Art. 1 Purpose
These Terms of Service (hereinafter the “Terms”) govern access to and use of the services offered by CoreLens, published by a French sole proprietor (auto-entrepreneur) registered with the Versailles Trade and Companies Register (RCS) under SIREN number 105 695 449 — SIRET 10569544900014, accessible at https://corelens.io.
The CoreLens Service consists of a SaaS platform for auditing and optimizing Microsoft 365 licenses (FinOps), including a named-user dashboard, automated recommendations, usage reports, and a Contract Intelligence module.
Use of the Service constitutes unconditional acceptance of these Terms in the version in force at the time of access.
Art. 2 Definitions
- “CoreLens”: the publisher of the Service, a sole proprietor registered under SIREN 105 695 449 — SIRET 10569544900014.
- “Client”: any natural or legal person who has subscribed to a CoreLens plan.
- “Service”: the CoreLens platform accessible at https://corelens.io.
- “Tenant”: the Client's Microsoft 365 / Entra ID environment, identified by its Tenant ID (GUID).
- “Tenant Data”: license, usage and user profile data accessible via the Microsoft Graph API with the Client's consent.
- “Audit”: the automated analysis of Tenant Data produced by the Service.
- “Report”: the output of the Audit in the form of a dashboard or exportable document.
Art. 3 Access to the Service
3.1 Access conditions
Access to the Service is subject to a valid CoreLens subscription (except for free Starter features) and to OAuth 2.0 sign-in with a Microsoft 365 account holding Global Administrator or Reports Reader permissions.
3.2 Authentication
CoreLens exclusively uses Microsoft OAuth 2.0 (OIDC protocol). No password is ever stored by CoreLens. The Client may revoke access at any time from the Microsoft Entra ID portal (> Enterprise applications).
3.3 Availability
CoreLens undertakes to keep the Service available with a target of 99% monthly uptime, excluding planned maintenance. Service status can be checked at corelens.io/status.
Art. 4 Use of the Service
4.1 Authorized use
The Client is authorized to use the Service to analyze the Microsoft 365 licenses and usage of its own tenant, for the duration of the subscribed plan.
4.2 Prohibited use
- Using the Service to analyze a third-party tenant without the explicit authorization of its owner;
- Attempting to circumvent authentication or authorization mechanisms;
- Extracting, reproducing or redistributing CoreLens’s analysis algorithms;
- Using the Service for unlawful purposes or in a manner contrary to public order.
4.3 Intellectual property
The CoreLens platform, its algorithms, interface and documentation are the exclusive property of the publisher. These Terms confer no ownership rights over these elements. Reports produced from the Client’s data belong to the Client.
Art. 5 What CoreLens does not see
| Data category | Examples | Collected by CoreLens? |
|---|---|---|
| Email content | Message bodies, attachments | ✗ Never |
| SharePoint / OneDrive files | Documents, business data | ✗ Never |
| Browsing history | Visited URLs, web activity | ✗ Never |
| Sensitive HR data | Salaries, appraisals, medical data | ✗ Never |
| Microsoft credentials | Passwords, application secrets | ✗ Never |
| Out-of-scope personal data | Any data other than M365 licenses and usage | ✗ Never |
Art. 6 What CoreLens receives
| Data collected | Purpose | Retention |
|---|---|---|
| Tenant ID (GUID) | Tenant identification, subscription verification | Subscription duration + 1 year |
| M365 users’ name, email, department | Producing the named-user audit report | Subscription duration + 1 year |
| Licenses assigned per user | Detecting inactive and over-provisioned licenses | Subscription duration + 1 year |
| Aggregated usage data (Teams, Exchange…) | Computing the adoption score and recommendations | Subscription duration + 1 year |
| Client contact email | Sending reports, billing, support | Subscription duration + 5 years (accounting) |
| Access logs | Security, anomaly detection | 90 days |
CoreLens undertakes not to use Tenant Data for commercial purposes towards third parties and not to resell it.
