Privacy Policy

Last Updated: February 2026

Effective Date: February 2026


1. Introduction

This Privacy Policy describes how Coax ApS ("Coax," "we," "us," or "our") collects, uses, stores, and protects personal data when you use our SaaS management platform ("Service"). Coax helps organizations discover, track, and optimize their software subscriptions by integrating with Microsoft 365.

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Danish data protection laws.

2. Data Controller

Coax ApS
Copenhagen, Denmark

For privacy inquiries, contact us at: privacy@coaxsecurity.com

3. Data We Collect

3.1 User Account Data

When you sign in with Microsoft 365, we collect:

  • Profile Information: Email address, display name, profile photo (if available)
  • Account Identifiers: Microsoft user ID, tenant ID
  • Authentication Tokens: OAuth access and refresh tokens (encrypted at rest)

3.2 Organization Directory Data

With appropriate permissions, we access your Microsoft 365 organization directory to collect:

  • User Directory: Names, email addresses, job titles, departments, phone numbers
  • Organizational Structure: Manager relationships, group memberships
  • License Assignments: Microsoft 365 license allocations per user

3.3 SSO Activity Data

To analyze application usage, we collect sign-in activity including:

  • Sign-in Events: Timestamps, application names, authentication status
  • Location Data: IP addresses, approximate geographic location (city/country)
  • Device Information: Device type, operating system, browser information
  • Session Details: Sign-in frequency, duration, success/failure status

3.4 Email Metadata

To discover SaaS subscriptions and billing information, we access:

  • Email Headers: Subject line, sender address, recipient address, date/time
  • Billing Keywords: We search for specific terms (invoice, receipt, subscription, payment)
  • Sender Domains: Matched against 2000+ known SaaS vendor domains

Important Privacy Safeguard: We do NOT store email body content. Emails are processed in-memory only for SaaS detection and billing extraction. Only extracted metadata (application name, amounts, dates, sender domain) is persisted.

3.5 Invoice Attachments

When billing emails contain PDF or image attachments:

  • Attachment Files: Invoice PDFs/images are uploaded to secure cloud storage
  • Extracted Data: Amounts, billing cycles, license counts, vendor names
  • Storage Location: Google Cloud Storage (EU region)

3.6 Analytics Data

We use Mixpanel to understand how users interact with our Service:

  • Usage Events: Page views, feature interactions, navigation patterns
  • Session Data: Session duration, referral source, return visits
  • Technical Data: Browser type, screen resolution, operating system
  • Identifiers: Anonymized user ID, organization ID

4. How We Use Your Data

We process your personal data for the following purposes:

Purpose                                  | Legal Basis (GDPR)
-----------------------------------------|--------------------------------------
Provide and maintain the Service         | Contract performance (Art. 6(1)(b))
Discover and track SaaS applications     | Contract performance (Art. 6(1)(b))
Extract billing and cost information     | Contract performance (Art. 6(1)(b))
Analyze SSO activity for optimization    | Contract performance (Art. 6(1)(b))
Send service notifications               | Contract performance (Art. 6(1)(b))
Improve our Service                      | Legitimate interest (Art. 6(1)(f))
Product analytics and usage insights     | Legitimate interest (Art. 6(1)(f))
Respond to support requests              | Contract performance (Art. 6(1)(b))
Comply with legal obligations            | Legal obligation (Art. 6(1)(c))

5. Data Sharing and Third Parties

We share data with the following third-party service providers (subprocessors):

5.1 Microsoft Corporation

  • Purpose: Identity authentication, email API access, directory access
  • Data Shared: OAuth credentials, email metadata, directory information
  • Location: Global (data center based on your Microsoft 365 tenant location)
  • Privacy Policy: https://privacy.microsoft.com/

5.2 Mixpanel Inc.

  • Purpose: Product analytics and usage tracking
  • Data Shared: User ID (hashed), email, organization ID, usage events
  • Location: EU (Frankfurt data center)
  • Privacy Policy: https://mixpanel.com/legal/privacy-policy/

5.3 Google Cloud Platform (Google LLC)

  • Purpose: Application hosting, infrastructure, file storage, AI-powered invoice parsing (Vertex AI / Gemini)
  • Data Shared: Invoice attachments, application data, logs, invoice PDF/image content (processed by Vertex AI for data extraction)
  • Location: EU (Belgium - europe-west1)
  • Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
  • Note: AI invoice parsing via Vertex AI (Gemini 2.0 Flash) runs within EU infrastructure. Invoice content is processed for data extraction and not retained.

