365.Report
Last updated · 29 April 2026

Privacy Policy

This policy explains how Applikeable (CVR 46168437), Copenhagen, Denmark, processes personal data in connection with 365.report ("the Service"). We are the data controller for personal data you provide to us as a customer or visitor, and the data processor for personal data contained in your tenant data.

1. Data we process

Account data (we are the controller)

  • Name, work email and workspace name when you sign up.
  • Authentication metadata (sign-in events, IP address, user agent).
  • Billing details and invoices (handled by our payment provider).
  • Support correspondence you send us.

Tenant data (we are the processor on your behalf)

  • Microsoft 365 license assignments, user identifiers, group memberships and department/cost-centre tags.
  • Azure consumption records and cost figures from Cost Management.
  • Report configuration, recipients and delivery history.

Site & product analytics

  • Aggregate usage telemetry (page views, feature usage). We do not use third-party advertising trackers.

2. How we use it

  • To operate the Service and produce the reports you configure.
  • To bill you and meet our accounting obligations.
  • To respond to support requests and security incidents.
  • To improve the Service through aggregate analytics that do not identify individuals.
  • To send transactional product email (e.g. delivery confirmations, billing notices). Marketing email is opt-in and you can unsubscribe at any time.

3. Legal bases (GDPR Art. 6)

  • Contract — to provide the Service to you and bill for it.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve product quality.
  • Legal obligation — to retain accounting records and respond to lawful requests.
  • Consent — for optional marketing communications, where given.

4. Data location & sub-processors

Customer Data is stored in EU data centres (Frankfurt and Copenhagen). We rely on a small number of vetted sub-processors to operate the Service:

  • Cloud hosting — application and database in EU regions.
  • Email delivery — for transactional and report email.
  • Payments — to handle subscription billing and invoices.
  • Error monitoring — aggregate, EU-hosted.

An up-to-date list of named sub-processors is included with our Data Processing Agreement, available on request.

5. Microsoft Graph & Cost Management

When you connect your tenant, we are granted read-only consent to specific Microsoft Graph and Azure Cost Management scopes — only what is required to produce the reports you configure. We do not write back to your tenant. You may revoke consent at any time from the Entra ID admin centre, which immediately stops further data collection.

6. Recipient magic links

Reports are delivered to recipients via signed, audience-scoped magic links that expire after 30 days. We log delivery events (sent, opened, viewed) so you can audit who saw what. Recipients are not enrolled into our authentication system and we do not create user accounts for them.

7. Retention

  • Tenant data — retained while your workspace is active and deleted within 90 days of termination, in line with our backup cycle.
  • Account data — retained for the lifetime of the workspace plus the period required by Danish accounting law (typically 5 years for invoices).
  • Support correspondence — up to 24 months from the last interaction.

8. Your rights

You have the right to access, correct, port, restrict or delete personal data we hold about you, and to object to processing based on legitimate interests. To exercise these rights, write to privacy@365.report. You may also lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

Where we act as a processor for your tenant data, please direct subject requests from your end users to your own organisation; we will assist you in responding.

9. Security

We encrypt data in transit and at rest, restrict production access on a need-to-know basis, and operate regular backups. Tenant credentials are stored using Microsoft's OAuth refresh tokens; we never see your users' passwords. A SOC 2 Type II audit is planned for late 2026.

10. International transfers

Customer Data stays in the EU. Where a sub-processor occasionally requires transfer outside the EEA (for example, for support tooling), we rely on Standard Contractual Clauses and additional safeguards as required by GDPR.

11. Changes

We may update this policy from time to time. Material changes will be announced to the workspace owner and posted here at least 30 days before they take effect.

12. Contact

Applikeable, CVR 46168437, Copenhagen, Denmark. privacy@365.report for privacy matters, hello@365.report for everything else.

© 2026 Applikeable · CVR 46168437 · Copenhagen, DK

Made for Microsoft partners. Not affiliated with Microsoft Corporation.