Privacy Policy

This Privacy Policy ("Policy") describes how 3D Tesla LLC, a Florida limited liability company ("3D Tesla," "we," "us," or "our"), operating under the trade name LicenseIQ, collects, uses, stores, shares, and protects personal data when you use the LicenseIQ platform, website (licenseiq.app), and related services (collectively, the "Service").

This Policy applies to all users of the Service, including website visitors, beta testers, registered users (Free, Pro, and Business plans), and administrators who connect Microsoft 365 tenants to the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you are using the Service on behalf of an organization, you represent and warrant that you have authority to bind that organization to this Policy.

For the purposes of the European Union General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data protection laws, the Data Controller is:

3.1 Account Information — When you create an account or register for the beta program, we collect: full name, email address, password (stored securely in Microsoft Entra External ID, not by us directly), company name (optional), and phone number (optional, for feedback purposes only).

3.2 Microsoft 365 Tenant Data — When you connect your M365 tenant, we access the following data through the Microsoft Graph API using read-only application permissions that you explicitly grant:

• Organization information: Organization display name and verified domains.
• License inventory: Subscribed SKU names, quantities (total, assigned, unassigned). We do NOT access customer pricing — all monetary estimates are based on publicly available Microsoft list prices.
• User directory data: Display name, email, user principal name, department, job title, account status (enabled/disabled), assigned licenses, license assignment states (direct vs. group-based), and last sign-in date/time.
• Usage reports (aggregated): Office 365 Active User Detail, Teams User Activity, and Mailbox Usage Detail for the preceding 30-day period. These reports include per-user service activity indicators (e.g., whether a user used Exchange, Teams, OneDrive) but do NOT include message content, file content, or communication details.

3.3 Technical and Usage Data — We automatically collect: IP address, browser type and version, pages visited, timestamps, and referring URLs. This data is collected through server logs and is used solely for security monitoring and service improvement.

3.4 Feedback and Communications — When you submit feedback, contact forms, or support requests, we collect: your name, email, phone (if provided), message content, and category of inquiry.

3.5 Payment Information — Payment processing is handled entirely by Stripe, Inc. We do NOT collect, store, or process credit card numbers, bank account details, or other financial instrument data. We store only Stripe customer IDs and subscription IDs for plan management.

To be clear, LicenseIQ does NOT access, read, store, or process:

• Email messages, attachments, or email content (Exchange/Outlook)
• Files or documents stored in OneDrive, SharePoint, or Teams
• Teams chat messages, call recordings, or meeting transcripts
• User passwords, authentication tokens, or multi-factor authentication data
• Calendar events or contact lists
• Customer financial data or billing information from Microsoft
• Any data outside the specific Microsoft Graph API scopes listed in Section 3.2

All Microsoft Graph API permissions used by LicenseIQ are read-only application permissions. LicenseIQ never writes to, modifies, creates, or deletes any data in your Microsoft 365 tenant.

We process personal data under the following legal bases as defined by the GDPR:

• Contract performance (Art. 6(1)(b)): Processing account data, tenant data, and scan results is necessary to perform the Service you have subscribed to.
• Legitimate interest (Art. 6(1)(f)): Processing technical/usage data for security monitoring, fraud prevention, and service improvement. We have conducted a balancing test and determined that these interests do not override your fundamental rights.
• Consent (Art. 6(1)(a)): Where you explicitly connect your M365 tenant and grant Graph API permissions, you provide informed consent for the specific data access described in Section 3.2. You may withdraw consent at any time by disconnecting your tenant.
• Legal obligation (Art. 6(1)(c)): Where required to comply with applicable laws, regulations, or legal processes.

We use the data collected for the following specific purposes:

• License analysis: Scanning your M365 license inventory, calculating Health Scores (0-100), identifying unassigned licenses, inactive users (30/60/90-day thresholds), duplicate license assignments, and generating cost-saving recommendations with dollar-value estimates.
• Usage analysis: Analyzing per-user service usage patterns (Teams adoption rates, mailbox activity, Office 365 service usage) to identify data-driven downgrade candidates and optimization opportunities.
• Department analysis: Aggregating license costs and inactive user rates by organizational department to enable targeted cost optimization by business unit.
• Report generation: Creating PDF reports containing scan results, recommendations, and analysis, and optionally sending them via email to your designated report email address using Azure Communication Services.
• Scan history: Storing historical scan results (Pro and Business plans) to enable trend analysis and comparison over time.
• Multi-domain management: For Business plan users, managing multiple M365 tenant connections and performing scans across multiple domains.
• Account management: Authenticating users via Microsoft Entra External ID, managing subscriptions, processing payments via Stripe, and providing customer support.
• Service improvement: Analyzing aggregated, anonymized usage patterns to improve the Service. We do NOT use your M365 tenant data for this purpose.
• Communications: Sending transactional emails (beta invitations, scan reports, feedback confirmations) and responding to support requests.

7.1 Infrastructure: All data is stored in Microsoft Azure data centers. Our primary hosting region is the United States. Azure maintains SOC 1, SOC 2, ISO 27001, ISO 27018, and CSA STAR certifications.

7.2 Encryption: All data is encrypted in transit using TLS 1.2 or higher. Data at rest in Azure Table Storage is encrypted using AES-256 with Microsoft-managed keys (Storage Service Encryption).

7.3 Credential security: Your M365 App Registration credentials (Client ID and Client Secret) are stored in Azure Table Storage with encryption at rest. We do NOT store your personal Microsoft account password — authentication is handled entirely by Microsoft Entra External ID (CIAM).

7.4 Data isolation: Each customer's data is logically isolated by their unique user identifier (Entra Object ID). There is no cross-tenant data access or sharing.

