Privacy Policy

1. Information We Collect

When you sign in with Microsoft, we receive your name, email address, and Microsoft Entra tenant identifier. We also collect read-only metadata about your tenant's app registrations, credential metadata, users, and license assignments through Microsoft Graph API. We do not collect passwords, secrets, certificates, or authentication tokens from your tenant.

2. How We Use Your Data

Your tenant data is used exclusively to provide governance insights, risk scoring, credential monitoring, and license optimization recommendations within the IdentityOps platform. We do not use your data for advertising, profiling, or any purpose outside of delivering the Service.

3. Data Storage and Security

All data is stored in encrypted databases hosted on secure cloud infrastructure. Access tokens are encrypted at rest and in transit. Sessions are time-limited with automatic expiration and rotation. We follow industry-standard security practices including HTTPS everywhere, encrypted service credentials and tokens, and least-privilege access controls.

4. Third-Party Services

IdentityOps uses the following third-party services to operate:

• Microsoft Graph API — to read tenant data (read-only permissions)
• Stripe — to process subscription payments securely
• Neon — for database hosting with encryption at rest

We do not sell, rent, or share your tenant data with any other third parties.

5. Data Retention

Scan results and activity logs are retained for the duration of your active subscription to provide historical governance insights. Session data is automatically cleaned up on a regular schedule.

If you cancel your subscription, we retain your tenant data for 30 days to allow recovery and billing reconciliation. After 30 days, all tenant data is automatically and permanently deleted from our systems, including scan history, app metadata, user records, alert configurations, and activity logs.

You may request immediate deletion at any time by contacting support at support@identityops.dev. Internal audit records (admin actions) are retained separately for security, audit, and compliance purposes and do not contain your tenant data. Stripe retains minimal billing records (invoice IDs, payment history) independently per their data retention policy.

6. Your Rights

You have the right to access, correct, or delete your personal data stored by IdentityOps. You may revoke IdentityOps's access to your Microsoft Entra tenant at any time through the Azure portal. Upon revocation or account deletion, we will remove your tenant data from our systems. We respond to verified data access or deletion requests within a reasonable timeframe.

7. Cookies

IdentityOps uses essential cookies only — specifically a secure, HTTP-only session cookie and a tenant identifier cookie. We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will make reasonable efforts to notify users of material changes. Continued use of the Service after changes constitutes acceptance of the updated policy.

9. Data Protection Regulations

Where applicable, IdentityOps complies with data protection regulations including GDPR and CCPA. This Privacy Policy is governed by the laws of the United States.

10. Contact

For privacy-related questions or data requests, contact us at support@identityops.dev.