Privacy Policy
Last Updated: 14 March 2026
1. Introduction
Govern.Cloud (“we,” “us,” “our,” or the “Company”) operates the Govern.Cloud platform (the “Service”), a cloud-based Microsoft 365 governance solution. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit our website at govern.cloud or use our Service.
We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as other applicable data protection laws including the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (GDPR) where applicable.
By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy.
2. About Us
Govern.Cloud is an Australian-based company. For the purposes of applicable data protection laws:
- Australian Privacy Act: We are the entity responsible for the handling of your personal information.
- GDPR/UK GDPR: Where we process personal data of individuals located in the European Economic Area (EEA) or the United Kingdom, we act as a data controller for account and billing data, and as a data processor for Customer Data (as defined below) processed on behalf of our customers.
Contact Details:
- Email: privacy@govern.cloud
- Website: https://govern.cloud
3. Information We Collect
3.1 Account Information
When you register for our Service, we collect:
- Identity information: Your name and email address, obtained via Microsoft Entra ID (Azure AD) single sign-on authentication.
- Organisation information: Your Microsoft 365 tenant identifier, organisation name, and domain.
- Role information: Your role or permissions within your organisation’s Govern.Cloud account.
3.2 Billing and Payment Information
When you subscribe to our Service, we collect:
- Billing contact details: Name and email address of the billing contact.
- Payment information: Payment processing is handled entirely by Stripe, Inc. We do not store or have access to your full credit card numbers. We receive only a summary of transaction status and the last four digits of your payment method for reference purposes.
3.3 Customer Data (Microsoft 365 Tenant Data)
To provide our governance Service, we access and process data from your Microsoft 365 environment via the Microsoft Graph API, including:
- Workspace metadata: Names, descriptions, creation dates, and settings of Microsoft Teams, SharePoint sites, and Microsoft 365 Groups.
- Membership data: Lists of workspace owners, members, and their roles.
- Guest user information: External/guest user identities, access permissions, and invitation status.
- Activity and usage data: Workspace activity metrics, last activity dates, and usage statistics including Microsoft 365 Copilot usage metrics where enabled.
- Governance metadata: Lifecycle states, policy compliance status, sensitivity labels, and classification data.
Important: We access this data solely to provide governance insights and management capabilities to your organisation’s administrators. We do not access the content of your documents, emails, chats, or files.
3.4 Usage Data
We automatically collect certain information about how you interact with our Service:
- Log data: IP address, browser type, pages visited, time and date of access, and referring URLs.
- Platform usage: Features used, actions taken within the dashboard, and interaction patterns.
3.5 Cookies and Similar Technologies
Our website and Service use essential cookies required for authentication and session management. Our marketing website (govern.cloud) also uses analytics cookies (Google Analytics 4) to help us understand how visitors interact with the site. Analytics cookies are only set after you provide consent via our cookie banner. You can change your preferences at any time using the “Cookie Preferences” link in the website footer. For full details, see Section 10.
4. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Information Used | Legal Basis (GDPR) |
|---|---|---|
| Providing and operating the Service | Account Information, Customer Data | Performance of contract |
| Authenticating users via Microsoft SSO | Identity information, Tenant ID | Performance of contract |
| Processing payments and billing | Billing Information | Performance of contract |
| Generating governance reports and insights | Customer Data, Usage Data | Performance of contract |
| Sending transactional communications (e.g., approval notifications, lifecycle alerts, invitation emails) | Account Information | Performance of contract |
| Maintaining security and preventing fraud | Account Information, Usage Data | Legitimate interests |
| Improving and developing the Service | Usage Data (aggregated) | Legitimate interests |
| Complying with legal obligations | All categories as required | Legal obligation |
| Responding to support requests | Account Information, Usage Data | Performance of contract / Legitimate interests |
We do not sell your personal information to third parties. We do not use your personal information for direct marketing purposes without your explicit consent.
5. How We Share Your Information
We share personal information only in the following circumstances:
5.1 Service Providers (Sub-processors)
Our current sub-processors:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database hosting | Account data, Customer Data | Sydney, Australia (primary) |
| Vercel, Inc. | Application hosting and serverless functions | Account data, session data | Sydney, Australia (primary) |
| Microsoft Corporation | Microsoft 365 integration (Graph API), authentication (Entra ID) | Customer Data, Identity data | As per Microsoft’s data residency commitments |
| Stripe, Inc. | Payment processing | Billing and payment data | United States (PCI DSS compliant) |
| Resend, Inc. | Transactional email delivery | Email addresses, notification content | United States |
| Inngest, Inc. | Background job processing | Job metadata, workspace identifiers | United States |
| Google LLC | Website analytics (Google Analytics 4) | IP address (anonymised), pages visited, interaction data | United States |
We will notify customers of any material changes to our sub-processor list.
