Legal document
Privacy Policy
Last updated: July 11, 2026
At a glance
- VizoraMail reads authorized email mailboxes in read-only mode to detect notifications from visa application centers — nothing is ever modified, moved or deleted.
- Your data is never sold, never used for advertising, never shared with third parties, and never used to train artificial-intelligence models.
- Credentials and access tokens are stored encrypted; each agency can only access its own data.
- You can revoke access to a mailbox at any time and request the complete deletion of your data.
1.Who we are
VizoraMail (“the Service”, “we”) is an email-monitoring platform for travel and visa-service agencies. It automatically detects, inside explicitly authorized mailboxes, notifications sent by visa application centers (TLScontact, VFS Global, consulates…) and alerts the relevant agency.
The Service is published and operated by:
- Publisher: Ahmed Bouguerba
- Email: [email protected]
- Phone: +212 626 559 561
For any question about this policy or your data, contact us at the address above (see also section 16).
2.Definitions and scope
- Agency: the professional (travel or visa-service agency) holding an account on the platform.
- Mailbox owner: the person who owns a monitored mailbox. This may be the Agency itself or one of its clients.
- Monitored mailbox: a Gmail or Outlook mailbox connected to the Service with its owner's authorization.
- User: any person who signs in to the Service's interface.
This policy applies to VizoraMail's public website, its web application and its monitoring engine. It covers all data processed by the Service, including data obtained through Google and Microsoft APIs.
3.Data we collect
| Category | Data | Source |
|---|---|---|
| Agency account | Agency name, sign-in email, password (stored only as an irreversible hash), notification email address. | Entered when the account is created. |
| Client file | Client's first and last name, phone number, monitored mailbox address, case-tracking dates (start date, payment due date). | Entered by the Agency. |
| Email content | For each processed email: sender, subject, date, message body (plain text and HTML) and the names of attachments. Attachment contents are never downloaded or stored. | Read from authorized mailboxes through Google's and Microsoft's official interfaces (see sections 5 and 6). |
| Access tokens | OAuth refresh tokens and mailbox app passwords, stored encrypted. | Provided when the mailbox is authorized. |
| Technical data | Processing history (timestamps, number of emails analyzed, rules applied, errors) and server logs. | Generated by the operation of the Service. |
We do not collect any browsing data for advertising purposes and we use no analytics tools (see section 9 — Cookies).
4.Purposes: why we use this data
The data described above is used exclusively for the Service's user-facing features:
- Detection: comparing each new email in monitored mailboxes against the rules defined by the Agency (expected sender, keywords, case-number format);
- Alerting: notifying the Agency when an email matches (in-app notification and summary email);
- Review: letting the Agency view detected emails and its mailboxes' archive from its dashboard;
- Case tracking: reminding the Agency of the deadlines it entered (payment, case age);
- Security and reliability: logging processing runs to diagnose errors and prevent abuse.
We never use this data for: advertising or ad targeting, selling or renting to third parties, profiling, creditworthiness assessment, or training artificial-intelligence or machine-learning models.
5.Google user data
5.1 Requested permissions (OAuth scopes)
When a Gmail mailbox is connected through “Sign in with Google”, VizoraMail requests the following permissions:
openidandemail— used only to verify that the authorized Google account matches the mailbox declared in the Service (protection against connecting the wrong account);gmail.readonly— read-only access to the Gmail mailbox, through Google's official Gmail API. By construction, this permission allows no write operation whatsoever: no email can ever be sent, modified, marked, moved or deleted — it is the narrowest scope that allows monitoring the Inbox and Spam folders.
5.2 What we do with this data
- The engine reads new emails from the Inbox and Spam folders at regular intervals;
- For each email, it stores the sender, subject, date, message body and attachment names, then compares it against the Agency's detection rules;
- Attachment contents are never downloaded;
- The access token (refresh token) is stored encrypted and is used only to open the read connection.
5.3 Who can see this data
The email content of a mailbox is visible only to: (a) the authorized users of the Agency the mailbox belongs to, within the mandate granted by the mailbox owner (see section 7); and (b) the Service operator, only where strictly necessary for maintenance, security, or compliance with a legal obligation. No other human access takes place.
5.4 Limited Use disclosure (required by Google)
VizoraMail's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In practice, data obtained through Google APIs: is used only to provide the features described in section 4; is never sold; is never used for advertising; is never used to train generalized AI models; and is read by humans only in the cases described in section 5.3.
6.Microsoft user data
When an Outlook mailbox is connected, VizoraMail requests the Microsoft
Graph Mail.Read permission: it allows
reading emails only, with no ability to send, modify
or delete anything.
The same commitments as for Google apply: reading of the Inbox and Junk folders, storage of the sender, subject, date, body and attachment names (never their contents), encrypted access token, no advertising or commercial use, no transfer to third parties, and human access limited to the cases in section 5.3.
