Privacy Policy
Last updated: March 26, 2026
This Privacy Policy describes how save365.ca (“we,” “us,” or “our”) collects, uses, stores, and discloses information when you use our Microsoft 365 license auditing service at save365.ca (the “Service”). We are committed to protecting your privacy and handling your data in a manner that is at least as protective as the Microsoft Privacy Statement, as required by the Microsoft APIs Terms of Use.
1. Who We Are
save365.ca is an independent Microsoft 365 license auditing tool operated from Ontario, Canada. We are not affiliated with, endorsed by, or sponsored by Microsoft Corporation. “Microsoft 365,” “Azure,” and “Microsoft Graph” are trademarks of Microsoft Corporation.
Contact: privacy@save365.ca
2. What Data We Collect
2.1 Account Information (Sign-in)
When you sign in with your Microsoft work or school account via Microsoft's OAuth 2.0 identity platform, we receive from Microsoft:
- Your full name and display name
- Your primary work email address
- A unique Microsoft account identifier (object ID)
We do not receive or store your Microsoft account password. Authentication is handled entirely by Microsoft's identity platform.
2.2 Microsoft 365 Tenant Data (Audit Scan)
To perform the license audit, we access the following data from your Microsoft 365 tenant using read-only Microsoft Graph API calls, with permission explicitly granted by your tenant administrator via admin consent:
| Data element | Permission used | Purpose |
|---|---|---|
| User display names, UPNs, email addresses | User.Read.All | Identify license holders |
| Account enabled/disabled status | User.Read.All | Flag disabled users with active licenses |
| Assigned license SKUs (product names) | User.Read.All | Determine which licenses are assigned |
| Last sign-in date | AuditLog.Read.All | Identify inactive users by sign-in recency |
| Microsoft 365 usage report data (last activity per app) | Reports.Read.All | Identify inactive users by product usage |
| Tenant subscription counts (prepaid vs. consumed) | Organization.Read.All | Identify unassigned license seats |
| User created date | User.Read.All | Distinguish never-active from recently inactive users |
We access only the minimum data necessary for the stated purpose. We follow the principle of least privilege and do not request or retain any data beyond what is required for the license audit.
We do NOT access: email message content, calendar events, files, SharePoint documents, Teams chat messages, contact details, or any personal communications.
2.3 Technical Usage Data
We collect standard web server logs (IP addresses, browser type, pages visited, timestamps) for security monitoring and operational purposes only. This data is retained for up to 90 days and is not used for any other purpose.
3. How We Use Your Information
We use collected information solely for the following purposes:
- Authenticating you and managing your account session
- Performing the Microsoft 365 license audit you requested
- Displaying your audit findings and recommendations in your dashboard
- Temporarily caching scan results to improve performance (results expire within 24 hours)
- Detecting, investigating, and preventing security incidents or misuse
- Complying with legal obligations
We will NEVER:
- Use your data or your tenant's user data for advertising, marketing, or profiling
- Sell, rent, or share personal data or organizational data with third parties for commercial purposes
- Build or maintain any databases populated from Microsoft Graph API data beyond what is necessary for providing the Service
- Send unsolicited communications to users in your tenant
- Use Microsoft 365 data for any purpose other than the license audit you initiated
- Collect or transfer user personal information in a misleading, illegal, unauthorized, or unfair manner
4. Legal Basis for Processing (GDPR)
For users and organizations subject to the General Data Protection Regulation (GDPR), we process personal data on the following legal bases:
- Contract (Article 6(1)(b)) — processing your account information is necessary to provide the Service you requested
- Legitimate interests (Article 6(1)(f)) — security monitoring and fraud prevention
- Legal obligation (Article 6(1)(c)) — where required by applicable law
- Explicit consent (Article 6(1)(a)) — for the tenant scan, obtained through your tenant administrator's admin consent action in Microsoft's consent screen
Processing of Microsoft 365 tenant data (which may include employee names and email addresses) is performed on the basis of the admin consent granted by your organization's administrator, who acts as the data controller for their organization's employee data. We act as a data processor on behalf of your organization for that data.
5. Data Storage and Security
Your account information and audit results are stored in Supabase-managed PostgreSQL databases hosted on AWS infrastructure. All data is:
- Encrypted at rest using AES-256
- Encrypted in transit using TLS 1.2 or higher
- Isolated by tenant using Row-Level Security (RLS) database policies
- Accessible only to authenticated users who own the data, enforced server-side on every request
Microsoft OAuth access tokens used during scans are used in-memory only and are not written to any database or persistent storage.
