Privacy Policy
Last updated July 1, 2026
Effective date: July 1, 2026
This Privacy Policy explains how Alexander Duggleby, a sole proprietor operating as SimpleNewsletter365 (“SimpleNewsletter365,” “we,” “us”) handles personal data when you use our website and the SimpleNewsletter365 application (the “Service”). SimpleNewsletter365 is a newsletter tool for organizations that use Microsoft 365.
Two roles, two relationships
We act in two different roles depending on whose data is involved:
- As a controller for the personal data of our account holders: the people who sign in, set up an organization, and administer the Service. This Privacy Policy describes that processing.
- As a processor for the contact and recipient data that you, our customer, upload and send to. You remain the controller of your audience data, and your use of that data is governed by your own privacy notice and by our Data Processing Addendum.
Data we collect as a controller
Account and identity data. When you sign in with Microsoft, we receive and store your Microsoft tenant ID, user object ID, email address, and display name from Microsoft Entra. We sign you in as a confidential OpenID Connect client. Microsoft access and refresh tokens stay on our servers and are never exposed to the browser or to front-end code.
Organization data. Account and tenant identifiers, display names, setup status, enabled feature gates, team memberships, roles, permissions, and invitations.
Mailbox connection data. When you connect a sending mailbox, we store non-secret grant metadata (grant ID, tenant, user object ID, subject mailbox, and granted scopes). Refresh-token material is encrypted at rest and never exported or logged.
Usage and diagnostic data. Audit records (actor ID, action, target, and timestamp), correlation IDs, and operational logs. Our logs use identifiers, hashes, statuses, counts, and durations rather than message content, email addresses, or token material.
Website analytics data. We use website analytics to understand visits to the marketing website, such as page URLs, referrers, browser and device metadata, event timestamps, and approximate location derived from IP address.
Billing data. If you buy a paid plan, our reseller and Merchant of Record, Paddle, processes your payment and charges applicable taxes. We receive plan, transaction, and status metadata, not your full card number.
Data we process as a processor
On your instruction, the Service stores and processes the audience data you manage, including contact email addresses, names, organizations, custom fields, subscription status, segment membership, signup form submissions, newsletter content, and delivery outcomes. We process this data to provide the Service to you and do not use it for our own purposes. See the Data Processing Addendum and our list of subprocessors.
How newsletters are sent
Newsletters are delivered through your own Microsoft 365 mailbox using Microsoft Graph. We do not operate a shared sending pool, and your recipients’ email addresses are not shared with other customers. We store a recipient record with an obfuscated email hint for progress reporting; full recipient email addresses are shown only to users with the appropriate permission.
How we use personal data
We use personal data to authenticate you, provide and secure the Service, send newsletters on your behalf, generate delivery and engagement reports, provide support, comply with legal obligations, and prevent abuse. We do not sell personal data, and we do not use your audience data to train advertising profiles.
Legal bases (EEA and UK)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service), legitimate interests (to secure and improve the Service and prevent abuse), consent (where required, for example certain cookies), and compliance with legal obligations.
Cookies
The application uses a single strictly necessary session cookie to keep you signed in and protect the session. We do not use advertising or tracking cookies. Our marketing website uses privacy-friendly, cookieless analytics, so it sets no non-essential cookies.
Sharing and subprocessors
We share personal data only with service providers that help us run the Service under contract: Microsoft Azure for hosting, storage, and key management, Microsoft Graph and Microsoft Entra for authentication and sending, Paddle for payments, Lettermint for transactional email, and Approximated for serving custom domains. We keep a current list of subprocessors. We may also disclose data where required by law or to protect rights and safety.
International transfers
The Service is hosted in a single Microsoft Azure region in the European Union (West Europe, Netherlands). Where personal data is transferred across borders, we rely on appropriate safeguards such as the Standard Contractual Clauses.
Retention and deletion
We keep account data for as long as your account is active. When an account is deleted, we remove account-scoped records and stored image assets. Subscriber history rows are retained as append-only audit evidence, with email and actor email fields anonymized. Encrypted mailbox token material is revoked and deleted. Hashed signup-form audit and rate-limit rows are purged on a short cycle. Unsubscribe state is retained long enough to honor opt-outs. See the Data Processing Addendum for the processor-side detail.
Your rights
Subject to applicable law, you may request access, correction, deletion, restriction, portability, or objection, and you may withdraw consent. Account holders can export and delete account data from within the Service. If you are a recipient of a newsletter sent through SimpleNewsletter365, please contact the sender (our customer), who controls that data; we will assist them as their processor. To exercise rights against us as a controller, contact hello@simplenewsletter365.com.
Security
We protect data with encryption in transit and at rest, encrypted token storage protected by Azure Key Vault, least-privilege access, tenant and account isolation on every record, and logging that excludes sensitive values. See our Security overview.
Children
The Service is not directed to children under 16, and we do not knowingly collect their personal data.
Changes
We may update this Policy and will revise the effective date above. Material changes will be communicated through the Service or by email.
Contact
Alexander Duggleby (operating as SimpleNewsletter365), Marxergasse 24/2, 1030 Wien, Austria. VAT ATU62316158. Privacy questions: hello@simplenewsletter365.com.