:


Our data storage and security measures are in full compliance with GDPR and other relevant data protection laws. We regularly review our practices to ensure ongoing compliance and to adapt to any changes in legal requirements.


5.7 Employee Training and Awareness:


Our team members receive regular training on data protection and security. This ensures that they are aware of the latest best practices in data security and understand the importance of maintaining the confidentiality and integrity of client data.


5.8 Incident Response Plan:


We have an incident response plan in place to swiftly address any data breaches or security incidents. This plan outlines the steps to be taken in the event of a breach, including notification to affected parties and relevant authorities as required by law.


5.9 Continuous Monitoring and Improvement:


Our security measures are not static; we continuously monitor our data storage and security systems and make improvements as technology evolves and new threats emerge.


By implementing these robust data storage and security measures, Nomads Embassy® ensures the protection of client data, reinforcing our commitment to privacy and security in our role as a facilitator of digital nomad visa applications.

6. Data Retention Period: 


At Nomads Embassy®, a trademark of NMDS OÜ, we are committed to retaining personal data only for as long as necessary to fulfill the purposes for which it was collected, in line with GDPR guidelines and Estonian law. Our data retention policy is designed to respect the privacy of our clients while ensuring effective service delivery and compliance with legal obligations.


6.1 Duration of Service Provision:


Personal data collected for the facilitation of digital nomad visa applications is retained for the duration of the service provision. This includes the period during which we connect clients with legal partners and support them through the visa application process. The retention period is extended as necessary to complete all aspects of the service, including any follow-up or support post-service completion.


6.2 Legal and Regulatory Compliance:


Certain data may be retained for longer periods as required by Estonian law and other relevant regulations. This includes retaining records for tax purposes, compliance with financial regulations, and adherence to data protection laws. The specific duration for this retention is determined by the applicable legal requirements.


6.3 Client Consent:


In cases where we retain data for purposes beyond the immediate service provision, such as for marketing or future service offerings, we do so based on explicit consent from our clients. Clients have the right to withdraw their consent at any time, after which we will cease to use their data for these purposes.


6.4 Periodic Review of Data:


We conduct regular reviews of the data we hold to determine whether it is still necessary to retain it. Data that is no longer needed for any lawful purpose is securely deleted or anonymized.


6.5 Data Minimization:


Our approach to data retention is guided by the principle of data minimization. We ensure that only the data necessary for the specific purposes of our service is retained and that it is kept no longer than necessary.


6.6 Security of Retained Data:


Throughout the retention period, we continue to apply robust security measures to protect the data against unauthorized access, loss, or alteration.


6.7 Right to Erasure:


In accordance with GDPR, clients have the right to request the erasure of their personal data. Upon such requests, we will delete their data unless there is a legal ground that obligates us to retain it.


6.8 Notification of Data Retention Practices:


We transparently communicate our data retention practices to our clients, ensuring they are informed about how long their data will be kept and for what purposes.


By adhering to these data retention principles, Nomads Embassy® ensures that personal data is handled responsibly, retained only for as long as necessary, and protected throughout its lifecycle.


7. Data Sharing and Third-Party Access: 


At Nomads Embassy®, a trademark of NMDS OÜ, our operations involve the careful sharing of data with selected third parties, primarily our network of legal partners across various global destinations. Our approach to data sharing is governed by strict privacy standards and legal compliance.


7.1 Sharing with Legal Partners:


Our primary reason for data sharing is to connect clients with legal partners in countries offering digital nomad visas. This involves transferring relevant personal and application-related data to law firms in destinations like Anguilla, Austria, Brazil, Cyprus, Estonia, Greece, Mexico, Panama, Portugal, Spain, Thailand, and others within our network of destinations Covering North America, Central America, South america, Europe, AEU, SEA


Each legal partner is meticulously selected for their expertise and reliability. Data shared with these partners is strictly for the purpose of facilitating visa applications and providing legal assistance.


7.2 Consent-Based Sharing:


Data sharing with our legal partners is based on explicit client consent. Clients are informed about the specific data to be shared and the identity of the legal partner receiving it.


Clients have the right to withdraw their consent to data sharing at any time, subject to any legal or contractual restrictions.


7.3 Purpose-Limited Sharing:


Data shared with legal partners is strictly limited to what is necessary for the visa application process. This ensures that only relevant and required information is exchanged.


