Legal
Privacy Policy
Last updated: 25 May 2026 · Version 1.0
This Privacy Policy explains how SharePoint Forge( “we”, “us”, “our”) collects, uses, shares and protects personal data when you use our website (sharepointforge.co.uk) and customer portal. We are committed to handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
1. Who we are (the data controller)
For the purposes of UK GDPR, the data controller is:
- Greg Jennings trading as SharePoint Forge (United Kingdom) — sole trader
- Business address: 3 Derby Road, WN8 8BP
- ICO registration: PENDING
- Contact: privacy@sharepointforge.co.uk
2. What personal data we collect
We collect only what we need to operate the service:
- Account data:name, work email address, Microsoft Object ID (from Microsoft sign-in via Clerk), your organisation's verified business domain, your role in your organisation, and the time you last signed in.
- Purchase data: billing address, VAT identifier (if provided), Stripe customer reference, and records of invoices issued.
- Entitlement data: which packages you have purchased, when each was downloaded, your subscription status, and renewal dates.
- Support data: content of any support tickets you raise, plus any files attached to them.
- Security and audit data: IP addresses and browser user agents recorded against authentication events, package downloads, and ticket activity (used for fraud prevention and compliance accountability under Art. 5(2)).
- Analytics data (consent-based, pseudonymous): if you consent to analytics cookies, Microsoft Clarity collects pseudonymous session data — clicks, mouse movement, scroll behaviour and session replays — on our public marketing pages. Form inputs are obscured by strict input masking. We describe this as pseudonymous rather than anonymous because ICO guidance treats session-replay data as personal data. See our Cookie Policy for the full disclosure and our DPIA position.
- Deployment telemetry: SharePoint Forge packages installed in your Microsoft 365 tenant call back to our API when rendered. We record the Microsoft tenant ID, tenant hostname, package version, component identifier, SharePoint site and web identifiers (opaque GUIDs — never raw site URLs), the originating IP address, browser user agent, and the licence verdict we returned. Where the calling page exposes one we also record the user object ID (Microsoft Entra ID identifier for the signed-in user) so we can count unique users per tenant. The user object ID is stored as both the raw value and a salted SHA-256 hash.
We do not collect special category data (Art. 9 UK GDPR) and we do not knowingly collect data from children.
3. Why we collect it and our lawful basis
| Purpose | Personal data | Lawful basis (Art. 6) |
|---|---|---|
| Account creation and authentication | Name, email, Microsoft ID | Contract (Art. 6(1)(b)) |
| Processing your purchase | Billing data, Stripe reference | Contract (Art. 6(1)(b)) |
| Granting access to purchased packages | Entitlement, download history | Contract (Art. 6(1)(b)) |
| Sending transactional emails (purchase, billing, support) | Name, email | Contract (Art. 6(1)(b)) |
| Tax records and accounting compliance | Invoice data | Legal obligation (Art. 6(1)(c)) |
| Security monitoring and fraud prevention | IP, user agent, audit log | Legitimate interests (Art. 6(1)(f)) |
| Improving the marketing website | Anonymous Clarity sessions | Consent (Art. 6(1)(a)) |
| Verifying licence status for deployed packages and monitoring deployment health | Tenant ID, hostname, version, user object ID, IP, user agent | Contract (Art. 6(1)(b)) |
Legitimate interests assessment (LIA): we rely on legitimate interests for security monitoring. The interest is preventing fraud, unauthorised downloads and credential abuse. Processing is necessary because no less-intrusive method exists, and your privacy interests are protected by minimum retention and strict access controls. You can object to this processing under Art. 21 (see section 7).
Marketing email — we don't send any. Email to customers is strictly transactional (purchase confirmation, renewal reminders, support ticket replies, sub-processor change notices, billing failures). We do not operate a marketing list, newsletter or promotional email programme, and we will not add you to one without obtaining your express opt-in consent at the point of collection — in line with PECR reg.22. If we ever introduce one we will update this Policy and present an opt-in choice before sending.
4. Who we share it with (sub-processors)
We share personal data only with the service providers required to operate SharePoint Forge. Each is bound by a written Data Processing Agreement under Art. 28 UK GDPR. Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd / Stripe Inc. | Payment processing and billing portal | Ireland / United States |
| Clerk Inc. | User authentication and session management | United States |
| Supabase Inc. | Database and private file storage | European Union (eu-west-1, Ireland) |
| Resend (Plus Five Five, Inc.) | Transactional email delivery | United States |
| Vercel Inc. | Web hosting and content delivery | United States (edge: global) |
| Microsoft Corporation (Clarity) | Pseudonymous analytics + session replay on marketing pages only (strict input masking enabled) — never on /portal | United States |
We do not sell personal data, and we do not share it with advertising or marketing platforms.
5. International transfers
Several sub-processors above are based outside the UK. Transfers are made under appropriate safeguards as required by Art. 44–46 UK GDPR:
- UK Addendum to the EU Standard Contractual Clauses (UK SCCs / IDTA) with all US sub-processors, supplemented by transfer impact assessments where applicable.
