Vamo is a recruiting platform. When you connect your Microsoft account, we use the Microsoft Graph API exclusively to send recruitment emails and track their delivery on your behalf. This page explains exactly what we access, what we don't, and how we comply with the Microsoft APIs Terms of Use and Microsoft's privacy requirements.
What we use Outlook for
Our use falls within Microsoft's permitted use cases for productivity and CRM applications, specifically recruiting outreach sent through your connected Outlook or Microsoft 365 account. We use Outlook access to:
- Send personalized recruitment emails to candidates on your behalf
- Help you compose and customize outreach templates with per-candidate variables
- Track delivery status of messages we sent, so you know when to follow up
- Read your mailbox timezone so scheduled emails arrive at the right local time
Permissions we request
We use delegated permissions only. The app acts as you, within the limits of what you've authorized, and never has tenant-wide access. We request only what's needed:
| Scope | Why we need it |
|---|---|
| Mail.Send | Send outreach emails on your behalf |
| Mail.ReadBasic | Read message envelopes (subject, date, read status) for delivery tracking. Does not include message body or attachments |
| MailboxSettings.Read | Read your timezone to schedule emails correctly |
| offline_access | Maintain sending capability for scheduled follow-up sequences without requiring you to re-authenticate |
We use Mail.ReadBasic rather than the broader Mail.Read. It exposes only message envelopes, not body content.
What we don't do
- Read or scan the body content of any existing messages in your inbox
- Store copies of email messages on our servers
- Use your Microsoft account data to train AI or ML models
- Share your Outlook data with advertisers, data brokers, or third parties
- Access your contacts, calendar, Teams messages, OneDrive, or any other Microsoft 365 service
- Use your data for advertising or behavioral profiling
- Store your Microsoft password. We use only OAuth 2.0 tokens issued by Microsoft.
Security
We apply the following protections to your Microsoft credentials and any data we handle:
- OAuth tokens are encrypted at rest using AES-256 and in transit over TLS 1.2+
- Only authorized Vamo systems may use your tokens. No individual has access to them.
- We retain only minimal metadata (message ID, sent timestamp) for sequence tracking. Message content is never stored.
- Tokens are invalidated and deleted immediately when you disconnect your account
Your controls
You can revoke Vamo's access to your Microsoft account at any time from your Microsoft Account app permissions page, or by disconnecting your account in Vamo's settings. Either action immediately invalidates all tokens we hold. Microsoft 365 administrators can also revoke access org-wide from the Entra admin center.
You can request deletion of all account data, including any stored Outlook metadata, by emailing privacy@vamo.xyz.
Questions
Reach us at support@vamo.xyz for general questions, privacy@vamo.xyz for privacy concerns, or legal@vamo.app for enterprise and M365 admin inquiries. This policy supplements our main Privacy Policy.