Controller: iVerifi Limited, registered in England and Wales
Regulation: UK GDPR & Data Protection Act 2018
Contact: privacy@iverifi.io
1. Who We Are
iVerifi Limited ("iVerifi", "we", "us", "our") is the data controller for personal data processed through the Email Safety Advisor Outlook add-in. We are registered in England and Wales and operate in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
When you view an email in Microsoft Outlook, the add-in extracts and transmits the following metadata to our classification API:
| Field | Detail |
|---|---|
| Sender email address | The RFC 5321 envelope-from / From: header address (e.g. sender@example.com) |
| Sender display name | The human-readable name in the From: header field |
| Subject line | The full email subject as presented in Outlook |
| Body excerpt | Plain-text body content, truncated to the first 500 characters.
Recognisable personal identifiers (names, phone numbers, financial references,
National Insurance numbers) are replaced with neutral tokens such as
[PERSON_NAME] and [AMOUNT] before transmission. |
| Authentication headers | SMTP transport headers relating to sender authentication, including DMARC, SPF, DKIM results, and Microsoft 365 antispam confidence scores |
3. What We Do NOT Collect
- The full email body — only the first 500 characters of plain text are transmitted, and PII is tokenised before leaving your device
- Attachments of any kind (documents, images, links embedded in attachments)
- Recipient lists — To:, CC:, and BCC: fields are not read or transmitted
- Email identifiers, folder names, thread history, calendar data, or contact records
- Any data from emails you compose or send
4. Why We Collect It and Our Legal Basis
| Purpose | Legal basis (UK GDPR Article 6) |
|---|---|
| Real-time phishing and social engineering risk assessment | Art. 6(1)(f) — Legitimate interests of the employer organisation in protecting employees, customers, and IT infrastructure from email-borne threats |
| Audit logging and service integrity monitoring | Art. 6(1)(f) — Legitimate interests in maintaining service security, investigating abuse, and demonstrating regulatory compliance |
The Email Safety Advisor is a business-to-business service deployed by employer organisations. The organisation deploying the add-in is responsible for ensuring it has an appropriate lawful basis under UK GDPR and has provided relevant information to employees in its own privacy notices.
5. Sub-processors
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Microsoft Azure OpenAI Service | AI-powered email risk classification. Training opt-out is enabled — data submitted via the API is not used to train or improve Microsoft's shared models. | UK South | Microsoft Data Processing Agreement; EU Standard Contractual Clauses (adapted for UK); data processed in-region only |
| Microsoft Azure (iVerifi tenant) | API hosting (Azure Functions) and short-term audit log storage | West Europe | Microsoft Data Processing Agreement |
| Vercel Inc. | Static hosting of the add-in front-end files. No personal data is transmitted to or processed by Vercel. | Global CDN (static assets only) | Vercel Data Processing Agreement; EU SCCs |
6. Retention
- Classification requests: Email metadata transmitted to the classification API is used solely to compute a risk score and is not persisted beyond the duration of the HTTPS request.
- Audit logs: Request identifiers, risk scores, signal IDs, and processing timestamps are retained in Azure Application Insights for a maximum of 90 days, after which they are automatically purged. Audit logs do not contain email body content, subject lines, or sender addresses.
- No long-term email content storage: iVerifi does not store, archive, or index any email content, subject lines, or sender addresses beyond the in-flight API request.
7. Your Rights Under UK GDPR
Data subjects have the following rights, exercisable by contacting privacy@iverifi.io:
| Right | How it applies to this service |
|---|---|
| Access | You may request confirmation of whether we hold personal data about you. Given our minimal retention policy, most requests are satisfied by confirming no stored content data exists. |
| Erasure | You may request deletion of any personal data we hold. Audit log entries (which do not contain email content) are purged automatically within 90 days, or on request. |
| Objection | You may object to processing based on legitimate interests. Where your employer has deployed the add-in, objections should also be directed to your employer as the responsible party. |
| Portability | Where we hold personal data in a structured format, you may request a machine-readable copy. |
We will respond to all rights requests within one calendar month. If we are unable to accommodate a request, we will explain why.
8. Automated Decision-Making
The add-in generates a risk score and a recommended action (NONE, REVIEW, DELETE, or REPORT) for display purposes only. No decision with legal or similarly significant effect is made solely by automated means. The final judgement on how to treat any email rests entirely with the user.
9. International Transfers
Our primary processing takes place within the UK and the European Economic Area. Where data passes through infrastructure outside the UK (e.g. Vercel CDN edge nodes serving static files), transfers are covered by the UK International Data Transfer Agreement (IDTA) or an equivalent UK adequacy decision. No email metadata is transferred outside the UK or EEA.
10. Complaints
If you believe your personal data has been handled unlawfully, you have the right to lodge a complaint with the UK supervisory authority:
Authority: Information Commissioner's Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
We would welcome the opportunity to address your concerns before you contact the ICO. Please write to privacy@iverifi.io in the first instance.
11. Changes to This Policy
We may update this policy to reflect changes in our practices, sub-processors, or legal obligations. Material changes will be communicated to subscribing organisations with at least 30 days' notice. The current version is always available at safety.iverifi.io/privacy.