Privacy Policy

Last updated: February 2026

At Formu-Letter, we take your privacy seriously. This policy explains what data we collect and how we handle it when you use our Microsoft Excel Add-in.

1. Data Minimisation

Formu-Letter is built on the principle of data minimisation. The most secure way to protect your data is to never collect it in the first place.

2. What We Collect

• Authentication Data: When you sign in via Microsoft Single Sign-On (SSO), we receive your email address, display name, and a unique identifier from Microsoft. This data is used solely to authenticate your session and enable email sending.
• Service Metadata: We may collect anonymous, aggregated telemetry (e.g., whether a send was successful) to monitor service health. This data is never linked to your identity or your spreadsheet content.

3. What We Never Collect or Store

• Spreadsheet Data: We do not read, store, or transmit your spreadsheet data to our servers. All processing of your Excel data happens locally within your browser or Excel desktop client.
• Email Content: We do not store the subject lines or body text of the emails you compose. These are sent directly from your device to Microsoft's servers via the Microsoft Graph API.
• Recipient Lists: Your recipient email addresses are processed locally and are never stored on our infrastructure.

4. How Emails Are Sent

All emails are dispatched using the Microsoft Graph API. The Add-in acts as a local client — when you click "Send," your device communicates directly with Microsoft's secure infrastructure using your own authenticated session. We do not proxy, relay, or intercept your emails at any point during delivery.

5. Infrastructure & Third Parties

To provide a reliable service, we use the following trusted providers:

• Microsoft Azure — Hosts the Add-in's frontend assets and backend token exchange service. Data processed during authentication is encrypted in transit and never persisted. Azure does not have access to your Excel data or email content.
• Microsoft Azure AD — Provides identity and authentication services through the OAuth 2.0 On-Behalf-Of flow.
• Microsoft Graph API — The engine used to deliver your messages on your behalf.

6. Data Retention

We do not maintain a user database. Authentication tokens are short-lived, handled in-memory during your session, and are never written to persistent storage. When your session ends, no trace of your activity remains on our servers.

7. Your Rights

Since we do not store your personal data or email content, there is no data for us to sell, share, or disclose. You retain complete control over your data within the Microsoft ecosystem. If you wish to revoke the Add-in's access, you can do so at any time from your Microsoft account permissions.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be reflected on this page with an updated "Last updated" date. We encourage you to review this page periodically.

9. Contact

If you have questions about our privacy practices, please contact us at bianca@bianca.codes.