7.Mailbox owner consent
A mailbox can only be monitored with the explicit consent of its owner, expressed on Google's or Microsoft's authorization screen (or by voluntarily providing an app password).
When the Agency connects a client's mailbox as part of handling their visa case, the Agency warrants that it has previously informed the client and obtained their explicit agreement regarding: the monitoring of their mailbox by the Service, the Agency's access to detected and archived emails, and the duration of that monitoring.
The mailbox owner may withdraw consent at any time, without giving any reason, through any of the means described in section 12. Withdrawal immediately ends the monitoring of the mailbox.
8.Sharing and disclosure
We do not sell, rent or share your data with any third party, except:
- Our hosting provider (Kamatera Inc.), which provides the private server the Service runs on, acting as a technical processor. The hosting provider has no right to use the data;
- Competent authorities, only where a legal obligation requires it (e.g. a court order), and strictly within the limits of what is required.
Each Agency can only access its own data: agency workspaces are strictly isolated from one another.
9.Cookies
The application uses a single session cookie, strictly necessary for the signed-in area to work (it proves you are authenticated). It is flagged HttpOnly (unreadable by scripts) and expires on sign-out or after a period of inactivity.
We use no advertising cookies, no trackers and no analytics tools.
Public pages load fonts from Google Fonts: when they load, your IP address is transmitted to Google, as with any third-party-hosted content.
10.Security
- Encryption in transit: exchanges with Google's and Microsoft's servers use TLS; the application is accessed over HTTPS;
- Encryption at rest: OAuth tokens and mailbox app passwords are encrypted in the database (authenticated symmetric encryption, with the key kept outside the database);
- Passwords: user account passwords are hashed with a salted algorithm (never stored in plain text, never decryptable);
- Isolation: every request verifies that the requested data belongs to the signed-in agency;
- Application protections: CSRF protection on all actions, automatic lockout after several failed sign-in attempts, time-limited sessions;
- Least privilege: read-only mailbox access, attachments never downloaded, restricted administrator access.
No system is infallible: in the event of a data breach likely to affect you, we will inform you as soon as possible, as well as the competent authorities where the law requires it.
11.Retention and deletion
- Access tokens: kept while the mailbox is monitored; deleted as soon as authorization is revoked or the mailbox is removed, and also as soon as we detect that access was withdrawn from your Google or Microsoft account (the now-unusable token is erased);
- Detected emails and archives: kept in the Agency's workspace for as long as it needs them for case tracking. The Agency can empty a mailbox's archive at any time from its interface;
- Client file (name, phone…): kept while the mailbox exists in the Agency's workspace;
- Technical processing history: kept for reliability and diagnostic purposes.
Complete deletion on request: a mailbox owner or an Agency may at any time request the permanent deletion of all data concerning them (email content, client file, tokens, archives) by writing to [email protected]. Deletion is carried out within a maximum of 30 days, including in our backup copies.
12.Revoking access
The Service's access to a mailbox can be withdrawn at any time, through three independent means:
- From the application: removing the authorization or the mailbox on the “Mailboxes” page (the Agency) — monitoring stops immediately, the stored token is deleted and, for Google accounts, the authorization is also revoked with Google (VizoraMail disappears from your account's third-party apps list);
- From your Google account: myaccount.google.com/permissions — remove “VizoraMail”'s access: the tokens immediately become unusable;
- From your Microsoft account: account.live.com/consent/Manage (personal accounts) — same effect.
13.Your rights
In accordance with Moroccan law No. 09-08 on the protection of individuals with regard to the processing of personal data, you have the following rights:
- Right of access: to know what data we hold about you and obtain a copy of it;
- Right of rectification: to have inaccurate data corrected;
- Right to object and to withdraw: to object to processing and withdraw your consent at any time;
- Right to deletion: to obtain the erasure of your data (see section 11).
To exercise these rights, write to [email protected]. We reply within a maximum of 30 days. You may also lodge a complaint with Morocco's data protection authority (CNDP).
If you reside in the European Economic Area, the equivalent rights under the General Data Protection Regulation (GDPR) apply, including the right to data portability and the right to lodge a complaint with your local supervisory authority.
14.Minors
The Service is intended for professionals. When a visa case concerns a minor, the Agency warrants that it has the legal guardian's consent for the monitoring of the mailbox associated with the case.
15.Changes to this policy
We may update this policy to reflect changes in the Service or in legal obligations. The date of the latest update is shown at the top of this page. In the event of a substantial change (new purpose, new sharing), Agencies will be informed through the application or by email before it takes effect.
16.Contact
For any question about this policy or your data:
- Email: [email protected]
- Phone: +212 626 559 561