Privacy Policy

Effective Date: April 2026 · Version 1.0

1. Introduction

This Privacy Policy describes how 9247-4246 QUEBEC INC., operating as GraphWarden ("GraphWarden", "we", "us", or "our"), collects, uses, and protects your information when you use our website at graphwarden.com and our zero-trust security proxy service for Microsoft Graph API (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, company name, and job title. This information is required to provide the Service and communicate with you about your account.

Usage Data

We collect analytics data about how you interact with the GraphWarden dashboard and website. This includes pages visited, features used, and session duration. This data helps us improve the product.

Technical Data

We automatically collect certain technical information, including your IP address, browser type and version, operating system, time zone setting, and device identifiers. This data is used for security, troubleshooting, and analytics purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain the Service - to operate your account, deliver the proxy service, and provide customer support.
  • Improve the product - to understand usage patterns, identify issues, and develop new features.
  • Communicate with you - to send service notifications, security alerts, product updates, and respond to your inquiries.
  • Comply with legal obligations - to meet applicable laws, regulations, and legal processes.

4. Microsoft 365 Data

GraphWarden does NOT store Microsoft 365 data.

GraphWarden operates as a pass-through proxy. Microsoft 365 data flows through the proxy from Microsoft Graph API to your applications, but it is never persisted, written to disk, or stored in any database by GraphWarden.

The optional in-memory cache is volatile and is never persisted to disk. When the proxy process stops, all cached data is immediately lost.

In on-premise deployments, Microsoft 365 data never leaves your infrastructure. In cloud deployments, data transits through Azure infrastructure but is not stored by GraphWarden at any point.

Audit logs record metadata about API calls (which application, which endpoint, which rule was triggered, how many objects were returned) but do not contain the actual Microsoft 365 data from the responses.

5. Data Sharing

We do not sell, rent, or trade your personal information to third parties.

We may share limited information with the following categories of partners and service providers:

  • Distribution Partners - CoreView and other authorized resellers may receive account information necessary to manage your subscription when you purchase through a partner channel.
  • Infrastructure (Azure) - Microsoft Azure hosts our Service. Data processed by Azure is governed by the Microsoft Online Services Terms.
  • Analytics (Google Analytics) - We use Google Analytics to understand website usage patterns. Google Analytics collects anonymized usage data.
  • Customer Support (Crisp) - We use Crisp for live chat support. Chat conversations and associated contact information are processed by Crisp.

6. Data Retention

  • Account data - retained for as long as your account is active. When you close your account, we delete your data within 30 days, except where retention is required by law.
  • Audit logs - retained according to the retention period configured for your account (default: 90 days). Extended retention is available as an add-on.
  • Microsoft 365 data - never stored. GraphWarden is a pass-through proxy; no Microsoft 365 data is persisted at any time.
  • Website analytics - retained for up to 26 months in accordance with Google Analytics data retention settings.

7. Your Rights

Under the General Data Protection Regulation (GDPR) and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Loi 25), you have the following rights:

  • Right of Access - you may request a copy of the personal information we hold about you.
  • Right to Rectification - you may request that we correct inaccurate or incomplete information.
  • Right to Deletion - you may request that we delete your personal information, subject to legal retention requirements.
  • Right to Data Portability - you may request a machine-readable copy of your personal data.
  • Right to Withdraw Consent - where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, contact us via our contact form. We will respond within 30 days.

8. Cookies and Tracking

We use a limited set of cookies on our website:

  • Analytics cookies - Google Analytics cookies to understand website usage patterns and improve our content.
  • Crisp chat cookies - used to maintain your live chat session and recognize returning visitors.
  • Functional cookies - used to remember your language preference and session state. These are strictly necessary for the website to function.

We do not use advertising cookies or third-party tracking pixels.

9. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption in transit - all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest - data stored in Azure is encrypted at rest using Azure Storage Service Encryption.
  • Access controls - access to customer data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and audit logging.

10. International Transfers

GraphWarden is based in Montreal, Quebec, Canada. Our primary data processing occurs in Azure Canada Central (Toronto). Depending on your selected availability zone, data may also be processed in the United States (East US) or Europe (West Europe).

Where data is transferred outside of your jurisdiction, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.

11. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us via our contact form, and we will take steps to delete that information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Effective Date" at the top of this page. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

9247-4246 QUEBEC INC.

Operating as GraphWarden

Montreal, Quebec, Canada

our contact form