Privacy Policy
Effective 5 July 2026
This Privacy Policy explains how GraphPaaS, operated by DataTouches ("we", "us"), handles personal data. For the data we read from your Microsoft 365 and Azure environment, your organisation is the data controller and we act as a data processor on its instructions.
1. Data we process
- Microsoft 365 & Azure metrics — read-only, via the Graph and Azure APIs. This can include personal data such as user principal names, display names, device names, sign-in activity and usage statistics.
- Account data — the identity of users who sign in to GraphPaaS (name, email, tenant) and their preferences.
We never modify data in your Microsoft environment, and we do not sell personal data.
2. Purpose and legal basis
We process this data solely to provide the analytics and reporting features of the Service to your organisation, on the basis of the agreement between us and, where applicable, a Data Processing Agreement (DPA).
3. Retention
Collected metrics are retained for a limited period — 90 days by default, or as agreed with your organisation — after which they are automatically purged. On disconnection or account closure we delete or return your data.
4. Storage and security
- Data is stored on infrastructure located in the European Union.
- All connections use TLS encryption in transit.
- Access tokens are stored encrypted and expire automatically.
- Application logs are masked so they do not contain identifying personal data.
5. Sub-processors
We rely on infrastructure providers (hosting, object storage) to run the Service. These are bound by data-processing terms and located in the EU. A current list is available on request.
6. Your rights
As the personal data belongs to your organisation's environment, requests to access, correct or erase data should be directed to your organisation (the controller), which can instruct us accordingly. Your organisation's administrators can request export or erasure through the Service.
7. Contact
Privacy questions or requests: hello@graphpaas.com.