Privacy Policy

How we collect, use, and protect your information

Last Updated: February 15, 2026

1. Introduction

ForIT LLC ("ForIT," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our consulting services, or use our software products including ForIT Productivity and other SaaS tools.

We've written this to be straightforward and honest — not to bury important details in legal boilerplate. If you have questions about this policy, contact us at the address listed at the bottom.

2. Information We Collect

Personal Information

We may collect personal information that you provide directly to us, such as:

  • Name and job title
  • Company name
  • Email address
  • Phone number
  • Information about your business operations
  • Any other information you choose to provide

Account Information (SaaS Products)

When you sign up for ForIT software products, we collect:

Data | Purpose
Email address | Identify your account, send notifications
Display name | Personalize the interface
Home tenant ID | Associate your account with your Microsoft 365 tenant

Linked Microsoft 365 Tenant Data

When you connect a Microsoft 365 tenant to our software products, we store:

  • Tenant ID and tenant name — to identify which tenant we're operating on
  • OAuth2 tokens (access and refresh) — encrypted at rest, used to call Microsoft Graph API on your behalf
  • SharePoint site URLs — to read and write your configurations

API Keys

If you generate API keys to access ForIT products programmatically:

  • We store a cryptographic hash of each key (PBKDF2-SHA256, 600,000 iterations with random salt)
  • We store the key prefix (first few characters) so you can identify which key is which
  • We store creation and last-used timestamps
  • We do not store your raw API key after initial generation

Ingest Tokens

If you use the AI ingestion feature or MCP server, we generate an ingest token stored in our database. Unlike API keys, ingest tokens are stored in their original form (not hashed) because they must be returned to you for use as bearer tokens. You can regenerate your ingest token at any time, which invalidates the previous one.

Activity and Sync Logs

  • Activity logs: records of your actions and API requests, with timestamps. Retained for 90 days, then permanently deleted.
  • Sync logs: records of sync operations between your systems, including status and errors. Retained for 180 days, then permanently deleted.

Email Metadata

When you use our email automation products, we process and may temporarily store:

  • Email subject lines and sender addresses for emails matched by your rules
  • Email content snippets when you use AI-powered features (classification, summarization)

We do not store full email bodies in our database. Email content is only transmitted to our AI provider (Anthropic) for real-time processing and is not retained after the API call completes.

Automatically Collected Information

When you visit our website, we may automatically collect certain information about your device, including:

  • IP address
  • Browser type and version
  • Operating system
  • Referring website
  • Pages visited and time spent

3. How We Use Your Information

We process your data under the following lawful bases:

Data Category | Lawful Basis | Purpose
Account information | Contract performance | Required to provide the service
OAuth tokens | Contract performance | Required to connect to your Microsoft 365 tenant
API keys | Contract performance | Required to authenticate programmatic access
Activity logs | Legitimate interest | Troubleshooting, abuse prevention, reliability
Email metadata | Contract performance | Required to evaluate and execute your rules
Email content (AI) | Consent | You opt in to AI features; content only sent to Anthropic when used
Contact form data | Legitimate interest | Respond to your inquiry

We do not sell your data. We do not use your data for advertising. We do not build behavioral profiles for third-party use.

4. Microsoft 365 Permissions

When you connect your Microsoft 365 account to our software products, we request delegated permissions. Here is what each one does and why we need it:

Permission | What It Allows | Why We Need It
User.Read | Read your basic profile | Display your name and email; identify your account
Mail.ReadWrite | Read and modify your email | Evaluate rules against messages; move/categorize/flag emails
Mail.Send | Send email on your behalf | Forward or auto-reply actions in your rules
MailboxSettings.ReadWrite | Read and modify mailbox settings | Create and manage Outlook inbox rules
Tasks.ReadWrite | Read and modify your tasks | Sync and manage tasks in Microsoft To Do
Sites.ReadWrite.All | Read and write SharePoint items | Store your configurations on your own OneDrive site
Contacts.ReadWrite | Read and modify your contacts | Look up contact details for rule conditions
Calendars.ReadWrite | Read and modify your calendar | Scheduling features and calendar event creation
Notes.ReadWrite.All | Read and write OneNote content | Create notes from automation actions
offline_access | Maintain access when you're offline | Refresh tokens without requiring re-authentication

You can revoke these permissions at any time by disconnecting your tenant in the product dashboard or by removing the app from your Microsoft 365 account at myapps.microsoft.com.

5. AI Processing

ForIT uses Anthropic's Claude API for AI-powered features across our products, including email classification, summarization, task extraction, and our website chat assistant.

How AI Processes Your Data

  1. When you use an AI-powered feature, relevant content (e.g., email subject and body) is sent to Anthropic's Claude API over an encrypted connection.
  2. Claude processes the content and returns a result (classification, summary, task, or response).
  3. Anthropic does not store your content beyond the API call. Per Anthropic's data policy, API inputs and outputs are not used to train their models and are not retained after processing.
  4. We do not store the content that was sent to Claude in our own database.

Website Chat Assistant

Our website includes an AI-powered chat assistant. When you interact with this assistant:

  • Your messages and responses may be logged for quality improvement
  • Conversations are processed by Anthropic's Claude API
  • Chat history within your browser session is stored locally using sessionStorage
  • If you submit a form, your chat conversation may be included with the submission

Opting Out of AI Features

AI features are optional. If you do not use AI-powered actions (such as AI classification, summarization, or the chat assistant), no content is sent to Anthropic. You can configure your rules and workflows to use only non-AI actions. Do not share sensitive information (passwords, financial details, confidential data) in AI-powered features.

