Privacy Notice

This notice explains what personal data Copilot 365 (operated by LogiSam Ltd) collects, why we collect it, how we use it, and the rights you have under UK GDPR and applicable data-protection law.

Effective: 26 June 2026 · Controller: LogiSam Ltd · UK GDPR Compliant · copilot-365.com

At a Glance — Key Facts

Data Controller: LogiSam Ltd, registered in England & Wales
Privacy Contact:
Primary Lawful Bases: Legitimate interests, Contract performance, Consent
Typical Retention: Contact data: 3 years · SaaS logs: 12 months · Legal: 7 years
M365 Tenant Data: Read-only metadata access; never stored on our servers
Supervisory Authority: Information Commissioner's Office (ICO) — ico.org.uk

 Contents

  1. Introduction & Who We Are
  2. What Personal Data We Collect
  3. How We Collect Your Data
  4. Lawful Basis for Processing
  5. How We Use Your Data
  6. Cookies & Tracking Technologies
  7. Data Sharing & Third Parties
  8. International Data Transfers
  9. Data Retention
  10. Your Rights Under UK GDPR
  11. How to Exercise Your Rights
  12. Data Security
  13. Children's Privacy
  14. Third-Party Links
  15. Changes to This Notice
  16. Contact & Complaints

1 Introduction & Who We Are

This Privacy Notice is provided by LogiSam Ltd ("LogiSam", "we", "us", or "our"), the company that operates the Copilot 365 brand and the website https://www.copilot-365.com. LogiSam Ltd is a company incorporated and registered in England and Wales, with its principal registered office in London, United Kingdom, and operational presences in Riyadh, Saudi Arabia, and Dubai, United Arab Emirates.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), LogiSam Ltd is the Data Controller in respect of the personal data described in this notice. This means we determine the purposes for which, and the manner in which, your personal data is processed.

This notice applies to:

We are committed to processing your personal data lawfully, fairly, and transparently, and to upholding the data-protection rights afforded to you under UK GDPR. If you have any questions about this notice or how your data is handled, please contact us at privacy@copilot-365.com.

2 What Personal Data We Collect

The categories of personal data we collect depend on the nature of your interaction with us. Below we set out the categories of data collected across each service or touchpoint.

2.1 Website Visitors

When you visit our website, we automatically collect the following technical data through our analytics and infrastructure providers:

This data is processed in aggregated or pseudonymous form to understand how visitors use our website and to improve content and user experience. We do not routinely attempt to identify individual visitors solely from website analytics data.

2.2 Contact Forms, Demo Requests & Chatbot Enquiries

When you voluntarily submit an enquiry, request a demonstration, or interact with our website chatbot, we collect:

2.3 Training Bookings & Consultancy Engagements

When you or your organisation books a Microsoft Copilot training course or a consultancy engagement, we collect:

2.4 SaaS Product Users — Account Data

When an organisation subscribes to any of our SaaS products (Tenant Storage Optimiser, SafeScan, Copilot IQ, or NDMO Compliance Tracker), we collect account-level personal data including:

2.5 Microsoft 365 Tenant Metadata Accessed by TSO, SafeScan, and Copilot IQ

Important: Our SaaS tools access your Microsoft 365 tenant data on a strictly read-only basis via the Microsoft Graph API, using OAuth 2.0 delegated or application permissions that your administrator explicitly grants. We do not copy, store, or retain any M365 tenant content on our own servers. All tenant metadata accessed during a product session is processed transiently in memory and is not persisted beyond that session.

The specific M365 metadata accessed by each product is as follows:

Product | Data Read (Read-Only) | Purpose | Stored?
TSO (Tenant Storage Optimiser) | SharePoint site collections, OneDrive storage usage figures, mailbox size metadata, file count statistics, licence assignments | Identify over-allocated storage, surface optimisation recommendations | No — displayed in session only
SafeScan | Microsoft Secure Score components, conditional-access policy names & states, multi-factor authentication status flags, external-sharing settings, audit-log configuration status | Generate a read-only security posture report against M365 best-practice benchmarks | No — report rendered in session only
Copilot IQ | Microsoft Copilot licence assignments, Copilot usage analytics (feature-level aggregated counts), Teams activity summaries, adoption readiness signals | Produce a Copilot adoption dashboard and ROI analysis for the customer's tenant | No — dashboard rendered in session only

For a full breakdown of every Microsoft Graph permission SafeScan requests, what each permission reads, what it never reads, and the controller/processor relationship, see the dedicated SafeScan Product Privacy Notice.

