Privacy Policy
Last updated: 11 June 2026
This Privacy Policy explains what information Azure Helper ("we", "us", "the Service") collects when you use the
hosted web app, the browser extension shells, and the related marketing pages, and how that information is used,
stored, and protected. Azure Helper is a read-only learning tool for Microsoft Azure and Microsoft 365 — it
is built to never write to, modify, or delete anything in your tenant.
1. Who we are
Azure Helper is operated by Cloudpartner ("Cloudpartner.fi"). For any privacy questions or data requests, contact
noreply@cloudpartner.fi.
2. Information we collect
2.1 Account information
- Email address, used for magic-link sign-in and account communication.
- Subscription/plan status (e.g. Pro, Partner, demo overrides for admin testing) and billing state from our
payment provider (Stripe), when billing is enabled.
2.2 Microsoft Entra / Microsoft Graph / Azure data
If you choose to connect a Microsoft Entra tenant, Azure Helper requests read-only (".Read") application
and delegated permissions to Microsoft Graph and Azure Resource Manager. This may include, depending on which
features you use and which permissions your administrator has consented to:
- Basic organization, user, group, and domain information (counts, display names, license/SKU summaries).
- Conditional Access policy summaries, directory role membership, recent sign-in activity, service health and
service messages, and enterprise application (service principal) listings.
- Azure subscription, resource group, and resource listings (via Azure Resource Manager "Reader"-level reads).
- Your signed-in Microsoft identity (name, email/UPN, object ID, and tenant ID) for the purpose of identifying
which tenant(s) you have access to and letting you switch between them — similar to the Azure Portal's
directory switcher.
A delegated refresh token (used only to discover tenants you already belong to and to read data on your behalf)
is stored encrypted at rest. We do not request or use any ".ReadWrite" or "Directory.ReadWrite" style permissions,
and the Service contains no code path capable of creating, updating, or deleting objects in your tenant.
2.3 Usage and diagnostics data
- Standard web request logs (IP address, timestamps, request paths) for security, rate-limiting, and abuse
prevention.
- Lightweight in-app diagnostics (e.g. whether a Graph/Azure read succeeded or returned a permission error) to
help you and us troubleshoot setup issues.
- If you ask the AI Guide a question, the relevant live tenant context (e.g. summary metrics, the specific
Graph query and response you are looking at) may be sent to our AI provider (Azure OpenAI) to generate an
answer. We do not use this content to train models, and Azure OpenAI processes it under Microsoft's enterprise
data-handling terms.
3. How we use this information
- To authenticate you and maintain your session (magic-link sign-in, session cookies).
- To show you live, tenant-specific examples in the Guide, Graph Explorer, and Home dashboard.
- To enforce subscription/plan entitlements (e.g. number of connected tenants on Pro vs Partner plans).
- To operate, secure, and improve the Service, including rate limiting and fraud/abuse prevention.
- To send you account-related email (magic links, billing notices, and — if you opt in — waitlist/launch
updates).
4. Data retention and deletion
Account records, connected-tenant metadata, and encrypted refresh tokens are retained for as long as your account
is active. Tenant data read via Graph/Azure (e.g. dashboard summary numbers) is fetched on demand and is not
permanently archived beyond short-lived caching needed to render the page. You can disconnect a tenant at any
time from the Connection panel, which removes its stored metadata. To request deletion of your account and all
associated data, email noreply@cloudpartner.fi.
5. Sharing and sub-processors
We do not sell your data. We use the following categories of sub-processors to operate the Service:
- Cloudflare — hosting, edge network, database (D1/KV), and rate limiting.
- Microsoft — Entra ID (sign-in, delegated tenant access), Microsoft Graph / Azure Resource Manager
(read-only tenant data), and Azure OpenAI (AI Guide answers).
- Stripe — subscription billing, when enabled.
- Azure Communication Services — transactional email delivery (magic links, notifications).
6. Security
- Refresh tokens are encrypted at rest (AES-GCM) and never exposed to the browser.
- Sessions use HttpOnly, secure cookies; state-changing requests are protected against CSRF via origin/referer
checks.
- The Service requests only ".Read" Graph/Azure scopes — by design it cannot perform write, update, or delete
operations against your tenant.
7. Your rights
Depending on your location, you may have rights to access, correct, export, or delete your personal data, and to
object to or restrict certain processing. To exercise these rights, contact
noreply@cloudpartner.fi. If you are an end user of an organization
that has connected its tenant to Azure Helper, your organization's administrator may also manage or revoke that
connection at any time (Connection panel → "Disconnect", or revoking admin consent in Microsoft Entra).
8. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last
updated" date above. Continued use of the Service after changes take effect constitutes acceptance of the revised
policy.
9. Contact
Questions about this policy or your data: noreply@cloudpartner.fi.