Privacy Policy
Kyvoi Ventures Private Limited · Last updated: 27 March 2026 · Registered in Delhi, India
1. About Us
Kyvoi Ventures Private Limited ("Kyvoi", "we", "us", "our") is a cybersecurity SaaS company incorporated in India and registered in Delhi. We operate the Kyvoi M365 Security Assessment platform accessible at kyvoi.com and api.kyvoi.com.
We are committed to protecting your data and being transparent about what we collect, why we collect it, and how long we keep it.
2. What Data We Collect
2.1 Microsoft 365 Tenant Configuration Data
When you connect your Microsoft 365 tenant to run a security assessment, we access the following data via the Microsoft Graph API on a read-only basis:
- Tenant configuration settings (Conditional Access policies, MFA settings, SharePoint sharing settings, authentication methods)
- Organisational metadata (tenant name, tenant ID, licence information)
- Security posture data (Microsoft Secure Score, audit log availability)
- User and role information (administrator count, role assignments — display names only)
- Device and endpoint data (Intune enrolment status, device compliance counts)
- Email security configuration (DKIM, DMARC, SPF records, anti-phishing policy status)
We do NOT access:
- Email content or message body
- File content stored in SharePoint or OneDrive
- User passwords or authentication credentials
- Personal communications (Teams messages, calendar entries)
- Financial or payment data stored in your tenant
2.2 Dashboard Account Data
When you sign in to the Kyvoi Dashboard, we collect your work email address to authenticate you via a magic link. We do not store passwords.
2.3 Payment Data
Payment transactions are processed by PayU Payments Private Limited (for direct purchases) or Microsoft Marketplace. Kyvoi does not store payment card details, bank account numbers, or UPI identifiers.
2.4 Usage and Operational Data
We collect basic operational logs including scan timestamps, framework selections, report generation events, and error logs for support and service improvement purposes.
3. How We Use Your Data
We use the data we collect to:
- Generate your M365 security assessment report
- Provide the AI security advisory included in your report
- Allow you to access your past reports via the Kyvoi Dashboard
- Send you your magic link sign-in email
- Respond to support requests
- Improve the accuracy and coverage of our security controls
- Comply with applicable laws and Microsoft Marketplace requirements
We do not use your data for advertising, profiling, or selling to third parties.
4. Data Retention
Retention Schedule
- Scan results and PDF reports — retained for a maximum of 90 days, then automatically and permanently deleted
- OAuth refresh tokens — stored in AES-256 encrypted form, retained while your account is active
- Dashboard account data (email) — retained until you request deletion
- Operational logs — retained for 30 days
5. Data Sharing
We do not sell, rent, or share your personal data with third parties for commercial purposes. We share data only with the following service providers as necessary to operate the Service:
- Microsoft Corporation — to authenticate your tenant via OAuth 2.0 and retrieve configuration data via Microsoft Graph API
- Anthropic PBC (Claude AI) — to generate AI-powered advisory content. Only anonymised, non-personally-identifiable scan findings are shared. No tenant names, email addresses, or credentials are included
- Render Inc. — our cloud infrastructure provider where your data is hosted and processed
- PayU Payments Private Limited — for payment processing on direct purchases
6. Data Security
- All data is transmitted over TLS 1.2 or higher
- OAuth refresh tokens are encrypted at rest using AES-256
- Scan findings and reports are stored in a PostgreSQL database on Render's infrastructure
- Access tokens are used only during the scan and are never persisted to disk
- Dashboard sessions use HttpOnly, Secure cookies, so the session cookie cannot be read by client-side scripts and is sent only over HTTPS
7. Your Rights
Under the Digital Personal Data Protection Act 2023 (India), GDPR (where applicable), and other applicable data protection laws, you have the right to:
- Access — request a copy of the data we hold about you
- Deletion — request deletion of your personal data and scan history
- Correction — request correction of inaccurate data
- Withdraw consent — revoke Microsoft OAuth access at any time from the Microsoft Entra admin centre under Enterprise Applications
- Portability — request your data in a machine-readable format
To exercise any of these rights, contact us at support@kyvoi.com.
8. Data Deletion
To request deletion of all your data, email support@kyvoi.com with the subject line "Data Deletion Request". We will confirm receipt within 48 hours and complete deletion within 30 days.
You can also revoke Kyvoi's access to your Microsoft 365 tenant directly from the Microsoft Entra admin centre → Enterprise Applications → Kyvoi → Delete.
9. Cookies
kyvoi.com uses minimal cookies. The Kyvoi Dashboard uses a single HttpOnly session cookie to maintain your signed-in state. We do not use advertising, analytics, or third-party tracking cookies.
10. Children
Our services are directed at business users and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last updated" date above. Continued use of the Service after changes are posted constitutes acceptance of the updated Policy.