Microsoft API Data Policy

Microsoft API Services User Data Policy Compliance

REMBRR INC. – Port Charlotte, Florida, USA.
Privacy and Compliance Office - privacy@rembrr.com

  1. General Statement
    This policy describes how REMBRR INC. accesses, uses, stores and protects user data obtained via Microsoft APIs, including Microsoft Graph, through OAuth 2.0 based integrations.

    The text published on REMBRR's web portal and store is consistent with the information presented during the OAuth consent flows and the application review processes required by Microsoft.

    REMBRR fully complies with Microsoft API Terms, the Microsoft Graph Data Protection Policy, Microsoft Entra ID privacy policies, and applicable requirements for applications accessing Microsoft 365 data.

  2. Accessed Data
    With the user's explicit consent, REMBRR INC. may request only the minimum necessary scopes from Microsoft OAuth 2.0 to provide productivity, automation, and synchronization features between the user's Microsoft account and the REMBRR platform.

    The data categories that can be accessed are strictly limited to:

    – Basic profile: name, e-mail address and profile picture, used exclusively for authentication and identity management.

    – Microsoft OneDrive: view, create and update files and metadata only within the workspace that the user chooses to link.

    – Microsoft Outlook / Calendar: read and create calendar events for agenda synchronization.

    – Outlook Mail (metadata only): subject, sender, recipient and timestamps, used exclusively for notifications or automations requested by the user. REMBRR never reads, stores, or analyzes message content.

    – Microsoft To Do / Planner (metadata only): task titles and timestamps if the user voluntarily connects them.

    No other Microsoft user data, including email content, attachments, or contacts, is accessed, stored, or analyzed without the explicit and specific authorization of the user in accordance with Microsoft's policies.

  3. Data Usage
    Data obtained through Microsoft APIs is used exclusively to:

    – Authenticate the user and manage secure sessions.

    – Synchronize files, events, tasks, and reminders within the user environment.

    – Provide the requested functions and maintain the reliability and security of the service.

    Microsoft API data is never used for:

    – Advertising.
    – Behavioral or commercial profiling.
    – Resale or transfer for purposes other than those authorized.

  4. Data Sharing
    REMBRR does not share Microsoft user data with third parties, except in the following cases:

    – Infrastructure, authentication or security providers that support the operation of the system and are subject to strict confidentiality and data protection agreements.

    – When required by law, applicable regulation, or court order.

    All processing is done in strict compliance with Microsoft's data protection policies and limited use principles.

  5. Storage and Protection
    The data obtained through Microsoft APIs is:

    – Encrypted in transit using TLS 1.3.
    – Encrypted at rest using AES-256.
    – Stored exclusively on secure servers located in the United States.

    REMBRR applies multilevel security controls, including:

    – Role-Based Access Control (RBAC).
    – Multi-factor authentication (MFA).
    – Audit logs.
    – Account-based logical isolation.

    REMBRR does not export Microsoft data to external analytics or advertising systems.

  6. Retention and Disposal
    Data from Microsoft integrations are retained only as long as the user keeps the connection active.

    When the user disconnects the integration or requests the deletion of their data:

    – OAuth tokens and all associated information are revoked and permanently deleted within a maximum of 30 days.

    – Backups with residual data are automatically deleted at the next maintenance cycle, no longer than 45 days.

    The user can verify the deletion by writing to support@rembrr.com or via /delete-data-request.

  7. User Control
    The user can revoke REMBRR's access to their Microsoft data at any time by visiting their Microsoft account permissions: https://account.microsoft.com/privacy

    The user can also request access, portability or deletion of data by writing to info@rembrr.com or through /user-data-rights.

  8. Transparency in the Connection Flow
    During sign-in with Microsoft or when connecting services like OneDrive, Outlook, Calendar, or To Do, the user sees the following notice:

    “By signing in with Microsoft or connecting a Microsoft service, you agree to REMBRR's Privacy Policy and Terms of Use.”

    This message includes direct links to /privacy-policy, /terms and /user-data-rights.

  9. Compliance Commitments
    REMBRR INC. certifies that:

    – This policy is reviewed annually or whenever Microsoft updates its API policies.

    – Security controls follow NIST SP 800-53 and ISO/IEC 27001 frameworks.

    – All personnel with access to OAuth data receive privacy training and sign confidentiality agreements.

    – A Data Protection Impact Assessment (DPIA) is maintained for the scopes used by Microsoft Graph.

    – Users will be notified of any substantial changes at least 7 days before they take effect.

  10. Microsoft Data Matters Contact
    Privacy and Compliance Office - privacy@rembrr.com
    REMBRR INC. 23087 Langdon Avenue
    Port Charlotte, FL 33954 – United States
  11. Last updated: October 14, 2025.
    This version supersedes all previous versions and is consistent with the text submitted during Microsoft's OAuth consent and application review processes.
