Privacy Policy
Last updated: 21 May 2026
1. Who we are
Monokel is an exposure intelligence service for Microsoft 365, operated by Lesec AB (“Monokel”, “we”, “us” or “our”), a company registered in Sweden under company registration number 559495-0270.
We are responsible for the personal data described in this policy in the circumstances set out in section 3 below. If you have any questions about this policy or how we handle personal data, please contact us through our website at www.monokel.app.
2. Scope
This policy applies to:
- The Monokel website at www.monokel.app — including booking a demo and contacting us; and
- The Monokel product at app.monokel.app — the application that analyses a customer’s Microsoft 365 environment.
It does not cover third-party websites or services we link to. Those services have their own privacy policies.
3. Our role: controller and processor
Data protection law distinguishes between a controller (who decides why and how personal data is processed) and a processor (who processes personal data on a controller’s behalf). Our role depends on the data:
- We are the controller for personal data relating to website visitors, people who book a demo or contact us, and the account details of users who sign in to the product.
- We are a processor for the Microsoft 365 data we analyse on behalf of a customer. The customer (your organisation) is the controller of that data and determines the purposes of its processing. For that data, this policy is supplemented by the agreement (including any data processing terms) between us and the customer.
4. Personal data we collect
4.1 Website visitors and demo bookings
When you book a demo or contact us, we collect the details you provide — typically your name, work email address, organisation, and any message or scheduling information. Demo bookings are handled through our scheduling provider, Cal (see section 8). We also collect limited technical data (such as IP address and basic server logs) needed to operate the site securely.
4.2 Product account users
When your organisation uses Monokel, we process account information for the people who sign in — typically name, work email address, organisation, role, and authentication identifiers — to provide and secure the service.
4.3 Microsoft 365 data processed on a customer’s behalf
To analyse a customer’s Microsoft 365 environment, Monokel reads configuration and exposure data through the Microsoft Graph API using read-only access. We never modify anything in the customer’s environment. This data may include personal data such as:
- Identity and directory information — accounts, administrative roles, MFA status, sign-in and conditional-access configuration;
- Email and collaboration configuration — forwarding rules and mail-flow / authentication settings (DMARC/SPF/DKIM);
- Device and endpoint state — Intune compliance, endpoint protection status;
- Application and permission data — OAuth grants and application credentials;
- Sharing and access exposure — external sharing, public links, and guest accounts.
We process this data only to provide the service to the customer, on the customer’s instructions. The customer controls who in their organisation can access it within the product.
5. Cookies
The Monokel website does not use advertising or analytics tracking cookies. We use only cookies that are strictly necessary to operate the site and the product (for example, to keep you signed in and to maintain security). Our demo-scheduling provider, Cal, may set its own cookies when you open the booking widget — see Cal’s privacy policy for details.
6. Why we use personal data and our legal basis
Where we act as controller, we rely on the following legal bases under the GDPR:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Responding to demo requests and enquiries | Our legitimate interest in responding to you, and/or taking steps at your request before entering a contract (Art. 6(1)(b) and (f)) |
| Providing, securing and operating the product to account users | Performance of a contract, and our legitimate interest in keeping the service secure (Art. 6(1)(b) and (f)) |
| Operating and protecting our website (logs, security) | Our legitimate interest in a secure, functioning website (Art. 6(1)(f)) |
| Meeting legal and accounting obligations | Compliance with a legal obligation (Art. 6(1)(c)) |
For Microsoft 365 data we process as a processor, the legal basis is determined by the customer as controller.
7. How we share personal data
We do not sell personal data. We share it only with service providers (sub-processors) who help us run Monokel, and only as needed. Our main providers are:
| Provider | Purpose | Data location |
|---|---|---|
| Google Cloud Platform | Hosting and infrastructure | European Union |
| Cal (cal.eu) | Demo scheduling / booking | European Union |
We may also disclose personal data where required by law, or to protect our rights, users or the security of the service.
8. International transfers
We host and process personal data within the European Union, including with the providers listed in section 7.
9. How long we keep data
We keep personal data only as long as needed for the purposes above, then delete or anonymise it. Demo and enquiry data is kept for as long as needed to follow up and for a reasonable period afterwards. Account and product data is kept for the duration of the customer relationship and deleted or returned afterwards in line with our agreement with the customer.
10. How we protect data
We use technical and organisational measures appropriate to the risk, including encryption in transit, strict read-only access to customer Microsoft 365 environments, access controls, and logging. No method of transmission or storage is completely secure, but we work to protect personal data and to continuously improve our safeguards.
11. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased in certain circumstances;
- restrict or object to certain processing;
- receive your data in a portable format; and
- withdraw consent where processing is based on consent.
To exercise these rights, please contact us through our website at www.monokel.app. If our processing concerns Microsoft 365 data we handle on behalf of a customer, please direct your request to that organisation (the controller); we will assist them as required.
You also have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) — www.imy.se.
12. Children
Monokel is a business service and is not directed at children. We do not knowingly collect personal data from children.
13. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, where appropriate, notify you.
14. Contact us
This service is operated by Lesec AB (company registration number 559495-0270). For any privacy question or request, please contact us through our website at www.monokel.app.