7.4 Third-Party Vetting and Agreements:


All legal partners and third-party service providers are thoroughly vetted to ensure they adhere to our high standards of data protection and privacy.

We enter into formal agreements with these partners, mandating compliance with data protection laws and outlining their responsibilities in handling client data.


7.5 Global Data Transfers:


Given our global operations, data transfers may occur across international borders. We ensure such transfers are compliant with GDPR and other relevant data protection regulations, employing safeguards like Standard Contractual Clauses (SCCs) or relying on adequacy decisions.


7.6 Security Measures with Third Parties:


We require all legal partners and third-party service providers to implement robust security measures to protect client data from unauthorized access, disclosure, alteration, or destruction.


7.7 Audit and Compliance:


Regular audits are conducted to ensure that third-party partners continue to adhere to our data protection standards and legal requirements.

Any non-compliance identified during audits is addressed promptly, including re-evaluating the partnership if necessary.


7.8 Client Notification and Transparency:


Clients are kept informed about our data sharing practices. Transparency is maintained through clear communication in our agreements and privacy policy.


7.9 Limitation of Liability:


While we ensure professional service, Nomads Embassy® is not responsible or liable for the actions of our partners. We do not cover any government fees or taxes related to the visa application process.


By adhering to these principles, Nomads Embassy® ensures responsible and secure data sharing with legal partners and third-party service providers, always prioritizing client privacy and legal compliance in our global operations.


8. International Data Transfers: 


Given the global nature of Nomads Embassy®’s operations, the facilitation of digital nomad visa applications involves the transfer of personal data across international borders. These transfers are an essential aspect of our service, allowing us to connect clients with legal partners in various countries. Here’s how we handle these international data transfers:


8.1 Global Network of Legal Partners:


Our network extends to countries including Anguilla, Antigua & Barbuda, Armenia, Austria, Barbados, Belize, Bermuda, Brazil, the Cayman Islands, Cape Verde, Colombia, Costa Rica, Croatia, Curaçao, Cyprus, the Czech Republic, Dominica, Dubai, Ecuador, Estonia, Greece, Hungary, Iceland, Indonesia, Malaysia, Malta, Mauritius, Mexico, Montenegro, Montserrat, Norway, Panama, Portugal, Romania, the Seychelles, Spain, Thailand, Uruguay and others. Each transfer of personal data to these locations is necessary for the facilitation of the visa application process.


8.2 Compliance with GDPR:


As an entity operating under Estonian law and adhering to GDPR, we ensure that all international transfers of personal data comply with GDPR standards. This includes transferring data to countries that have been deemed to provide an adequate level of data protection by the European Commission or under arrangements that provide equivalent safeguards, such as Standard Contractual Clauses (SCCs).


8.3 Safeguards for Data Transfers:


Where data is transferred to countries without an adequacy decision, we implement appropriate safeguards. This may include SCCs, binding corporate rules, or other legally recognized mechanisms that ensure the protection of personal data in line with GDPR requirements.


8.4 Transparency in Data Transfers:


Clients are informed about the international transfer of their data, including the destination countries and the measures in place to protect their data. This transparency is key to maintaining trust and ensuring clients are comfortable with how their data is handled.


8.5 Purpose-Limited Transfers:


Data transfers are strictly limited to what is necessary for the completion of the visa application process. Only relevant and required information is shared with our legal partners in the destination countries.


8.6 Vetting of International Partners:


Our legal partners in each destination are meticulously selected for their expertise and reliability. We ensure that they are committed to data protection and have measures in place to secure the data they receive.


8.7 Client Consent:


Where applicable, we obtain explicit consent from clients for the international transfer of their data, particularly in situations where such transfers are not covered by an adequacy decision or SCCs.


8.8 Regular Review and Compliance Monitoring:


Our data transfer practices are regularly reviewed to ensure ongoing compliance with evolving data protection laws. We also monitor the data protection regimes of the countries where our partners are based, adapting our practices as necessary.


8.9 Data Transfer Agreements:


Agreements with our international legal partners include clauses that mandate adherence to data protection standards equivalent to those required under GDPR.


By adhering to these practices, Nomads Embassy® ensures that international data transfers are conducted securely, lawfully, and in a manner that respects the privacy rights of our clients. This approach underpins our commitment to providing professional service while navigating the complexities of international data protection laws.


