Privacy Policy – Avamboo Encrypt for Outlook (New)
§ 1 General
This Privacy Policy applies to the Microsoft Outlook add-in "Avamboo Encrypt for Outlook (New)" (hereinafter "Add-in"), developed and operated by: Avamboo GmbH; Christian Braumüller Bahnhofsallee 13a 86438 Kissing Phone: 0821 57086670 info@avamboo.de Your personal data is processed only in accordance with German data protection law and the General Data Protection Regulation (GDPR) of the European Union.
§ 2 What Data Is Processed?
(1) Azure AD Object ID (OID) The Azure AD Object ID (OID) is used to identify the user. It is provided by Microsoft Identity (MSAL / Nested App Authentication) and is used solely to associate the license and settings. The OID is stored on our servers. (2) User email address The email address of the signed-in user is processed for license management and contact purposes. It is stored on our servers. (3) Recipient email addresses (hashed) To enforce license-based send limits, recipient email addresses are stored as a SHA-256 hash. It is technically impossible to recover the original address. (4) License and usage data Information about the active license, sending limits (daily/monthly) and activation timestamps is stored for license management. (5) User settings Add-in settings (e.g. encryption behavior, templates) are stored on our servers and associated with the user. (6) Encrypted key material As part of the password manager, encrypted private keys and encrypted master keys are stored on our servers. This data can only be decrypted with the user's personal user key, which is never transmitted to us (zero-knowledge architecture). (7) Recipient passwords (encrypted) Passwords stored in the password manager are encrypted client-side using AES-256-GCM. We have no access to the unencrypted passwords. (8) Operational logs Internal logs are kept for traceability of system actions and operational security. They do not contain any unencrypted email content or passwords.
§ 3 Purpose of Processing
The data is processed exclusively for the following purposes: • User authentication and identification • License management and enforcement of usage limits • Provision and storage of user settings • Operation of the password manager (encrypted, zero-knowledge) • Technical support and troubleshooting
§ 4 Legal Bases
Processing is based on the following legal bases: • Art. 6(1)(b) GDPR (performance of a contract) — for license and usage data • Art. 6(1)(f) GDPR (legitimate interest) — for audit logs and security
§ 5 Zero-Knowledge Architecture
The Add-in uses a zero-knowledge architecture for all cryptographic keys and passwords: • All encryption and decryption operations take place exclusively on the user's device (client-side). • The personal user key is never transmitted to our servers. • Private keys are only stored in encrypted form. • Recipient passwords leave the device exclusively in encrypted form. • Avamboo GmbH has no technical access to unencrypted keys, passwords or email content.
§ 6 Disclosure to Third Parties
Your personal data is not disclosed to third parties, except: • to hosting providers as part of commissioned data processing (server operation) • where we are required to do so by law Our servers are located in the EU/Germany.
§ 7 Storage Period
• OID, email address, license and settings data: for the duration of the active license + statutory retention obligations (max. 10 years pursuant to § 257 HGB, § 147 AO) • Hashed recipient email addresses: automatic deletion after the end of the respective billing period • Encrypted key material and passwords: until deleted by the user or upon express deletion request to info@avamboo.de • Operational logs: for the period necessary for operational security
§ 8 Rights of the Data Subject
You have the following rights vis-à-vis us: 1. Right of access (Art. 15 GDPR) 2. Right to rectification (Art. 16 GDPR) 3. Right to erasure (Art. 17 GDPR) 4. Right to restriction of processing (Art. 18 GDPR) 5. Right to data portability (Art. 20 GDPR) 6. Right to object (Art. 21 GDPR) 7. Right to withdraw consent (Art. 7(3) GDPR) 8. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) To exercise your rights, please contact: info@avamboo.de
§ 9 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR. Competent supervisory authority: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) Promenade 18, 91522 Ansbach https://www.lda.bayern.de
§ 10 Data Controller
Avamboo GmbH; Christian Braumüller Bahnhofsallee 13a 86438 Kissing Phone: 0821 57086670 info@avamboo.de