7.5 Retention periods:

• Account data: Retained for the duration of your active account.
• Scan results (Free): Single scan retained until a new scan is performed or an administrator executes a reset (which deletes the scan data).
• Scan history (Pro/Business): Retained until explicitly deleted by the user or upon account closure.
• M365 tenant credentials: Retained while the connection is active; deleted upon disconnection or account closure.
• Beta signup data: Retained for the duration of the beta program.
• Feedback data: Retained indefinitely for product improvement unless deletion is requested.
• Payment records: Stripe customer and subscription IDs retained per Stripe's retention policies.
• Upon account deletion: All associated data (account, scans, history, connections, settings) is permanently removed within 30 days.

We do NOT sell, rent, lease, or trade your personal data to any third party for marketing or commercial purposes. We share data only with the following sub-processors, each acting as a Data Processor under appropriate data processing agreements:

• Microsoft Azure (Microsoft Corporation, Redmond, WA, USA): Cloud infrastructure, data storage (Azure Table Storage), hosting (Azure App Service), and email delivery (Azure Communication Services). Microsoft's DPA: Microsoft DPA.
• Microsoft Entra External ID (Microsoft Corporation): User authentication and identity management for the LicenseIQ application.
• Microsoft Graph API (Microsoft Corporation): Read-only access to your M365 tenant data, initiated and authorized exclusively by you through the App Registration you create in your own tenant.
• Stripe, Inc. (San Francisco, CA, USA): Payment processing for paid subscriptions. Stripe is PCI DSS Level 1 certified. Privacy policy: stripe.com/privacy.

We may disclose personal data if required by law, subpoena, court order, or governmental authority, or if we believe in good faith that disclosure is reasonably necessary to protect our rights, your safety, or the safety of others, or to investigate fraud.

Your data may be transferred to and processed in the United States, where our infrastructure is hosted. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:

• The EU-U.S. Data Privacy Framework (DPF) and the UK Extension to the DPF, under which our sub-processors (Microsoft, Stripe) are certified.
• Standard Contractual Clauses (SCCs) as adopted by the European Commission (Implementing Decision (EU) 2021/914), incorporated into our sub-processor agreements.
• Microsoft's commitment to GDPR compliance for Azure services, as detailed in the Microsoft Online Services Data Protection Addendum (DPA) and Microsoft's EU Data Boundary commitment.

We ensure that any transfer of personal data is subject to appropriate safeguards as required by Chapter V of the GDPR.

If you are located in the EEA, UK, Switzerland, or another jurisdiction with applicable data protection laws, you have the following rights regarding your personal data:

• Right of Access (GDPR Art. 15): You may request a copy of the personal data we hold about you, including the purpose of processing, categories of data, recipients, and retention periods.
• Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data. You can update your name, company, and report email directly in Settings.
• Right to Erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten"). You can disconnect your M365 tenant and request full account deletion at any time. Upon deletion, all associated data is permanently removed within 30 days.
• Right to Restriction of Processing (Art. 18): You may request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format. Scan results can be exported as PDF reports.
• Right to Object (Art. 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent (e.g., M365 tenant connection), you may withdraw consent at any time by disconnecting your tenant from the Service. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EEA DPAs is available at edpb.europa.eu.
• Right Not to Be Subject to Automated Decision-Making (Art. 22): LicenseIQ does not make automated decisions that produce legal effects or similarly significant effects on you. Recommendations are informational only and require human review before implementation.

To exercise any of these rights, contact us at privacy@licenseiq.app. We will respond within 30 days (or one calendar month as required by GDPR). We may request verification of your identity before fulfilling your request.

LicenseIQ is built with data protection principles embedded into its architecture:

• Data minimization: We collect only the data necessary to perform license analysis. We request only 4 read-only Graph API permissions (Directory.Read.All, Organization.Read.All, Reports.Read.All, AuditLog.Read.All) and no write permissions.
• Purpose limitation: M365 tenant data is used exclusively for license optimization analysis and is never repurposed for marketing, profiling, or sale to third parties.
• Storage limitation: Data is retained only as long as necessary for the stated purpose and is deleted upon account closure or user request.
• Integrity and confidentiality: All data is encrypted in transit and at rest, with logical isolation per customer.
• Customer-controlled credentials: Each customer creates their own App Registration in their own M365 tenant, maintaining full control over the credentials and the ability to revoke access at any time by deleting the App Registration or Client Secret.

We have conducted a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35 for the processing of M365 tenant data. The assessment concluded that the risks to data subjects are appropriately mitigated by: (a) the strictly read-only nature of all API permissions; (b) encryption of data at rest and in transit; (c) logical data isolation per customer; (d) the user's ability to disconnect and delete data at any time; (e) the limited scope of data accessed (no email content, files, or communications); and (f) customer-controlled App Registration credentials.

LicenseIQ uses only strictly necessary cookies (Category 1 under the ePrivacy Directive) required for authentication and session management. These cookies are exempt from consent requirements under GDPR Recital 30 and the ePrivacy Directive Art. 5(3) as they are essential for the Service to function.

We do NOT use: advertising or marketing cookies, third-party analytics cookies (Google Analytics, etc.), tracking pixels, social media tracking, or fingerprinting technologies. No personal data is shared with advertising networks or data brokers.

Client-side session data (e.g., SKU override preferences) is stored in the browser's sessionStorage and is automatically cleared when the browser tab is closed. This data is not transmitted to our servers.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33; and (b) notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.

The Service is intended exclusively for business use by organizations and their authorized administrators. It is not directed at individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale or sharing of personal information. We do NOT sell or share personal information as defined by the CCPA/CPRA. To exercise your California privacy rights, contact privacy@licenseiq.app.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify registered users of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when this Policy was most recently revised. Continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the changes.

For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data: