← Back to ButWhy.Cloud
Privacy Policy
Last updated: March 2026
ButWhy.Cloud is a read-only security scanning service. We do not store your tenant data beyond what is necessary to deliver your report. Your scan results are held in Azure Blob Storage for 5 days and then permanently deleted.
1. Who We Are
ButWhy.Cloud ("we", "us", "our") is a cloud security scanning service operated as a trading name. Our contact address is hello@butwhy.cloud.
2. What Data We Collect
When you use our service we collect:
- Your email address — provided by you before scanning, used solely to deliver your security report.
- Microsoft OAuth access token — issued by Microsoft when you consent to our app registration. Used only during the scan and never stored after the scan completes.
- Scan results — the output of security checks run against your tenant (check IDs, pass/fail status, evidence strings, remediation guidance). Stored in Azure Blob Storage for 5 days then permanently deleted.
- Basic usage data — Cloudflare web analytics (page views, approximate location). No cookies are set for analytics purposes.
We do not collect passwords, payment card data, or any personally identifiable information from your Microsoft tenant beyond what appears in scan evidence (e.g. user principal names of misconfigured accounts).
3. How We Use Your Data
- To run the security scan against your Microsoft 365 and Azure tenant.
- To generate and email your security report.
- To temporarily store your report so it can be retrieved if delivery fails.
We do not use your data for advertising, profiling, or any purpose other than delivering the service.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area or United Kingdom, our legal basis for processing your data is:
- Contract performance (Article 6(1)(b) GDPR) — processing your email and scan data is necessary to deliver the service you requested.
- Legitimate interests (Article 6(1)(f) GDPR) — retaining scan results for 5 days to support report re-delivery in case of failure.
5. Legal Basis for Processing (POPIA)
If you are located in South Africa, we process your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA). Our lawful grounds are your consent (given when you initiate a scan) and the necessity to fulfil the service contract.
6. Data Retention
- Email address — retained only for the duration of report delivery. Not stored in any database.
- OAuth access token — used in memory during the scan, never written to disk or storage.
- Scan results — stored in Azure Blob Storage (East US region) for 5 days, then automatically and permanently deleted.
7. Data Sharing
We do not sell, rent, or share your data with third parties except:
- Microsoft Azure — our infrastructure provider. Scan results are stored in Azure Blob Storage under our account.
- Mailgun — used to deliver your report email. Your email address is transmitted to Mailgun for this purpose only.
- Cloudflare — provides DNS, CDN, and web analytics for our website.
All sub-processors are bound by data processing agreements consistent with GDPR requirements.
8. Your Rights
Depending on your jurisdiction you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data (note: scan data auto-deletes after 5 days).
- Object to or restrict processing.
- Data portability (GDPR only).
- Lodge a complaint with your supervisory authority.
To exercise any right, email hello@butwhy.cloud. We will respond within 30 days.
9. Revoking Microsoft Access
Your OAuth consent grant persists in your Microsoft tenant until you revoke it. To remove ButWhy.Cloud's access, go to Entra ID → Enterprise Applications, find ButWhy.Cloud, and delete it. This does not affect any scan data already generated.
10. Security
Scan data is stored in Azure Blob Storage with private access only, no public URLs. All data in transit is encrypted via TLS. Access to storage is restricted to our scanning infrastructure only.
11. Changes to This Policy
We may update this policy from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of the service after changes constitutes acceptance.
12. Contact
For any privacy-related queries: hello@butwhy.cloud