Privacy Policy

1. Introduction

VEPATime is an email automation service that helps Microsoft 365 users organize calendar event emails automatically. We are committed to protecting your privacy and ensuring transparent data practices compliant with the General Data Protection Regulation (GDPR).

This Privacy Policy explains what data we collect, how we use it, your rights, and how we protect it.

2. Data Controller

Organization: SparkEros, Inc.
Address: [BUSINESS ADDRESS]
Contact Email: privacy@sparkeros.com
Support Contact: kent@sparkeros.com
Response Time: 5 business days

SparkEros is the data controller for personal data processed by VEPATime. When you use VEPATime, you authorize us to process your email and calendar data as described in this policy.

3. Data We Collect

Email Data

• Sender information: Email address and display name of email sender
• Subject line: Email subject to identify calendar event emails
• Timestamp: Date and time email was sent
• Message ID: Unique identifier for tracking

Calendar Data

• Event details: Title, start/end time, location, attendees
• Response status: Your acceptance, decline, or tentative response
• Folder structure: Names and IDs of your Outlook folders

User Profile Data

• Email address: Your Microsoft 365 account email
• Display name: Your profile name
• Tenant ID: Your organization's unique Azure tenant identifier

Authentication Data

• OAuth refresh token: Encrypted token for background processing (stored in Azure Key Vault)
• OAuth access tokens: Temporary tokens (valid 1 hour, not stored)

Service Configuration

• User preferences: Your folder routing rules and automation settings
• Inbox folder ID: Identifier of your Outlook Inbox folder
• Processing state: Last time emails were processed (for backoff timing)

4. Legal Basis for Processing

We process your data under the following legal bases (GDPR Article 6):

Consent

Primary basis: You explicitly authorize VEPATime to access and process your mailbox by granting OAuth permissions during signup. You can revoke this consent at any time.

Contract

Basis: Processing is necessary to provide the email automation service you requested. This is essential to fulfill the service agreement.

Legitimate Interests

Basis: We have a legitimate interest in improving service functionality, security, and user experience. We balance this interest against your privacy rights and use data minimization principles.

5. How We Use Your Data

Core Service Functions

• Email classification: Read calendar event emails to determine response type
• Automated routing: Move emails to VEPATime Archive, Review, or Priority folders per your preferences
• Calendar management: Update calendar events based on email responses
• Background processing: Maintain continuous access via OAuth refresh tokens

Service Improvement

• Error analysis: Identify and fix processing failures
• Performance optimization: Improve processing speed and reliability
• Feature development: Understand usage patterns to guide future features

Security and Legal Compliance

• Fraud prevention: Detect and prevent account abuse
• Regulatory compliance: Meet GDPR, CCPA, and other legal requirements
• Incident response: Investigate and respond to security issues

Communication

• Service announcements: Notify you of important service updates
• Security alerts: Warn of unauthorized access attempts or suspicious activity
• Support: Respond to your questions and support requests

6. Data Sharing and Third Parties

Data Sharing Policy

VEPATime does NOT sell, rent, trade, or share your personal data with third parties for marketing purposes.

Microsoft Services

Your data is processed by Microsoft services only:

• Microsoft Graph API: We query your mailbox and calendar through this API
• Azure Storage: User configurations stored in Microsoft Azure Table Storage
• Azure Key Vault: OAuth tokens encrypted and stored in Microsoft Key Vault
• Application Insights: Service telemetry and error tracking (no PII logged)

All data remains within Microsoft's infrastructure and is not transferred to external vendors.

Legal Requirements

We may disclose your data if required by law (court order, law enforcement, government request) and will notify you of such requests when legally permitted to do so.

Data Processor Agreement

Microsoft (our data processor for infrastructure services) has agreed to protect your data and comply with GDPR requirements.