6. SMS/Text Messaging

Opt-In and Consent

When you provide your phone number and consent to receive SMS messages from ForIT LLC, we may send you text messages related to account notifications, appointment reminders, service updates, and general communications. By opting in, you consent to receive these messages at the phone number you provided.

Message and data rates may apply. Message frequency varies depending on your interaction with our services. You can opt out at any time by replying STOP to any message, or by contacting us directly. Reply HELP for assistance.

SMS Privacy Protection

We will never share your mobile opt-in information with third parties for marketing purposes. Your phone number and SMS opt-in status are kept strictly confidential and used solely for the purposes you explicitly consented to.

7. Data Security

We implement the following security measures:

  • Encryption in transit: All data transmitted between your browser, our API, Microsoft 365, and Anthropic uses TLS encryption.
  • Token encryption at rest: OAuth2 tokens stored in our database are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256).
  • API key hashing: API keys are hashed with PBKDF2-SHA256 using 600,000 iterations and a cryptographically random salt. We cannot recover your raw API key.
  • Database encryption: Azure SQL Database provides transparent data encryption (TDE) at rest.
  • Rate limiting: API access is rate-limited to prevent abuse.
  • Multi-tenant isolation: All database tables use user-scoped foreign keys. Users cannot access another user's data through the application.
  • Serverless infrastructure: We use Azure Functions, which reduces our attack surface compared to always-on servers.

We do not claim to be perfect. If you discover a security issue, please contact us immediately at the address below.

8. Data Retention

Data Type | Retention Period | Deletion Method
Account information | Until you delete your account | Cascade delete on account removal
OAuth tokens | Until you disconnect or delete your account | Immediate deletion on disconnect
API keys (hashed) | Until you revoke or delete your account | Immediate deletion on revocation
Activity logs | 90 days | Automated purge
Sync logs | 180 days | Automated purge
Email metadata | As long as the rule exists | Deleted when rule is removed
SharePoint list data | Stored on your own tenant | You control this data directly

When you delete your account, all data associated with your account is permanently removed from our database via cascading deletes. This includes all linked tenants, tokens, API keys, logs, and rule metadata.

9. Information Sharing

We do not sell, trade, or rent your personal information. We share data with the following third-party services, and no others:

Microsoft (Microsoft Graph API)

  • What: Your email metadata, tasks, calendar events, contacts, and SharePoint data — as needed to execute your configured automations
  • Why: This is the core of what our software products do
  • Their policy: Microsoft Privacy Statement

Anthropic (Claude API)

  • What: Email subject lines, content snippets, and chat messages — only when you use AI features
  • Why: To provide AI-powered classification, summarization, and chat assistance
  • Retention: Anthropic does not retain API inputs/outputs for model training
  • Their policy: Anthropic Privacy Policy

Microsoft Azure (Infrastructure)

  • What: All application data is hosted on Azure infrastructure (Azure Functions, Azure SQL Database, Azure Static Web Apps)
  • Region: United States (East)
  • Their policy: Microsoft Azure Data Protection

We do not use analytics services, advertising networks, or data brokers. We do not embed third-party tracking scripts in our application.

10. Your Rights

Regardless of where you are located, we provide the following rights to all users:

Access and Export

You can export all data associated with your account at any time via our API or by contacting us. The export includes your account information, linked tenants (excluding raw tokens), API key metadata, activity logs, and feature flags.

Deletion

You can delete your account through the application or by contacting us. This permanently removes all data associated with your account from our systems. Deletion is immediate and irreversible.

Disconnect Tenants

You can disconnect any linked Microsoft 365 tenant at any time. This immediately deletes the stored OAuth tokens for that tenant and stops all automation.

Revoke API Keys

You can revoke any API key at any time. Revoked keys are immediately invalidated. The hashed key record is retained with a revocation timestamp until you delete your account, at which point it is permanently removed via cascading delete.

Opt-Out of Marketing

You can opt out of marketing communications at any time by replying STOP to SMS messages, unsubscribing from emails, or contacting us directly.

GDPR-Specific Rights (EEA Users)

If you are in the European Economic Area, you additionally have the right to:

  • Rectification: request correction of inaccurate personal data
  • Restriction: request that we limit processing of your data
  • Portability: receive your data in a structured, machine-readable format
  • Object: object to processing based on legitimate interest
  • Complaint: lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at the address below. For GDPR-related requests, please include "GDPR Request" in the subject line.

11. Data Transfers

ForIT is hosted in the United States on Microsoft Azure infrastructure. If you are located outside the United States, your data will be transferred to and processed in the United States. For users in the European Economic Area, this transfer is covered by Microsoft's adherence to the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.

12. Software Products Disclaimer

Important: Experimental Software Notice

ForIT software products are developed using rapid, AI-assisted methodologies. Regarding data processed by these tools:

  • We cannot guarantee the security of data processed by our software products
  • Data may be transmitted through third-party services (Microsoft, Anthropic, etc.) subject to their privacy policies
  • Our software may log debugging information that could include your data during troubleshooting
  • You are responsible for ensuring our tools meet your compliance requirements

Do not use ForIT software products to process sensitive personal data (PHI, PCI, etc.) without implementing additional safeguards and accepting full responsibility for compliance.

13. Cookies

We use cookies and similar technologies to maintain session state and enhance your experience. We do not use third-party tracking cookies or advertising cookies. You can control cookies through your browser settings.

14. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children.

15. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will:

  1. Update the "Last Updated" date at the top of this page
  2. Notify active users via email or in-app notification

We will not retroactively reduce your rights or expand our data use without your consent.

16. Breach Notification

In the event of a data breach affecting your personal data, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR. We will also notify the relevant supervisory authority where required.

17. Contact Us

For questions about this privacy policy, data requests, or security concerns:
