Privacy Policy

1. Data Controller

The data controller for personal data processed in connection with our website and services is:

For questions about this Privacy Policy or your data, please contact us at the address above.

2. Information We Collect

2.1 Information You Provide to Us

• Contact information: Name, email address, and company name when you contact us, request a demo, or engage our services.
• Payment information: Payment details are collected and processed by Paddle.com. We do not store your full credit card numbers or payment instrument data.
• Service-related information: Microsoft 365 tenant details, Azure AD App Registration credentials, and configuration information you provide to enable our services.
• Communications: Emails, messages, and other correspondence you send to us.

2.2 Information Collected Automatically

• Log data: IP address, browser type, pages visited, timestamps, and referring URLs when you visit our website.
• Cookies: We use minimal cookies necessary for website functionality. We do not use advertising or tracking cookies.
• Analytics: We may use privacy-respecting analytics (such as aggregate page view counts) to understand how our website is used.

2.3 Microsoft 365 Tenant Data

When delivering subscription or monitoring services, we access Microsoft 365 security event data from your tenant, including:

• Security alerts from Microsoft Defender for Cloud Apps, Defender for Identity, and Microsoft Entra ID
• Sign-in logs and audit logs from Microsoft Entra ID
• Email flow anomalies from Exchange Online Protection

This data is used exclusively for providing the agreed services to you. We do not use your tenant data for any other purpose, and we do not share it with third parties except as required to deliver the services (e.g., forwarding a summarised alert to your LINE or Teams channel).

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve our services
• Process payments and manage your subscription (via Paddle)
• Send service notifications, alerts, and reports as part of your subscription
• Respond to your inquiries and provide customer support
• Communicate important updates, including changes to these policies
• Comply with legal obligations
• Prevent fraud and ensure the security of our services

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), our legal basis for processing your personal data includes:

• Contractual necessity: Processing required to perform our contract with you (e.g., delivering the services you purchased).
• Legitimate interests: Processing necessary for our legitimate business interests (e.g., improving our services, preventing fraud), provided these interests are not overridden by your rights.
• Legal obligation: Processing required to comply with applicable law.
• Consent: Where we rely on your consent (e.g., for marketing communications), you may withdraw consent at any time.

5. Data Sharing and Third Parties

5.1 Payment Processing — Paddle

All payments are processed by Paddle.com Market Limited, acting as Merchant of Record. Paddle collects and processes your payment and billing information in accordance with their own Privacy Policy.

5.2 Notification Delivery

To deliver real-time alerts, we send summarised security notification data to the LINE or Microsoft Teams webhook endpoints you configure. Ensure that those platforms' terms and privacy policies are acceptable to you.

5.3 Infrastructure Providers

We may use third-party infrastructure services (such as cloud hosting providers) to operate our services. These providers process data only as necessary to provide their infrastructure services to us and are contractually bound to protect your data.

5.4 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights or safety of HowardAI_Studio, our customers, or others.

6. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Privacy Policy, including to provide services, comply with legal obligations, resolve disputes, and enforce our agreements.

• Account and contact data: Retained for the duration of our business relationship plus up to 3 years afterward.
• Security event data (tenant logs): Retained for up to 90 days for alert correlation purposes, then purged unless specifically retained for an ongoing investigation at your request.
• Payment records: Retained as required by financial and tax regulations (typically 7 years).

7. Data Security

We implement reasonable technical and organisational measures to protect your personal data, including:

• Encrypted data transmission (HTTPS/TLS)
• Access controls limiting who can access customer data
• Minimal permission scope for Microsoft 365 integrations (Security Reader role, not Global Admin)
• Regular review of access permissions and service configurations

However, no security measures are perfect. We cannot guarantee absolute security and are not liable for unauthorised access or disclosure resulting from circumstances beyond our reasonable control.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Data portability: Request your data in a structured, commonly used format.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, please contact us at sales@howardaistudio.com. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Cookies

We use only essential cookies necessary for our website to function (e.g., session management). We do not use advertising, tracking, or third-party analytics cookies. You can disable cookies in your browser settings, but this may affect website functionality.

10. International Data Transfers

Our services are operated from Taiwan. If you access our services from outside Taiwan, your data may be transferred to, stored, and processed in Taiwan or the jurisdiction of our infrastructure providers. We take steps to ensure appropriate safeguards are in place for international data transfers.

11. Children's Privacy

Our services are intended for business customers and are not directed to individuals under the age of 18. We do not knowingly collect personal data from children.

12. Links to Third-Party Sites

Our website may contain links to third-party websites. This Privacy Policy does not apply to those sites. We are not responsible for their privacy practices and encourage you to review their privacy policies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last Updated" date, and by email if the changes are significant. Your continued use of our services after the effective date constitutes acceptance of the updated policy.

14. Contact Us