Privacy policy

How we collect, use, and protect your personal data when you use UkraineBorder.com.

Last updated: 19 May 2026

This Privacy Policy explains how LLC «WELCOME TO UKRAINE» (USREOU 44559356, Ushinsky str, bldg. 40, office 302, Kyiv 03151, Ukraine) — the operator of UkraineBorder.com (the "Site") — collects, uses, and protects your personal data. It applies to all visitors of the Site and to anyone who submits a travel-insurance application through it.

We are committed to processing your data lawfully, transparently, and only for clearly defined purposes. This document is written in plain language; if anything is unclear, contact us at editor@ukraineborder.com.


1. Who is responsible for your data

The data controller is:

  • Legal name: LLC «WELCOME TO UKRAINE»
  • USREOU (Ukraine company register code): 44559356
  • Registered address: Ushinsky str, bldg. 40, office 302, Kyiv 03151, Ukraine
  • Contact: editor@ukraineborder.com · +380 93 542 67 32
  • Regulator: National Bank of Ukraine (the operator is also a licensed insurance intermediary on the NBU Insurance Intermediaries Register)

For specific data-processing matters (rights requests, complaints, questions about this policy), use the contact details above or submit a formal request via our Privacy Request Form.

We have not appointed a dedicated Data Protection Officer (DPO) under GDPR Art. 37 — our processing does not meet the mandatory-DPO thresholds. The contact details above act as the privacy point of contact.

Joint controllership with Euroins Ukraine

When you submit a travel-insurance application through the Site, your application data is transmitted to PJSC «IC EUROINS UKRAINE» (alternate name: Euroins Ukraine) — the licensed underwriter that issues the policy. Under GDPR Art. 26, Euroins Ukraine and LLC WELCOME TO UKRAINE act as joint controllers for that application: each side processes your data for its own role (we as the authorized agent / interface, Euroins as the underwriter). A summary of the arrangement is available on request.


2. What personal data we collect

We collect and process the following categories of data:

2.1 When you browse the Site

  • Standard server logs: IP address, user-agent, requested URL, response code, timestamp. Logs are retained for up to 90 days for security and operational reasons.
  • Cookies: a small set of strictly necessary cookies (session, consent state). With your consent, optional cookies for functional preferences, analytics, and marketing — see our Cookie Policy.
  • Your choice (accept all / reject non-essential / per-category preferences)
  • A hashed IP address (SHA-256, truncated — we do not store the raw IP)
  • User-agent string (truncated to 500 chars)
  • Timestamp

This log exists to demonstrate that consent was given (GDPR Art. 7(1) accountability).

2.3 When you request an insurance quote

To issue a real insurance policy, the underwriter (Euroins Ukraine) requires the data needed to identify the policyholder, screen against sanctions lists, and produce a contract:

  • First name, last name, second name (where applicable)
  • Date of birth
  • Citizenship (ISO country)
  • Passport number
  • Email
  • Phone number
  • Trip start / end dates, intended length of stay
  • Coverage tier selected (Minimum / Standard / Maximum, optional radiation rider)
  • Additional travellers (same fields above, up to 9)
  • A verification code we email you (used to confirm you control the email address)

Where this data lives:

  • The Site itself stores only an opaque session identifier (sid), the cookie-consent state, lifecycle status (pending / verified / paid / failed), pricing snapshot, and analytics counters. No passport, name, email, phone, or date of birth is stored on our side.
  • The full application data is transmitted to and stored by Euroins Ukraine, who acts as joint controller for the policy.

2.4 When you submit a data-subject request (DSR)

If you exercise your GDPR rights through our Privacy Request Form, we collect:

  • The type of request (access, rectification, erasure, portability, objection, restriction)
  • Your email (required, used for the response)
  • Optional free-form details
  • The locale you submitted from
  • A timestamp

We may ask for additional information to verify your identity before responding.

2.5 When you contact us directly

If you email or call us, we process the content of your message and your contact details for the time needed to respond to your enquiry. We do not use those details for marketing.


We process your data only for the purposes below, each tied to a specific legal basis under GDPR Art. 6.

| Purpose | Legal basis |
|---|---|
| Run the Site, serve pages, ensure security and integrity | Legitimate interest (Art. 6(1)(f)) — operating a website you have voluntarily visited |
| Set strictly necessary cookies (session, consent state) | Legitimate interest + ePrivacy "strictly necessary" exemption |
| Set optional cookies (functional / analytics / marketing) | Consent (Art. 6(1)(a)) — only when you accept the relevant category in the consent banner |
| Issue an insurance quote and policy on your request | Contract (Art. 6(1)(b)) — performance of the insurance agreement at your request, including pre-contractual steps |
| Run the email verification step (OTP) | Contract + legitimate interest in fraud prevention |
| Transmit application data to Euroins Ukraine | Contract + joint controllership disclosed in §1 |
| Process payments via WayForPay | Contract |
| Handle data-subject requests (DSR) | Legal obligation (Art. 6(1)(c)) — GDPR Art. 15–22 fulfilment |
| Respond to your direct enquiries | Legitimate interest in helpful customer service |
| Defend legal claims | Legitimate interest (Art. 6(1)(f)) |

We do not use your data for automated decision-making with legal effects (GDPR Art. 22). Sanctions-list screening is performed by the underwriter and reviewed by humans if a result is unclear.