5.2 Legal Requirements
We may disclose personal information if required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, personal information may be transferred as part of that transaction. We will notify affected customers before their personal information becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your information for other purposes with your explicit consent.
6. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected:
- Account information: Retained for the duration of your active subscription and for 30 days following account termination to allow for data export.
- Customer Data (M365 tenant data): Retained for the duration of your active subscription. Upon termination, Customer Data is deleted within 30 days unless a longer retention period is required by law or requested by you.
- Billing records: Retained for 7 years to comply with Australian tax and accounting obligations.
- Usage logs: Retained for up to 12 months for security and service improvement purposes, then aggregated or deleted.
- Transactional emails: Retained for up to 90 days by our email provider.
7. Data Security
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and our Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: Customer data stored in our databases is encrypted at rest.
- Access controls: Role-based access controls limit access to personal information to authorised personnel only.
- Database isolation: Each customer’s data is stored in a separate, isolated database (database-per-tenant architecture), preventing cross-tenant data access.
- Authentication security: We use Microsoft Entra ID for authentication and do not store passwords.
- Regular security assessments: We conduct periodic security reviews and vulnerability assessments.
- Secure development practices: We follow secure coding practices and conduct code reviews.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
8. International Data Transfers
Our primary data processing infrastructure is located in Sydney, Australia. However, some of our sub-processors operate in the United States and other jurisdictions. Where personal information is transferred outside of Australia, the EEA, or the United Kingdom, we ensure appropriate safeguards are in place, including:
- Transferring data to jurisdictions recognised as providing adequate data protection.
- Implementing contractual protections (such as Standard Contractual Clauses approved by the European Commission, where applicable).
- Ensuring our sub-processors maintain appropriate certifications and compliance frameworks.
9. Your Rights
9.1 Under the Australian Privacy Act
You have the right to:
- Access the personal information we hold about you.
- Request correction of any inaccurate or incomplete personal information.
- Complain to us or the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles.
9.2 Under the GDPR / UK GDPR (where applicable)
If you are located in the EEA or the United Kingdom, you additionally have the right to:
- Request erasure of your personal data (“right to be forgotten”).
- Restrict processing of your personal data.
- Data portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data protection authority.
9.3 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@govern.cloud. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may need to verify your identity before processing your request.
For Customer Data: As we process Customer Data on behalf of our customers (your organisation), requests relating to Customer Data within your Microsoft 365 environment should in the first instance be directed to your organisation’s administrator.
10. Cookies
Our Service and website use the following types of cookies:
Essential Cookies
Required for authentication, session management, and security. These cannot be disabled without affecting the functionality of the Service. Essential cookies are used on both the marketing website and the authenticated platform.
Analytics Cookies (Marketing Website Only)
Our marketing website at govern.cloud uses Google Analytics 4 (GA4) to help us understand how visitors interact with the site, including which pages are visited and how users navigate between them. GA4 sets the following cookies:
- _ga — Distinguishes unique visitors. Expires after 2 years.
- _ga_<container-id> — Maintains session state. Expires after 2 years.
Analytics cookies are only set after you provide explicit consent via our cookie banner, which appears on your first visit. We use c15t as our consent management tool, which implements Google Consent Mode v2 to ensure no analytics data is collected before consent is granted.
You can withdraw your consent at any time by clicking the “Cookie Preferences” link in the website footer.
We do not use advertising, remarketing, or third-party tracking cookies. We do not participate in any advertising networks.
Authenticated Platform
The authenticated Govern.Cloud platform (dashboard) uses essential cookies only. No analytics or tracking cookies are used within the platform.
11. Children’s Privacy
Our Service is designed for use by business organisations and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.
12. Third-Party Links
Our Service may contain links to third-party websites or services (such as Microsoft 365 admin centres). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
13. Data Processing Agreement
For customers who require a Data Processing Agreement (DPA) for compliance with GDPR, UK GDPR, or other data protection regulations, please contact us at privacy@govern.cloud. We can provide a DPA that details our obligations as a data processor, including sub-processor management, data breach notification procedures, and audit rights.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website with a revised “Last Updated” date.
- Sending an email notification to the primary contact on your account for material changes.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
15. Complaints
If you believe we have breached the Australian Privacy Principles or applicable data protection laws, you may lodge a complaint with us at privacy@govern.cloud. We will investigate and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with:
- Australia: The Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
- United Kingdom: The Information Commissioner’s Office (ICO) at www.ico.org.uk
- European Union: Your local data protection supervisory authority
16. Contact Us
- Email: privacy@govern.cloud
- Website: https://govern.cloud
This Privacy Policy is provided as a good faith effort to inform you about our data practices. It does not constitute legal advice. We recommend seeking independent legal advice for your specific circumstances.