The NDMO Compliance Tracker operates differently: it stores compliance evidence documents and audit trails uploaded by the customer within a dedicated, encrypted storage container scoped to that customer's account. These documents may contain personal data depending on what the customer uploads; the customer is the Data Controller in respect of any such content, and LogiSam acts as a Data Processor in accordance with a Data Processing Agreement.

2.6 Business Contact Data

We may hold personal data about named contacts at prospective or existing client organisations, including name, job title, work email address, and work telephone number. This data is typically obtained from business cards, LinkedIn profiles, publicly available company websites, or introductions made at industry events.

3 How We Collect Your Data

We collect personal data through the following means:

4 Lawful Basis for Processing

UK GDPR requires that every processing activity has a valid lawful basis under Article 6. Where we process special-category data (such as accessibility or dietary information), we additionally rely on a condition under Article 9. The table below sets out our lawful bases by processing purpose:

Processing Purpose | Lawful Basis (Art. 6) | Further Detail
Website analytics and performance monitoring | Legitimate interests (Art. 6(1)(f)) | We have a legitimate interest in understanding how our website performs and how visitors navigate it, to improve the service. This interest is not overridden by your rights because the data is pseudonymous and aggregate.
Responding to enquiries and demo requests | Legitimate interests (Art. 6(1)(f)) or pre-contractual steps (Art. 6(1)(b)) | You have actively reached out to us requesting a response; we have a legitimate interest in responding to business enquiries and taking steps at your request prior to entering a contract.
Delivering training courses and consultancy | Contract performance (Art. 6(1)(b)) | Processing is necessary to fulfil our contractual obligations to you or your organisation.
Providing and supporting SaaS products | Contract performance (Art. 6(1)(b)) | Processing is necessary to deliver, maintain, and support the subscribed service.
Marketing communications to existing customers | Legitimate interests (Art. 6(1)(f)) | Soft opt-in under PECR where you are an existing customer. You may opt out at any time via the unsubscribe link in each email or by emailing us.
Marketing communications to prospects (newsletter, events) | Consent (Art. 6(1)(a)) | We request explicit consent before adding a prospect to our marketing list. You may withdraw consent at any time.
Business contact management (CRM) | Legitimate interests (Art. 6(1)(f)) | We have a legitimate interest in maintaining accurate records of business contacts for the purpose of managing client and partner relationships.
Compliance with legal obligations (tax, invoicing, audit) | Legal obligation (Art. 6(1)(c)) | We are required to retain certain financial records under UK tax and company law.
Accessibility/dietary data for in-person training | Explicit consent (Art. 9(2)(a)) | We request explicit consent and use this data solely to make necessary arrangements for your attendance. Data is deleted after the event.

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to balance our interests against your rights and freedoms. You have the right to object to processing carried out on this basis — see Section 10.

5 How We Use Your Data

We use the personal data we collect for the following purposes:

We will not use your personal data for purposes incompatible with those stated in this notice without providing you with a further notice and, where required, obtaining your consent.

6 Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device by a web server. Cookies allow us to remember your preferences, understand how you use our site, and deliver relevant content.

6.1 Categories of Cookies We Use

Category | Purpose | Example | Consent Required?
Strictly Necessary | Essential for the website to function — session management, security tokens, cookie consent preferences | Session ID, consent-state cookie | No (necessary)
Analytics & Performance | Understand how visitors interact with the site; aggregate traffic data; identify pages with high bounce rates | _ga, _ga_J67FS1ETQ7 (Google Analytics 4) | Yes
Functional | Remember your preferences such as region or language to personalise your visit | Region preference cookie | Yes
Marketing / Targeting | Deliver relevant advertising and re-targeting across third-party platforms | LinkedIn Insight Tag (where active) | Yes

6.2 Google Analytics 4

We use Google Analytics 4 (GA4) to collect website analytics data. GA4 uses cookies (primarily _ga and property-specific identifiers) to distinguish unique users and sessions. We have enabled IP anonymisation in GA4, meaning IP addresses are truncated within the EU/UK before storage. The data is processed by Google LLC under a data-processing agreement and is stored on Google's servers, primarily in the United States, under appropriate standard contractual clauses.

Google Analytics data is aggregated and does not allow us to identify individual visitors by name. You can opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-Out Browser Add-on.

6.3 Managing Your Cookie Preferences

On your first visit to our website, you will be presented with a cookie-consent banner that allows you to accept, reject, or customise non-essential cookies. You can change your preferences at any time by clicking the "Cookie Settings" link in the website footer.

