TOOLS & COMPARISONS · 21 MAY 2026

How Visa Master Watches TLScontact Without Touching Your Login

Technical deep-dive into Visa Master's local-first privacy model — what the Free tier reads, what Premium encrypts locally, and exactly what data reaches torly.ai and why.

Duke Harewood
Chief Content Officer, TorlyAI
21 May 2026 · 8 MIN READ

When a Chrome extension monitors a website, three questions matter: what does it read, what does it store, and what does it send? For a tool monitoring TLScontact — a site where you are logged in with sensitive identity information — those questions are not academic. This article answers them in full, for both the Free and Premium tiers of Visa Master.

This is the technical record. If you want the short version: Free tier sends nothing to torly.ai, ever. Premium sends a small, explicit set of metadata — described precisely below — and explicitly does not send credentials, session tokens, or page content.

How the Free Tier Works: 100% Local Architecture

Visa Master Free is a Chrome Manifest V3 extension. Its core is a service worker — a background script that runs persistently (within Chrome's eviction rules) and manages the monitoring loop.

When you are logged into TLScontact and have the appointment calendar page open, the service worker polls the page on a cadence of approximately 20–40 seconds. It does this by injecting a content script into the TLScontact tab, which reads the DOM — specifically the appointment calendar elements — and reports back whether any slots are available.

The content script reads DOM state. It does not read:

  • Your TLScontact email or password (those are in the login form, which you completed before the extension started)
  • Your personal details stored in TLScontact
  • Any payment card information
  • Any passport or identity document data
  • The source HTML of pages other than the appointment calendar

When the content script reports an available slot, the service worker fires a Chrome desktop notification and — if you have configured Telegram — sends a message to your personal bot token. That Telegram API call goes from your device to Telegram's servers directly; it does not route through torly.ai.

Network calls made by Visa Master Free

| Destination | Purpose | Required? |
| --- | --- | --- |
| *.tlscontact.com | Load and poll the appointment calendar you are already on | Yes — this is the monitoring |
| api.telegram.org | Send slot alert to your personal bot | Only if you have configured Telegram |
| torly.ai | None | |
| Any other domain | None | |

The manifest host_permissions field, which Chrome enforces and which you can inspect in the Chrome Web Store listing or the public extension repository, restricts the extension to *.tlscontact.com and torly.ai. It holds no host permission for any other domain. The torly.ai permission is present in the manifest for the Premium tier's license validation and payment flow, but in Free mode no code path calls it.

Chrome storage: what is saved locally

The extension uses chrome.storage.local as its state bus — this is local-only storage, not synced to any Google account. It stores:

  • Your monitoring settings (target centre, polling cadence preference, notification sound preference)
  • The current extension state (IDLE, NO_SLOTS, SLOT_AVAILABLE, etc.)
  • Your Telegram bot token and chat ID (if configured)
  • Statistics (how many polls have been run, last slot detected, etc.)
  • An installId — a randomly generated UUID created at install time

The installId is generated locally and stored locally. In Free mode, it is never transmitted anywhere. Its existence in storage is preparation for the Premium tier's payment flow — where it becomes the pseudonymous identifier that links your device to a successful booking without revealing your identity.

How the Premium Tier Works: Explicit, Documented Opt-In

Premium adds two capabilities to the Free tier: automatic re-login when TLScontact logs you out, and automatic booking when a slot appears. Both require your TLScontact credentials. Here is exactly how those credentials are handled.

Credential storage: AES-GCM with per-install salt

When you enable Premium and enter your TLScontact credentials, the extension encrypts them before storage. The encryption process:

  1. Retrieves your installSalt — a random byte array generated at install and stored in chrome.storage.local.
  2. Derives an encryption key using PBKDF2 from the install salt. The key never leaves your device.
  3. Encrypts your TLScontact email and password using AES-GCM with a randomly generated IV.
  4. Stores the encrypted blob in chrome.storage.local under the key tlsCreds.

The plaintext credentials exist in memory only during the instant of encryption and during the instant of decryption when the extension needs to re-authenticate with TLScontact. They are never logged to console.*, never included in any error report, and never transmitted to torly.ai.

The encryption is implemented in src/shared/crypto.ts in the extension source. Independent verification is possible via the public repository.
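The four storage steps above, written out with the Web Crypto API as an added example (this is not the code in src/shared/crypto.ts). The page does not say what PBKDF2 takes as its input alongside the salt, so `installSecret`, the iteration count, the hash and the blob layout are assumptions.

```javascript
// Added example, not the code in src/shared/crypto.ts.
// Assumed: installSecret as PBKDF2 input, 600,000 iterations, SHA-256, blob layout.
async function webCrypto() {
  // Global in extensions and recent Node; older Node exposes it via node:crypto.
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

// Step 2: derive a non-extractable AES-256-GCM key with PBKDF2 and the install salt.
async function deriveKey(c, installSecret, installSalt) {
  const material = await c.subtle.importKey("raw", installSecret, "PBKDF2", false, ["deriveKey"]);
  return c.subtle.deriveKey(
    { name: "PBKDF2", salt: installSalt, iterations: 600000, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Step 3: encrypt under a fresh 96-bit IV; the IV is stored next to the ciphertext.
async function sealCreds(c, key, creds) {
  const iv = c.getRandomValues(new Uint8Array(12));
  const data = new TextEncoder().encode(JSON.stringify(creds));
  const ct = await c.subtle.encrypt({ name: "AES-GCM", iv }, key, data);
  return { iv: Array.from(iv), ct: Array.from(new Uint8Array(ct)) }; // JSON-safe blob
}

// Decrypt; AES-GCM rejects the blob if the ciphertext, tag or IV was altered.
async function openCreds(c, key, blob) {
  const pt = await c.subtle.decrypt(
    { name: "AES-GCM", iv: new Uint8Array(blob.iv) }, key, new Uint8Array(blob.ct));
  return JSON.parse(new TextDecoder().decode(pt));
}

// Round trip on constructed values; returns the properties worth checking.
async function demo() {
  const c = await webCrypto();
  const installSalt = c.getRandomValues(new Uint8Array(16));
  const installSecret = c.getRandomValues(new Uint8Array(32)); // assumed PBKDF2 input
  const key = await deriveKey(c, installSecret, installSalt);
  const creds = { email: "user@example.com", password: "constructed-sample" };
  // Step 4 in the extension would be chrome.storage.local.set({ tlsCreds: a }).
  const a = await sealCreds(c, key, creds);
  const b = await sealCreds(c, key, creds);
  const tampered = { iv: a.iv, ct: a.ct.map((x, i) => (i === 0 ? x ^ 1 : x)) };
  const tamperRejected = await openCreds(c, key, tampered).then(() => false, () => true);
  return {
    roundTrip: (await openCreds(c, key, a)).password === creds.password,
    freshIv: a.iv.join() !== b.iv.join(),
    tamperRejected,
  };
}
```

A salt is not a secret, so how well the stored blob is protected depends on what the PBKDF2 input is and where it is kept.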

What Premium sends to torly.ai

| Data point | Why it is sent |
| --- | --- |
| installId (random UUID) | Pseudonymous identifier for license status and success-fee tracking |
| Stripe customer email | Payment processing — goes directly to Stripe, not stored in torly.ai database |
| bookingId (TLS booking reference) | Receipt generation, Telegram booking echo |
| slotAt (slot timestamp) | Receipt and confirmation |
| centre (TLScontact centre name) | Receipt and Telegram notification |
| Browser version, OS | Error reporting and compatibility tracking |

| Data point | Status |
| --- | --- |
| TLScontact email | ❌ Never sent |
| TLScontact password | ❌ Never sent |
| Session cookies or tokens | ❌ Never sent |
| Polling cadence | ❌ Never sent |
| DOM contents | ❌ Never sent |
| Telegram bot token | ❌ Never sent |
| Passport or identity data | ❌ Never sent |

The installId is the most sensitive item in the "sent" column. It is a random UUID — it cannot be linked to your real identity unless you explicitly associate it by contacting support. It is used pseudonymously to track whether a given install has an active license and whether a success fee is owed.

The Webhook Channel: A Separate Anonymous Identifier

For users who want to receive booking confirmations via a BYO webhook (rather than relying on Telegram or the Visa Master notification system), the extension uses a separate identifier: webhookInstallId.

This is a different UUID from installId. It is used exclusively for the webhook channel so that Free users who enable webhook notifications never reveal an identifier that could be correlated with any Premium payment or license record. The two UUIDs are kept strictly separate in both the extension's code and in torly.ai's database schema.

The torly.ai Backend: What It Knows and What It Does Not

The torly.ai server handles three functions for Visa Master: license JWT issuance, success-fee capture via Stripe, and booking confirmation echo.

License JWT issuance: When you activate Premium, torly.ai issues a JWT (JSON Web Token) signed with RS256. The token encodes your installId, the audience visa-master-extension (distinct from other torly.ai products), an expiry, and the tier. The extension validates this token locally on every check — it does not make a network call for every validation, only for periodic liveness checks (approximately once every 24 hours).

Success-fee capture: The £19 success fee is processed through Stripe. torly.ai receives your Stripe customer email and the booking confirmation metadata. Your payment card data never touches torly.ai — it stays within Stripe's PCI-compliant infrastructure.

Booking confirmation echo: When a successful booking is made, torly.ai receives the bookingId, slotAt, and centre. This is used to send a Telegram confirmation (via the Visa Master team's bot, separate from your personal BYOB bot) and to generate a receipt. This data is stored against your installId in the torly.ai database.

What torly.ai's database does NOT contain

  • Your TLScontact login credentials
  • Your real name, nationality, or passport number
  • Your travel dates or visa application details
  • Your Telegram account information
  • Any DOM snapshot of TLScontact pages

Manifest Permissions: What Chrome Enforces

Chrome's permission model is enforced by the browser, not just declared by the extension. The manifest host_permissions in Visa Master are:

"host_permissions": [
  "*://*.tlscontact.com/*",
  "*://torly.ai/*"
]

This means the extension cannot inject content scripts into, read page data from, or make CORS-exempt cross-origin requests to any domain outside these two. Requests to any other origin, such as the optional api.telegram.org call, are ordinary web requests subject to that server's CORS policy. You can verify the permissions yourself: install the extension, open chrome://extensions/, click "Details" on Visa Master, and review the permissions listed. Chrome enforces the manifest independently: the extension cannot obtain host access to any other domain at runtime regardless of what its code attempts.

The extension also requests the following Chrome API permissions: storage, alarms, notifications, tabs, scripting, webNavigation. Each has a specific purpose in the monitoring and notification flow. None grant access to passwords, payment data, or other installed extensions.

Why This Architecture Matters

The local-first model is not a marketing claim — it is a specific technical architecture that has verifiable consequences. A server-side scanning tool for TLScontact cannot make the same guarantees, because by definition it requires TLScontact to be accessed by an external server rather than your own browser session.

The practical upshot: with Visa Master Free, TLScontact sees only requests from your IP address, your browser, your authenticated session. No third-party server is involved in the monitoring. Your browsing session remains private to you.

"Free never reads your TLS password. Free never sends anything to torly.ai. Free never makes a network call outside the TLS tab and optional Telegram."
(Visa Master architecture documentation)

This promise is verifiable. The manifest is public. The open-source components of the extension can be audited. If you want to go further, you can run Chrome's network inspector while the extension is active and confirm that no requests are made to torly.ai.

Install Visa Master Free from the Chrome Web Store and verify the network traffic yourself.
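One way to run that check, as an added example rather than Visa Master code: export a HAR file from the network inspector attached to the extension's service worker and compare every request host with the Free-tier table above. The function names and the sample HAR entries are constructed for illustration.

```javascript
// Added example, not Visa Master code. Allowlist mirrors the Free-tier table on this page.
const FREE_TIER_ALLOWED = ["*.tlscontact.com", "api.telegram.org"];

// Chrome-style host match: "*.example.com" covers example.com and its subdomains only.
function hostMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  if (!pattern.startsWith("*.")) return h === pattern;
  const base = pattern.slice(2);
  return h === base || h.endsWith("." + base); // dot boundary excludes "nottlscontact.com"
}

// Pull request URLs out of a HAR 1.2 export (log.entries[].request.url).
function urlsFromHar(har) {
  return (har?.log?.entries ?? []).map((e) => e?.request?.url).filter(Boolean);
}

// Sort each request into "allowed" or "violations" for a Free-mode capture.
function auditFreeTier(urls, allowed = FREE_TIER_ALLOWED) {
  const report = { allowed: [], violations: [] };
  for (const raw of urls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      report.violations.push({ url: raw, reason: "unparseable URL" });
      continue;
    }
    if (url.protocol === "chrome-extension:") continue; // the extension's own files
    if (allowed.some((p) => hostMatches(url.hostname, p))) {
      report.allowed.push(url.hostname);
    } else if (hostMatches(url.hostname, "*.torly.ai")) {
      report.violations.push({ url: raw, reason: "torly.ai contacted in Free mode" });
    } else {
      report.violations.push({ url: raw, reason: "destination not in Free-tier table" });
    }
  }
  return report;
}

// Constructed HAR fragment (hosts and paths are sample values, not captured traffic).
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://centre.tlscontact.com/appointment/calendar" } },
  { request: { url: "https://api.telegram.org/botCONSTRUCTED/sendMessage" } },
  { request: { url: "https://torly.ai/constructed/path" } },
  { request: { url: "https://tlscontact.com.example.net/" } },
  { request: { url: "https://nottlscontact.com/" } },
] } };

console.log(auditFreeTier(urlsFromHar(SAMPLE_HAR)));
```

An empty `violations` array over a full monitoring session is the result the Free-tier promise predicts; the last two sample entries show why the host comparison needs a dot boundary rather than a substring test.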

For how this compares to competing extensions' approaches, read Chrome Extensions for France Visa Slots: Visa Master vs VisaReady vs Booker. For the complete picture of auto-book credential handling, see Auto-Book France Visa Appointments: How Success-Fee Tools Actually Work.

