Privacy Policy

Last updated: 15 March 2026

1. Introduction

Permission Email Ltd ("we", "us", "our") operates SPScan, a SharePoint permission monitoring and storage analytics platform. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.

2. Information We Collect

Account Information: When you register, we collect your name, email address, and team name.

Microsoft 365 Data: When you connect a tenant, we collect tenant ID, organisation name, SharePoint site metadata, permission structures, and storage metrics. We do not access or store the contents of your files.

OAuth Tokens: Microsoft OAuth tokens are encrypted at rest and are used solely for authenticating requests to the Microsoft Graph API.

Usage Data: We collect information about how you use the service, including feature usage, page views, and error logs, to help us improve SPScan.

Payment Data: Payment processing is handled by Stripe. We do not store your credit card details. Stripe's privacy policy governs the handling of your payment information.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the SPScan service
  • Send alerts and notifications about your SharePoint environment
  • Generate reports and compliance scores
  • Improve the product and develop new features
  • Communicate with you about your account, billing, and service updates

4. Data Sharing

We do not sell your data. We share information with third parties only as necessary to provide the service:

  • Stripe — for payment processing
  • Email provider — for transactional emails such as alerts and account notifications

We may also disclose your information if required to do so by law or in response to valid legal requests by public authorities.

5. Data Retention

Permission and storage snapshots are retained for 365 days by default. This retention period is configurable within your account settings. Account data is retained for as long as your account is active. Upon account termination, all associated data will be permanently deleted after 30 days.

6. Data Security

We take the security of your data seriously. Our security measures include: encryption of OAuth tokens at rest, HTTPS encryption for all data in transit, role-based access controls, and regular backups. While we implement industry-standard security practices, no method of electronic storage or transmission is 100% secure.

7. Your Rights (GDPR)

If you are located in the UK or European Economic Area, you have the following rights under the General Data Protection Regulation:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate personal data
  • Erasure — request deletion of your personal data
  • Portability — request a machine-readable copy of your data
  • Restriction — request that we limit how we use your data
  • Objection — object to our processing of your personal data

To exercise any of these rights, please contact us using the details below.

8. Cookies

SPScan uses session cookies for authentication and maintaining your login state. We do not use tracking cookies, and we do not use third-party advertising cookies.

9. International Transfers

Your data is processed in the United Kingdom and the European Union. When SPScan connects to your Microsoft 365 tenant, API calls are made to Microsoft's infrastructure, which may process data in various locations as described in Microsoft's own privacy documentation.

10. Children's Privacy

SPScan is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the email address associated with your account. We encourage you to review this policy periodically.

12. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

hello@spscan.app
Permission Email Ltd
Unit 3, Millars Brook
Wokingham, RG41 2AD, UK