9. User Rights at Nomads Embassy


In compliance with GDPR and considering our global clientele, Nomads Embassy® is committed to upholding the rights of our users with respect to their personal data. These rights are an integral part of our data protection and privacy practices:


9.1 Right to Access:


Users have the right to request access to the personal data we hold about them. This includes the right to be informed about the nature of the data collected, the purposes for its processing, and any third parties to whom the data is disclosed.


9.2 Right to Rectification:


If a user finds that the data we hold is inaccurate or incomplete, they have the right to have it corrected. We take steps to ensure that any inaccuracies are amended promptly.


9.3 Right to Erasure (‘Right to be Forgotten’):


Users can request the deletion of their personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or if the user withdraws consent and there is no other legal ground for processing.


9.4 Right to Restriction of Processing:


Users have the right to request a restriction on the processing of their data. This is applicable in situations like when the accuracy of the data is contested, or the processing is unlawful.


9.5 Right to Data Portability:


Users have the right to receive their personal data in a structured, commonly used, and machine-readable format. This right is particularly relevant when transferring data from one service provider to another.


9.6 Right to Object:


Users can object to the processing of their personal data, especially in cases where the processing is based on legitimate interests or for direct marketing purposes.


9.7 Rights in Relation to Automated Decision-Making and Profiling:


Users have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.


9.8 Right to Withdraw Consent:


Where the processing of data is based on consent, users have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.


9.9 Right to Lodge a Complaint with a Supervisory Authority:


If users believe that the processing of their personal data violates data protection laws, they have the right to lodge a complaint with a relevant supervisory authority.


At Nomads Embassy®, we facilitate the exercise of these rights by providing clear channels of communication and assistance. Our approach involves ensuring that requests related to user rights are addressed promptly and effectively, acknowledging the importance of these rights in the context of our global visa facilitation services.


10. Consent and Withdrawal Mechanisms: 


Understanding the importance of informed consent in data processing, especially under GDPR, Nomads Embassy® implements clear and straightforward mechanisms for obtaining and managing user consent:


10.1 Obtaining Consent:


Consent is explicitly sought from our clients before certain personal data is processed. This is done through clear, affirmative actions such as ticking a checkbox on a form, choosing settings on our website, or providing personal information in our application process.

The consent process is designed to be as transparent as possible, with information provided about the specific data being collected, the purposes of processing, and any third parties with whom the data will be shared.


10.2 Informed Consent:


We ensure that all clients are fully informed before giving their consent. This includes explaining the nature of the services provided by Nomads Embassy® and our role in connecting clients with legal partners across various global destinations.

Details about how the data will be used, stored, and protected are also provided, ensuring that clients make informed decisions.


10.3 Easy to Understand Language:


The language used in our consent forms and privacy notices is clear, straightforward, and free of legal jargon, making it accessible to our diverse global client base.


10.4 Separate Consents:


For different processing activities, separate consents are obtained. For instance, consent for data processing for visa application facilitation is sought separately from consent for marketing communications.


10.5 Withdrawal of Consent:


Clients can withdraw their consent at any time. We provide easy mechanisms for this, such as an ‘unsubscribe’ link in email communications or a simple process on our website where clients can manage their consent preferences.

Upon withdrawal of consent, we promptly cease the processing of the individual’s data for the purposes they have withdrawn consent for. This process is as straightforward as the initial granting of consent.


10.6 Record-Keeping:


Records of consent are maintained, documenting when and how consent was obtained and for what purposes. This ensures transparency and accountability in our data processing practices.


10.7 Review and Update of Consent Mechanisms:


Our consent mechanisms are regularly reviewed and updated to ensure continued compliance with GDPR and other relevant laws, especially considering our global operations and diverse client base.


10.8 Client Education:


We actively educate our clients about the significance of consent in data processing, reinforcing their understanding of their rights and our commitment to data protection.


10.9 Responsive to Client Queries:


Any inquiries or concerns regarding consent are addressed promptly, ensuring that clients feel supported and respected in their data protection rights.


By implementing these consent and withdrawal mechanisms, Nomads Embassy® not only adheres to GDPR requirements but also fosters a relationship of trust and transparency with our clients. Our approach respects client autonomy in personal data decisions while facilitating global digital nomad visa applications effectively.


  1. Procedures for Exercising Rights:


At Nomads Embassy®, we acknowledge the significance of our clients’ rights regarding their personal data. Here are the established procedures that enable our clients to exercise their GDPR rights effectively:


11.1 Channels for Exercising Rights:


Clients can exercise their rights through various channels, including a dedicated email address (e.g., [email protected]), a contact form on our website, or by postal mail. Contact details are clearly provided on our website and in our privacy policy.


