Privacy Policy

Last updated: June 25, 2026

M365 Audit is a free service operated by Good Heart Tech, a nonprofit organization ("we," "us," or "our"). This Privacy Policy explains how we handle information when you use m365audit.org and app.m365audit.org.

What the service does

With your authorization, we perform a read-only review of your Microsoft 365 tenant configuration and security settings. We generate an HTML audit report and email it to the address you provide. We do not modify settings in your Microsoft 365 tenant.

Information we access

During an audit, our application may read tenant configuration and security data via Microsoft Graph and related read-only APIs. This can include users, groups, licenses, domains, Conditional Access policies, authentication methods, application consents, and similar administrative data needed to produce the report.

Information we store

We store minimal operational metadata only, such as:

• Microsoft tenant ID and organization display name
• Email addresses you provide for report delivery
• Audit job status, timestamps, and error logs
• Connection consent dates and configured retention settings

We do not persist audit findings, raw API responses, or generated report files on our servers after delivery.

Report delivery and quality review

Audit reports are emailed to the address(es) you specify. We may send a blind copy (BCC) to an internal mailbox for quality assurance and service improvement. This is disclosed here and in our Terms of Use.

What we do not do

• We do not sell or rent your information to third parties.
• We do not use your tenant data for advertising.
• We do not change configuration in your Microsoft 365 tenant.

Retention

Tenant connection metadata is retained for a limited period (default 365 days, configurable by Good Heart Tech administrators) so you can sign in and request updated audits. Job logs may be retained for operational troubleshooting and are periodically cleaned up.

Security

We use industry-standard practices including encrypted transport (HTTPS), access controls for internal administration, and least-privilege application permissions. Only authorized Microsoft 365 administrators in your organization can initiate audits.

Your choices

You can revoke application access at any time in the Microsoft Entra admin center by removing admin consent for the Good Heart Tech - M365 Audit application. Contact us if you want connection metadata removed from our systems.

Children

This service is intended for organizational administrators and is not directed to users under 18 years of age.