Graflo
Legal

Privacy Policy

Last updated: 17 April 2026

1. Who we are

Graflo ("Graflo", "we", "us") is a SaaS product operated from the United Kingdom. Our domain is graflo.io. You can contact us at privacy@graflo.io.

2. What data we collect

Graflo collects two categories of data:

  • Account data: Name, email address, and organisation details provided during sign-up or onboarding.
  • Microsoft 365 data:Calendar metadata, mail metadata (sender, recipient, timestamps — not message body), Teams call records, user profiles, manager hierarchy, and group memberships. This data is accessed via the Microsoft Graph API following admin consent by your organisation's IT administrator.

3. How we use your data

We use data to:

  • Generate the intelligence reports described on our Features page
  • Provide and improve the Graflo service
  • Send transactional emails (onboarding, billing confirmations, sync notifications)
  • Comply with legal obligations

We do not sell your data to third parties. We do not use your M365 data for advertising.

4. Tenant isolation

Each customer organisation ("tenant") is strictly isolated. Your Microsoft 365 data is never accessible to another tenant. All Graph API tokens are stored encrypted in AWS Secrets Manager, scoped to your specific Azure AD tenant ID.

5. Data retention

Metric snapshots are retained according to your subscription tier (30 days on Free, 90 days on Starter, 12 months on Growth, unlimited on Enterprise). When your subscription ends, your data is deleted within 30 days unless a longer retention period is required by law.

6. Your rights

Under UK GDPR and applicable data protection law, you have the right to access, correct, export, or delete your personal data. To exercise these rights, contact us at privacy@graflo.io.

7. Sub-processors

We use the following key sub-processors:

  • AWS — Hosting, Secrets Manager, Lambda, CloudWatch
  • Neon — Managed PostgreSQL database
  • Stripe — Payment processing
  • Resend — Transactional email

8. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or via the Graflo dashboard. Continued use of the service after changes constitutes acceptance.

9. Contact

Questions about this policy? Email us at privacy@graflo.io.