Privacy policy for agencies, teams, and client records.

VisaDesk is a software platform designed for visa and immigration agencies. We provide tools for case management, application tracking, financial records, reporting, and team coordination.

For client records entered into the platform, VisaDesk acts as the data processor. The registered agency acts as the data controller and is responsible for collecting and using that data lawfully.

For account-level data such as agency users, billing contacts, and account settings, VisaDesk may act as both controller and processor depending on the context.

We collect the following categories of data:

• Agency account data such as names, emails, plan selection, and billing details.
• Client data entered by your agency, including passport details, application records, appointment dates, notes, and finance history.
• Usage and technical data such as IP address, browser details, audit log events, and error diagnostics.
• Support and communication data shared through onboarding, billing, or help requests.

Client data remains owned by your agency. We process it only to provide the service to you.

Your agency may connect optional services so VisaDesk can deliver email, SMS, or analytics. Those providers process data under their own terms and act as sub-processors for the functions you enable.

Google — optional "Connect Gmail": If an administrator links a Google account in Settings → Email, VisaDesk uses Google OAuth with the scopes gmail.send and userinfo.email. We use gmail.send only to send outbound messages you or your automations trigger (for example applicant notifications). We do not use this access to read, search, or sync the mailbox. We use userinfo.email only to record which Google address is connected and to set the sender identity shown in the product. OAuth tokens are stored encrypted and can be revoked anytime by disconnecting in VisaDesk or removing access in your Google Account.

Email (Resend, SMTP): When you configure transactional or SMTP providers, message content and recipient details pass through that provider to deliver mail. Use only providers your agency trusts and has a contract with where required.

SMS (e.g. Twilio): When enabled, phone numbers and message content needed to deliver SMS are processed by your configured SMS provider.

Google Analytics (optional): We may use Google Analytics 4on our marketing and app surfaces to understand aggregate traffic and usage (for example pages viewed, general geography). Where used, it is configured to support our legitimate interest in improving the product; we do not use it to sell personal data or for ad profiling of your clients' visa records inside the dashboard.

Hosting and infrastructure: Servers, databases, and backups may be operated by vetted infrastructure suppliers under agreements that require confidentiality and security safeguards.

• Direct input from you or your staff during normal platform use.
• Automated technical collection such as session, browser, and log data.
• Third-party service events when you connect email or SMS providers.
• Support communications you send to our team.

We do not buy personal data from brokers or use scraped public data to populate agency records.

• To provide, operate, and maintain the VisaDesk service.
• To manage subscriptions, billing, onboarding, and account access.
• To deliver notifications and workflow alerts configured by your agency.
• To secure the platform, monitor misuse, and investigate incidents.
• To respond to support requests and improve reliability.
• To comply with legal or regulatory requirements.

We do not use client data for advertising, profiling, or unrelated marketing purposes.

Depending on the context, we rely on these legal bases:

• Contractual necessity: To deliver the service you subscribed to.
• Legitimate interests: To keep the platform secure and reliable.
• Legal obligation: To retain records when required by law.
• Consent: For optional communications when you opt in.

For client data, your agency is responsible for having a lawful basis to collect and process your clients' information.

Data is stored on secure infrastructure with encryption in transit and at rest. We use role-based access controls, strong authentication, backup systems, and audit logging to reduce risk.

• Restricted production access for authorized personnel only.
• Encrypted network traffic and secure secret handling.
• Automated backups and recovery procedures.
• Security reviews, dependency monitoring, and logging.
• Password hashing for account credentials.

No system is perfectly secure, so agencies are also responsible for strong passwords and prompt reporting of suspicious access.

We retain data based on account and legal requirements:

• Active account data is retained for the duration of the subscription.
• Post-cancellation agency and client data may be retained for 90 days to allow export.
• Billing records may be retained longer where accounting rules require it.
• Audit logs and support records are retained for operational and security needs.

We do not sell or rent data. Limited sharing may occur with:

• Infrastructure providers that host or process data under contract.
• Email, SMS, or payment providers needed to deliver configured services.
• Authorities where disclosure is legally required.
• A successor entity in a merger, acquisition, or asset transfer.

VisaDesk uses cookies and local storage to keep users signed in, enforce security (including content security protections), remember interface preferences, and support normal platform behavior.

• Authentication: HttpOnly cookies may store session tokens issued by our API so your browser stays signed in securely.
• Preferences: Local storage may remember UI choices (for example sidebar or lightweight client state).
• Google Analytics 4 (optional): If enabled for our deployment, Google may set cookies or use similar technology to collect pseudonymous identifiers and usage statistics. See Google's Privacy Policy. You can use browser controls or plugins to limit analytics cookies.

We do not use third-party advertising or behavioral retargeting pixels for visa case data. Clearing cookies or local storage may sign you out and reset saved preferences.

Agencies can share public tracking links so applicants can review their case status without another login. Anyone with the link may be able to see the information exposed through that page.

• Agencies control whether tracking links are shared.
• Agencies are responsible for deciding what information appears there.
• We do not treat tracking links as password-protected resources.

Data may be processed in infrastructure locations outside your home country. Where cross-border transfers occur, we use contractual and operational safeguards appropriate for the applicable legal framework.

Depending on your jurisdiction, you may have rights such as:

• Access to the personal data we hold about you.
• Correction of inaccurate or incomplete information.
• Deletion, subject to lawful retention obligations.
• Restriction or objection to certain processing.
• Data portability where applicable.
• Withdrawal of consent for consent-based processing.

For client records, requests should normally be directed to your agency first because your agency is the data controller.

If a personal data breach creates a material risk to affected users or agencies, we will investigate promptly and notify impacted agency admins and authorities where required by law.

VisaDesk is intended for use by registered businesses and agency staff, not by minors directly. If your agency stores information about minors as part of a visa application, your agency is responsible for the lawful basis for that processing.

We may update this policy to reflect operational, legal, or product changes. Material changes will be announced in advance through email or in-product notice where appropriate.

For questions or requests related to privacy, contact us at:

• privacy@visadesk.cloud
• security@visadesk.cloud
• support@visadesk.cloud

If you believe our response does not resolve your concern, you may also have the right to contact a relevant supervisory authority.