Privacy Policy

Vendifi.io — including the Vendifi Insights Outlook Add-in

Last updated: March 2026 • Applies to: vendifi.io website, Vendifi services, and the Vendifi Insights Microsoft Outlook Add-in

This Privacy Policy describes how Vendifi.io ("Vendifi," "we," "us," or "our") collects, uses, shares, and stores your personal information when you use our website (vendifi.io), our related services, and the Vendifi Insights Microsoft Outlook Add-in ("the Add-in"), published on Microsoft AppSource. Vendifi is incorporated in the United Kingdom and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

1a. Website and Services

When you use the Vendifi website or services, we may collect:

Personal Information: Your name, email address, phone number, and postal address, collected when you register for an account, contact us, or participate in activities on the site.

Usage Data: Information about how you use the site, such as pages visited, features used, and time spent, collected via cookies and tracking technologies.

Device Information: Device type, operating system, browser type, IP address, and device identifiers.

We use Microsoft Clarity and Google Analytics to understand website usage. By using our site, you agree that Vendifi, Microsoft, and Google may collect and use this data. This applies to the vendifi.io website only — not the Outlook Add-in.

1b. Vendifi Insights Outlook Add-in

The Add-in is designed with a minimal data footprint. It does not collect, store, or transmit any email content, message body, subject lines, recipient lists, or personal account data.

When you use the Vendifi Insights Add-in in Outlook, the following data handling applies:

Sender domain name (e.g. "microsoft.com") — Accessed: Yes | Sent to API: Yes — domain only | Stored: No
Sender full email address — Accessed: Yes (to extract domain only) | Sent to API: No | Stored: No
Email subject or body — Accessed: No | Sent to API: No | Stored: No
Recipient addresses — Accessed: No | Sent to API: No | Stored: No
Attachments or mailbox content — Accessed: No | Sent to API: No | Stored: No
User account or login details — Accessed: No | Sent to API: No | Stored: No

The Add-in operates under Outlook's ReadItem permission — the minimum permission available. It has no ability to read other messages, access your contacts, send email, or modify any part of your mailbox. The sender domain is sent to the Vendifi scoring API at https://insight.vendifi.io/api/score, which returns a security report displayed within your Outlook session.

2. How We Use Your Information

2a. Website and Services

We use information collected via the website and services to:

Provide and operate the site and services
Create and manage your account
Process your transactions
Send marketing communications such as newsletters and promotional offers (you can opt out at any time)
Respond to your enquiries and requests
Improve the site and services
Comply with legal and regulatory requirements

2b. Vendifi Insights Outlook Add-in

The sender domain name collected by the Add-in is used solely to query the Vendifi security scoring API and return a real-time security report within your Outlook session. It is used for no other purpose. Specifically, domain query data is:

Not stored in any database or log by the Vendifi API
Not used for advertising, profiling, or marketing of any kind
Not combined with any user account information
Not shared with third-party analytics or tracking services
Not retained after the API response is returned — queries are processed in memory only and immediately discarded

3. Sharing Your Information

We may share your information with third-party service providers who help us operate the website and services. These providers are contractually obligated to keep your information confidential and use it only for specified purposes.

We may also share your information with third parties to:

Comply with legal or regulatory requirements
Respond to a subpoena or other legal process
Prevent fraud or other illegal activities
Protect the rights, property, or safety of ourselves or others

Vendifi Insights Add-in: Domain data submitted via the Add-in is not shared with any third party. The Vendifi scoring API queries publicly available sources (DNS records, threat intelligence feeds) independently — no data from your Outlook session is forwarded to these sources. The Add-in does not integrate any third-party analytics or advertising within the Outlook task pane.

4. Vendifi Insights Outlook Add-in — Full Data Notice

This section provides the complete data handling notice for the Vendifi Insights Add-in as required by Microsoft AppSource and UK GDPR.

