CoreLensFinOps Premium · M365 & Azure
FonctionnalitésTarifs🎭 Démo
Essai gratuit →Se connecter
FonctionnalitésTarifs🎭 DémoPourquoi CoreLensBlog FinOpsRéférentiel SKU M365Centre d'aideNouveautésÉtat du serviceContract IntelligenceNous contacter
Essai gratuit →Se connecter
🇫🇷 Version française (faisant foi)← Security & Privacy
Contents
1. Purpose2. Definitions3. Access to the Service4. Use of the Service5. What CoreLens does not see6. What CoreLens receives7. Intellectual property8. Client obligations9. Liability10. Pricing & termination11. GDPR & data retention12. Governing law
Contractual document
Terms of Service
Version 2.1Effective: June 24, 2026CoreLens · France
⚠️ Convenience translation
This page is an English translation of CoreLens’s Terms of Service provided for convenience only. In the event of any discrepancy or dispute, the French version (corelens.io/security/cgu) is the sole legally binding and authoritative text.
ℹ️ Summary (non-contractual)
CoreLens is a Microsoft 365 FinOps SaaS platform that connects to your tenant via OAuth 2.0 with your explicit consent. CoreLens accesses your license and usage data solely to produce your audit report. Your data is hosted in Europe. You may revoke access at any time from your Entra ID tenant.

Art. 1 Purpose

These Terms of Service (hereinafter the “Terms”) govern access to and use of the services offered by CoreLens, published by a French sole proprietor (auto-entrepreneur) registered with the Versailles Trade and Companies Register (RCS) under SIREN number 105 695 449 — SIRET 10569544900014, accessible at https://corelens.io.

The CoreLens Service consists of a SaaS platform for auditing and optimizing Microsoft 365 licenses (FinOps), including a named-user dashboard, automated recommendations, usage reports, and a Contract Intelligence module.

Use of the Service constitutes unconditional acceptance of these Terms in the version in force at the time of access.

Art. 2 Definitions

  • “CoreLens”: the publisher of the Service, a sole proprietor registered under SIREN 105 695 449 — SIRET 10569544900014.
  • “Client”: any natural or legal person who has subscribed to a CoreLens plan.
  • “Service”: the CoreLens platform accessible at https://corelens.io.
  • “Tenant”: the Client's Microsoft 365 / Entra ID environment, identified by its Tenant ID (GUID).
  • “Tenant Data”: license, usage and user profile data accessible via the Microsoft Graph API with the Client's consent.
  • “Audit”: the automated analysis of Tenant Data produced by the Service.
  • “Report”: the output of the Audit in the form of a dashboard or exportable document.

Art. 3 Access to the Service

3.1 Access conditions

Access to the Service is subject to a valid CoreLens subscription (except for free Starter features) and to OAuth 2.0 sign-in with a Microsoft 365 account holding Global Administrator or Reports Reader permissions.

3.2 Authentication

CoreLens exclusively uses Microsoft OAuth 2.0 (OIDC protocol). No password is ever stored by CoreLens. The Client may revoke access at any time from the Microsoft Entra ID portal (> Enterprise applications).

3.3 Availability

CoreLens undertakes to keep the Service available with a target of 99% monthly uptime, excluding planned maintenance. Service status can be checked at corelens.io/status.

Art. 4 Use of the Service

4.1 Authorized use

The Client is authorized to use the Service to analyze the Microsoft 365 licenses and usage of its own tenant, for the duration of the subscribed plan.

4.2 Prohibited use

  • Using the Service to analyze a third-party tenant without the explicit authorization of its owner;
  • Attempting to circumvent authentication or authorization mechanisms;
  • Extracting, reproducing or redistributing CoreLens’s analysis algorithms;
  • Using the Service for unlawful purposes or in a manner contrary to public order.

4.3 Intellectual property

The CoreLens platform, its algorithms, interface and documentation are the exclusive property of the publisher. These Terms confer no ownership rights over these elements. Reports produced from the Client’s data belong to the Client.

Art. 5 What CoreLens does not see

✓ Data minimization principle
CoreLens only collects data strictly necessary to produce the Audit. No email content, no files, no browsing history, and no sensitive HR data is ever transmitted to CoreLens.
Data categoryExamplesCollected by CoreLens?
Email contentMessage bodies, attachments✗ Never
SharePoint / OneDrive filesDocuments, business data✗ Never
Browsing historyVisited URLs, web activity✗ Never
Sensitive HR dataSalaries, appraisals, medical data✗ Never
Microsoft credentialsPasswords, application secrets✗ Never
Out-of-scope personal dataAny data other than M365 licenses and usage✗ Never

Art. 6 What CoreLens receives

Data collectedPurposeRetention
Tenant ID (GUID)Tenant identification, subscription verificationSubscription duration + 1 year
M365 users’ name, email, departmentProducing the named-user audit reportSubscription duration + 1 year
Licenses assigned per userDetecting inactive and over-provisioned licensesSubscription duration + 1 year
Aggregated usage data (Teams, Exchange…)Computing the adoption score and recommendationsSubscription duration + 1 year
Client contact emailSending reports, billing, supportSubscription duration + 5 years (accounting)
Access logsSecurity, anomaly detection90 days

CoreLens undertakes not to use Tenant Data for commercial purposes towards third parties and not to resell it.

