Privacy Policy

Last Updated: February 2026

            Effective Date: This Privacy Policy is effective as of February 1, 2026, and applies to all users of the EVisaPlatform.com service ("Platform").
        

1. Introduction and Overview

EVisaPlatform.com is a multi-tenant Software-as-a-Service (SaaS) platform operated by Paragon Management, designed to assist immigration law firms in managing visa cases and related documentation. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Platform.

This platform is not a law firm and does not provide legal advice. We are a service provider to law firms and their staff members. Our primary obligation is to protect the sensitive immigration and personal data entrusted to us by law firms on behalf of visa applicants and beneficiaries.

2. Definitions and Key Concepts

Customer

A law firm or immigration law practice that has entered into a subscription agreement with Paragon Management to use the EVisaPlatform.com service.

User

An individual employee, contractor, or representative of a Customer (including attorneys, paralegals, administrative staff, and other personnel) who accesses the Platform with a unique login credential.

Beneficiary Data

Personal information about visa applicants and beneficiaries, including but not limited to passport numbers, names, dates of birth, immigration case details, employment records, and related documentation.

Customer Data

All data, documents, and information uploaded to, created within, or processed by the Platform by or on behalf of a Customer, including Beneficiary Data and firm operational information.

3. Information We Collect

3.1 Beneficiary Data (Customer-Provided)

Customers upload sensitive information regarding visa applicants and beneficiaries to the Platform, which may include:

Full legal names, alternate names, and maiden names
Passport numbers, visa numbers, and national identification numbers
Dates of birth and places of birth
Citizenship and immigration status information
Employment history and professional credentials
Educational background and qualifications
Contact information (addresses, phone numbers, email addresses)
Financial information and tax identification numbers
Visa case files, supporting documentation, and correspondence
Family relationship information and dependent details
Medical and health information as required by visa categories

3.2 User Account Information

When a User creates an account on the Platform, we collect:

Full name and professional title
Business email address
Phone number (optional)
Law firm affiliation and role
Password (encrypted)
Profile information and permissions level

3.3 Usage and Activity Data

We automatically collect certain information about User activity on the Platform:

Login times and frequency
Actions performed on cases and documents
IP address and device information
Browser type and operating system
Pages and features accessed
Duration of access and session information
Search queries and filters used

3.4 Technical and Device Information

We collect information about devices used to access the Platform:

Device type, model, and operating system version
Unique device identifiers
Mobile network information
Browser cookies and similar tracking technologies
IP addresses and geolocation data (approximate)

3.5 Billing and Payment Information

When a Customer subscribes to the Platform, we collect:

Law firm name and billing address
Billing contact information
Payment method information (processed securely via Stripe)
Subscription tier and billing cycle
Invoice and payment history

Important: We do not store complete credit card numbers. Payment information is processed and stored by Stripe, our Payment Card Industry (PCI) Data Security Standard certified payment processor.

3.6 Communications

We collect communications you send to us, including:

Support tickets and customer service inquiries
Email correspondence with our team
Feedback, comments, and suggestions
Communication preferences

4. How We Use Information

4.1 Beneficiary Data Usage

We use Beneficiary Data solely to:

Provide the core functionality of the Platform as contracted by the Customer
Maintain and organize visa case files as requested by the Customer
Facilitate case management and workflow processes
Generate reports and case summaries for the Customer
Support data export functionality at Customer request
Comply with legal obligations and law enforcement requests (as described in Section 6)

Beneficiary Data is processed strictly as a data processor on behalf of the Customer, as defined under the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), and other applicable privacy laws.

4.2 User Account Information Usage

We use User account information to:

Authenticate Users and maintain account security
Manage access permissions and role-based access control
Send account-related notifications and alerts
Prevent fraud and unauthorized access
Enforce subscription terms and billing arrangements
Provide customer support and technical assistance

4.3 Usage Analytics and Improvement

We use aggregated and anonymized activity data to:

Improve Platform functionality and user experience
Identify and fix technical issues and bugs
Develop new features and enhancements
Conduct usage analytics and trend analysis
Monitor platform performance and security

4.4 Communication Purposes

We use contact information to:

Send transactional emails (password resets, subscription confirmations, invoices)
Respond to support requests and customer inquiries
Notify you of important security updates and policy changes
Send service announcements and updates (with ability to opt-out of non-essential communications)
Conduct user surveys and request feedback (optional)

5. Data Isolation and Multi-Tenant Security

5.1 Strict Data Isolation

As a multi-tenant SaaS platform, we implement strict data isolation protocols to ensure that each law firm's (Customer's) data is completely separated from all other Customers:

Database-level isolation: Each Customer's data is logically and physically segregated in our databases
Access control: Users can only access data belonging to their own Customer organization
Row-level security: Database queries are enforced with tenant identifiers to prevent cross-tenant data access
API restrictions: API calls are validated against the authenticated Customer's tenant ID
Backup isolation: Backups are segregated by tenant and encrypted

