Effective date: [19 February 2026] · Last updated: [19 February 2026]
This policy explains how BindSignal (“BindSignal”, “we”, “us”) collects, uses, shares, and protects personal data when you use our website and services.
Summary (plain English)
We are a B2B service. Our customers are insurance organisations (e.g., MGAs) who connect Microsoft 365 to generate weekly “Producer Activation” insights.
We use Microsoft Graph data that the customer authorises. We aim to minimise access and only process what is needed to deliver the service.
We do not sell personal data. We do not use customer mailbox data to train public AI models.
Customers control which mailboxes are included and who receives the digest.
This summary is not part of the legal policy; it’s here to help you understand it.
1) Who we are
Controller
BindSignal is the controller for personal data we collect on our website and for account administration. For data processed on behalf of a customer in the service, BindSignal typically acts as a processor.
Our website (including /setup and related pages); and
Our service provided to business customers (the “Service”).
Where a customer connects Microsoft 365 and enables us to process organisational email data, we process that data under the customer’s instructions and applicable agreements (e.g., a Data Processing Addendum).
3) Information we collect
A. Information you provide
Account and contact data (e.g., name, business email, job title, organisation, phone number) when you request a demo, start a pilot, or contact support.
Configuration data (e.g., digest recipients, included mailboxes, threshold settings, internal/excluded domains) set by authorised users.
Support communications (e.g., messages you send to us, and our responses).
B. Information we collect automatically
Usage data (e.g., pages viewed, timestamps, device/browser info) to operate and secure the website.
Log and security data (e.g., IP address, authentication events, error logs) for reliability and fraud prevention.
C. Information from third parties
Microsoft identity data (e.g., tenant ID, user principal name) when you authenticate using Microsoft Entra ID (Azure AD).
Microsoft 365 mailbox data when a customer authorises access via Microsoft Graph (see Section 4).
4) Microsoft 365 / Microsoft Graph data
When a customer connects Microsoft 365, we access Microsoft Graph data only as authorised by the customer. The specific permissions and access can vary by deployment and tenant policy.
What we typically access (examples)
Mailbox metadata and message headers (e.g., sender/recipient, subject line, sent time, message ID) to compute engagement signals.
Limited mailbox settings (e.g., timezone/locale) to schedule digests correctly.
Shared mailbox identifiers to allow customers to select which mailboxes are included (subject to permissions).
We aim to avoid access to message bodies and attachments unless a customer explicitly enables a feature that requires it.
How we use mailbox data
Generate weekly digest insights about producer activation (e.g., which external contacts appear more active based on email patterns).
Reduce noise via internal domain and exclusion rules set by the customer.
Operate, secure, and troubleshoot the Service (e.g., detecting failed syncs).
Customer responsibilities
Customers are responsible for ensuring they have a lawful basis and appropriate notices for processing employee and business-contact data in the Service, including enabling access to relevant mailboxes and configuring recipients.
5) How we use information
We use personal data to:
Provide the Service, including authentication, configuration, and digest delivery.
Maintain security, prevent abuse, and monitor reliability.
Respond to enquiries and provide support.
Improve our website and Service (e.g., fixing bugs, improving performance).
Send service communications (e.g., onboarding and operational notices). For marketing communications, we provide opt-out where required.
No sale of personal data. We do not sell personal data.
No public-model training. We do not use customer mailbox data to train public or general-purpose AI models.
6) Lawful bases (UK/EU)
Where the UK GDPR/EU GDPR applies, our lawful bases include:
Contract – to provide the Service and customer support.
Legitimate interests – to secure, operate, and improve the website and Service, and to prevent fraud and misuse (balanced against your rights).
Consent – where required for certain cookies/analytics or marketing (you can withdraw consent at any time).
Legal obligation – to comply with applicable laws.
7) How we share information
We share personal data only as needed to run the Service:
Service providers (processors) such as hosting, monitoring, email delivery, and support tools. We require them to protect data and use it only for providing services to us.
Microsoft for authentication and Graph access as part of the Service.
Legal / compliance where required by law, to enforce rights, or to protect users and the Service.
Business transfers if we are involved in a merger, acquisition, financing, reorganisation, or sale of assets.
We do not share customer mailbox data with third parties for advertising.
8) Security
We use administrative, technical, and physical safeguards designed to protect information, including:
Least-privilege access controls and role-based access for internal staff.
Encryption in transit (TLS) and encryption at rest where supported by our cloud providers.
Audit logging and monitoring for abnormal activity.
Segregation of tenant data and controls to prevent cross-tenant access.
No method of transmission or storage is 100% secure. We work to continually improve our controls and will notify customers of applicable incidents as required by law and contract.
9) Data retention
We retain personal data only as long as necessary for the purposes described in this policy, including:
Account/configuration data for the duration of the customer relationship, plus a limited period to meet legal or audit requirements.
Service logs for security and troubleshooting, generally for a limited period (e.g., 30–180 days), unless needed longer for investigations or compliance.
Mailbox-derived signals (e.g., counts and relationship metrics) may be retained to support week-to-week comparisons and reporting, subject to customer agreements and configuration.
Customers may request deletion or export of customer data as described in their agreement.
10) Your rights
Depending on your location, you may have rights to access, correct, delete, object to, restrict, or port your personal data. To exercise these rights, contact us at [privacy@bindsignal.com].
If we process data as a processor for a customer, we may direct you to the relevant customer (controller) to handle your request.
11) International transfers
We may process and store data in the UK, EEA, US, or other locations where our service providers operate. Where required, we use appropriate safeguards for international transfers (such as standard contractual clauses).
Analytics to understand usage and improve performance (subject to consent where required).
You can manage cookies in your browser settings. If we use a cookie banner, you can manage preferences there.
13) Children
Our website and Service are not directed to children, and we do not knowingly collect data from children.
14) Changes to this policy
We may update this policy from time to time. We will post updates on this page and update the “Last updated” date above. If changes are material, we will provide additional notice where required.