11.2 Identification and Verification:


To protect client data, we verify the identity of anyone making a request related to their personal data. This verification process is crucial to prevent unauthorized access to or modification of client data.


11.3 Guidance and Assistance:


We offer clear guidance on how to make a request to exercise any of the GDPR rights, such as access, rectification, erasure, or portability. This guidance is accessible on our website and can also be provided by our customer support team.


11.4 Response Timeframe:


In line with GDPR requirements, we respond to all requests from clients regarding their data rights without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, considering the complexity and number of the requests.


11.5 Handling Requests:


Each request is logged and handled by a team trained in data protection and privacy. This team assesses the request, ensures that it is processed correctly, and communicates with the client throughout the process.


11.6 No Fee for Exercising Rights:


Generally, we do not charge a fee for complying with a data rights request. However, a reasonable fee may be charged for requests that are unfounded, excessive, or repetitive.


11.7 Data Rectification and Erasure:


Clients can request the correction or deletion of their personal data. Upon such a request, we take appropriate steps to rectify or erase the data, including notifying third parties to whom the data has been disclosed.


11.8 Data Portability:


Upon request, we provide personal data in a structured, commonly used, and machine-readable format. We also facilitate the transfer of this data to another entity, if technically feasible.


11.9 Restriction and Objection to Processing:


Clients can request the restriction or object to the processing of their data under certain conditions. We assess each such request individually and take appropriate action.


11.10 Communication and Follow-Up:


After processing a request, we communicate the outcome to the client. In cases of denial or partial fulfillment of requests, we provide clear reasons and information about further steps, including the right to lodge a complaint with a supervisory authority.


By establishing these procedures, Nomads Embassy® ensures that the rights of our clients are respected and facilitated, reflecting our commitment to data protection and compliance with GDPR, regardless of our global scope of operation.

12. Automated Decision-Making and Profiling: 


Nomads Embassy®, in its role of facilitating digital nomad visa applications, pays careful attention to the use of automated decision-making and profiling processes. Here’s how these are managed:


12.1 Use of Automated Decision-Making:


Currently, Nomads Embassy® does not rely on fully automated decision-making processes that have legal effects or similarly significantly affect our clients. All visa application facilitation and client services involve human oversight, ensuring that each client’s situation is considered individually.


12.2 Profiling Activities:


While we may use certain automated tools for profiling purposes, such as segmenting our client base for tailored communication, these activities do not have significant legal effects on individuals. Profiling is primarily used for enhancing user experience, service personalization, and effective marketing.


12.3 Transparency and Consent:


In any instance where automated profiling is used, we ensure transparency with our clients. Clients are informed about the nature of the profiling, the data used, and the purposes for which it is employed. Where necessary, explicit consent is obtained for such activities.


12.4 Global Considerations:


Given our global client base, we are mindful of the different regulations governing automated decision-making and profiling in various jurisdictions. Our practices are designed to be compliant with GDPR as well as other relevant international data protection laws.


12.5 Right to Human Intervention:


Clients have the right to request human intervention if any automated processing is used, to express their point of view, and to contest any decision made based solely on automated processing.


12.6 Data Protection Impact Assessments (DPIAs):


For any processes involving automated decision-making or profiling, we conduct DPIAs to assess and mitigate risks to individual rights and freedoms, ensuring compliance with data protection principles.


12.7 Regular Review of Processes:


Automated processes are regularly reviewed to ensure accuracy, fairness, and compliance with legal standards. This includes monitoring for biases or inaccuracies that could impact decision-making.


12.8 Client Communication:


Information about any automated decision-making or profiling practices is clearly communicated in our privacy policy, and clients are provided with easy-to-understand information about these processes.


By incorporating these measures, Nomads Embassy® ensures responsible use of automated decision-making and profiling, emphasizing respect for individual rights and compliance with legal standards in our global operations.


13. Data Protection Officer (DPO): 


Nomads Embassy®, understanding the importance of data protection and privacy, has appointed a Data Protection Officer (DPO) who plays a pivotal role in our data governance structure: Simone Albano CTO and DPO of NMDS OÜ.


