Privacy Policy
How Policytab collects, uses, and protects your information.
Last updated: 22 June 2026
1. Data We Collect
We collect information you provide when you create an account or sign in with email and password, including your name, email address, and workspace membership.
We also collect usage data such as pages visited, features used, and diagnostic logs to maintain and improve the service.
Account data: When you authenticate with email and password, we store your display name, email address, and role within your MSP workspace. For MSP accounts we also store the list of customer tenants you manage.
Tenant configuration data: When you connect a customer tenant, we read Conditional Access policies, named locations, authentication methods, and user registration details from the Microsoft Graph API. This data is stored in a per-tenant isolated schema.
Usage and diagnostic data: We collect page views, feature usage events, browser type, operating system, IP address (truncated), and error logs. We use these to monitor service health and improve the product.
Cookies: We use strictly necessary cookies for session management and authentication on the product. The public marketing site may load Google Ads conversion measurement when we enable it for campaign attribution; that tag can set advertising cookies in your browser. The signed-in application does not load advertising tags.
2. How We Use Your Data
Your information is used to authenticate your identity, provision your workspace, deliver the Policytab service, and communicate important product updates.
We do not sell your personal data. We do not use your Conditional Access policy data for any purpose other than delivering the service to you.
Specifically, we process your data to: (a) authenticate and authorize access to the platform; (b) sync and analyse Conditional Access policies, MFA posture, and drift detection across your managed tenants; (c) generate alerts, audit logs, and compliance reports; (d) send transactional emails such as alert notifications, billing receipts, and security notices; (e) monitor, debug, and improve service reliability and performance.
We do not use your tenant security configuration data to train machine-learning models or build aggregate benchmarks, or for any purpose beyond providing the service to you.
3. Data Sharing & Third Parties
We share data only with infrastructure providers necessary to operate the service (hosting, database, authentication). All sub-processors are bound by data processing agreements.
Our current sub-processors are:
- Supabase, Inc. - Database hosting and authentication (data stored in AWS ca-central-1).
- Amazon Web Services, Inc. - Cloud infrastructure (ca-central-1).
- Vercel, Inc. - Application hosting, edge network, and serverless functions.
- Microsoft Corporation - Microsoft Graph API integration for reading Entra ID tenant data. Microsoft processes data according to your existing Microsoft agreement.
- Stripe, Inc. - Payment processing. We do not store card numbers; Stripe handles PCI-DSS compliance.
- SMTP2GO - Transactional email delivery (contact form, invites, and authentication emails).
We may disclose data if required by law, court order, or to protect the rights and safety of our users and the public. We will notify you of such requests where legally permitted.
4. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we remove personally identifiable information within 30 days, except where retention is required by law or legitimate audit obligations.
Active accounts:Account profile data and tenant configuration snapshots are retained for the duration of your subscription. Historical policy snapshots are retained for up to 12 months (365 days) to support drift detection and change rollback. Audit log and in-app alert history follow your plan's retention window: 30 days during the Pro trial and on Pro, and unlimited on Enterprise. Operational alert records may include sign-in IP addresses within that same window.
Deleted accounts: Upon account deletion or subscription cancellation, we delete personally identifiable information within 30 days. Anonymised, aggregated usage statistics may be retained indefinitely. Audit log entries required for compliance are retained for 90 days after deletion, then purged.
Backups: Encrypted database backups are retained for up to 30 days and then automatically destroyed.
5. Security
Sensitive credentials (such as Graph app secrets) are encrypted at rest. Other data relies on provider-default encryption for the hosting platform. Access is scoped to your workspace, and all administrative actions are audit-logged.
Additional security measures include: workspace-scoped tenant access so one workspace cannot read another customer's tenant data through Policytab; least-privilege backend access; automated vulnerability scanning of dependencies; and regular review of access logs.
If we become aware of a data breach that affects your personal data, we will notify you and any applicable supervisory authority within 72 hours as required by GDPR.
6. Your Rights
You may request access to, correction of, or deletion of your personal data at any time. For EU residents, this includes rights under GDPR such as data portability and the right to object to processing.
Specifically, you have the right to: (a) Access— request a copy of all personal data we hold about you; (b) Rectification— correct inaccurate or incomplete data; (c) Erasure— request deletion of your data (subject to legal retention requirements); (d) Portability— receive your data in a structured, machine-readable format; (e) Objection— object to processing based on legitimate interest; (f) Restriction— request we limit processing while a complaint is resolved.
To exercise any of these rights, email support@policytab.com. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with your local data protection authority.
7. International Transfers
Your data may be processed in the European Union, the United States, or other regions where our sub-processors operate. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the sub-processor's participation in a recognised adequacy framework, to ensure an adequate level of protection.
8. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
9. Contact
For privacy-related inquiries, reach us at support@policytab.com.