- EU Standard Contractual Clauses (Module 2: Controller-to-Processor) as the underlying mechanism for EU/UK transfers to the US.
We will provide a copy of these safeguards on request to privacy@sharepointforge.co.uk.
6. How long we keep your data (retention)
We retain personal data only for as long as needed for the purpose for which it was collected, unless the law requires longer (Art. 5(1)(e)):
| Data category | Retention period | Reason |
|---|---|---|
| Active account + entitlements | For the duration of your subscription | Contract |
| Account data after closure | 12 months, then anonymised | Dispute resolution window |
| Invoices and billing records | 6 years from issue | HMRC / VAT record-keeping (legal obligation) |
| Support tickets | 24 months from last activity, or until you request earlier deletion | Service quality + dispute resolution |
| Authentication and audit log entries | 12 months | Security monitoring |
| Download events | 6 years (linked to invoices) | Refund / dispute evidence |
| Marketing analytics (Clarity) | Up to 90 days (Microsoft default) | Sub-processor retention policy |
| Deployment telemetry — raw events | 90 days | Operational diagnostics |
| Deployment telemetry — per-tenant aggregates (install date, version history, render counts) | For the duration of your subscription + 12 months | Customer support and licence dispute resolution |
| Backups | Purged within 35 days of primary deletion | Disaster recovery |
7. Your rights
Under UK GDPR you have the following rights:
- Access (Art. 15): request a copy of the personal data we hold about you.
- Rectification (Art. 16): correct any inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your data in certain circumstances.
- Restriction (Art. 18): limit how we process your data.
- Portability (Art. 20): receive data you provided to us in a structured, machine-readable format.
- Object (Art. 21): object to processing based on legitimate interests or to direct marketing (absolute right for direct marketing).
- Withdraw consent (Art. 7(3)): withdraw consent for analytics cookies at any time via the control.
- Automated decision-making (Art. 22): you have the right not to be subject to a decision based solely on automated processing where it produces legal effects or similarly significantly affects you, except where the decision is necessary for entering into or performance of a contract with us, authorised by law, or based on your explicit consent — and in those cases you retain the right to obtain human intervention, express your view, and contest the decision. See §7a below for the one automated decision we operate.
7a. Automated decisions we operate
We operate one solely-automated decision in the service: the SharePoint Forge package licence verdict. When a SharePoint Forge package is rendered inside your Microsoft 365 tenant it queries our licence API, which returns an automated verdict (active / past-due / cancelled / expired / unlicensed) based on the entitlement record for your tenant. The package uses that verdict to decide whether to render normally, render with a warning banner, or refuse to render.
| Item | Detail |
|---|---|
| Lawful basis | Art. 22(2)(a) — necessary for performance of a contract (your subscription) |
| Inputs | Microsoft tenant ID, package slug, current entitlement status from Stripe |
| Logic | Look up the entitlement; if status ∈ {active, trialling} and not past period end, verdict = active; otherwise the verdict reflects the underlying Stripe state |
| Effect on you | Whether the package you bought renders in your tenant. No legal effect on individuals; the verdict applies to the tenant, not to a person |
| Your rights | Obtain human review, contest the verdict, or correct underlying data — email privacy@sharepointforge.co.uk and we will respond within five (5) working days |
| Override path | Our support team can issue a manual override if the verdict is wrong (e.g. Stripe sync lag, tenant mis-linked). Documented in our internal support playbook |
We do not use profiling, scoring or personality assessment of any kind. No content of your support tickets, telemetry or portal activity feeds the verdict — only the subscription status does.
To exercise any right, email privacy@sharepointforge.co.uk. We will respond within one calendar month (Art. 12(3)), extendable by up to two further months for complex requests with notification within the first month. There is no charge unless your request is manifestly unfounded or excessive.
8. How we keep your data secure
We apply technical and organisational measures appropriate to the risk (Art. 32):
- Encryption in transit (HTTPS / TLS 1.2+) and at rest (database, file storage, backups)
- Authentication via Microsoft work accounts; personal-email domains blocked
- Package files served from a private storage bucket via short-lived signed URLs (90 seconds, single-use)
- Audit logging of authentication events, downloads, ticket activity and consent decisions
- Principle of least privilege on internal database access
- Webhook signature verification for incoming Stripe events
- Content-Security-Policy headers and CSRF origin checks on all state-changing endpoints
- Rate limiting on downloads, contact form, and ticket creation
9. Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours where required (Art. 33), and notify affected individuals without undue delay where the breach is likely to result in a high risk (Art. 34).
10. Cookies
Strictly-necessary cookies only by default; pseudonymous Microsoft Clarity analytics on marketing pages with your explicit consent. Full disclosure including providers, lifetimes and the Clarity session-replay DPIA position is in our Cookie Policy. You can change your preferences at any time using the control.
11. Right to lodge a complaint
If you are unhappy with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
12. Changes to this policy
We review this Privacy Policy at least annually and whenever our processing materially changes. Material changes will be notified by email to active customers and by a notice on this page. The “Last updated” date at the top reflects the most recent change.
13. Contact
For any privacy question: privacy@sharepointforge.co.uk. For general enquiries: contact form.