13.1 Role and Responsibilities:


The DPO is responsible for overseeing our data protection strategy and its implementation to ensure compliance with GDPR and other data protection laws. This includes monitoring our compliance with GDPR, other EU and national data protection laws, and our own data protection policies.

The DPO provides advice and guidance on data protection impact assessments (DPIAs) and acts as a point of contact for data subjects and supervisory authorities.


13.2 Independence of the DPO:


The DPO operates independently, without any conflict of interest, ensuring unbiased oversight of our data protection practices. The DPO reports directly to the highest level of management at Nomads Embassy®.


13.3 Expertise and Qualifications:


Our DPO is equipped with professional knowledge of data protection law and practices. This expertise is particularly pertinent given our global operations, necessitating an understanding of both Estonian data protection laws and the legal frameworks of the countries in which our partners operate.


13.4 Training and Awareness:


The DPO is responsible for conducting regular training sessions for staff to promote awareness of data protection responsibilities. This includes educating employees about compliance, data processing practices, and the importance of protecting personal data.


13.5 Contact Information of the DPO:


Our DPO can be contacted at [email protected]. This contact information is readily available on our website and in our privacy policy, making it easy for clients, partners, and regulatory bodies to get in touch.


13.6 Global Data Protection Practices:


Given our international clientele and partnerships, the DPO ensures that our data protection practices are not only compliant with Estonian law but also respect the data protection requirements of the various jurisdictions in which we and our partners operate.


13.7 Handling of Data Protection Queries and Requests:


The DPO manages and responds to queries or requests from clients and authorities concerning data protection. This includes requests related to data subject rights, data breaches, and data processing activities.


13.8 Regular Data Protection Audits:


The DPO conducts regular audits to ensure our data processing and protection measures are in line with current laws and best practices. Any gaps or issues identified during these audits are addressed promptly.


By having a dedicated DPO, Nomads Embassy® demonstrates its commitment to maintaining the highest standards of data protection and privacy, an essential aspect of our trust-based relationship with our clients and partners.


14. Children’s Privacy: 


Nomads Embassy®, recognizing the importance of protecting the privacy of children, especially in the context of its digital nomad visa facilitation services, adheres to the following principles and practices:


14.1 Target Audience and Service Nature:


Our services are specifically designed for adults, particularly those seeking assistance with digital nomad visas. As such, our website and services are not intended for, nor do they target, children under the age of 18.


14.2 Age Verification:


We take reasonable steps to verify the age of our clients during the registration or application process. This helps ensure that we do not inadvertently collect personal data from children.


14.3 No Knowingly Collection of Children’s Data:


Nomads Embassy® does not knowingly collect, use, or disclose personal information from children. If we become aware that we have inadvertently collected personal data from a child without proper parental consent, we will take steps to delete that information as soon as possible.


14.4 Parental Consent and Involvement:


In cases where the involvement of children is necessary or incidental (for instance, in a family visa application process), we ensure that appropriate parental consent is obtained before any personal data of children is collected or processed.


14.5 Data Protection Measures for Children’s Data:


In the rare instances where children’s data is processed (always with parental consent), we apply stringent data protection measures, treating such information with the highest level of security and confidentiality.


14.6 Compliance with Legal Standards:


Our approach to children’s privacy is in compliance with relevant data protection laws, including GDPR. We are particularly cautious about adhering to laws and regulations that specifically address children’s privacy.


14.7 Communication and Transparency:


Our privacy policy clearly communicates that our services are not intended for children and outlines the measures taken to protect children’s privacy.


14.8 Training and Awareness:


Our staff receives training on the importance of children’s privacy, including how to identify and escalate any instances where children’s data might be involved.


14.9 Regular Policy Review:


We regularly review our children’s privacy practices and policies to ensure they remain effective and compliant with current legal standards, adapting them as necessary to address changes in law or in our services.


14.10 Responsibility and Reporting:


We encourage anyone (clients, partners, or the public) to report any concerns related to children’s data or privacy. Such concerns are taken seriously and addressed promptly.


By adhering to these principles, Nomads Embassy® ensures a responsible and lawful approach to children’s privacy, aligning with our commitment to providing professional visa facilitation services while respecting the privacy of all individuals, including children.

15. Notification of Changes: 


Nomads Embassy® acknowledges the importance of keeping our clients informed about any changes to our policies, especially those related to privacy and data protection. Our process for notifying clients of changes is as follows:


15.1 Timely Updates:


We are committed to communicating any changes to our privacy policy, terms of service, or any other significant policy changes in a timely manner. This ensures that our clients are always aware of how their data is being used and what rights they have.