4. Who we share your data with

We share personal data only with the following categories of recipients, and only to the extent needed for the purpose stated:

  • PJSC «IC EUROINS UKRAINE» (Euroins Ukraine) — joint controller for insurance applications and policy issuance.
  • WayForPay (UA-licensed payment processor, NBU-regulated, PCI-DSS) — for payment processing only. We do not see your card data — it is entered directly on WayForPay's secured page.
  • Hosting and infrastructure providers (data processors): Vercel Inc. (web hosting, EU Frankfurt region), Neon (managed PostgreSQL, EU region), Cloudflare R2 (object storage, EU region).
  • Email provider (when we add transactional email — currently not wired): a data processor under a DPA before activation.
  • Error monitoring (when we add Sentry — currently not wired): a data processor with PII scrubbing before activation.
  • Analytics (Google Analytics 4 — only after you grant analytics consent): a data processor under SCC + DPF (US transfer).
  • Legal and regulatory bodies: where we are legally required to disclose (e.g., law enforcement requests, regulators).
  • Professional advisors (lawyers, auditors): bound by confidentiality.

We do not sell your personal data and we do not share it with advertising networks without your explicit consent.


5. International data transfers

The operator (LLC WELCOME TO UKRAINE) and the underwriter (Euroins Ukraine) are both established in Ukraine. Most processing therefore happens within Ukraine. The European Commission has issued an adequacy decision for Ukraine under GDPR Art. 45 in 2024, so transfers from the EU/EEA to Ukraine require no additional safeguards.

Some processors operate outside the EU/EEA (e.g., Cloudflare and Google operate globally). For those transfers we rely on:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission, OR
  • EU–US Data Privacy Framework (DPF) for US-based processors that participate, OR
  • Adequacy decisions where applicable.

You can request a copy of the safeguards in place for any specific transfer by writing to editor@ukraineborder.com.


6. How long we keep your data

| Category | Retention |
|---|---|
| Server logs | Up to 90 days |
| Cookie-consent log entries | 2 years from collection (evidentiary purpose) |
| Insurance-order records (no PII) | 7 years (statutory accounting and insurance record-keeping) |
| Audit log entries | 7 years (compliance and regulatory record-keeping) |
| DSR request records | 3 years after closure (defence against regulatory complaints) |
| Direct enquiry correspondence | 2 years after last contact |
| Insurance application PII held by Euroins Ukraine | Per Euroins's own retention policy (typically the statutory insurance retention period) |

When the retention period ends, the records are deleted or irreversibly anonymised.


7. Your rights

Under GDPR (and equivalents in UK GDPR, LGPD, CCPA), you have the following rights:

  • Access (Art. 15): ask us for a copy of the personal data we hold about you, plus information about how we process it.
  • Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
  • Erasure / right to be forgotten (Art. 17): ask us to delete your data when one of the legal grounds applies.
  • Restriction (Art. 18): ask us to restrict processing in certain circumstances.
  • Portability (Art. 20): ask us to provide your data in a machine-readable format, where the processing is based on consent or contract.
  • Objection (Art. 21): object to processing based on legitimate interests.
  • Withdraw consent (Art. 7): at any time, with effect for the future, where processing is based on your consent. You can manage cookie consent at any time via our Cookie settings page.
  • Lodge a complaint with a supervisory authority — see §9 for the relevant ones.

To exercise any of these rights, use our Privacy Request Form or write to editor@ukraineborder.com. We will respond within 30 days (15 days for LGPD, 45 days for CCPA), free of charge for the first request; subsequent identical requests within a short period may be limited or charged a reasonable fee as permitted by law.

For insurance application data held by Euroins Ukraine, rights are exercised directly with them as joint controller — we can route the request on your behalf if simpler.


8. Security

We apply technical and organisational measures appropriate to the risk: TLS 1.2+ for all traffic, HSTS preload, strict CSP headers, password hashing (bcrypt) for admin accounts, encrypted storage at rest, audit logging, principle of least privilege for staff access, PII scrubbing in application logs, regular dependency updates, and an incident-response runbook.

We never store payment card details on our infrastructure — those are handled exclusively by WayForPay under PCI-DSS.

No system is perfectly secure. If we ever experience a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and you directly without undue delay where the risk is high (Art. 34).


9. Supervisory authorities

You have the right to lodge a complaint with a supervisory authority. Depending on where you reside:


10. Cookies and similar technologies

For a detailed list of the cookies we use, third-party cookies set by our processors, and instructions on how to manage them, see our Cookie Policy.


11. Updates to this policy

We may update this policy when our processing activities change, when laws change, or to clarify the existing wording. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be announced on the Site (e.g., a banner or revised consent prompt) and, where required by law, by direct notification.


12. Contact

For all data-protection matters:

Data protection contact

For questions about how we process your personal data or to exercise your rights under GDPR (access, rectification, erasure, portability, objection, restriction), write to the address below or submit a formal request via our privacy form.

Email: info@welcomeukraine.today

Postal address: Ushinsky str, bldg. 40, office 302, Kyiv 03151, Ukraine