You may also control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our website. For more information about managing cookies, visit www.aboutcookies.org.

7 Data Sharing & Third Parties

We do not sell, rent, or trade your personal data with third parties for their own marketing purposes. We share personal data with third parties only where necessary to deliver our services, comply with legal obligations, or protect our legitimate interests. The categories of recipients are set out below:

7.1 Cloud Infrastructure & Hosting

Our website and SaaS products are hosted on cloud infrastructure. We may use providers including Microsoft Azure for compute and storage, and content-delivery networks for website performance. These providers act as data processors on our behalf and are contractually bound to process data only on our documented instructions, maintain appropriate security measures, and assist us in meeting our data-subject rights obligations.

7.2 Microsoft (Graph API & M365)

When you grant our SaaS products permission to access your Microsoft 365 tenant, the data exchanged passes through Microsoft's Graph API infrastructure, which is governed by Microsoft's own Data Processing Agreement and privacy commitments. LogiSam does not retain any M365 tenant content or metadata beyond the active session — see Section 2.5 for full details.

7.3 CRM & Marketing Automation

We may use a Customer Relationship Management (CRM) platform to store and manage contact data and customer records. Where we do so, that provider acts as a data processor under a data-processing agreement. Personal data held in our CRM includes contact details, interaction history, and deal-stage information for active client and prospect relationships.

7.4 Email & Communication Services

Transactional emails (such as invoice delivery, training joining instructions, and support responses) are sent via email service providers. These providers process sender and recipient email addresses as necessary for delivery. We have data-processing agreements in place with all such providers.

7.5 Analytics Providers

As described in Section 6, we use Google Analytics 4. Google LLC processes website analytics data on our behalf under Google's standard Terms of Service and Data Processing Amendment. Where applicable, data is transferred to the United States under standard contractual clauses.

7.6 Payment Processors

Where payments are processed online, we use a PCI-DSS-compliant payment processor. We do not store full payment-card details on our own systems. The processor handles payment-card data in accordance with its own privacy notice and applicable card-scheme rules.

7.7 Professional Advisers & Regulators

We may share personal data with our legal advisers, accountants, auditors, or insurers where necessary for the purposes of obtaining professional advice or managing legal disputes. We will also disclose personal data to regulators, law-enforcement bodies, or courts where required to do so by law or a binding court order.

7.8 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our business, personal data we hold may be transferred to the relevant third party as part of that transaction. We will notify you of any such transfer in accordance with applicable data-protection law.

8 International Data Transfers

LogiSam Ltd is headquartered in the United Kingdom, and the UK is our primary place of data processing. However, given the global nature of our operations and the cloud-based services we use, personal data may be transferred to, or accessed from, countries outside the UK or European Economic Area (EEA), including:

In all cases, we take steps to ensure that appropriate safeguards are in place before transferring personal data internationally, in compliance with Chapter V of UK GDPR. You may request a copy of the relevant transfer mechanism by contacting privacy@copilot-365.com.

9 Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or to comply with legal, regulatory, or contractual obligations. Our standard retention periods are set out below:

Data Category | Retention Period | Reason
Website analytics data (GA4 cookies, session logs) | 14 months (GA4 default retention setting) | Standard analytics retention; then anonymised or deleted automatically
Contact-form enquiries (not converted to client) | 3 years from last interaction | Legitimate interest in maintaining records of business enquiries; after which we delete or anonymise
Active client / contract records | Duration of contract + 7 years | Legal obligation to retain financial and contractual records under the Limitation Act 1980 and HMRC guidance
Training delegate records | 3 years from course completion | CPD certificate verification and dispute resolution
SaaS product usage logs | 12 months from log generation | Operational support, debugging, and security incident investigation
NDMO Compliance Tracker documents | Retention defined by the customer's own Data Retention Policy (as Data Controller); default: duration of subscription + 90 days | Customer-controlled; LogiSam deletes upon contract termination or customer instruction
Marketing consent records | Until consent withdrawn + 3 years (proof of consent) | Accountability obligation under UK GDPR Article 7(1)
Dietary / accessibility data (in-person training) | Deleted within 30 days after the event | Data minimisation — no further purpose after the event
M365 tenant metadata (TSO, SafeScan, Copilot IQ) | Not retained — processed in session only | Read-only API access; data not persisted on our servers

When personal data is no longer required, we dispose of it securely using industry-standard methods (cryptographic deletion, secure overwrite, or physical destruction of storage media where applicable).