5.2 Authentication and Authorization

We implement industry-standard authentication and authorization mechanisms:

Strong password requirements and hashing algorithms
Option for multi-factor authentication (MFA)
Role-based access control (RBAC) by Customer configuration
Session management and automatic timeout after inactivity
API token authentication for Enterprise plan API access

5.3 Encryption Standards

We protect data through encryption:

In Transit: All data transmitted between Users' devices and the Platform is encrypted using TLS 1.2 or higher
At Rest: Sensitive customer data is encrypted at rest using AES-256 encryption
In Backups: All backup copies are encrypted with AES-256
Encryption Key Management: Encryption keys are managed securely and rotated periodically

6. Data Sharing and Disclosure

6.1 Limited Data Sharing

EVisaPlatform.com does NOT share, sell, or disclose Customer Data or Beneficiary Data to third parties, except as described below:

6.2 Service Providers

We may share data with carefully selected service providers who assist in operating the Platform:

Cloud Infrastructure Providers: For hosting and data storage services (Amazon Web Services, Google Cloud Platform, or similar providers with SOC 2 Type II certifications)
Payment Processor: Stripe for processing subscription payments (limited to billing information, not Beneficiary Data)
Email Service Providers: For transactional emails (limited to essential account information)
Security and Monitoring: Services providers for threat detection and security monitoring

All service providers are bound by Data Processing Agreements (DPAs) that require them to maintain the same level of data protection as EVisaPlatform.com and to use data only for the purpose of providing contracted services.

6.3 Legal Obligations and Law Enforcement

We may disclose data when required by law or in response to legal processes:

Subpoenas, court orders, or other legal directives issued by a court of competent jurisdiction
Requests from government agencies or immigration authorities in compliance with applicable law
As necessary to enforce our Terms of Service and other agreements
As necessary to protect the safety, rights, and property of EVisaPlatform.com, Users, Customers, and the public

Important: Except in emergency situations or where legally prohibited, we will attempt to notify the affected Customer of any legal disclosure request before complying, to allow the Customer to seek protective orders if appropriate.

6.4 Business Transfers

If EVisaPlatform.com is involved in a merger, acquisition, bankruptcy, or other business transaction, Customer Data and Beneficiary Data may be transferred as part of that transaction. We will provide notice of such a transfer and the opportunity for Customers to delete their data if they do not consent to the transfer.

6.5 Aggregate and De-identified Data

We may use and disclose aggregate, anonymized, and de-identified data for:

Industry statistics and trend reporting
Product development and improvement
Marketing and promotional purposes
Research and benchmarking

This data cannot reasonably identify any individual or Customer.

7. Data Processing Agreement (DPA)

7.1 DPA Requirement

Customers subject to the General Data Protection Regulation (GDPR) or similar data protection laws are required to execute a separate Data Processing Agreement with EVisaPlatform.com, which supersedes this Privacy Policy to the extent of any conflict. The DPA establishes:

The role of EVisaPlatform.com as a data processor
Specific processing instructions and limitations
Data subject rights and procedures
Security and confidentiality obligations
Sub-processor management and notification
Data breach notification procedures

7.2 DPA Availability

A form Data Processing Agreement is available upon request. Enterprise customers should request a DPA during onboarding. For GDPR compliance, the DPA is mandatory before processing any personal data of data subjects located in the European Union or European Economic Area.

8. Data Retention and Deletion

8.1 Retention During Active Subscription

Customer Data and Beneficiary Data are retained in the Platform for as long as the Customer maintains an active subscription. The Customer has full control over their data and may delete or export specific cases and documents at any time through the Platform interface.

8.2 Deletion Upon Cancellation

Upon cancellation or termination of a Customer's subscription:

The Customer account is immediately marked as inactive
Customer Data and Beneficiary Data are retained for a grace period of 30 days to allow for data export or recovery
After the 30-day grace period, all Customer Data and Beneficiary Data are permanently deleted from the Platform
Deleted data is removed from live systems and backups (with deletion from backups occurring within 60 days of backup expiration)

8.3 User-Initiated Deletion

Customers may request deletion of specific cases, documents, or beneficiary records at any time. Once deleted, this data is permanently removed from the Platform. We do not recover deleted data except in extraordinary circumstances (e.g., recovery from data corruption or security incidents).

8.4 Backup Retention

For disaster recovery and business continuity purposes, backup copies of all data are retained for up to 90 days. These backups are encrypted and access-restricted. Upon subscription cancellation, backups are deleted within 60 days of the customer's data being purged from active systems.

8.5 Aggregated Data

Aggregated and de-identified usage statistics may be retained indefinitely for product improvement and analytics purposes.

