Privacy Policy
Effective Date: January 2, 2026 | Last Updated: January 2, 2026
1. Information We Collect
We collect information in the following categories:
1.1 Contact & Identification Data
When you contact us or open an incident, we collect:
- Full name, email address, phone number, organization name
- Role, title, and authorization level within your organization
- Billing and invoice address (for paid services)
1.2 Incident & Diagnostic Data
When you request incident response services, we collect:
- Microsoft 365 tenant details (tenant ID, domain names, tenant name)
- Exchange Online configuration, logs, and diagnostic data you provide or authorize us to access
- Error codes, message traces, and performance metrics
- User and mailbox identifiers necessary to diagnose and remediate issues
- Details of changes made, rollback steps, and validation results
1.3 Technical & Usage Data
Our platform automatically collects:
- IP address, browser type, OS, device type, referrer
- Pages visited, links clicked, time spent, interaction patterns
- Cookies and similar tracking technologies (see Cookie Notice)
- API usage patterns and authentication logs
1.4 Communications Data
We retain:
- Email correspondence, chat logs, video call recordings (with consent)
- Support tickets, incident notes, and resolution documentation
2. Legal Basis & Purpose
We process your data based on:
- Contract Performance: Delivering incident response, runbooks, and diagnostic services
- Legal Obligation: Compliance with applicable laws, regulations, and audit requirements
- Legitimate Interest: Improving services, preventing fraud, and ensuring security
- Consent: Marketing communications, non-essential analytics, and optional surveys
3. Data Sharing & Disclosure
We do not sell or rent your data. We share data only when:
- Service Providers: Cloud hosting (AWS, Azure), email, analytics, and security vendors under Data Processing Agreements (DPAs)
- Legal Requirement: Court order, subpoena, law enforcement, or regulatory investigation
- Your Authorization: When you explicitly grant access to third parties (e.g., Microsoft support)
- Business Transfer: Merger, acquisition, or asset sale (we will notify you and provide an opt-out)
4. Data Retention
- Active Incidents: Retained for the duration of the engagement plus 12 months for audit and compliance
- Contact Records: Retained for the duration of our relationship plus 3 years for legal/tax purposes
- Usage & Technical Logs: Retained for 90 days for security and performance analysis
- Communications: Retained per contractual requirements or legal holds; otherwise deleted after 2 years
- Marketing Opt-Out: Upon request, we delete marketing contact data immediately
You may request deletion at any time (subject to legal retention requirements).
5. International Data Transfers
If you are in the EU, UK, or another jurisdiction with restricted data transfers:
- We use Standard Contractual Clauses (SCCs) for transfers to the US and other regions
- We comply with GDPR Chapter 5 requirements for legitimate transfers
- We only use processors certified under adequacy decisions or subject to enforceable safeguards
6. Your Rights
You have the following rights (subject to applicable law):
- Access: Request a copy of your data in a readable format
- Correction: Update or correct inaccurate information
- Deletion: Request erasure of your data (subject to legal holds)
- Portability: Receive your data in a structured, portable format
- Objection: Opt out of marketing, analytics, and non-essential processing
- Restrict Processing: Request limited processing during disputes
- Withdraw Consent: Withdraw consent for optional processing at any time
To exercise these rights, contact us at privacy@exchangeguardians.com with your name, contact info, and request details. We will respond within 30 days.
7. Security Measures
We employ industry-standard protections:
- AES-256 encryption in transit (TLS 1.2+) and at rest
- Role-based access control (RBAC) and multi-factor authentication (MFA)
- Regular penetration testing, vulnerability assessments, and security audits
- Secure data destruction (DOD 5220.22-M standards)
- Incident response plan with 24/7 breach notification capability
Important: While we maintain rigorous safeguards, no system is 100% secure. We cannot guarantee absolute security.
8. Cookies & Tracking
See our Cookie Notice for details on:
- Types of cookies used (functional, analytics, marketing)
- How to manage cookie preferences
- Third-party analytics and tracking
9. Children's Privacy
Our services are not directed to children under 13. We do not knowingly collect data from children. If we discover we have inadvertently collected data from a child, we will delete it promptly. Parents or guardians concerned about data collection should contact us immediately.
10. California Consumer Privacy Rights (CCPA)
If you are a California resident:
- Right to Know: What personal information we collect, use, and share
- Right to Delete: Request deletion of your data (with exceptions)
- Right to Opt-Out: Opt out of "sales" or "sharing" (we do not sell data; limited sharing applies)
- Right to Non-Discrimination: We do not discriminate against you for exercising your privacy rights
To submit a CCPA request, email privacy@exchangeguardians.com with "CCPA Request" in the subject line. You may also appoint an authorized agent.
11. Virginia, Colorado, Connecticut & Other State Laws
We comply with emerging US state privacy laws including VCDPA, CPA, and CTDPA. You have rights to access, correct, delete, and port your data. We do not engage in profiling for automated decisions.
12. Third-Party Links
Our website may link to third-party sites. We are not responsible for their privacy practices. Please review their privacy policies before sharing data.
13. Changes to This Policy
We may update this policy periodically. Changes will be posted here with an updated "Last Updated" date. Continued use of our services after material changes constitutes acceptance. For significant changes, we will notify you via email.
14. Contact Us
For privacy questions, requests, or concerns:
- Email: privacy@exchangeguardians.com
- Address: ExchangeGuardians, Legal & Compliance, (jurisdiction to be added)
- Data Protection Officer (EU): dpo@exchangeguardians.com
15. EU & UK Legal References
- General Data Protection Regulation (GDPR) 2016/679
- UK Data Protection Act 2018
- ePrivacy Directive 2002/58/EC (Cookies)
- EU Consumer Rights Directive 2011/83/EU
16. Third-Party Service Compliance
16.1 Google Services
If we use Google services (Analytics, Ads, Tag Manager), we comply with:
- Google API Services User Data Policy: We access, use, store, and share Google user data only as permitted
- Limited Use Requirements: Google user data is used solely to provide and improve our services, not for advertising or profiling
- Google Ads Policies: All advertising complies with Google's advertising policies and prohibited content guidelines
- Restricted Data: We do not share Google user data with third parties except as permitted or required
Current Implementation: We use privacy-friendly Plausible Analytics (no Google Analytics). If we implement Google services in the future, we will update this policy and obtain necessary consents.
16.2 Microsoft Services
As an Exchange Online support provider, we comply with:
- Microsoft Cloud Services Agreement
- Microsoft Partner Network terms and conditions
- Microsoft Online Services Terms (OST) when accessing customer tenants
Version: 1.1 | Effective: January 11, 2026 | Last Updated: January 11, 2026
This privacy policy is legally binding and supersedes any prior versions. Your use of our services constitutes your acceptance of this policy.