Data Collection, IT Security and Privacy

Our privacy policy is published here, and we offer a data processing agreement (just contact our support), but we want to summarize our handling of data, the security involved and your privacy in simple terms here:

What data do we collect for accounts?

  • When you log in to MailMerge365 with your Microsoft 365 (aka Office365) account, your personal information is sent to us to enable our service, but we do NOT receive your password. The password for your account is verified only by Microsoft (it is never sent to us, even during login); we simply receive a notification from Microsoft saying "MailMerge365 can trust this account". This principle is called single sign-on. It also means that any additional security features you have activated for your Microsoft 365 (aka Office365) account (such as Two Factor Authentication) automatically also secure your data in MailMerge365, since you can only log in to MailMerge365 the same way you log in to your Microsoft 365 (aka Office365) account.
  • When you create a campaign you upload a spreadsheet of data (or re-use the data from a previous campaign). This data is stored on our servers*. 
  • When you send the campaign, you are actually sending an email to our servers which then starts the sending process for your campaign. The original email is stored on our servers*.
  • The campaign generates an email to each of your recipients and stores this email on Microsoft 365 (aka Office365) servers (your Outlook Mailbox). The generated mail is stored on our servers only until it is sent to your account and is then deleted from our servers. We do not keep the contents of each individual email.
  • For campaigns that use open and click tracking (optional), this metadata (incl. some information about the person clicking, e.g. user-agent) is stored on our servers*.

*until you either delete the campaign or you delete the account. At this time the data is deleted from our production servers but will still be available in backups for the defined period of time (see below).

What data do we transmit to third parties?

  • All your campaign data is transmitted to Microsoft (via Microsoft 365/Office365) upon sending the campaign (in the form of the generated emails).
  • Your email address and campaign subject line (or name) are transmitted to Postmark (our email provider) for the purpose of sending you your campaign result email.
  • The mail contents (body, subject, links etc) are transmitted to each recipient you specify in a campaign.

What are my privacy rights?

  • Regardless of any local law that may apply to you or MailMerge365, your data is always fully accessible, correctable and deletable. Most of this is available through your dashboard, but if you have any concerns, requests or issues, don't hesitate to contact us.
  • To clarify: the information stored in Microsoft 365 (aka Office365) (such as your name, email addresses and the individual sent emails in your campaign etc) is managed by Microsoft. It must be changed or deleted by using Microsoft Outlook, the Microsoft 365 (aka Office365) self service options or Microsoft support themselves.

IT Security - How is my data secured?

  • MailMerge365 servers run in the same world-class Microsoft data centers that Microsoft 365 (aka Office365) itself uses. You can read about the security of their data centers here. More specifically, our servers run only in Microsoft's European data centers: Ireland as the primary data center and the Netherlands as a backup. Vulnerability scanning and patch management are provided by Microsoft.
  • Your data runs on database services managed by Microsoft with a 35-day point-in-time recovery option. This means that the database is serviced and provided to the highest industry levels by Microsoft, and we can recover any data that may be accidentally deleted up to 35 days in the past. There is also a long-term retention policy in place which provides access to the last 12 months of data in monthly increments.
  • All our databases are encrypted at rest. 
  • Direct access to production and to the database (incl. any security tokens) is restricted to only the managing director.
  • All developers working on MailMerge365 production code have multiple years of IT security experience and employ OWASP secure software lifecycle best practices (including security-by-design, deny-by-default and basic threat modelling). 
  • No production data is ever used in a non-production environment. 


  • For the sending infrastructure (creating and sending new campaigns) our recovery time objective (RTO) is 3 business days and our recovery point objective (RPO) is 5 minutes.
  • For the tracking infrastructure (open and click resolution) our recovery time objective (RTO) is 1 business day and our recovery point objective (RPO) is 5 minutes.

Data flow - Where is data sent and why during sending of a MailMerge365 campaign?

  1. Installation and Setup
    1. If you install the plugin, a request is made to our servers and we check for the existence of your account and log temporary debugging information.
    2. You will be asked to authenticate with Microsoft 365, at which point Microsoft 365 informs us whether you are a valid user and we store your user id, tenant id and email, but we never store your password.
  2. Sending a campaign
    1. You create a new email in Outlook, the draft is saved in your Microsoft 365 tenant.
      1. If you click preview, the email body is sent to our servers to display.
    2. You upload a campaign data file (e.g. a spreadsheet) which is sent to our servers for processing. This file is kept until the processing is complete but the data that has been extracted can be kept until your account is deleted.
    3. Once you send the email it is sent to Postmark. Postmark receives the email and sends it to our servers.
    4. Our servers then generate the campaign emails and send them on your behalf via Microsoft Graph through your Microsoft 365 tenant mailbox.
    5. Postmark is then once again used to send you notifications about the campaign progress. The individual campaign emails are never sent through Postmark; they are only sent via your own mailbox.
  3. Open and click tracking
    1. If you have activated open and click tracking, these signals are registered through our servers and the data is stored for your campaign. This data is kept until your account is deleted.