9. Your Rights and Choices

9.1 California Consumer Privacy Act (CCPA) Rights

Customers and Users in California have the following rights under the CCPA:

Right to Know: Request what personal information is collected, the categories of sources, and how it is used
Right to Delete: Request deletion of personal information collected from you (subject to certain exceptions)
Right to Opt-Out: Opt-out of the "sale" or sharing of personal information (though we do not sell data)
Right to Correct: Request correction of inaccurate personal information
Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights

To exercise these rights, contact us at sshah@paragon-mgt.com with details of your request. We will respond within 45 days.

9.2 General Data Protection Regulation (GDPR) Rights

Individuals in the European Union and European Economic Area have rights under GDPR, including:

Right to Access: Request access to your personal data
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of data (subject to legal obligations)
Right to Restrict Processing: Limit how your data is processed
Right to Data Portability: Request your data in a structured, commonly used format
Right to Object: Object to processing for specific purposes

These rights are implemented through the Data Processing Agreement (DPA) and can be exercised through the Customer. For individual requests, contact us at sshah@paragon-mgt.com.

9.3 Data Access and Export

Customers can access, download, and export their data at any time through the Platform's built-in export functionality. Data exports are provided in standard formats (CSV, PDF).

9.4 Email Communication Preferences

Users may opt-out of non-essential marketing and informational emails by clicking the "unsubscribe" link in any such email or by adjusting notification preferences in their account settings. However, we will continue to send essential transactional emails (password resets, billing notifications, security alerts) regardless of opt-out preferences.

10. Data Security Measures

10.1 Security Infrastructure

EVisaPlatform.com implements comprehensive security measures:

Secure cloud infrastructure with firewalls and intrusion detection systems
Regular security updates and patches
Network segmentation and access controls
Data encryption both in transit and at rest
Secure authentication mechanisms including multi-factor authentication

10.2 SOC 2 Compliance

We are working toward SOC 2 Type II compliance to demonstrate our commitment to security, availability, processing integrity, confidentiality, and privacy. Current infrastructure providers maintain SOC 2 Type II certifications.

10.3 Employee Security Training

All employees with access to Customer Data and Beneficiary Data undergo regular security training and are bound by confidentiality agreements.

10.4 Vulnerability Management

We conduct regular security assessments, penetration testing, and vulnerability scanning. Critical vulnerabilities are remediated immediately.

10.5 Limitations on Security

While we implement industry-standard security measures, no system is completely secure. EVisaPlatform.com cannot guarantee absolute security of data. Users should maintain their own security practices, including strong passwords and protection of login credentials.

11. Data Breach Notification

11.1 Breach Notification Procedure

In the event of a confirmed data breach affecting Customer Data or Beneficiary Data, EVisaPlatform.com will:

Notify the affected Customer without unreasonable delay, typically within 48 hours of discovery
Provide details of the nature of the breach and data affected
Outline steps we have taken and will take to remediate the breach
Provide recommendations for Customers to notify affected data subjects

11.2 Regulatory Notifications

For breaches involving personal data of EU residents, we will cooperate with relevant data protection authorities and provide notifications as required by GDPR. Customers are responsible for notifying their own data subjects and regulators as appropriate under applicable law.

12. International Data Transfers

12.1 Data Location

Customer Data and Beneficiary Data are primarily stored in the United States using cloud infrastructure providers with data centers in the US and potentially other countries as determined by our hosting provider.

12.2 International Transfers

For Customers and data subjects located outside the United States, data transfers are authorized under:

Standard contractual clauses (SCCs) for EU/EEA data transfers
Applicable adequacy determinations
Other lawful transfer mechanisms as required by applicable law

These mechanisms are documented in the Data Processing Agreement.

13. Children's Privacy

The EVisaPlatform.com is not intended for individuals under the age of 18 ("minors"). We do not knowingly collect personal information from minors. If we become aware that a minor has provided us with personal information, we will delete such information and terminate the minor's account. Parents or guardians who believe their child has provided information to us should contact us immediately at sshah@paragon-mgt.com.

14. Third-Party Links and Services

The Platform may contain links to third-party websites and services that are not operated by EVisaPlatform.com. This Privacy Policy does not apply to third-party services, and we are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party services before providing your information.

15. California Privacy Rights Summary

Personal Information Disclosed for Business Purposes: In the preceding 12 months, EVisaPlatform.com may have disclosed personal information to service providers (cloud infrastructure providers, payment processors, email services) for the business purposes outlined in Section 4. We do not sell personal information.

Contact for CCPA Requests: To exercise rights under CCPA, contact us at sshah@paragon-mgt.com or by mail at the address in Section 16.

16. Contact Us

Privacy Questions or Requests:

Email: sshah@paragon-mgt.com

Website: www.evisaplatform.com

Paragon Management

Contact: Sanjay Shah

Email: sshah@paragon-mgt.com

17. Policy Updates and Amendments

EVisaPlatform.com may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or by posting the revised policy on our website with an updated "Last Updated" date. Your continued use of the Platform constitutes acceptance of the updated Privacy Policy. For significant changes, we may request explicit acknowledgment before the changes become effective.

This Privacy Policy was last updated in February 2026 and is effective immediately.