We maintain reasonable administrative, technical, and physical safeguards designed to protect your data against unauthorized access, disclosure, alteration, or destruction.
6. Data Retention and Deletion
| Data type | Retention period |
|---|---|
| Account information (name, email, Microsoft user ID) | Until account deletion |
| Tenant scan results (user names, activity dates, license data) | 24 hours from scan completion |
| OAuth state tokens (used during consent flow) | 10 minutes (auto-expired and purged) |
| Microsoft OAuth access tokens | Not stored — used in-memory only during scan |
| Server access logs | 90 days |
When you close your account or revoke admin consent, we will delete all associated personal data and tenant scan data within 30 days. To request immediate deletion, email privacy@save365.ca.
We keep all data up to date in accordance with corrections, restrictions, or deletions as reflected in data obtained through Microsoft Graph APIs. If a user is removed from your Microsoft 365 tenant, their data will be removed from our systems at the next scan or within 30 days, whichever is sooner.
7. Revoking Access and Managing Consent
You can revoke save365.ca's access to your Microsoft 365 tenant at any time through Microsoft. Revoking consent immediately prevents any further access to your tenant data.
To revoke tenant admin consent:
Microsoft Entra admin center → Enterprise applications → save365 → Delete
To manage your personal Microsoft sign-in consent:
Visit myapps.microsoft.com or account.live.com/consent/Manage to manage or revoke your individual sign-in consent.
After revoking access, cached scan results will expire automatically within 24 hours. Contact us at privacy@save365.ca for immediate deletion of any stored data.
8. Third-Party Service Providers
We use the following infrastructure providers as data processors. They process data only on our instructions and are bound by confidentiality and data protection obligations:
| Provider | Purpose | Privacy policy |
|---|---|---|
| Supabase | Authentication & database hosting (AWS) | supabase.com/privacy |
| Vercel | Frontend web hosting | vercel.com/legal/privacy-policy |
| Fly.io | Backend API hosting | fly.io/legal/privacy-policy |
| Microsoft | Identity (OAuth 2.0) & Graph API | privacy.microsoft.com |
We do not use third-party analytics services, advertising networks, social media tracking pixels, or any other data brokers.
9. International Data Transfers
Our infrastructure providers (Supabase/AWS, Vercel, Fly.io) may process data in data centers located in the United States and other countries. When data is transferred outside your country of residence, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) where required by GDPR
- Data processing agreements with all sub-processors
- Use of providers with recognized data protection certifications
10. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. We will respond to all requests within 30 days (extendable to 60 days for complex requests with prior notice).
- Access: Request a copy of all personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and all associated data
- Portability: Receive your data in a structured, machine-readable format (JSON)
- Restriction: Request that we restrict processing of your data
- Objection: Object to processing where we rely on legitimate interests
- Withdraw consent: Withdraw consent at any time without affecting prior lawful processing
- Complaint: Lodge a complaint with your local data protection authority
To exercise any of these rights, contact: privacy@save365.ca
For data your organization has provided about its employees (tenant scan data), please note that your organization is the data controller for that data. Requests from individual employees regarding their organizational data should be directed to their employer's IT or HR team.
11. Children's Privacy
The Service is designed for business and enterprise use only. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor has provided personal information through the Service, please contact us immediately at privacy@save365.ca.
12. Compliance
This Privacy Policy is designed to comply with:
- PIPEDA — Personal Information Protection and Electronic Documents Act (Canada)
- GDPR — General Data Protection Regulation (EU/EEA), where applicable
- Microsoft APIs Terms of Use — including the requirement that our privacy practices be at least as protective as the Microsoft Privacy Statement
- Microsoft identity platform Terms of Use — for applications accessing Microsoft user data via OAuth 2.0
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will update the “Last updated” date and, where required by law, notify affected users by email. Continued use of the Service after changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.
14. Contact Us
Privacy inquiries, data requests, and complaints:
Email: privacy@save365.ca
General: hello@save365.ca
Website: save365.ca
Jurisdiction: Ontario, Canada
Response time: within 30 days for privacy requests, within 72 hours for security incidents.