Privacy Policy
Last updated: February 2026. This English version is provided for convenience; in case of doubt the German version prevails.
1. Controller
SSIG-IT GmbH
Zum weißen Jura 3
89143 Blaubeuren, Germany
Email: info@secretexpiry.com
2. Overview of processing
SecretExpiry is a B2B SaaS service that monitors Microsoft Entra app registrations and notifies users by email, in good time, about expiring client secrets and certificates. This privacy policy informs you about the nature, scope, and purpose of the processing of personal data when using SecretExpiry.
3. Legal bases
Personal data is processed on the following legal bases:
- Art. 6(1)(b) GDPR – Performance of a contract: processing of email address, tenant IDs, and metadata to provide the service.
- Art. 6(1)(f) GDPR – Legitimate interest: error monitoring (Sentry), rate limiting, and abuse protection (Cloudflare Turnstile, Upstash Redis).
- Art. 6(1)(a) GDPR – Consent: Microsoft admin consent granting API permissions to monitor app registrations.
4. Data collected
SecretExpiry processes the following personal data to provide the service:
- Email address – Login via magic link (Supabase Auth), sending notifications
- Microsoft Entra tenant ID – Association of the monitored tenants
- App registration metadata – Name, expiry dates of secrets and certificates, application display name (no actual secret values)
- Language preference – German or English, for localized emails
- Billing data – Stripe customer ID, subscription status, billing interval, license count, and for bank-transfer payments invoice details (company name, billing address, VAT ID, optional purchase order number)
- IP address – Temporarily for rate limiting (not stored permanently)
5. Zero-knowledge architecture
SecretExpiry reads metadata only via the Microsoft Graph API with the Application.Read.All permission. Actual secret values, passwords, or private certificate keys are never retrieved, transmitted, or stored at any time.
6. Hosting & processors
The following third-party providers process personal data on our behalf. Data processing agreements (DPAs) pursuant to Art. 28 GDPR are in place with all processors, as are Standard Contractual Clauses (SCCs) for any third-country transfer:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, serverless functions | EU region (Frankfurt) |
| Supabase Inc. | PostgreSQL database, authentication | EU region (Frankfurt) |
| Stripe Inc. | Payment processing, subscription management | USA (SCCs/DPA in place) |
| Resend Inc. | Transactional emails (notifications, onboarding) | USA (SCCs/DPA in place) |
| Upstash Inc. | Rate limiting (Redis) | EU region |
| Functional Software Inc. (Sentry) | Error monitoring, performance monitoring | USA (SCCs/DPA in place) |
| Cloudflare Inc. | Bot protection (Turnstile CAPTCHA) | Global (SCCs/DPA in place) |
| Microsoft Corporation | Graph API (reading app registration metadata) | Global (SCCs/DPA in place) |
7. Cookies, local storage & analytics
SecretExpiry uses strictly necessary cookies only. No tracking or marketing cookies are used.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
sb-*-auth-token | Authentication & session management | Session / 7 days | Strictly necessary |
NEXT_LOCALE | Stores the selected language (German/English) | 1 year | Strictly necessary (functional) |
Analytics (Umami): For anonymous analytics we use Umami – self-hosted on our own infrastructure (umami.ssig-it.com). Umami is cookieless, stores no IP addresses or other personal data, and shares no data with third parties. Only aggregated, anonymous usage statistics (e.g. page views, referrers) are collected. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in improving our offering).
Because only strictly necessary cookies are used and analytics is cookieless without accessing device information, no consent (cookie banner) is required pursuant to § 25 (2) no. 2 TDDDG.
8. Email communication
SecretExpiry sends the following transactional emails:
- Onboarding email (hello@mail.secretexpiry.com) – After a tenant is successfully connected, with a welcome message and next steps.
- Expiry alerts (alerts@mail.secretexpiry.com) – When a secret or certificate is about to expire (configurable: 90, 30, 14, 7, 1 days before).
- Connection lost (alerts@mail.secretexpiry.com) – When syncing a tenant repeatedly fails and the tenant is automatically deactivated.
- Magic link (via Supabase) – One-time sign-in link by email.
No advertising or marketing emails are sent. Email delivery is automatically stopped on bounces (bounce handling via Resend webhooks).
9. Data security
We employ the following technical and organizational measures:
- TLS encryption for all data transmission (HTTPS, HSTS)
- Row-Level Security (RLS) in the database – each user sees only their own data
- AES-256-GCM encryption for OAuth state parameters (10-minute TTL)
- Content Security Policy (CSP) to protect against cross-site scripting
- Rate limiting to protect against brute-force and abuse attacks
- Bot protection (Cloudflare Turnstile) at login
- Validation against disposable email domains
10. Retention period
- User data – Stored for as long as the account exists. Upon account deletion, all data is deleted immediately and completely (cascading: tenants, app registrations, secrets, notification settings).
- Billing data – In accordance with statutory retention periods (§ 147 AO, § 257 HGB) for up to 10 years.
- Stripe webhook events – Maximum of 30 days to ensure payment idempotency.
- Error logs (Sentry) – In accordance with Sentry's retention policy, 90 days by default.
- Rate-limiting data (IP addresses) – Maximum of 1 minute (sliding window), then automatically deleted.
11. Your rights
You have the following rights under the GDPR at any time:
- Access (Art. 15) – What data is stored about you
- Rectification (Art. 16) – Correction of inaccurate data
- Erasure (Art. 17) – Deletion of your data ("right to be forgotten")
- Restriction (Art. 18) – Restriction of processing
- Data portability (Art. 20) – Export of your data in a common format
- Objection (Art. 21) – Objection to processing based on legitimate interests
- Withdrawal of consent (Art. 7(3)) – At any time with effect for the future
To exercise your rights, please contact: info@secretexpiry.com
12. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority is determined by the controller's registered seat.
13. Third-country transfer
Where data is transferred to third countries (in particular the USA), this is done on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and/or the EU-U.S. Data Privacy Framework (DPF). The processors used (Stripe, Resend, Sentry, Cloudflare) are subject to corresponding safeguards.
14. Changes to this privacy policy
We reserve the right to adapt this privacy policy to reflect changes in the law or in the service. The current version is always available on this page. In the event of material changes, we will inform registered users by email.