15.2 Methods of Communication:


Notifications of changes are primarily disseminated through email. We use the email addresses provided by our clients to send updates. The subject line of these emails clearly indicates that they contain important information about policy changes.

Additionally, we post updates on our website, particularly in the privacy policy and terms of service sections, ensuring that the latest versions are always accessible.


15.3 Clear and Accessible Language:


All communications regarding changes are made in clear, easy-to-understand language. We avoid legal jargon to ensure that all our clients, regardless of their legal expertise, can understand the implications of the changes.


15.4 Highlighting Key Changes:


In our communications, we clearly highlight the key changes made. This includes a summary of the changes, why they were made, and how they might affect our clients.


15.5 Advance Notice:


Whenever possible, we provide advance notice of changes, especially when they might significantly affect how we process client data or how our services are provided.


15.6 Encouraging Review:


We encourage our clients to review the updated policies in full. Links to the detailed documents are included in our communications for easy access.


15.7 Feedback and Inquiries:


We welcome feedback on policy changes and provide contact details for our clients to ask questions or seek clarifications. This could be via our dedicated email addresses, contact forms on our website, or customer service channels.


15.8 Record of Changes:


A record of all changes made to our policies is maintained. This includes dates of changes and previous versions of the documents, providing a transparent history of our policy evolution.


15.9 Compliance with Legal Requirements:


All notifications are in compliance with GDPR and other relevant data protection laws, ensuring that our global client base is informed in line with legal requirements.


By adhering to these procedures, Nomads Embassy® ensures that our clients are always informed of changes in a manner that is timely, transparent, and in compliance with legal standards.

16. Complaints Process: 


Nomads Embassy® is committed to providing high-quality service and respecting the data protection rights of our clients. In the event of dissatisfaction or concerns, especially regarding data processing in compliance with GDPR, we have a structured complaints process:


16.1 Filing a Complaint:


Clients who have concerns about how their data is being handled can file a complaint with us. This can be done via email at [email protected], through our website’s contact form, or by postal mail. Clear instructions and contact details for lodging a complaint are available on our website and in our privacy policy.


16.2 Acknowledgment of Complaint:


Upon receiving a complaint, we acknowledge receipt promptly, typically within 48 hours. This acknowledgment includes an overview of our complaints process and the expected time frame for resolution.


16.3 Investigation Process:


Every complaint is thoroughly investigated. We review the circumstances surrounding the issue, involving relevant departments and accessing necessary data securely.


16.4 Communication During Investigation:


We maintain open lines of communication with the complainant throughout the investigation. Regular updates are provided on the progress of the investigation and any findings.


16.5 Resolution and Response:


Once the investigation is complete, we communicate the outcome to the complainant. This includes a detailed explanation of our findings, any actions taken, and remedies offered if applicable.


16.6 Escalation to Supervisory Authority:


If the complainant is not satisfied with the outcome or how the complaint was handled, they have the right to escalate the matter to the relevant supervisory authority in their EU member state. We provide information on how to contact these authorities.


16.7 Data Protection Officer (DPO) Involvement:


Our DPO is available to assist in the complaints process, ensuring compliance with data protection laws and offering an additional layer of review if needed.


16.8 Record Keeping:


We keep records of all complaints and their resolutions. This helps us in identifying trends, areas for improvement, and ensuring accountability in our processes.


16.9 Review and Improvement:


The complaints process itself is subject to regular review. Feedback from complainants, along with outcomes of complaints, is used to improve our services and data handling practices.


16.10 Client-Centric Approach:


Throughout the complaints process, we focus on a client-centric approach, ensuring that the complainant’s concerns are addressed respectfully, promptly, and efficiently.


By adhering to this comprehensive complaints process, Nomads Embassy® ensures that any concerns regarding data protection or service quality are handled with the utmost seriousness, reflecting our commitment to client satisfaction and compliance with GDPR.


17. Data Breach Notification Plan:


Recognizing the critical importance of data security, Nomads Embassy® has established a comprehensive plan for responding to data breaches. This plan ensures prompt action and compliance with GDPR, particularly given our global client base and operations:


17.1 Identification and Assessment:


We have systems in place for the early identification of potential data breaches. Upon detection of any breach or suspected breach, we immediately conduct an assessment to determine the nature and extent of the incident.


