Privacy Notice
This Privacy Notice describes how LataSys Limited ("we", "us") collects, uses, and shares personal data when you use the M365 Quarantine service — the Outlook add-in, the admin portal, and the supporting platform — and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Effective 2 July 2026 · LataSys Limited (UK Co. No. 17261093)
1. Who we are and how to contact us
The data controller for the personal data described in this notice (where we act as a controller) is:
LataSys LimitedRegistered in England and Wales, Company No. 17261093
66 Paul Street
London, England
EC2A 4NA
United Kingdom
support [at] latasys [dot] com · latasys.com
For all privacy enquiries and to exercise the rights set out in section 7, contact us through our contact form.
2. Categories of personal data we process
In delivering M365 Quarantine we process the following categories of personal data:
- Identity and contact data of end users — the User Principal Name (UPN), object id, display name, and email address of tenant administrators and end users who interact with the service.
- Quarantined message metadata — for messages held in Microsoft 365 quarantine that an end user can view or request release of: subject, sender address, recipient address, received date, quarantine reason, policy name, and an opaque message identity. We do not store the body content of the original message.
- Tenant configuration — your Microsoft 365 tenant id,
your initial
.onmicrosoft.comdomain, and the consent and permission grants you have made to the service. - Audit and telemetry data — actions taken in the service (view, request release, release approved, etc.), with timestamps, correlation ids, IP addresses, and user agent strings. Used for security monitoring, debugging, and meeting our own accountability obligations.
- Billing data — for paying customers: a billing contact email, the Stripe customer identifier, and counts of licensed seats. We do not store payment card or bank account details; those live with our payments sub-processor.
- Cookies — strictly-necessary cookies for the portal session and rate limiting. See our Cookie Policy.
3. How we use personal data (purposes)
- Providing the M365 Quarantine service to your organisation — listing quarantined messages and processing release requests on behalf of the tenant administrator.
- Authenticating users via Microsoft Entra ID and authorising their access to quarantine items belonging to their own mailbox.
- Recording an audit trail of administrative and end-user actions for security and compliance.
- Operating and securing the service — fraud detection, abuse prevention, capacity planning, debugging incidents.
- Billing customers and reconciling payments through our payments sub-processor.
- Communicating service changes, security advisories, and (where you have not opted out) product updates to administrators.
- Complying with our legal obligations and exercising or defending legal claims.
4. Lawful basis under UK GDPR Article 6
- Performance of a contract (Art 6(1)(b)) — when we provide the service to a customer organisation that has subscribed.
- Legitimate interests (Art 6(1)(f)) — for authentication, audit logging, security monitoring, fraud prevention, and product improvement. Our legitimate interest is operating a reliable and secure SaaS; balanced against the limited intrusion (no message bodies, scoped to the user's own mailbox) we consider this proportionate.
- Compliance with a legal obligation (Art 6(1)(c)) — for responding to lawful information requests and meeting our own retention and accountability duties.
- When you sign in with your Microsoft Entra ID account, your employer (the tenant administrator) determines the lawful basis for that underlying use of your mailbox data — we act as their data processor for that processing. See our Data Processing Agreement.
5. Who we share personal data with
We share personal data only with the following recipients:
- Microsoft Corporation — as the operator of (a) the Microsoft Entra ID identity directory we authenticate against, (b) the Microsoft Graph and Exchange Online PowerShell APIs we call to list and release quarantined messages, and (c) the Microsoft Azure infrastructure on which the platform runs.
- Stripe Payments Europe Ltd / Stripe, Inc. — as our card payments and subscription billing sub-processor.
- Sub-processors of our hosting and observability stack — including Microsoft Azure Application Insights for application telemetry. A current list of sub-processors is maintained in our Data Processing Agreement.
- Vendors / MSPs — where you are an end customer onboarded by an MSP/reseller, that vendor has visibility of the same audit and operational data they need to manage your tenant on your behalf, scoped to their portfolio.
- Professional advisers and authorities — auditors, insurers, and law-enforcement bodies, where required to do so by law or to defend legal claims.
We do not sell personal data and we do not share it for advertising purposes.
