Privacy Policy

Who we are

Apps 365 Ltd is the data controller responsible for the personal data described in this policy.

If you have any question about this policy or about how we handle your personal data, please contact us using the details above and mark your message for the attention of our Data Protection contact.

Scope of this policy

It is important to distinguish two different things:

• This website (governpoint.com). When you visit our website or contact us through it, we act as a data controller for the limited personal data you provide. That activity is the main focus of this policy.
• The GovernPoint product. GovernPoint is a SharePoint Framework (SPFx) web part that runs inside your own Microsoft 365 tenant. It analyses SharePoint governance metadata using the signed-in user's own permissions. We do not host, receive or store the content of your SharePoint documents. Our role in relation to data processed by the product within your tenant is explained in section 10.

Personal data we collect

We only collect the personal data we need. Through this website that means:

We do not intentionally collect special category data (such as health, race or political opinions) through this website, and we ask that you do not include such information in free-text fields.

How and why we use it

We use personal data for the following purposes, each with a lawful basis under the UK GDPR:

• To respond to your enquiries and provide demos - lawful basis: our legitimate interests in dealing with enquiries about our products, and taking steps at your request prior to entering into a contract.
• To provide customer support - lawful basis: legitimate interests, and performance of our contract with your organisation where one is in place.
• To send service or relationship communications you have asked for - lawful basis: legitimate interests or, for any marketing email, your consent, which you can withdraw at any time.
• To operate, secure and improve our website and understand how it is used - lawful basis: legitimate interests, and your consent for non-essential cookies and analytics.
• To comply with legal and regulatory obligations and to establish, exercise or defend legal claims - lawful basis: legal obligation and legitimate interests.

Where we rely on legitimate interests, we have considered the impact on your rights and do not use your data in ways that override your interests. You can object to this processing (see section 11).

Cookies & similar technologies

Cookies are small files placed on your device. We use a small number of them:

• Strictly necessary cookies keep the site working and secure - for example a session cookie and the security token that protects our forms, and a cookie that remembers your light/dark theme choice. These do not require consent.
• Analytics and marketing technologies help us understand site usage and follow up on enquiries. Depending on configuration these may include Google Analytics, the HubSpot tracking script and the Calendly scheduling widget. These are not strictly necessary and, under the Privacy and Electronic Communications Regulations (PECR), are only used on the basis of your consent.

You can control or delete cookies through your browser settings, and you can opt out of Google Analytics using Google's browser add-on. Blocking strictly necessary cookies may stop parts of the site from working. The third parties named above are independent controllers of the data they collect through their own technologies; please see their own privacy notices for details.

Who we share data with

We do not sell your personal data. We share it only with trusted service providers ("processors") who act on our instructions, and with others where the law allows or requires it:

• Hosting and email providers who store our website data and deliver our messages.
• HubSpot - our customer relationship management and marketing platform.
• Calendly - our meeting-scheduling provider.
• Google - website analytics, where enabled.
• Microsoft - the platform on which the GovernPoint product and our customers' tenants run.
• Professional advisers, regulators and law enforcement where we are legally required to disclose information, and any party to whom we may transfer our business.

We put appropriate contracts in place with our processors as required by the UK GDPR.

International transfers

Some of our providers (such as HubSpot and Google) are based in, or store data in, the United States or other countries outside the UK. Where personal data is transferred outside the UK, we rely on a valid transfer mechanism - such as UK 'adequacy' regulations including the UK Extension to the EU-US Data Privacy Framework, or the International Data Transfer Agreement / Addendum together with appropriate safeguards - so that your data continues to be protected.

How long we keep data

We keep personal data only for as long as we need it for the purposes set out above:

• Enquiry and demo-request details are kept while we deal with your request and, where it leads to a business relationship, for the duration of that relationship.
• Support tickets are kept while the matter is open and for a reasonable period afterwards for quality and reference purposes.
• Where we have no ongoing relationship, we delete or anonymise contact details typically within 24 months of last contact, unless we are required to keep them longer.

How we protect data

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse. These include encryption of data in transit (HTTPS), access controls, security headers and a content-security policy, and limiting access to personal data to those who need it. No method of transmission over the internet is completely secure, but we work to protect your data and to respond promptly to any incident.

The product & your tenant

GovernPoint is deployed once as a SharePoint Framework (.sppkg) package via your SharePoint App Catalog and runs entirely within your Microsoft 365 environment. When it analyses your sites it uses the Microsoft Graph and SharePoint REST APIs as the signed-in user, reading governance metadata (such as permission, versioning, lifecycle and classification settings). It does not copy or transmit the content of your documents to us. Score history is written to a list inside your own tenant. As a result, for data handled by the product inside your tenant your organisation remains the data controller, and we do not act as a processor of your SharePoint content. Where we provide support and you choose to share information with us, we handle it as described in this policy.

Your rights

Under the UK GDPR you have the right to:

• be informed about how your data is used (this policy);
• access a copy of the personal data we hold about you;
• have inaccurate data corrected;
• have your data erased in certain circumstances;
• restrict or object to our processing, including processing based on legitimate interests and any direct marketing;
• data portability for data you provided to us, where applicable; and
• withdraw consent at any time where we rely on it, without affecting processing carried out beforehand.

To exercise any of these rights, email info@apps365ltd.com. We will respond within one month. There is normally no charge, and we may ask you to verify your identity.

How to complain

We hope to resolve any concern you raise with us directly. You also have the right to lodge a complaint with the UK's supervisory authority:

Changes to this policy

We may update this policy from time to time to reflect changes in our practices or the law. The "last updated" date at the top shows when it was most recently revised. Significant changes will be highlighted on this page.

Contact us

For any privacy question or request, contact us at info@apps365ltd.com or by post at Apps 365 Ltd, 20-22 Wenlock Road, London N1 7GU, United Kingdom.