10 Your Rights Under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights in respect of your personal data. These rights are not absolute and may be subject to limitations or exemptions in certain circumstances.

Right of Access

You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed (a "Subject Access Request").

Email privacy@copilot-365.com

Right to Rectification

You have the right to have inaccurate personal data corrected, and to have incomplete data completed. We will respond to rectification requests without undue delay and in any event within one month.

Email privacy@copilot-365.com

Right to Erasure

You have the right to request the deletion of your personal data ("right to be forgotten") in certain circumstances — for example, where the data is no longer necessary for the purpose it was collected, or where you withdraw consent and there is no other lawful basis.

Email privacy@copilot-365.com

Right to Restriction

You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while you contest the accuracy of the data, or while we assess an objection you have raised.

Email privacy@copilot-365.com

Right to Data Portability

Where processing is based on your consent or contract performance and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Email privacy@copilot-365.com

Right to Object

You have the right to object at any time to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing your data for that purpose immediately and without exception.

Email privacy@copilot-365.com

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You can withdraw consent by using the unsubscribe link in our emails or by contacting us directly.

Email privacy@copilot-365.com

We will respond to all valid rights requests within one calendar month of receipt. In complex cases, we may extend this to three months, in which case we will notify you and explain the reason for the extension. We will not charge a fee for dealing with your request unless it is manifestly unfounded or excessive.

11 How to Exercise Your Rights

To exercise any of the rights described in Section 10, or to raise a question about how we process your personal data, please contact our Privacy team:

To help us process your request efficiently, please include:

We may need to verify your identity before processing certain requests (particularly Subject Access Requests) to ensure we do not disclose personal data to an unauthorised person. We will ask you to provide a reasonable form of identification. We will process your request as quickly as possible and in any event within the statutory one-month period.

If you are not satisfied with our response to your request, or if you believe we have not complied with our obligations under UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — see Section 16.

12 Data Security

We take the security of your personal data seriously. We have implemented appropriate technical and organisational security measures designed to protect personal data against accidental loss, unauthorised access, use, alteration, or disclosure. These measures include, but are not limited to:

However, no method of transmission over the internet, and no method of electronic storage, is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately at privacy@copilot-365.com.

13 Children's Privacy

Our website and SaaS products are designed for use by business professionals and are not intended for, and should not be used by, individuals under the age of 18 years. We do not knowingly collect personal data from children under the age of 18.

If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at privacy@copilot-365.com. If we become aware that we have inadvertently collected personal data from a child under 18, we will take prompt steps to delete that information from our systems.

14 Third-Party Links

Our website may contain links to third-party websites, resources, or services that are operated by organisations other than LogiSam Ltd. These third-party sites have their own privacy policies, and LogiSam is not responsible for the privacy practices or the content of those sites.

Third-party links on our website may include links to: Microsoft product pages and the Microsoft Trust Centre; our partners' websites (including logisam.com and impactera.ae); social-media platforms (LinkedIn, X/Twitter, GitHub); and publicly available Microsoft documentation. We encourage you to review the privacy notices of any third-party sites you visit before submitting any personal data to them.

The inclusion of a link to a third-party website on our site does not constitute an endorsement of that site, its content, or its privacy practices.

15 Changes to This Notice

We may update this Privacy Notice from time to time to reflect changes in our data-processing activities, new legal requirements, or improvements in our practices. When we make material changes to this notice, we will:

We encourage you to review this notice periodically to stay informed about how we protect your personal data. Your continued use of our website or services after the effective date of any changes constitutes your acknowledgement of the updated notice.

Previous versions of this Privacy Notice are available on request by contacting privacy@copilot-365.com.

16 Contact & Complaints

If you have any questions, concerns, or requests relating to this Privacy Notice or the way we handle your personal data, please contact us using the details below. We take all privacy-related enquiries seriously and will endeavour to respond promptly.

Contact Our Privacy Team

For any data-protection enquiries, Subject Access Requests, or rights-related matters:

Right to Lodge a Complaint

If you are not satisfied with our response to a data-protection concern, or if you believe that we are not processing your personal data in accordance with UK GDPR or the Data Protection Act 2018, you have the right to lodge a complaint with the UK supervisory authority:

We would, however, appreciate the opportunity to address your concern before you approach the ICO, so please do contact us in the first instance.

This Privacy Notice was last reviewed and updated on 26 June 2026. It applies to all personal data processed by LogiSam Ltd in connection with the Copilot 365 brand and the website https://www.copilot-365.com.