17.2 Containment and Recovery:


The initial response includes containing the breach to prevent further unauthorized access or leakage of data. Simultaneously, efforts are made to recover lost data and secure our systems to prevent further breaches.


17.3 Internal Reporting and Escalation:


All data breaches are reported internally to key decision-makers, including our Data Protection Officer (DPO). The DPO is responsible for overseeing the breach response and determining the risk level to affected individuals.


17.4 Notification to Authorities:


In compliance with GDPR, if the data breach poses a risk to the rights and freedoms of individuals, we notify the appropriate data protection authorities within 72 hours of becoming aware of the breach. This notification includes details about the nature of the breach, categories and approximate number of individuals affected, and the likely consequences.


17.5 Communication to Affected Users:


Affected individuals are promptly notified if the breach is likely to result in a high risk to their rights and freedoms. This notification is clear, transparent, and provides details about the nature of the breach, the steps taken to address it, and guidance on how they can protect themselves.


17.6 Global Considerations:


Given our international operations, we also consider the data breach notification requirements in other jurisdictions where our clients are located. Where necessary, notifications are made to relevant local authorities in accordance with local laws.


17.7 Documentation and Record Keeping:


All data breaches, regardless of their size and impact, are documented. This includes the facts of the breach, its effects, and the remedial actions taken. These records help us in meeting GDPR’s accountability requirements.


17.8 Post-Breach Analysis and Improvement:


After addressing a breach, we conduct a thorough analysis to understand its cause and effectiveness of our response. Lessons learned are integrated into our security practices and response plans to prevent future occurrences.


17.9 Staff Training and Awareness:


Regular training and awareness programs for staff are conducted, ensuring they understand their roles and responsibilities in preventing and responding to data breaches.


17.10 Client Assurance:


We reassure our clients of our commitment to data security and the measures in place to protect their information. This includes continuous improvement of our security practices in line with evolving threats and technologies.


By adhering to this data breach notification plan, Nomads Embassy® demonstrates its commitment to data security and compliance with GDPR, ensuring that our clients’ data is protected across our global network.

18. Cookie Policy: 


Nomads Embassy® utilizes cookies on its website to enhance user experience, gather analytics, and personalize services. Managed by Iubenda, our cookie policy is designed to be transparent and compliant with data protection laws, including GDPR. Here’s a detailed look at our cookie policy:


18.1 What are Cookies:


Cookies are small text files stored on a user’s device when they visit a website. They are used to remember user preferences, facilitate certain website functionalities, and collect analytical data.


18.2 Types of Cookies Used:


Essential Cookies: Necessary for the website to function properly. These include cookies that enable basic functionalities like page navigation and access to secure areas of the website.


Performance Cookies: Collect information about how visitors use the website, such as which pages are visited most often. These cookies do not collect information that identifies a visitor; all information is aggregated and anonymous.


Functional Cookies: Used to recognize users when they return to the website, enabling personalization of content and remembering preferences.


Advertising Cookies: Deployed to deliver adverts more relevant to users and their interests. They are also used to limit the number of times a user sees an advertisement as well as help measure the effectiveness of advertising campaigns.


18.3 Purpose of Cookies:


The cookies we use aim to enhance user experience on our website, assist in navigation, ensure website security, and provide analytical data that helps us improve the website.


18.4 Consent Management:


Consent for cookies is obtained through a clear and easily accessible consent mechanism managed by Iubenda. This mechanism allows users to choose which categories of cookies they accept or reject.


Users are informed about the specific cookies used, their purposes, and the implications of consenting or not consenting to their use.


18.5 User Control and Preferences:


Users can change their cookie preferences at any time via the cookie settings interface on our website.


Instructions are provided on how to manage and delete cookies through browser settings for those who wish to block cookies entirely.


18.6 Third-Party Cookies:


Some cookies used on our website may be set by third-party services we use for various features. Our policy includes information about these third-party cookies and links to their respective privacy policies.


18.7 Updates to the Cookie Policy:


Our cookie policy is reviewed and updated regularly to reflect any changes in the cookies we use or changes in legal requirements. Users are notified of significant changes.


18.8 Transparency and Access to Policy:


The full cookie policy is easily accessible on our website, providing detailed information about the use of cookies and user rights related to them.


By implementing this comprehensive cookie policy, Nomads Embassy® ensures that our clients are informed and have control over their data, aligning with our commitment to privacy and compliance with global data protection standards.


