Privacy Policy
Last updated: February 7, 2026
1. Introduction
Peregrine Sight ("we," "our," or "us") is operated by Peregrine Logic LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and services (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and organization name through Microsoft OAuth authentication. We do not store your Microsoft password.
Microsoft 365 Tenant Data
When you connect a Microsoft 365 tenant, we access data through the Microsoft Graph API using delegated and application permissions you authorize. This includes user accounts, group memberships, security configurations, license assignments, mail flow rules, Conditional Access policies, device management settings, and SharePoint/OneDrive configurations. This data is used solely to perform security assessments and license optimization analysis.
Usage Data
We collect information about how you use the Service, including pages visited, scans initiated, reports generated, and features used.
Payment Information
Payment processing is handled by Stripe. We do not store your credit card number, bank account details, or other sensitive payment data. Stripe's collection and use of your information are governed by its privacy policy at stripe.com/privacy.
3. How We Use Your Information
- Provide, operate, and maintain the Service
- Perform security assessments and license waste analysis on your connected Microsoft 365 tenants
- Generate reports, findings, and recommendations
- Process transactions and manage your subscription
- Send scan results, alerts, and service-related notifications
- Respond to your support requests and inquiries
- Improve the Service and develop new features
- Enforce our terms of service and comply with legal obligations
4. Data Storage and Security
Your data is stored in secure, encrypted databases hosted by Supabase with row-level security policies that ensure strict organizational isolation. Each organization's data is segregated and accessible only to authorized members of that organization.
Microsoft 365 scan data is processed in real time and stored as findings and reports. We do not retain raw Microsoft Graph API responses beyond what is necessary to generate and display your results.
All data in transit is encrypted using TLS 1.2 or higher. Access tokens for the Microsoft Graph API are short-lived and never stored in our database.
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information or tenant data to third parties. We may share information only in the following circumstances:
- Service Providers: We use trusted third-party services including Supabase (database), Railway (hosting), Stripe (payments), and Microsoft (authentication and Graph API). These providers access only the data necessary to perform their functions.
- Legal Requirements: We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.
6. Microsoft 365 Data Handling
Peregrine Sight accesses your Microsoft 365 tenant data exclusively through the Microsoft Graph API using permissions you explicitly grant via admin consent. We adhere to the following principles:
- We request only the minimum permissions needed for security assessments and license analysis
- Tenant data is never shared across organizations — each organization's data is isolated
- You can revoke access at any time by removing the Peregrine Sight enterprise application from your Azure AD tenant
- Scan results and findings are retained for your review and historical tracking; you can request deletion at any time
7. Your Rights and Choices
- Access: You can access your data through the Service at any time
- Correction: You can update your account information through the settings page
- Deletion: You can request deletion of your account and all associated data by contacting us
- Export: You can export your findings and reports as CSV, JSON, or PDF at any time
- Revoke Access: You can disconnect any Microsoft 365 tenant and revoke Graph API permissions through Azure AD
8. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising trackers. Stripe may set cookies as part of payment processing.
9. Data Retention
We retain your account data and scan results for as long as your account is active. If you cancel your subscription, your data is retained for 90 days to allow for reactivation, after which it may be permanently deleted. Billing records are retained as required by applicable financial regulations.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete such information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Peregrine Logic LLC
Email: [email protected]