This Policy describes what personal data we collect, the legal basis on which we process it, how long we keep it, who we share it with, and the rights you have. For Applicant personal data, the Agency that submitted the file is the Data Controller and Visa Port is a Data Processor acting on the Agency’s instructions.
This Privacy Policy (“Policy”) explains how Devign SAL, trading as Visa Port (“Visa Port”, “we”, “us”, “our”), a company registered in Lebanon with offices at Hamra, Beirut, collects, uses, stores, and shares personal data in the course of operating the portal at portal.visa-port.com, the marketing website at visa-port.com, and related APIs and services (together, the “Service”).
This Policy applies to three categories of individuals: (a) Agency account owners and staff who register, configure, and use the Service on behalf of a travel or immigration agency; (b) Applicants whose personal data is submitted to the Service by an Agency for the purpose of processing a visa, travel, or immigration file; and (c) visitors of our public websites who have not created an account.
For Applicant data, the Agency is the Data Controller under the EU General Data Protection Regulation (“GDPR”) and equivalent laws; Visa Port acts as Data Processor on the Agency’s documented instructions. Applicants who wish to exercise rights over their data should contact the Agency that submitted their file; we will assist the Agency in responding within the timelines required by law. For Agency-account data and visitor data, we act as Data Controller.
From Agencies: business name, legal form, commercial-registration number or equivalent, tax identification number where applicable, agency address, email addresses, phone numbers, the full name and role of each staff member, profile photographs, authentication credentials (stored as bcrypt hashes — we never see plaintext passwords), multi-factor-authentication secrets, and payment-method metadata returned by Stripe (brand, last four digits, expiry, country — we never see card numbers).
From Applicants, submitted by the Agency: full name, date of birth, place of birth, gender, nationality, marital status, surname at birth (where applicable), passport number and expiry date (stored encrypted), identity-document scans, passport photographs, selfies and photographs for embassy submission, email address, phone number, residential address, occupation, employer details, income or bank statements where required by the destination embassy, travel-history information, chat messages with the Agency or with the AI consultation module, and any additional document or field the Agency specifically requests for a given visa type.
From B2B partners configured by Agencies: company name, contact person, email, phone, negotiated commission terms, and ledger of balance transactions.
From visitors and registered users: standard technical telemetry including IP address, approximate geolocation derived from IP, user-agent string, device type, operating system, referrer URL, pages viewed, and timestamps. We use session cookies and CSRF cookies that are strictly necessary to operate the Service.
From all users: audit logs of key security-relevant events (login, logout, failed login, password reset, two-factor-authentication changes, role assignments, document access, payments) together with the IP address and user-agent associated with each event.
Sensitive categories. Passport scans, identity documents, and AI-consultation transcripts may incidentally contain data that is considered sensitive under GDPR Article 9 (for example, information that could reveal religious belief, health, biometric, or other protected characteristics). We process such data strictly on the lawful basis provided by the Agency (typically the Applicant’s explicit consent gathered by the Agency at intake) and under the heightened security measures described in Section 4.
We process Agency-account data on the legal basis of contractual necessity (performance of the Terms of Service you accepted) and legitimate interests (billing, fraud prevention, product improvement, security). Where required by law, we rely on your consent, which you may withdraw at any time.
We process Applicant data on the legal basis of performance of a contract between the Agency and the Applicant (the Agency’s engagement to process the application) and, where the data falls within GDPR Article 9, the explicit consent the Agency is required to obtain from the Applicant before submitting the data to the Service. The Agency is responsible for establishing and documenting the lawful basis.
We process technical telemetry on the legal basis of legitimate interests in operating, securing, and improving the Service, balanced against the rights and freedoms of the individual.
Specific purposes: (a) providing the contracted features of the Service; (b) authenticating users and securing the platform; (c) billing subscriptions and processing payments; (d) providing customer support; (e) communicating service, security, and transactional notifications; (f) detecting, preventing, and responding to fraud, abuse, and security incidents; (g) complying with legal, tax, and regulatory obligations; (h) enforcing our Terms and protecting our rights; (i) improving the Service through aggregated and de-identified analytics; and (j) where you have opted in, sending product updates.
We do not sell personal data. We do not use personal data for advertising. We do not train AI models on your data or your Applicants’ data. We do not share Applicant data with any third party except the sub-processors listed in Section 7 (acting strictly on our instructions) or as required by law.
Encryption in transit. All traffic between user devices and our servers is protected by TLS 1.3 using certificates issued by Let’s Encrypt. HTTP Strict Transport Security (HSTS) with a one-year max-age and includeSubdomains directive is enforced.
Encryption at rest. Passport numbers are encrypted using AES-256-GCM via Laravel’s encrypted attribute casts. Payment-gateway credentials configured by Agencies (Stripe / Whish / other secret keys) are encrypted at rest using the same mechanism. Encryption keys are stored exclusively in server environment variables and are never committed to the code repository or exposed in the database.
Document storage. Passport scans, identity documents, and photographs are stored on the server filesystem outside the web root. They are served only through authenticated, signed, short-lived URLs generated by the application. No document can be accessed by direct URL without a valid signature and authenticated session.
Password hashing. Passwords are hashed using bcrypt at a cost factor of 12. Plaintext passwords are never logged, stored, or transmitted beyond the TLS-encrypted login request. Password-reset tokens are one-time-use, time-limited, and cryptographically random.
Access control. The database enforces per-Agency row-level scoping through foreign-key constraints and application-layer checks. Staff roles (admin, agent, accountant, B2B partner) implement the principle of least privilege. Super-admin access is gated by strict IP allow-listing and two-factor authentication.
Audit logging. Security-relevant events are logged with timestamp, actor, IP, and user-agent and retained for twelve (12) months for forensic purposes.
Backups. Backups of the database and document storage are created daily, encrypted with OpenSSL AES-256-CBC before leaving the server, retained for thirty (30) days on an offsite object-storage bucket with private-only access, and overwritten on a rolling basis thereafter.
Vulnerability management. Dependencies are monitored for published vulnerabilities via Composer audit and npm audit. Patches for high- or critical-severity vulnerabilities are applied within seven (7) days of public disclosure where technically feasible. We welcome responsible-disclosure reports at info@devignlb.com.
Physical security. Production servers are hosted by Contabo GmbH in Nuremberg, Germany, in facilities certified under ISO 27001. Physical access is restricted to authorised data-centre personnel with biometric authentication.
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot and do not guarantee absolute security. You are responsible for maintaining the security of your own credentials, devices, and email inbox.
Agency-account data is retained for the duration of the subscription plus a 30-day export window following termination, after which Agency-scoped data is permanently deleted from live systems. Residual copies in encrypted backups are overwritten within a further 90 days on the rolling backup rotation.
Applicant passport scans and photographs auto-purge 30 days after the associated application status becomes approved, rejected, or cancelled. The metadata row (without the binary) is retained for accounting and audit purposes for the period required by applicable tax and corporate law (typically seven (7) years in Lebanon), after which the metadata row is also deleted.
Soft-deleted applicant accounts are fully anonymised thirty (30) days after soft-deletion: the name is replaced with “deleted user”, passport numbers are nulled, and all scans and photographs are purged. The anonymised row remains as an audit stub that cannot be linked to a real person.
AI-consultation transcripts follow the retention of the parent application and are deleted together with it.
Audit logs, security logs, invoices, and accounting records are retained for the period required by applicable law (typically seven (7) years in Lebanon) and then permanently deleted.
Encrypted backups are retained on a 30-day rolling basis unless a longer retention is specifically required to respond to a security incident or legal hold.
Our primary server infrastructure is in Germany, within the European Economic Area. Certain sub-processors are located outside the EEA (for example, OpenAI in the United States, Stripe in the United States, Apple Push Notification Service in the United States, Google Firebase Cloud Messaging in the United States). Where personal data is transferred outside the EEA or other jurisdictions with adequate-protection laws, we rely on the transfer mechanisms approved by applicable law, including Standard Contractual Clauses published by the European Commission and, where applicable, supplementary measures such as encryption in transit, zero-retention API agreements, and minimisation of the data transferred.
By using the Service, Agencies and Applicants acknowledge that personal data may be transferred to and processed in the countries where our sub-processors operate.
We engage the following sub-processors to provide specific components of the Service. Each sub-processor is bound by a data-processing agreement or equivalent contractual commitment to process personal data only on our documented instructions and to implement appropriate security measures.
Subject to the applicable data-protection law, you have the following rights with respect to your personal data:
Right of access. You may request confirmation of whether we process personal data about you and, if so, a copy of that data and information about how it is processed.
Right to rectification. You may request correction of inaccurate or incomplete personal data. Agency owners and staff can edit their own details from the profile page. Applicants should contact the Agency that submitted their file.
Right to erasure (“right to be forgotten”). You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, you withdraw consent, you object to processing, or the processing is unlawful. Applicants request erasure via their Agency; Agency owners may email info@devignlb.com. We will comply within thirty (30) days unless a longer period is required by applicable law (e.g. for accounting records).
Right to restriction of processing. You may request that processing be restricted in specific circumstances, for example, while the accuracy of your data is being verified.
Right to data portability. You may request a copy of your personal data in a structured, commonly used, machine-readable format (typically JSON and CSV). Agency-level exports are available in-app; individual Applicant exports may be requested through the Agency.
Right to object. You may object to processing that is based on our legitimate interests or performed for direct-marketing purposes. If you object, we will cease the objected-to processing unless we demonstrate compelling legitimate grounds or the processing is necessary for the establishment, exercise, or defence of legal claims.
Right to withdraw consent. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing performed before the withdrawal.
Right not to be subject to solely automated decisions. We do not make decisions that produce legal or similarly significant effects solely through automated processing. AI outputs are assistive only and are reviewed by human staff before any decision is communicated.
Right to lodge a complaint. You may lodge a complaint with your local data-protection authority. In Lebanon, enquiries can be submitted to the Ministry of Economy and Trade; in the EEA, you may contact the supervisory authority of your habitual residence.
We use only strictly necessary first-party cookies and similar storage mechanisms: session tokens, CSRF tokens, authentication tokens, selected user-interface language, selected theme (light/dark), and a small localStorage cache of translation strings for performance.
We do not use analytics cookies. We do not use advertising cookies. We do not embed third-party trackers. Because we use only strictly-necessary storage, we do not display a cookie consent banner; such a banner is required only where non-essential cookies are used.
You can configure your browser to refuse cookies or to alert you when cookies are being set. If you refuse strictly-necessary cookies, parts of the Service may become unavailable (for example, you may be unable to log in).
AI-consultation messages between an Applicant, AI, and Agency staff are stored in the application database associated with the parent application. They are used only to serve that specific consultation and to generate audit logs.
AI inputs and outputs are transmitted to OpenAI under an API-level zero-retention agreement: OpenAI does not store the submitted content beyond the immediate processing window and does not use it to train its models.
Agencies and (via their Agency) Applicants may delete consultation history from the Service user interface at any time. Deletion is final and cannot be recovered.
The Service is intended for use by businesses and by adults acting in a business capacity. We do not knowingly collect personal data directly from children under sixteen (16).
Applicants submitted to the Service by an Agency may be minors (for example, family-visa applications that include children). In those cases, the Agency is responsible for obtaining appropriate parental or guardian consent at intake. We treat data relating to minors under the same safeguards as adult applicant data and apply heightened retention discipline.
In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons — in particular, any breach affecting passport numbers, passport scans, payment credentials, or other high-risk data — we will notify the supervisory authorities within seventy-two (72) hours of becoming aware of the breach, where required by law.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify the affected Agency (for Applicant data, the Agency is responsible for notifying its Applicants under its controller role) or the affected data subject (for Agency or visitor data) without undue delay. Our notice will include, to the extent known at the time: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate harm.
All transactional mail (account verification, password resets, invoice emails, AI-consultation summaries, booking confirmations) is sent from noreply@visa-port.com or info@visa-port.com via our own Postfix server.
We publish SPF, DKIM (selector 202501), and DMARC (policy p=quarantine) records for the visa-port.com domain so that receiving mail servers can cryptographically verify authenticity and reject spoofed mail sent in our name. If you receive an email purporting to be from Visa Port that fails SPF, DKIM, or DMARC validation, please forward it to info@devignlb.com.
If you are a resident of California, you may be entitled to additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know the specific categories of personal information collected, the right to request deletion, the right to opt out of “sale” or “sharing” (we do not sell or share personal information for advertising), and the right to non-discrimination for exercising your rights.
If you are a resident of the EEA or United Kingdom, you have the rights described in Section 8 under the GDPR or UK GDPR, and the right to lodge a complaint with your local supervisory authority.
Residents of other jurisdictions (including Canada, Brazil, South Africa, and the Gulf states) have the rights provided by their local privacy laws. Please contact info@devignlb.com to exercise any such right; we will respond within the timeframe required by applicable law.
We may update this Policy from time to time. Material changes will be announced in the agency dashboard and by email at least thirty (30) days before the effective date. Non-material changes may be made at any time and will be reflected in the version and effective-date banner at the top of this page. The effective date at the top of this page tracks the most recent version.
Data-protection enquiries: info@devignlb.com (subject line: “Data Protection”). Mailing address: Devign SAL, Hamra, Beirut, Lebanon. For matters relating to Applicant data specifically, please contact the Agency that submitted your file; we will coordinate with them to respond.