Art. 7 Intellectual property

The entire CoreLens platform — source code, algorithms, interfaces, brand and documentation — is the exclusive property of the publisher, protected by copyright and trademark law.

Reports and exports produced from the Client’s data (CSV, Excel, PDF, HTML) belong to the Client. CoreLens reserves the right to use aggregated and anonymized metrics for internal statistical purposes.

Art. 8 Client obligations

  • Use the Service in accordance with these Terms and CoreLens documentation;
  • Only share CoreLens access with authorized personnel within its organization;
  • Notify CoreLens within 48 hours of any suspected account compromise;
  • Obtain internal authorizations (CISO, DPO) before connecting the tenant;
  • Revoke OAuth consent upon subscription expiry, if desired.
⚠️ Client’s internal responsibility
The Client is responsible for obtaining the necessary authorizations from its employees before launching a named-user audit. CoreLens acts as a data processor within the meaning of Art. 28 GDPR; the Client remains the data controller.

Art. 9 Limitation of liability

The Service is provided “as is”. CoreLens does not guarantee the absolute accuracy of results, which depend on the data returned by the Microsoft Graph API. Recommendations are indicative and shall not be construed as legal or financial advice.

CoreLens’s liability is in any event limited to the amounts paid by the Client during the 12 months preceding the claim.

Art. 10 Pricing, billing and termination

10.1 Pricing

Pricing is as displayed on https://corelens.io/tarifs at the time of subscription. CoreLens may change pricing with 30 days’ notice by email, applicable at the next renewal.

10.2 Billing

Payment is monthly, charged automatically via Stripe. The Client receives an email confirmation at each renewal. Invoices are available on request at sales@corelens.io.

10.3 Termination by the Client

The Client may terminate at any time from its account area or by email to sales@corelens.io. Termination takes effect at the end of the current billing period. No minimum commitment. Termination free of charge.

10.4 Effects of termination

Upon termination, access to the Service is disabled. Tenant Data stored in CoreLens is deleted within 30 days. Exports already downloaded remain the property of the Client.

Art. 11 Personal data, GDPR & retention

✓ CoreLens: data processor within the meaning of Art. 28 GDPR
CoreLens processes the personal data of the Client’s employees (names, emails, M365 usage) solely on the Client’s instructions and for the exclusive purpose of the audit. A Data Processing Agreement (DPA) is available on request at privacy@corelens.io.

11.1 CoreLens account data

CoreLens collects the Client contact’s data (professional email, Tenant ID) on the basis of contract performance (Art. 6.1.b GDPR), hosted in Europe (Supabase — Frankfurt), retained for the subscription duration + 5 years for accounting purposes.

11.2 Tenant data retention policy

Retention period — CNIL compliance (13-month recommendation)
CoreLens applies an automatic retention policy to stored audit snapshots.
Data typeRetention periodDeletion
Audit snapshots (names, emails, licenses, usage)Rolling 12 monthsAutomatic on the 1st of each month
Minimum 2 snapshots per tenantRetained even if > 12 monthsEnables historical comparison
Client account data (email, Tenant ID)Subscription duration + 5 yearsAccounting obligations (Art. L123-22 French Commercial Code)
Shared reports (/report/token)7 to 30 days depending on settingAutomatic upon expiry
All data upon termination30 days after terminationComplete and permanent purge

Deletion is performed automatically by a monthly cron process. Deleted data is permanently erased — no backup is retained beyond the periods above. The Client may request early deletion of its data at privacy@corelens.io.

11.3 Data subject rights

Rights of access, rectification, erasure, portability and objection can be exercised at: privacy@corelens.io. Right to lodge a complaint with the CNIL (cnil.fr).

11.4 CoreLens sub-processors

  • Supabase — database, hosted in Frankfurt (EU), GDPR-compliant
  • Vercel — web platform hosting, EU region
  • Stripe — payment processing, PCI-DSS compliant, financial data only
  • Brevo — transactional emails, hosted in France, GDPR-compliant
  • Microsoft Azure — Azure Functions, France Central region

Art. 12 Governing law and jurisdiction

These Terms are governed by French law. In the event of a dispute, the parties undertake to seek an amicable resolution within 30 days. Failing that, the dispute shall be submitted to the competent courts within the jurisdiction of the Versailles Trade and Companies Register (RCS).

Amendments to the Terms

CoreLens may amend these Terms with 30 days’ notice by email. Use of the Service after this period constitutes acceptance.

Contact

Questions about the Terms: legal@corelens.io
Privacy / DPA questions: privacy@corelens.io

CoreLens · Sole proprietor (auto-entrepreneur) · SIREN 105 695 449 · SIRET 10569544900014 · RCS Versailles · corelens.io · legal@corelens.io
Version 2.1 — June 2026 (English convenience translation of the French original). The French version at corelens.io/security/cgu is the sole legally binding text.
CoreLens© 2026 · SIREN 105 695 449 · SIRET 10569544900014 · France
HomeSecuritylegal@corelens.io