7. Data Security

Encryption in Transit

• Protocol: All communication uses TLS 1.2 or higher (industry standard)
• Certificates: Azure-managed certificates with automatic renewal
• Enforcement: HTTPS enforced on all endpoints (HTTP redirects to HTTPS)

Encryption at Rest

• OAuth tokens: Encrypted with AES-256 in Azure Key Vault
• User configurations: Encrypted by Microsoft Azure Table Storage (platform-level encryption)
• Backups: All backups encrypted with same standards

Key Vault Security

• Access method: Azure Managed Identity (no credentials stored in code)
• Permissions: Function App has read-only access (Key Vault Secrets User role)
• Audit logging: All secret access attempts logged in Azure Monitor
• Rotation: OAuth refresh tokens automatically rotated by Microsoft (90-day cycle)

Access Controls

• Role-Based Access Control (RBAC): Least privilege principle applied
• Multi-Factor Authentication: Required for Azure account access
• Monitoring: 24/7 automated monitoring for suspicious activity
• Audit logs: All administrative actions logged

Application Security

• Input validation: All external inputs validated and sanitized
• Error handling: Errors logged securely without exposing sensitive information
• Dependency updates: Regular security updates for all libraries
• Code review: All code changes reviewed for security issues

8. Your Rights Under GDPR

You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@sparkeros.com.

Right to Access (Article 15)

You have the right to obtain confirmation that we process your data, and to receive a copy of your personal data in a machine-readable format. Response time: 30 days

Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete data. We will update your information upon verification of your request. Response time: 30 days

Right to Erasure (Article 17 - "Right to be Forgotten")

You have the right to request deletion of your personal data, subject to legal obligations. Upon request, we will:

• Revoke OAuth access to your mailbox
• Delete all stored configurations and preferences
• Remove refresh tokens from Key Vault
• Purge all historical data within 30 days

Response time: 30 days

Right to Restrict Processing (Article 18)

You have the right to restrict processing of your data while we verify your request or handle a dispute. We will stop processing but retain data for legal compliance. Response time: 30 days

Right to Data Portability (Article 20)

You have the right to receive your data in a structured, machine-readable format (e.g., CSV, JSON) and transmit it to another service. Response time: 30 days

Right to Object (Article 21)

You have the right to object to specific data processing activities. We will stop processing unless we have compelling legitimate interests. Response time: 30 days

Right to Withdraw Consent

You can revoke OAuth permissions at any time via:

• Microsoft account settings: https://myaccount.microsoft.com/
• Azure Portal: Enterprise Applications → VEPATime → Remove
• Contact us: privacy@sparkeros.com

Revocation is immediate. VEPATime stops processing within 60 seconds.

Right to Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to lodge a complaint with your national data protection authority (Supervisory Authority).

9. Data Retention

We retain data only as long as necessary to provide the service and comply with legal obligations.

Active User Data

• User configurations: Retained while account is active
• Processing state: Retained while account is active (backoff timing)
• OAuth refresh token: Retained while account is active

Deleted User Data

• Timeline: Purged within 30 days of account deletion
• Scope: All configurations, tokens, and processing state
• Grace period: 30-day window for account recovery (if requested)

Trial User Data

• Timeline: 30-day grace period after trial expiration if not converted to paid
• Post-deletion: Account deleted automatically if not activated

Backup Data

• Retention: 90 days (standard Azure backup retention)
• Post-retention: Automatically deleted after 90 days

Telemetry and Logs

• Application logs: Retained 180 days in Application Insights
• Azure Monitor logs: Retained 180 days
• Audit logs: Retained 90 days (Azure standard)

Legal Hold

If required by law, we may retain data beyond normal retention periods to comply with court orders or regulatory requirements.

10. International Data Transfers

Data Residency

All data is processed and stored within Microsoft Azure East US 2 region only. No data is transferred to other geographic locations without explicit consent.

GDPR Compliance for International Transfers

If you are in the European Union:

• Transfer mechanism: Microsoft complies with GDPR via Standard Contractual Clauses
• Data protection: Microsoft maintains the same security standards
• Adequacy decision: GDPR Article 45 compliance verified

Sub-processors

Microsoft is our only sub-processor. No other third parties have access to your data.

11. Contact Us

If you have questions about this Privacy Policy or your data, please contact us:

Changes to This Privacy Policy

We may update this policy as needed to reflect changes in our practices or legal requirements. We will notify you of significant changes via email at least 30 days in advance. Your continued use of VEPATime after updates constitutes acceptance of the new policy.