Privacy Policy

Last updated: June 2026

What we access

When you connect your Microsoft 365 tenant, M365 Health Score requests the following Microsoft Graph permissions via OAuth, with admin consent:

  • User.Read — your basic profile, to identify your account.
  • Reports.Read.All — usage activity reports (e.g. last activity date for Exchange, Teams, SharePoint, OneDrive), used only to flag inactive license holders.
  • Directory.Read.All — directory objects such as user accounts and their assigned licenses.
  • Organization.Read.All — your organization's purchased license SKUs and seat counts.

These are all read-only permissions. M365 Health Score cannot and does not modify your tenant, change licenses, reset passwords, or alter any settings. We never request access to mailbox content, file contents, Teams messages, or any other content data.

What we store

We store the minimum needed to run scans and deliver your report:

  • Your name, email address, and organization domain (from your Microsoft account).
  • OAuth access and refresh tokens, used to run scans and scheduled monthly re-scans on your behalf. These are stored encrypted at rest where supported by our hosting provider and are never shared with third parties.
  • Scan results — license counts, unassigned-seat counts, disabled/inactive account flags, and the resulting waste calculations. We do not store mailbox content, file contents, or message data, because we never request access to it.
  • Payment confirmation data from PayPal (such as order/subscription IDs). We do not store your card or bank details — PayPal handles all payment processing.

How we use it

Scan data is used solely to generate your waste report and, for monthly monitoring subscribers, to run automatic re-scans and email you updated reports. We do not sell, rent, or share your data with advertisers or data brokers. We do not use your tenant data to train any AI models.

Third-party processors

  • Microsoft Graph API — the source of all scan data, accessed under the read-only scopes above.
  • PayPal — processes all payments and subscriptions. See PayPal's privacy policy.
  • Resend — delivers transactional emails (your report, scan notifications). See Resend's privacy policy.

Cookies & sessions

We use a single session cookie to keep you signed in while you use the app. It contains no tracking data and is not used for advertising. We don't run third-party analytics or ad-tracking scripts.

Data retention & deletion

We retain scan history and account data for as long as your account is active, so monthly subscribers can see historical trends. You can request full deletion of your account, tokens, and scan history at any time by emailing [email protected] — we'll confirm once it's done, typically within a few business days.

Refunds

The one-time $99 report comes with a 14-day, no-questions-asked money-back guarantee. See our Terms of Service for details.

Contact

Questions about this policy or your data? Email [email protected].

This policy is a plain-language summary provided for transparency and is not a substitute for legal advice.