Privacy Policy
Folder Suggest ("we", "our", "the add-in") is an Outlook add-in developed and operated by an individual developer. It uses on-device AI to suggest the best Outlook folder for each email you read. This policy explains what data we access, how it is used, and your rights as a user.
1. Who We Are
Folder Suggest is an independent add-in developed by a solo developer. It is not affiliated with Microsoft Corporation. For any privacy-related enquiries, contact us at [email protected].
2. Data We Access
To provide folder suggestions, the add-in accesses the following data from your Microsoft 365 account via the Microsoft Graph API, solely on your device:
- The subject line and sender address of the currently selected email
- The names and IDs of your mail folders
- Subject lines and sender addresses of recent emails in your folders (used to compute local similarity scores)
This data is accessed in real time to generate suggestions. It is not transmitted to our servers, not stored outside your device, and not retained after the add-in session ends.
3. How Data Is Processed
All AI processing happens entirely on your device. The add-in downloads a small AI model (~20 MB) once from Hugging Face and runs it locally inside Outlook's browser environment. Your email content is never sent to our servers or to any third-party AI service for processing.
4. Data Storage and Retention
Folder embeddings — compact numerical representations of your folder content, not the email text itself — are cached locally in your browser's IndexedDB storage. This cache exists solely to speed up future suggestions and remains entirely on your device. It is automatically cleared if you uninstall the add-in or clear your browser storage. We retain no server-side copy of any user data.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for accessing your mailbox data is legitimate interests (Article 6(1)(f) GDPR): specifically, to provide the folder suggestion functionality you have explicitly chosen to use. We process the minimum data necessary for this purpose and do not use it for any other purpose.
6. Microsoft Graph API and Authentication
The add-in uses Microsoft's OAuth 2.0 identity platform (Azure Active Directory) to authenticate you. During sign-in, Microsoft may share your account email address and display name with the add-in as part of the standard OAuth token. We use this only to confirm authentication and do not store or transmit it. We request only the minimum Graph API permissions needed:
- User.Read — to sign you in and confirm your identity (granted automatically by Microsoft for all add-ins; your profile is not stored or transmitted)
- Mail.Read — to read email subjects and senders, and to list your mail folders
- Mail.ReadWrite — to move emails to the selected folder
7. Data We Do Not Collect
- We do not collect, transmit, or store any email content on our servers
- We do not use analytics, crash reporting, or tracking of any kind
- We do not use cookies or any cross-session tracking
- We do not sell, rent, or share any data with third parties
- We do not build user profiles or use data for advertising
8. Third-Party Services
The AI model is downloaded from Hugging Face on first use. This is a one-way file download — no personal data, email content, or usage information is sent to Hugging Face. After download, the model runs fully offline. Hugging Face's own privacy policy applies to that initial download request (which includes your IP address, as with any web request).
9. Your Rights (GDPR / CCPA)
Because we do not collect or store personal data on our servers, most data subject rights (access, rectification, erasure) are exercised directly through your Microsoft account. However, you have the following rights with respect to the add-in:
- Right to withdraw consent: Uninstall the add-in at any time via Outlook's add-in manager. This immediately revokes access.
- Right to delete local data: Clear your browser's IndexedDB storage to remove the local embedding cache.
- Right to revoke Graph permissions: Visit myapps.microsoft.com to revoke the add-in's access to your Microsoft account.
- Right to contact us: Email [email protected] with any data-related request. We will respond within 30 days.
10. Children's Privacy
This add-in is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect data from children. If you believe a child has used this add-in, please contact us and we will take appropriate steps.
11. Security
All communication between the add-in and Microsoft Graph is encrypted via HTTPS. The add-in is hosted on Cloudflare Pages with HTTPS enforced. Because we do not store email data on our servers, there is no server-side data breach risk for your email content.
12. Disclaimer and Limitation of Liability
This add-in is provided "as is" without warranty of any kind, express or implied. To the maximum extent permitted by applicable law, the developer shall not be liable for any indirect, incidental, or consequential damages arising from your use of the add-in, including but not limited to any loss of data or email misplacement. You use the add-in at your own discretion.
13. Changes to This Policy
We may update this policy from time to time to reflect changes in the add-in or applicable law. The "last updated" date at the top of this page will be updated accordingly. Continued use of the add-in after a policy change constitutes acceptance of the updated policy.
14. Contact
For any questions about this privacy policy or your data, please contact us at [email protected]. We aim to respond within 2 business days.