For a complete list of our subprocessors, see our Subprocessor List.

6. Cookies and Tracking Technologies

6.1 Cookies We Use

Cookie/Storage      | Type             | Purpose                 | Duration
--------------------|------------------|-------------------------|----------
session_id          | HttpOnly Cookie  | Session authentication  | 24 hours
mp_*                | Mixpanel Cookie  | Analytics tracking      | 1 year
__mp_opt_in_out_*   | Mixpanel Cookie  | Consent preferences     | 1 year

6.2 Local Storage

We use browser localStorage for:

  • Mixpanel: Stores anonymized device ID and event queue
  • User Preferences: Theme settings, dismissed notifications

6.3 Managing Cookies

You can manage or disable cookies through:

  1. Browser Settings: Most browsers allow you to block or delete cookies
  2. Mixpanel Opt-Out: Contact us at privacy@coaxsecurity.com to opt out of analytics
  3. Do Not Track: We honor Do Not Track browser signals for analytics

Note: Disabling the session cookie will prevent you from using the Service, as it is required for authentication.

7. Data Retention

We retain your personal data as follows:

  • Account Data: Retained while your account is active
  • Organization Data: Retained while organization subscription is active
  • Email Metadata: Retained while account is active for historical analysis
  • Invoice Attachments: Retained while account is active
  • Analytics Data: Retained for 12 months in Mixpanel
  • Logs: Retained for 30 days

Upon Account Deletion: Personal data is deleted within 30 days of your deletion request. Some data may be retained longer if required by law or for legitimate business purposes (e.g., billing records).

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption at Rest: Sensitive data (tokens, credentials) encrypted with AES-256-CBC
  • Encryption in Transit: All data transmitted via HTTPS/TLS 1.3
  • Access Controls: Role-based access, principle of least privilege
  • Infrastructure: Hosted on Google Cloud Platform with enterprise security controls
  • Authentication: Microsoft OAuth 2.0, secure session management

For more details, see our Security Practices.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Applied to transfers to US-based processors
  • Adequacy Decisions: Where applicable (e.g., UK)
  • Processor Agreements: All subprocessors have Data Processing Agreements

10. Your Rights

Under GDPR, you have the following rights regarding your personal data:

10.1 Right of Access (Art. 15)

Request a copy of the personal data we hold about you.

10.2 Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

10.3 Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

10.4 Right to Restriction (Art. 18)

Request limitation of processing of your personal data.

10.5 Right to Data Portability (Art. 20)

Receive your personal data in a structured, machine-readable format.

10.6 Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling.

10.7 Rights Related to Automated Decision-Making (Art. 22)

We do not make decisions based solely on automated processing that produce legal effects.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: privacy@coaxsecurity.com

Response Time: We will respond to your request within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you.

Verification: We may need to verify your identity before processing your request.

11. Children's Privacy

Our Service is designed for business use and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Updating the "Last Updated" date
  • Sending email notification for significant changes (if you have an account)

We encourage you to review this policy periodically.

13. Supervisory Authority

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the Danish Data Protection Agency:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Website: https://www.datatilsynet.dk/
Email: dt@datatilsynet.dk

14. Contact Us

For any questions about this Privacy Policy or our data practices:

Email: privacy@coaxsecurity.com

Legal Inquiries: legal@coaxsecurity.com

Mailing Address:
Coax ApS
Copenhagen, Denmark


This Privacy Policy is also available at: https://coaxsecurity.com/legal/privacy