4a. What the Add-in Does

Vendifi Insights analyses the security posture of an email sender's domain. When you click the "Vendifi Insights" button in the Outlook ribbon, the Add-in reads the sender's email address from the open message, extracts the domain portion (the part after the @ symbol), and queries the Vendifi API. The API returns a scored security report covering DMARC, SPF, MTA-STS, SMTP TLS, DNSSEC, ransomware intelligence, and breached credential exposure for that domain.

4b. Legal Basis for Processing (UK GDPR)

Vendifi operates in the United Kingdom and complies with the UK GDPR and the Data Protection Act 2018. The legal basis for processing the sender domain name is:

Legitimate Interests (Article 6(1)(f) UK GDPR) — the legitimate interest of the user in assessing the security posture of an email sender before acting on that email. Given that a domain name is generally business data rather than directly identifying personal data, and that no data is retained, this processing is proportionate and low risk.

For personal information collected via the website and services, the legal basis is:

Contract (Article 6(1)(b)) — processing necessary to provide the services you have requested
Legitimate Interests (Article 6(1)(f)) — for analytics and service improvement
Consent (Article 6(1)(a)) — for marketing communications, which you may withdraw at any time

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on the vendifi.io website to collect and store information about your use of the site. Cookies are small data files transferred to your device when you visit a website.

You can disable cookies in your browser settings. Note that disabling cookies may limit certain features of the site.

Cookies and tracking technologies (Microsoft Clarity, Google Analytics) apply to the vendifi.io website only. The Vendifi Insights Outlook Add-in does not use cookies, analytics, or any tracking technologies.

6. Data Retention

6a. Website and Services

We retain your personal information for as long as necessary to provide the services, comply with our legal obligations, resolve disputes, and enforce our agreements.

6b. Vendifi Insights Outlook Add-in

The Add-in retains no user data. Domain queries are processed in memory and discarded immediately after the API response is returned. There is nothing to delete.

Vendifi may maintain aggregated, anonymised statistics about the volume of domains queried for capacity planning. These statistics contain no identifying information and cannot be used to reconstruct any individual query.

7. Your Rights Under UK GDPR

You have the following rights regarding your personal information:

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate personal data
Right to erasure: Request deletion of your personal data ("right to be forgotten")
Right to restrict processing: Request that we limit how we use your data
Right to object: Object to processing based on legitimate interests
Right to data portability: Receive your data in a structured, machine-readable format
Right to withdraw consent: Withdraw consent for marketing at any time

To exercise any of these rights, contact us at contact-us@vendifi.io. As the Add-in stores no personal data, the rights of access, erasure, and portability are satisfied by default for Add-in usage.

You also have the right to lodge a complaint with the UK supervisory authority: the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We take reasonable measures to protect your information from unauthorised access, disclosure, alteration, or destruction. All data transmitted between the Vendifi Insights Add-in and the scoring API uses HTTPS/TLS encryption. However, no website or internet transmission is completely secure and we cannot guarantee absolute security.

9. International Data Transfers

The Vendifi API infrastructure is hosted within the United Kingdom and/or the European Economic Area (EEA). Where any processing occurs outside the UK or EEA, Vendifi ensures appropriate safeguards are in place in accordance with UK GDPR Chapter V, including reliance on adequacy regulations or UK-approved Standard Contractual Clauses (SCCs) as approved by the Information Commissioner's Office.

Given that the Add-in transmits only a domain name, the risk associated with any international transfer via the Add-in is minimal.

10. Microsoft Platform

The Vendifi Insights Add-in is distributed via Microsoft AppSource and operates within the Microsoft 365 / Outlook platform. Microsoft's own privacy practices govern the handling of your Outlook account data and credentials. Vendifi has no access to your Microsoft account or any data beyond the sender domain described in Section 1b above.

Microsoft's privacy statement: https://privacy.microsoft.com

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the site and, where required, via the Microsoft AppSource listing. You are advised to review this policy periodically.

The current version is always available at https://vendifi.io/privacy-policy.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: contact-us@vendifi.io
Website: https://vendifi.io
Data Controller: Vendifi.io, United Kingdom
Supervisory Authority: Information Commissioner's Office (ICO), ico.org.uk