// privacy policy
Privacy Policy
Version 1.0 · Effective 1 March 2026
Becloudsmart Pty Ltd (ABN 13 611 079 219) operates the baref00t.io automated security assessment platform. This policy explains what data we collect, how we use it, and how we protect it.
1. What we collect
We collect the minimum data required to run your assessment and deliver your report:
- Email address -- provided at purchase to deliver your report link.
- Microsoft Entra tenant ID -- used only to run the assessment against your tenant via Microsoft Graph API. We do not store your tenant ID after the assessment completes.
- Free Health Check data -- if you use our free health check wizard, we collect your responses (organisation size, industry, compliance frameworks, and security posture information) to generate your risk score. This data is not linked to your identity unless you voluntarily provide your email address.
2. How we use your data
Your data is used solely to:
- Run the security assessment against your Microsoft 365 tenant.
- Generate a report based on the assessment results.
- Deliver the report to you via email using a secure, time-limited link.
We do not sell, share, or use your data for marketing purposes.
3. Data retention
We do not store your tenant configuration data. The assessment reads configuration via the Microsoft Graph API in real time, evaluates it, and discards the raw data. Only the generated report output is retained and made available via a secure link. Report links expire after 30 days. Assessment metadata (tenant ID, assessment ID, scores) is retained for 90 days for support purposes, after which it is automatically deleted.
4. Sub-processors
We engage the following sub-processors to operate the platform. Each sub-processor is bound by contractual data-protection obligations consistent with our commitments to you.
| Sub-processor | Role | Data processed | Location |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure / hosting | All platform data at rest + in transit | AU East, US East, West Europe, SE Asia |
| Twilio SendGrid | Transactional email | Recipient email + report links | United States |
| Stripe | Payment processing | Billing details (no card data stored by us) | United States, EU, Australia |
| Apollo.io | Lead enrichment (partner pipeline only) | Partner-supplied target domain; returned company + contact data | United States |
| Hunter.io | Email verification (partner pipeline only) | Partner-supplied email addresses | European Union |
| Anthropic | AI narrative generation (opt-in feature) | Assessment findings + scoring data | United States |
| OpenAI | AI narrative generation (opt-in feature) | Assessment findings + scoring data | United States |
| Azure OpenAI | AI narrative generation (opt-in feature) | Assessment findings + scoring data | Configured Azure region |
| Google AI | AI narrative generation (opt-in feature) | Assessment findings + scoring data | United States |
| Google Analytics 4 | Anonymous web analytics | Page views, referrer, coarse geo (no PII) | United States |
AI narrative providers are engaged only when a partner has theai-narrativefeature flag enabled on their account; otherwise no assessment data is sent to any AI sub-processor.
Updates to this list:we will provide at least 30 days’ notice via partner portal banner and email before adding a new sub-processor that processes partner-customer data, so partners have an opportunity to object.
5. Data location
Data processing and storage occurs in the Azure region closest to you — Australia East (Sydney), US East (Virginia), West Europe (Netherlands), or Southeast Asia (Singapore). Your data does not leave the region where it is processed.
6. Cookies
We use the following cookies:
- Essential cookies -- session cookies required for the purchase and consent flow to function.
- Analytics cookies -- Google Analytics (GA4) sets cookies (
_ga,_ga_*) to understand how visitors use our public pages. These cookies collect anonymous usage data such as pages visited and time on site. No personally identifiable information is collected. You can opt out by using your browser's cookie settings or a Google Analytics opt-out extension.
We do not use advertising cookies or share cookie data with third parties for marketing purposes.
7. Your rights
You can request deletion of your data at any time by contacting us. Since we retain minimal data (email and report output only), deletion is straightforward and completed within 7 days.
8. Contact
For any privacy-related questions or data deletion requests:
Email: assessments@baref00t.io
Entity: Becloudsmart Pty Ltd
ABN: 13 611 079 219