Chrome extension · Privacy policy

Visa Master privacy policy.

Last updated: 14 May 2026 · Applies to: Visa Master Chrome extension, all versions ≥ 1.1.0

Who we are

Visa Master is operated by Innovatorly Ltd (trading as TorlyAI), a company registered in England & Wales. We are the data controller for personal data described below and are registered with the UK Information Commissioner’s Office (ICO). Contact: contact@torly.ai.

The short version

Free tier: we collect nothing. The extension runs entirely inside your own browser tab. No account, no telemetry, no install ping, no contact with torly.ai. The only network traffic is what your browser already makes to TLScontact when you load the page yourself, plus an optional Telegram message to your own bot if you set one up.

Premium tier: we collect the minimum we need to verify your licence and charge the £19 success fee when an auto-book completes — an anonymous install UUID, your Stripe customer ID, and the booking receipt. Your TLScontact password never touches our servers; it stays encrypted on your machine.

We don’t sell data and we don’t use it for advertising. The extension itself runs no analytics — it talks only to TLScontact (with your credentials, locally) and, on Premium, to our own backend with the fields listed below.

What we collect

Free tier

Nothing on our servers. Free has no account, no identifier, no server contact.
On your device (in chrome.storage.local): your settings (polling cadence, notification preferences, language, release windows), the current monitoring state, and optionally your Telegram bot token if you set one up. This data never leaves your browser.

Premium tier (in addition to the above)

Anonymous install id — a random UUID generated locally on first run. Stored in our database to pair your install with a Stripe customer.
Stripe customer id and payment-method id — issued by Stripe when you upgrade. Linked to your install id in our database. We never see card numbers.
Email address — collected by Stripe Checkout (not by the extension). Used to send receipts and refund correspondence.
Booking receipts — on a successful auto-book only: the TLS booking confirmation id, the slot date/time, and the visa centre. Stored as a receipt for the £19 charge.
TLScontact credentials (Premium) — stored in your browser’s extension storage, encrypted with AES-GCM (key derived via PBKDF2 from a per-install salt). They never leave your machine. The extension decrypts them locally only when re-establishing a TLS session that has expired. We have no key, no copy, and no way to read them.

Support tickets (both tiers)

If you email contact@torly.ai we store your message and any attachments you choose to send (a screenshot, an exported settings file, etc.) for as long as needed to resolve the issue. See “Retention” below.

Why we collect it

To run the service you installed: watching your TLScontact tab for slots, sending you notifications, and (on Premium) attempting an auto-book and charging the £19 success fee when one completes.

Under UK GDPR our legal basis is performance of the contract between us (the Terms of Service) for the data we need to deliver Premium, and our legitimate interest for things like fraud prevention and aggregated reliability tuning of the licensing backend. The Free tier collects no personal data, so most legal bases are inapplicable by design.

Where it’s stored

Your device. Everything that matters for Free (settings, monitoring state, Telegram token) and your TLScontact credentials for Premium are stored in chrome.storage.local on the machine where the extension is installed. Uninstalling clears that storage.

Our backend (Premium only). The torly.ai backend is a Next.js application hosted on Vercel with a Supabase (managed Postgres) database. Both services are configured to host data in EU regions. Vercel’s edge network may route requests through other regions in the ordinary course of operation.

Stripe. Payment data is processed by Stripe on their own infrastructure under their own privacy policy.

Retention

Free tier — local data: kept on your device until you uninstall the extension or clear extension storage. Uninstalling deletes everything local.
Premium — install records and Stripe IDs: kept for the lifetime of your Premium use plus up to 7 years afterwards, to satisfy UK financial-record retention requirements.
Premium — booking receipts: kept for 7 years as part of the billing record for the £19 success fee.
TLScontact credentials: never leave your machine, so we have no copy to retain. Cleared when you uninstall the extension or click “Forget credentials” in the extension settings.
Support emails: kept for up to 12 months after the issue is resolved, then deleted.

Who we share it with

We only share data with the processors we need to run the service:

Vercel — hosting for the Next.js backend at torly.ai.
Supabase — managed Postgres for install records and booking receipts.
Stripe — payment processing for the £19 Premium success fee.
Resend — transactional email (Premium receipts and refund correspondence).

We do not share data with TLScontact beyond the actions you authorise the extension to take inside your own browser tab, using your own credentials. The extension never proxies TLS requests through our servers.

We do not sell data to anyone. The torly.ai marketing site uses standard product analytics to measure how visitors find us; the Chrome extension itself runs no analytics and contacts no analytics endpoint.

Why each Chrome permission is requested

These match the justifications submitted to the Chrome Web Store. Each permission was added for a specific reason; none are speculative.

alarms — schedule the polling cadence (2–15 min). Required because Manifest V3 service workers are evicted when idle.
storage — persist your settings and state across service worker restarts. Local only.
notifications — alert you via the system notification surface when a slot is detected.
tabs — find your open TLScontact tab to inject the detector script and (optionally) focus it when a slot opens. Other tabs are never enumerated; we filter by the *.tlscontact.com URL pattern at every call.
scripting — inject the slot-detection content script into your TLScontact tab. The script reads DOM state to detect open slots and reports back to the extension service worker. It does not modify the page or read form fields.
Host permission for *.tlscontact.com — required to inject the slot-detection content script. Without it the extension cannot perform its primary function.
Host permission for torly.ai (Premium only) — verify the Premium licence and capture the £19 success fee via Stripe. Free users never trigger any network call to torly.ai.
Optional host permission for api.github.com — requested only when you click “Check for updates”, to read the latest extension release tag.

Cookies and similar technologies

The Chrome extension itself does not set cookies. State and (on Premium) encrypted credentials are stored in your browser’s extension storage on your own machine.

The torly.ai marketing website sets a session cookie required for sign-in to other (non-Visa Master) torly.ai products, plus standard analytics cookies. None of those cookies are read by the Visa Master extension.

Your rights

On the Free tier there is no personal data for us to hold, so most rights are inapplicable by design.

On the Premium tier you can ask us to send you a copy of your data, correct anything that’s wrong, or delete your records (your install id, Stripe customer id, and booking receipts). Email contact@torly.ai and we’ll respond within 30 days.

If you’re in the UK or EU you also have the right to object to processing, restrict processing, request data portability, and lodge a complaint with your local data protection authority — in the UK the Information Commissioner’s Office (ico.org.uk).

International transfers

We aim to keep personal data within the UK and EEA via Vercel and Supabase EU regions. Vercel’s edge network may transit requests through other jurisdictions in the course of routing traffic. Where any onward transfer of personal data outside the UK / EEA does occur, we rely on the standard data protection terms our processors offer as part of their data-processing addenda, including the UK International Data Transfer Addendum and EU Standard Contractual Clauses where applicable.

Children

Visa Master is intended for adults applying for a Schengen visa. We don’t knowingly collect personal data from anyone under 18. If you believe a child has used the service, email contact@torly.ai and we’ll delete the data.

Chrome Web Store certifications

We confirm:

We do not use or transfer user data for purposes unrelated to the extension’s single purpose.
We do not use or transfer user data to determine creditworthiness or for lending purposes.
We do not sell user data to third parties.
The extension contains no remote code. Every line of executable JavaScript is bundled in the package; no eval, no dynamically loaded scripts.

Changes

We may update this policy. The “Last updated” date at the top reflects the current version. We’ll flag material changes in the release notes of the extension version that introduces them. Past versions of this policy remain in the git history of github.com/torlyai/Schengen-master.

Contact

Privacy questions, deletion requests, or compliance correspondence: contact@torly.ai.

← Visa Master product page Source on GitHub torly.ai general privacy policy