Privacy Policy

Stampify is an email-signature management tool for Microsoft 365 and Google Workspace, produced by CyberITEX. We hold a minimal set of directory data (names, job titles, contact details, group memberships) for the sole purpose of rendering a centrally-managed signature for each user in your tenant.

We do not read email content. We do not run trackers in the admin dashboard. We do not embed tracking pixels in rendered signatures by default. The OAuth scopes we request are read-only directory scopes; we never request scopes that would grant access to mailboxes, calendars, files, or send.

Stampify is produced and operated by CyberITEX. CyberITEX is the data controller for the processing described in this policy. Contact: privacy@cyberitex.com.

The data Stampify holds is the data needed to render a signature. Nothing more.

Tenant data (created when an admin connects their tenant)

• Vendor tenant identifier (Microsoft 365 tenant GUID or Google Workspace customer ID)
• Primary domain (e.g. company.com)
• Admin email address: the person who clicked "Grant admin consent"
• Brand-wide signature defaults you configure: company name, phone numbers, social URLs, logo URL, brand color palette, font choice
• Design templates you create (HTML + CSS for the signature layout)
• Directory-sync configuration: which users or groups to sync, sync frequency, what to do when a user leaves the directory

Per-user signature data (populated by directory sync or user self-service)

• First name, last name, email, job title
• Office and mobile phone numbers as published in your vendor directory
• Group memberships (used to pick a per-team template)
• Optional fields the user adds themselves: social URLs, custom links, personal logo URL, font color
• Timestamps of when each row was last synced or edited

Operational telemetry

• Render-endpoint request logs: timestamps, tenant ID, user email, compose-event type, response status. Used to debug slow renders and outages. Retained for 30 days.
• Directory-sync run logs: counts of users created / updated / suspended / deleted per run. Retained as part of the tenant’s sync history for the life of the tenant.
• Admin action audit log (post-MVP): who changed what, when. Append-only, retained for the life of the tenant for compliance review.

The architecture rules out collecting the following, not by policy alone but by the OAuth scopes we request:

• The body, subject, recipients, attachments, or thread history of any email
• The contents of any document or file in OneDrive / SharePoint / Google Drive
• Calendar events, meetings, or invitees
• Browsing behaviour in the Stampify dashboard. There are no third-party scripts in the admin app (no Google Analytics, Hotjar, Intercom, or ad pixels)
• IP-address geolocation profiles or device fingerprints

See the OAuth scope list in our security overview for the exact permissions requested on each vendor.

We process tenant and user data on the basis of the contract we have with each tenant (Article 6(1)(b)), namely the agreement to provide email-signature management. Operational logs are processed on the basis of legitimate interest in maintaining service reliability and security (Article 6(1)(f)).

All tenant data lives in CyberITEX's self-hosted Appwrite database. You choose the region at onboarding:

• EU customers: stored in the European Union (Frankfurt)
• US customers: stored in the United States

Data does not cross regions without an explicit migration request from the tenant admin. We do not use third-party data warehouses or analytics destinations.

• Row-level permissions per tenant via Appwrite Teams. Every API request is scoped to the caller’s tenant; cross-tenant reads are not expressible.
• Vendor refresh tokens are encrypted at rest before they touch the database. The encryption key lives in a separate secret store, not in Appwrite.
• TLS in transit on every endpoint. Cloudflare in front of the application terminates TLS 1.3.
• Append-only audit log of admin actions for compliance review (post-MVP).
• Minimum-necessary OAuth scopes. See the section above on what we do not collect.

A current list of subprocessors that handle tenant data:

• Microsoft (Microsoft Graph)
  Microsoft’s region matching your M365 tenant

  Reading your tenant’s directory to populate signature rows. Read-only.

• Google (Admin SDK Directory API)
  Google’s region matching your Workspace

  Reading your Workspace directory to populate signature rows. Read-only.

• Cloudflare
  Global CDN

  DNS, edge TLS termination, DDoS mitigation in front of stampify.app and addin.stampify.app.

• CyberITEX self-hosted Appwrite (svc.cyberitex.com)
  EU or US per tenant choice

  Application database, authentication, and storage.

We will update this list and notify tenant admins by email at least 30 days before adding a new subprocessor that handles personal data.

Tenant data lives for the duration of the contract. When a tenant is deleted, the cascade is immediate:

• All user signature rows are deleted
• All design templates are deleted
• All license records are deleted
• All directory-sync configuration and run history is deleted
• The tenant’s global signature configuration is deleted
• Operational logs older than 30 days are already gone; logs newer than that are scheduled for deletion within 7 days

Right-to-be-forgotten requests on individual users are honored within 30 days of receipt. Submit them through your tenant admin or directly to privacy@cyberitex.com.

You have the right to access, correct, delete, port, or restrict the processing of your personal data. End users can edit most of their own row directly at stampify.app/me; for everything else, contact your tenant admin or write to privacy@cyberitex.com. We respond within 30 days.

The Stampify dashboard uses a single session cookie for authentication (set by Appwrite) and one preference cookie for theme (light / dark). We do not use cookies for advertising, cross-site tracking, or analytics.

Material changes will be communicated to tenant admins by email at least 30 days before they take effect. Non-material clarifications may be made at any time and reflected in the "Last updated" date above.

Questions about this policy or about how we handle your data:

privacy@cyberitex.com