Yarvis Privacy Policy

Document updated and applicable since: February 26th, 2026

Introduction

This Privacy Policy describes how Yarvis (“we”, “our”, or “the Service”) collects, uses, stores, and processes personal data when Yarvis is deployed within your organization’s Microsoft Teams environment. Yarvis is an AI-powered workplace assistant that integrates with Microsoft 365 and Microsoft Teams to help users manage calendars and communications. YAROOMS integration (room booking and work status) is available as a separate add-on module and is not required for core functionality.

This policy is intended to help your organization understand the data handling practices of Yarvis to meet its obligations under applicable privacy regulations, including the General Data Protection Regulation (GDPR) and similar frameworks.

By deploying and using Yarvis, the customer organization (“Tenant”) acknowledges this Privacy Policy on behalf of its end users.

Data Controller and Processor

Yarvis operates as a data processor on behalf of the customer organization, which acts as the data controller. Yarvis processes personal data solely for the purpose of providing the service as configured and authorized by the Tenant.

Data We Collect

Microsoft Identity and Profile Data

When a user authenticates via Microsoft Entra ID, we collect:

  • User ID (Azure Active Directory object ID)
  • Email address and display name
  • Timezone (from mailbox settings)
  • Directory role membership (for administrator detection)

Calendar Data

With the user’s delegated consent (Calendars.ReadWrite), Yarvis accesses:

  • Event subject, description, start/end times, timezone
  • Location and attendee list (email addresses and attendance status)
  • All-day flags, recurrence rules, and meeting links

Yarvis can create, update, and delete calendar events on behalf of the user. Calendar data is not stored locally – it is accessed live from Microsoft Graph and is not retained after the session.

Email Data (Shared Mailbox Only)

Yarvis accesses a designated shared mailbox (not individual user inboxes) via application-level permissions (admin-consented). Accessed data includes:

  • Message subject and body (HTML converted to plain text)
  • Sender and recipient addresses and display names
  • Conversation ID and received timestamp
  • Internet message headers (used for spam and loop detection)
  • Thread context: up to 20 prior messages in the same conversation

Email attachments are never downloaded. Only a boolean flag indicating the presence of attachments is read.

Portions of email content may be retained in the AI agent’s memory (see AI Agent Memory and Session History) where relevant for ongoing task context.

Microsoft Teams Conversation Data

When users interact with the Yarvis bot in Teams, the following is processed:

  • User ID, display name, and email
  • Conversation ID and type (direct message, group chat, or channel)
  • Tenant ID
  • Message text content directed at the bot
  • Adaptive Card action payloads (button interaction data)

Conversation references (user/bot identifiers, conversation ID, service URL, last-seen timestamp) are stored to enable proactive messaging features such as morning briefings.

Yarvis only processes messages explicitly directed at the bot. General channel message history is not read.

YAROOMS Workplace Data (Add-on Module)

For customers who integrate their YAROOMS account (available as a separate add-on module), we access:

  • Room and space information (names, capacities, features, availability)
  • User’s room bookings (space, dates, title, status)
  • User’s work status and planning entries (e.g., “In office”, “Work from home”)
  • YAROOMS account profile (account ID, name, email, location, floor)

Yarvis can create and cancel room bookings, and set work status entries on behalf of the user.

AI Agent Memory and Session History

To provide context-aware assistance, Yarvis stores:

  • AI agent memories: key facts derived from conversations, retained in a local encrypted database
  • Session history: conversation logs

This data is retained for the duration of the customer’s active subscription and permanently deleted within 30 days of subscription termination if the subscription is not renewed.

Authentication Credentials

The following credentials are stored in encrypted form:

  • Microsoft Graph OAuth access tokens and refresh tokens
  • YAROOMS API tokens

Credentials are never written to logs or included in error messages. Decryption occurs only during active plugin operations.

Notification Preferences

User-configured preferences for notifications and morning briefings are stored in an encrypted database.