19. Third-Party Links Policy: 


Nomads Embassy®’s website serves as a gateway for our clients to access a range of resources, including connections to legal partners and information pertinent to digital nomad visas. This includes the provision of links to third-party websites. Our policy regarding these links is as follows:


19.1 Nature of Third-Party Links:


Our website may feature links to external third-party websites, such as government portals, legal resources, or partners’ websites. These links are provided for informational purposes, to enhance the service experience, or as a part of our service delivery.


19.2 No Endorsement Implied:


Providing a link to a third-party website does not imply an endorsement or approval of that site, its content, or its owners. These links are offered solely for the convenience and further information of our clients.


19.3 Disclaimer of Responsibility:


Nomads Embassy® does not have control over, nor is responsible for, the content, privacy policies, or practices of third-party websites. We do not verify, monitor, or routinely review the content on these external sites.

As such, we cannot guarantee the accuracy, completeness, or reliability of information found on these external websites.


19.4 User Discretion Advised:


Users are advised to use their discretion when accessing and using third-party websites. Engaging with these sites, including the use of any information or services offered, is at the user’s own risk.


19.5 Privacy Considerations:


Clients should be aware that third-party websites may have privacy practices that differ from those of Nomads Embassy®. We encourage users to review the privacy policies of any third-party site they visit to understand how their information may be collected and used.


19.6 Changes in Third-Party Links:


The external links provided on our website may change over time as we continually update our content to better serve our clients’ needs. We aim to ensure that these links remain relevant and useful.


19.7 Feedback and Reporting Inaccurate Links:


We welcome feedback from our users regarding the utility and accuracy of the third-party links provided. If a link is found to be broken, inaccurate, or inappropriate, users are encouraged to inform us, allowing us to take appropriate action.


19.8 Legal Compliance:


Our third-party links policy is crafted in compliance with applicable laws and regulations, respecting the legal frameworks within which we operate globally.


By maintaining this third-party links policy, Nomads Embassy® underscores its commitment to providing valuable resources while clarifying the scope of our responsibility regarding external content. This policy forms part of our broader commitment to transparency and user empowerment in our digital nomad visa facilitation services.


20. Contact Information for Privacy-Related Inquiries at Nomads Embassy


Nomads Embassy® is dedicated to maintaining open and transparent communication with our clients, particularly regarding privacy and data protection matters. Here’s how clients and users can contact us for privacy-related inquiries:


20.1 Primary Contact for Privacy Inquiries:


For any questions, concerns, or requests related to data privacy and protection, users can contact us directly at [email protected]. This dedicated email address is monitored by our team, including our Data Protection Officer (DPO), ensuring expert handling of all privacy matters.


20.2 Response Commitment:


We are committed to responding to all inquiries promptly. Our standard response time for privacy-related emails is within 48 hours. In cases where a more in-depth investigation or response is required, we communicate this to the inquirer, providing an estimated timeframe for resolution.


20.3 Alternative Contact Methods:


While [email protected] is the primary channel for privacy inquiries, users can also reach us through alternative methods for general queries:

Contact Form: Available on our website, this form can be used for general inquiries, including those related to privacy.

Postal Mail: For users who prefer or require traditional mail communication, our mailing address is provided on our website.


20.4 Multilingual Support:


Given our global client base, we strive to accommodate inquiries in multiple languages. While our primary communication language is English, efforts are made to respond to non-English inquiries in an effective and understanding manner.


20.5 Special Assistance:


If users require special assistance or have specific needs in communicating their privacy concerns, we endeavor to accommodate these requirements. This may include providing information in alternative formats or arranging for a direct conversation.


20.6 Confidentiality in Communications:


All communications with our clients, especially those concerning sensitive personal data, are handled with strict confidentiality. We employ secure communication methods to protect the privacy and integrity of the information shared.


20.7 Feedback and Continuous Improvement:


We welcome feedback on our communication and response processes. Client suggestions are taken into account for continuous improvement of our customer service and privacy practices.


20.8 Awareness and Information:


We ensure that our contact information for privacy inquiries is easily accessible on our website, particularly on the privacy policy page, and in any relevant communication materials.

By providing clear and accessible contact information and channels for privacy-related inquiries, Nomads Embassy® reinforces its commitment to data protection, client trust, and adherence to GDPR and other data privacy regulations.