6. Retention periods
- Quarantine message metadata — retained for the duration the message remains in Microsoft 365 quarantine (typically up to 30 days, per the tenant's quarantine policy).
- Audit log — retained for the customer-configured retention period (default 90 days) and then deleted; rolling daily Postgres backups for up to 35 days.
- Account and tenant configuration — retained for the duration of the contract and deleted within 30 days of the contract ending.
- Billing data — retained for 7 years after the final invoice to meet UK tax and accounting record-keeping requirements.
- Telemetry and platform diagnostics — retained for 90 days in Application Insights and then aggregated or deleted.
7. Your rights under UK GDPR
Subject to certain conditions, you have the right to:
- Be informed about how we use your personal data — by reading this notice.
- Request a copy of the personal data we hold about you (subject access — Art 15).
- Have inaccurate personal data corrected (Art 16).
- Have personal data erased in certain circumstances (Art 17).
- Restrict our processing in certain circumstances (Art 18).
- Receive personal data in a portable format and have it transmitted to another controller where applicable (Art 20).
- Object to processing carried out under legitimate interests, including profiling (Art 21).
- Not be subject to a solely automated decision producing legal or similarly significant effects (Art 22) — we do not make such decisions.
To exercise any of these rights, contact us through our contact form. Where you are an employee of one of our customers, your employer is the controller of most data relating to your mailbox; we will refer requests to them and assist with a response under our Data Processing Agreement.
8. International transfers
We host the M365 Quarantine platform in Microsoft Azure UK South. Personal data within the platform stays in the United Kingdom. Limited operational and support data may be processed by our sub-processors outside the UK — specifically by Microsoft Corporation entities in the United States and the European Economic Area, and by Stripe Payments Europe Ltd (Ireland) / Stripe, Inc. (United States) for billing. Where personal data is transferred outside the UK, the transfer is governed by one of the lawful safeguards permitted under Article 46 of the UK GDPR — the UK International Data Transfer Agreement (IDTA) or the European Commission Standard Contractual Clauses with the UK International Data Transfer Addendum, supported by a documented Transfer Risk Assessment.
9. Complaints
If you believe we have not complied with your data-protection rights, please contact us first through our contact form so we can investigate. You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO):
Information Commissioner's OfficeWycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Tel: 0303 123 1113 · ico.org.uk
10. About the Outlook add-in specifically
The M365 Quarantine Outlook add-in is reviewed by tenant administrators before installation. The add-in:
- Does NOT read message bodies, attachments, or any mailbox folder content.
- Calls the Microsoft 365 quarantine APIs (Get-QuarantineMessage / Release-QuarantineMessage via Exchange Online) only for the signed-in user's own mailbox.
- Stores quarantine metadata in our platform database (Postgres in Azure UK South) only for the duration the message remains in Microsoft 365 quarantine.
- Surfaces a sign-out / reset-session control in its diagnostics panel; signing out clears the locally cached bearer token. Any personal data we hold can be inspected or deleted by exercising the rights in section 7.
11. This website (latasys.com)
Separately from the M365 Quarantine service, when you use our marketing website at latasys.com we process the following as controller:
- Enquiries. If you use our contact form or the "talk to a human" option in the chat, we collect the name, email, organisation and message you provide, and (for chat handoffs) the transcript you choose to send. Lawful basis: legitimate interests and steps to enter into a contract.
- Chat messages. Messages you type into the website assistant are sent to our server and to our AI provider to generate a reply. Please do not enter sensitive personal data into the chat.
- Strictly necessary cookies. We store your cookie consent choice. We do not use advertising cookies. See our Cookie Policy.
- Server logs. Our hosting may process technical data such as IP address and request metadata to operate and secure the site.
We keep website enquiry data only as long as needed to deal with your request and our legitimate business records, then delete or anonymise it. The rights in section 7 apply here too; use our contact form.
12. Changes to this notice
We may update this Privacy Notice from time to time. The "Effective" date at the top of this page reflects the most recent revision. Material changes will be notified to the administrator contact registered for each tenant at least 30 days before they take effect.