Privacy Policy

Last updated: April 2026  |  Operated by Lowery Solutions LLC

Overview

TenantScan is a complimentary Microsoft 365 security and AI readiness audit tool operated by Lowery Solutions LLC ("Lowery Solutions," "we," "us"). This Privacy Policy explains what information TenantScan accesses, how it is used, and how it is protected. We have designed TenantScan with a zero-retention policy: no Microsoft 365 tenant data is stored anywhere at any time.

Information You Provide Directly

When you submit the audit intake form, you provide: first name, last name, work email address, company name, firm type, and firm size. This contact information is submitted to Lowery Solutions' customer relationship management (CRM) system (HubSpot) so that we can deliver your report results and optionally follow up about your findings. We do not sell this information to third parties.

Microsoft 365 Data: Read-Only, Not Retained

To generate your audit report, TenantScan requests read-only access to your Microsoft 365 tenant using the Microsoft Identity Platform (OAuth 2.0). The following types of data are retrieved:

  • User account list (names, email addresses, license assignments, last sign-in dates)
  • Multi-factor authentication (MFA) registration records
  • Conditional Access policy configuration
  • Microsoft Secure Score and improvement actions
  • License subscription counts
  • Authorization and guest collaboration policy settings
  • Domain configuration records
  • SharePoint root site sharing configuration

This data is used only during your current browser session to generate your report. It is never written to a database, file, log, or any persistent storage. It is never shared with any third party. When your browser session ends or expires (after 30 minutes of inactivity), all retrieved data is discarded.

OAuth Access Tokens

When you authorize TenantScan through Microsoft, an OAuth 2.0 access token is issued by Microsoft to TenantScan. This token is used immediately and exclusively to retrieve your audit data via the Microsoft Graph API. The token is stored only in your active server-side session for the duration of the report generation process and is immediately discarded afterward. TenantScan does not request or store refresh tokens. We do not retain access tokens beyond the current request lifecycle.

How to Revoke Access

You can revoke TenantScan's access to your Microsoft 365 tenant at any time by:

  • Visiting myapps.microsoft.com, finding TenantScan in your approved applications, and removing it.
  • Or by visiting the Azure portal under your tenant's Enterprise Applications and revoking consent.

Because TenantScan does not store refresh tokens, revoking access is immediately effective.

Cookies and Sessions

TenantScan uses a server-side session cookie solely to maintain your session state during the audit flow (intake form → Microsoft consent → report generation). Sessions are signed with a secure key, marked HttpOnly and Secure, and expire after 30 minutes of inactivity. TenantScan does not use tracking cookies, analytics cookies, or advertising cookies of any kind.

Third-Party Services

Microsoft Graph API: All Microsoft 365 data is retrieved from Microsoft's Graph API. Microsoft's privacy practices are governed by the Microsoft Privacy Statement.

Anthropic (Claude AI): Anonymized, summarized audit findings are sent to Anthropic's API to generate the plain English executive summary in your report. No personally identifiable information (names, email addresses) is included in this API call. Anthropic's privacy practices are governed by Anthropic's Privacy Policy.

HubSpot: Your intake form contact information is submitted to HubSpot to record your audit request and deliver follow-up communication from Lowery Solutions. HubSpot's privacy practices are governed by HubSpot's Privacy Policy.

Data Security

TenantScan is deployed on Railway, a secure cloud hosting platform. All traffic is encrypted in transit using HTTPS/TLS. Session data is stored only in server memory and is never written to disk. We implement security best practices including CSRF protection, HttpOnly cookies, and input validation.

Microsoft Trademark Notice

TenantScan is not affiliated with, endorsed by, or sponsored by Microsoft Corporation. Microsoft, Microsoft 365, and Copilot are trademarks of Microsoft Corporation.

Contact Us

If you have questions about this Privacy Policy or about how TenantScan handles your information, please contact Lowery Solutions:

Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of TenantScan after a policy update constitutes acceptance of the revised terms.