Privacy Policy
Esmeris is operated by Esmeris Inc. ("we," "us," "our"). This policy explains what information we collect, how we use and protect it, and the choices you have. If anything is unclear, email us at privacy@esmeris.com and we will give you a straight answer.
1. What Esmeris does
Esmeris is a security audit service. With authorization from an administrator, it connects read-only to a company's Google Workspace and/or Microsoft 365 environment and produces a report on third-party application access, account status, and authentication posture. Our entire purpose is to show your own data about your own environment back to you.
2. Information we collect
Account information you give us. When you create an account: your name, email address, password (stored only as a salted hash), company name, and billing details (handled by our payment processor; we never store full card numbers).
Information from Google Workspace, with your administrator's consent. When a Google Workspace administrator connects a tenant, we access the following through Google's APIs using read-only authorization: the user directory (names, email addresses, account status, administrator role assignments, two-step verification enrollment status, and last sign-in times); the list of third-party applications each user has authorized, including the application's identity and the permission scopes it was granted; and administrative audit-log events related to sign-ins and application authorizations.
What we do not collect from Google Workspace. We do not access, read, or store the content of any email message, document, file, calendar event, chat, or attachment. The permissions we request are administrative and security metadata only. We never receive user passwords.
Information from Microsoft 365, with your administrator's consent. We access the equivalent categories via Microsoft Graph: the user directory and account status, sign-in activity where the tenant's licensing makes it available, enterprise application registrations and the permissions granted to them, per-user and organization-wide application consent records, multi-factor authentication registration status, and administrative role memberships. The same exclusion applies: no email, file, message, or document content, ever.
Information collected automatically. Standard service logs (IP address, browser type, pages visited) and cookies necessary for sign-in sessions. We do not use advertising cookies or trackers.
3. How we use information
We use data for one product purpose: generating and displaying your security audit. Supporting uses are limited to operating the service — authenticating you, processing payment, sending transactional email, providing support when you ask for it, and maintaining the security and reliability of the service.
We do not use your data for advertising. We do not sell it or rent it to anyone. We do not use data obtained from Google Workspace or Microsoft 365 to train artificial-intelligence or machine-learning models. Human access to your tenant data occurs only with your permission for support purposes, when necessary for security investigation, or where required by law.
4. Google API Services — Limited Use disclosure
Esmeris's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In plain terms: data we receive from Google APIs is used only to provide the security-audit features you see in the product. It is not transferred to third parties except as necessary to provide those features, to comply with law, or as part of a merger or acquisition with notice to you. It is never used for advertising. It is never sold. Staff do not read it except in the limited circumstances described in Section 3.
5. How we store and protect information
All data is encrypted in transit using TLS 1.2 or higher. All data is encrypted at rest. OAuth tokens and credentials that allow access to your tenant receive additional protection: encrypted with a dedicated key-management service before storage, never written to logs, and decrypted only inside isolated worker processes that perform scans. Access to production systems is restricted to authorized personnel using multi-factor authentication, and all access is logged.
6. Sharing and subprocessors
We share data only with service providers required to run the product, each bound by data-protection agreements. We do not share customer data with any other third party except when required by law, in which case we will notify you unless legally prohibited. Our current subprocessors are listed at esmeris.com/trust.
7. Consultants and multi-organization accounts
If an IT consultant or service provider connects your organization's tenant under their Esmeris account, they act as your authorized administrator. You may instruct us directly at privacy@esmeris.com to disconnect your tenant and delete your organization's data, and we will honor that instruction after verifying your authority over the tenant.
8. Retention and deletion
Scan data is retained while your organization remains connected. You can delete data at any time without contacting us — disconnecting a tenant immediately revokes our credentials and deletes that tenant's scan data. Deleting your account removes all associated data; this deletion is completed within 30 days, including backups. If your subscription lapses, we retain data for 60 days and then delete it.
9. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete personal information, or to object to or restrict certain processing (including rights under the GDPR and CCPA/CPRA). Most of these you can exercise directly in the product. For anything else, email privacy@esmeris.com and we will respond within 30 days.
10. Changes to this policy
If we make material changes, we will notify account owners by email and post the updated policy with a new effective date at least 14 days before it takes effect.
11. Contact
Esmeris Inc. · privacy@esmeris.com · For security reports: security@esmeris.com