Art. 7 Intellectual property
The entire CoreLens platform — source code, algorithms, interfaces, brand and documentation — is the exclusive property of the publisher, protected by copyright and trademark law.
Reports and exports produced from the Client’s data (CSV, Excel, PDF, HTML) belong to the Client. CoreLens reserves the right to use aggregated and anonymized metrics for internal statistical purposes.
Art. 8 Client obligations
- Use the Service in accordance with these Terms and CoreLens documentation;
- Only share CoreLens access with authorized personnel within its organization;
- Notify CoreLens within 48 hours of any suspected account compromise;
- Obtain internal authorizations (CISO, DPO) before connecting the tenant;
- Revoke OAuth consent upon subscription expiry, if desired.
Art. 9 Limitation of liability
The Service is provided “as is”. CoreLens does not guarantee the absolute accuracy of results, which depend on the data returned by the Microsoft Graph API. Recommendations are indicative and shall not be construed as legal or financial advice.
CoreLens’s liability is in any event limited to the amounts paid by the Client during the 12 months preceding the claim.
Art. 10 Pricing, billing and termination
10.1 Pricing
Pricing is as displayed on https://corelens.io/tarifs at the time of subscription. CoreLens may change pricing with 30 days’ notice by email, applicable at the next renewal.
10.2 Billing
Payment is monthly, charged automatically via Stripe. The Client receives an email confirmation at each renewal. Invoices are available on request at sales@corelens.io.
10.3 Termination by the Client
The Client may terminate at any time from its account area or by email to sales@corelens.io. Termination takes effect at the end of the current billing period. No minimum commitment. Termination free of charge.
10.4 Effects of termination
Upon termination, access to the Service is disabled. Tenant Data stored in CoreLens is deleted within 30 days. Exports already downloaded remain the property of the Client.
Art. 11 Personal data, GDPR & retention
11.1 CoreLens account data
CoreLens collects the Client contact’s data (professional email, Tenant ID) on the basis of contract performance (Art. 6.1.b GDPR), hosted in Europe (Supabase — Frankfurt), retained for the subscription duration + 5 years for accounting purposes.
11.2 Tenant data retention policy
| Data type | Retention period | Deletion |
|---|---|---|
| Audit snapshots (names, emails, licenses, usage) | Rolling 12 months | Automatic on the 1st of each month |
| Minimum 2 snapshots per tenant | Retained even if > 12 months | Enables historical comparison |
| Client account data (email, Tenant ID) | Subscription duration + 5 years | Accounting obligations (Art. L123-22 French Commercial Code) |
| Shared reports (/report/token) | 7 to 30 days depending on setting | Automatic upon expiry |
| All data upon termination | 30 days after termination | Complete and permanent purge |
Deletion is performed automatically by a monthly cron process. Deleted data is permanently erased — no backup is retained beyond the periods above. The Client may request early deletion of its data at privacy@corelens.io.
11.3 Data subject rights
Rights of access, rectification, erasure, portability and objection can be exercised at: privacy@corelens.io. Right to lodge a complaint with the CNIL (cnil.fr).
11.4 CoreLens sub-processors
- Supabase — database, hosted in Frankfurt (EU), GDPR-compliant
- Vercel — web platform hosting, EU region
- Stripe — payment processing, PCI-DSS compliant, financial data only
- Brevo — transactional emails, hosted in France, GDPR-compliant
- Microsoft Azure — Azure Functions, France Central region
Art. 12 Governing law and jurisdiction
These Terms are governed by French law. In the event of a dispute, the parties undertake to seek an amicable resolution within 30 days. Failing that, the dispute shall be submitted to the competent courts within the jurisdiction of the Versailles Trade and Companies Register (RCS).
Amendments to the Terms
CoreLens may amend these Terms with 30 days’ notice by email. Use of the Service after this period constitutes acceptance.
Contact
Questions about the Terms: legal@corelens.io
Privacy / DPA questions: privacy@corelens.io
Version 2.1 — June 2026 (English convenience translation of the French original). The French version at corelens.io/security/cgu is the sole legally binding text.