Privacy Statement for Topsail — Outlook / Microsoft Graph Integration / google

Latest revision: 04 May 2025

Topsail is a revenue-enablement platform provided by Vision & Story, LLC (“Vision & Story,” “we,” “our,” “us”).
This notice applies only to the Topsail features that connect to Microsoft 365 through the Microsoft Graph API (mail and calendar workflows). Separate statements cover any other integrations.

1. Personal Data We Collect

Category | What We Store | Source
Account data | Name, work-email, company, hashed password, MFA settings | You / your Microsoft 365 admin
Graph OAuth tokens | Access / refresh tokens + expiry for the scopes listed in Section 4 | Issued after you grant consent
Outlook mail data (limited) | E-mail you compose in Topsail (HTML body); thread & message IDs, subject line, sender / recipient addresses; reply indicators when we poll for responses | Delegated Graph access
Calendar event data (limited) | Events you schedule via Topsail links (title, start/end, attendees, body if entered); events you link to a Topsail deal (IDs, start/end, attendee list) | Delegated Graph access
User signature HTML | Stored so Topsail can append it automatically | Retrieved once via Graph per seller
Product-usage telemetry | Feature clicks, page views, error logs, IP, browser/device | Cookies & server logs
Support & feedback | Support tickets, chat transcripts, surveys | You / your users
Billing data (paid plans) | Stripe customer ID, subscription status, invoices (no card numbers stored by Topsail) | Stripe

Topsail does not pull messages or calendar events that you did not create or actively link through the platform.

2. How We Use Personal Data

Purpose | Example Activities | Legal Basis (GDPR)
Provide & secure the Service | Authenticate sellers, refresh tokens, send mail, create calendar events | Contract performance
Append signatures & flag replies | Read stored signature once; watch mail headers to mark “replied” | Contract performance
Scheduling features | Generate booking links; look up availability; post confirmed events | Contract performance
Deal-linked reminders | Notify sellers when a calendar event is associated with a Topsail deal | Contract performance
Generate AI mail summaries (optional) | Strip identifiers → send prompt to LLM → show summary in UI | Legitimate interests
Improve features | Aggregate de-identified usage statistics | Legitimate interests
Transactional notices | Password resets, service alerts | Contract performance
Comply with law | Tax records, subpoenas | Legal obligation

We never sell Personal Data and never use mail or calendar content for advertising or profiling.

3. Sharing & Disclosure

Recipient | Reason | Safeguards
Microsoft Corporation | Send mail, create/read events, and retrieve minimal metadata through Graph | OAuth delegated tokens
Amazon Web Services (us-west-2) | Delivers static web assets (no Personal Data) via CloudFront CDN | DPA + SOC 2
Stripe, Inc. | Subscription billing | PCI-DSS, DPA
OpenAI LLC / Perplexity AI (opt-in summaries) | Generate LLM summaries (prompts omit addresses & IDs) | Processor DPA
Authorised teammates in your tenant | Internal collaboration you configure | Role-based access
Government authorities | Only when legally compelled; we will notify you if allowed | Legal obligation

A current sub-processor list is available at visionandstory.com/subprocessors.

4. Microsoft 365 Scopes Authorised

When you connect Topsail, Microsoft shows these delegated Graph scopes:

Calendars.Read               – read your own calendars
Calendars.Read.Shared        – read calendars shared with you
Calendars.ReadWrite          – create and edit events in your calendars
Calendars.ReadWrite.Shared   – create and edit events in shared calendars
Mail.Read                    – read mail you create in Topsail and thread headers
Mail.ReadWrite               – update flags on those messages
Mail.Send                    – send mail you compose in Topsail
MailboxSettings.Read         – retrieve your signature block and time-zone
offline_access               – refresh tokens while you are offline
User.Read                    – read basic profile (sign-in display)

Topsail uses these scopes only for the purposes described in Sections 1 and 2.
If additional scopes are required later, we will update this Statement and the Microsoft consent screen before you grant access.

5. International Transfers

Primary storage: Iowa, USA (Google Cloud us-central1). Static web assets are delivered via an AWS CloudFront edge in us-west-2, but these files contain no Personal Data. If data moves overseas (e.g., EU users accessing U.S. endpoints) we rely on EU Standard Contractual Clauses or equivalent mechanisms.

6. Security Measures

  • TLS 1.2+ for data-in-transit; AES-256 encryption at rest

  • OAuth tokens and limited mail/calendar metadata are stored in Google Firestore, encrypted at rest with AES-256 by Google-managed keys

  • Hosting on Google Cloud (us-central1) and AWS CloudFront — both SOC 2 Type II & ISO 27001 certified

  • Principle of least privilege IAM roles and granular Firebase security rules

  • Google Cloud Logging & Error Reporting with alert policies for automated anomaly detection

7. Data Retention

Data Type | Default Retention
Account & billing profiles | Account lifetime + 7 years (tax/audit)
OAuth tokens | Auto-rotated; deleted ≤ 30 days after account closure
Sent-mail bodies | Not stored after successful send
Calendar event data | Retained while the related Topsail deal or booking exists
Thread & reply metadata | 30-day rolling window (configurable)
Signature HTML | Until you update or disconnect Outlook
Backups | 14-day rolling window
Support logs | 1 year

Complete deletion occurs ≤ 30 days after confirmed account closure unless law requires otherwise.

8. Your Rights

Where applicable (e.g., GDPR, CCPA/CPRA) you may:

  • Access, correct, or delete Personal Data

  • Receive a portable copy

  • Object to or restrict processing

  • Withdraw consent for marketing at any time

Send requests to austin@visionandstory.com — we respond within 30 days.

9. Cookies & Local Storage

We use first-party cookies/local-storage solely for authentication and anonymised session metrics. We do not use third-party ad-tracking cookies or cross-site beacons.

10. Children

Topsail is enterprise software and is not directed to children under 16. We do not knowingly collect children’s Personal Data.

11. Contact

Vision & Story, LLC
1671 NW Albany Ave, Bend, OR 97703, USA
E-mail: austin@visionandstory.com • Phone: +1 503-551-7565

© 2025 Vision & Story, LLC. Topsail™ is a trademark of Vision & Story, LLC.