Data We Do Not Collect

Yarvis does not collect the following:

  • Email attachment contents (only presence is noted)
  • General Teams channel message history (only bot-directed messages)
  • User passwords (authentication is fully delegated to Microsoft Entra ID; YAROOMS authentication is handled by YAROOMS where the add-on is enabled)
  • Biometric, health, or sensitive special-category personal data
  • Payment or financial data
  • Device identifiers or IP addresses (beyond standard infrastructure logs)

Yarvis processes personal data on the following legal bases under GDPR:

Processing Activity | Legal Basis | Notes
User authentication and identity | Contract performance | Necessary to provide the service
Calendar read/write | Contract performance / Consent | User grants delegated OAuth scope
Shared mailbox processing | Legitimate interests | Admin-consented; serves business workflow
Teams messaging | Contract performance | Core service interaction
YAROOMS data (add-on module) | Contract performance / Consent | User connects YAROOMS account
AI memory and session history | Legitimate interests | Context for service continuity
Credential storage | Contract performance | Required for persistent service access

Data Sharing and Sub-Processors

Yarvis shares data with the following third-party sub-processors:

Sub-Processor | Data Shared | Purpose
Microsoft (Azure / Graph / Teams) | Identity, calendar, Teams messages | Core platform and identity services
Anthropic (Claude API) | Conversation text, calendar/email summaries | AI natural language processing
YAROOMS | User email, booking and planning data (add-on module only) | Room booking and work status management

Regarding Anthropic: Conversation content submitted to the Claude API is processed in accordance with Anthropic’s API data usage policy. Anthropic does not store or train on API inputs. Conversation history and agent memories are stored locally within the Tenant’s database, not on Anthropic’s infrastructure.

Yarvis does not sell, rent, or share personal data with third parties for marketing purposes.

Data Retention

The following retention periods apply:

Data Category | Retention Period | Deletion Mechanism
User profile (name, email, timezone) | For the duration of an active subscription | Automatic database cleanup
OAuth access and refresh tokens | Until user disconnects | Overwritten on disconnect
YAROOMS tokens | For the duration of an active subscription | Automatic database cleanup
Teams conversation references | For the duration of an active subscription (stale-flagged) | Automatic database cleanup
AI agent memories | For the duration of an active subscription | Automatic directory cleanup
Session history logs | For the duration of an active subscription | Automatic directory cleanup
Notification preferences | For the duration of an active subscription | Automatic database cleanup
Pending welcome notifications | Until delivered | Auto-deleted after delivery
Calendar and email data | Not stored locally | N/A – accessed live only

Important: The data is retained for the duration of the customer’s active subscription and permanently deleted within 30 days of subscription termination if the subscription is not renewed.

Data Security

Yarvis implements the following technical security measures:

  • Encryption at rest
  • Tenant isolation
  • Token protection
  • Webhook validation
  • Bot Framework domain validation

Data Subject Rights

Under applicable privacy regulations, individuals whose data is processed by Yarvis have the right to:

  • Access: Request a copy of personal data held about them.
  • Rectification: Request correction of inaccurate data.
  • Erasure (“right to be forgotten”): Request deletion of personal data.
  • Restriction: Request that processing be restricted in certain circumstances.
  • Data portability: Receive data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.

To exercise these rights, users should contact their organization’s administrator.

Data Transfers

Data may be transferred to and processed in countries outside the European Economic Area (EEA) in connection with the following:

  • Microsoft services: Subject to Microsoft’s standard contractual clauses and Privacy Shield successor frameworks.
  • Anthropic Claude API: Processed on Anthropic’s infrastructure, which may be located outside the EEA. Anthropic’s API data processing agreement governs these transfers.

Yarvis engages only sub-processors who provide sufficient guarantees of appropriate technical and organizational measures under GDPR Article 28.

Children’s Privacy

Yarvis is intended for use in professional workplace environments and is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Tenant administrators. Continued use of the Service following notice of changes constitutes acceptance of the updated policy. The effective date at the top of this document will reflect the most recent revision.

Pricing and Subscription

Yarvis is offered under a subscription-based pricing model. Available plans, pricing details, and included features – including whether the YAROOMS add-on module is part of a given plan – are described on the Yarvis product website.

Data collected and processed by Yarvis may vary depending on the plan and modules activated for the Tenant. This Privacy Policy covers the full scope of data processing across all available modules; sections marked as relating to the YAROOMS add-on apply only where that module is enabled.


Data Controller & Brand Owner: YAROOMS INTERNATIONAL SA, dba YAROOMS. Registered address: Regele Ferdinand 22-26 3rd Floor, 400110 Cluj-Napoca, Cluj County, Romania. Company registration number: ROONRC.J2022005628124 | VAT/Tax ID: RO36814476. Privacy contact: dpo@yarooms.com. Yarvis is a registered trademark of Yarooms International SA. All rights reserved.
