Privacy policy

Last updated: 8 December 2025

1. Introduction

Procurli UAB (“Procurli”, “we”, “us”, “our”) provides AI-powered procurement automation tools that integrate with Microsoft 365 services (Outlook, Exchange Online, Office 365, Azure Active Directory).

This Privacy Policy explains what data we access, why we need it, how we process it, and your rights when you use Procurli applications.

2. Data We Access from Microsoft 365

To deliver the procurement automation functionality, Procurli requests the following permissions and accesses only the minimum data necessary:

  • Email metadata (sender, recipient, subject, date, message ID)

  • Full email content and attachments (to detect and extract purchase orders, order confirmations, invoices, delivery notes, and similar procurement documents)

  • User profile information (name, email address, tenant/organization ID)

  • Calendar data (only if the optional meeting-to-order feature is enabled)

  • OAuth 2.0 tokens and refresh tokens (for background processing and offline_access)

We do not access or process mailbox data beyond what is required for the procurement use case.

3. Why We Require These Permissions (Justification for Sensitive Permissions)

Many procurement-related documents arrive as regular emails or attachments from suppliers. There is no reliable way to identify these documents using only metadata — the actual content or attachment must be analysed.

Procurli therefore requires read access to emails and attachments so that our AI can:

  • Detect emails that contain procurement-related information (based on sender domains, keywords, attachment types, and content patterns)

  • Extract structured data (order numbers, amounts, dates, items, etc.)

  • Ignore and immediately discard emails that clearly do not relate to procurement

Emails that do not match procurement patterns are discarded within seconds and are never stored or logged.

4. How We Use the Data

We use the accessed data exclusively to:

  • Identify and extract procurement information from emails and attachments

  • Create structured records, automated confirmations, follow-ups, and discrepancy alerts

  • Synchronise extracted data with your ERP, procurement system, or internal tools

  • Provide analytics and performance insights within your Procurli tenant

  • Continuously improve the accuracy of our classification and extraction models using only anonymised, aggregated patterns (never raw customer data)

We do not use your emails, attachments, or any personal data to train public or third-party AI models.

5. Use of AI Services (OpenAI)

We use Microsoft Azure OpenAI Service [or: OpenAI API — delete the one that does not apply] exclusively for analysing email content and attachments to extract procurement data.

Important privacy commitments:

  • No email content or personal data is ever used to train or improve any public models

  • We use only models with zero-retention / no-training agreements

  • Raw emails and attachments are deleted from the AI provider’s systems immediately after processing (typically within seconds)

  • Only the minimal extracted structured fields are stored in our systems

6. Data Storage and Security

  • All customer data is stored in Microsoft Azure regions in the European Union (or the region selected by your organization)

  • Data in transit is protected with TLS 1.3; data at rest is encrypted with AES-256

  • Access is restricted through role-based access control (RBAC), least-privilege principles, and full audit logging

  • We undergo regular penetration testing and security audits

7. Data Sharing and Disclosure

We do not sell, rent, or share your data with third parties for marketing or any unrelated purpose.

We only share data with trusted subprocessors (listed in section 10) when strictly necessary to provide the service.

8. Data Retention

  • Raw emails and attachments: automatically deleted within 30 days of processing (or immediately after extraction if you enable “minimum retention” mode)

  • Extracted and structured procurement records: retained for the duration of your subscription + 90 days (or longer if required by your contract or audit requirements)

  • You can request immediate deletion of any or all data at any time

9. Your Rights and Control

You always remain in full control of your data:

  • Request access, correction, export, or deletion: info@procurli.com

  • Revoke Procurli’s access at any moment via:

      – Microsoft 365 admin center → Applications → Enterprise applications → Procurli → Permissions → Revoke admin consent

      – My Apps portal (myapps.microsoft.com) → click “…” next to Procurli → Remove

  • Tenant administrators can also adjust or remove granted permissions in Azure Portal at any time

10. Subprocessors

We use the following subprocessors:

  • Microsoft Azure (hosting, storage, compute)

  • Microsoft Azure OpenAI Service [or: OpenAI, Inc. — delete the one that does not apply] (AI processing only)

A current list of subprocessors and their roles is available on request.

11. Changes to This Policy

We will notify you by email and in-app at least 30 days before any material changes take effect.

12. Contact Information

Procurli UAB

Company code: 307191842

VAT: LT100018779616

Address: Žirmūnų g. 32B-5, LT-09228 Vilnius, Lithuania

Email: info@procurli.com