Contents
- Introduction & Who We Are
- What Personal Data We Collect
- How We Collect Your Data
- Lawful Basis for Processing
- How We Use Your Data
- Cookies & Tracking Technologies
- Data Sharing & Third Parties
- International Data Transfers
- Data Retention
- Your Rights Under UK GDPR
- How to Exercise Your Rights
- Data Security
- Children's Privacy
- Third-Party Links
- Changes to This Notice
- Contact & Complaints
1 Introduction & Who We Are
This Privacy Notice is provided by LogiSam Ltd ("LogiSam", "we", "us", or "our"), the company that operates the Copilot 365 brand and the website https://www.copilot-365.com. LogiSam Ltd is a company incorporated and registered in England and Wales, with its principal registered office in London, United Kingdom, and operational presences in Riyadh, Saudi Arabia, and Dubai, United Arab Emirates.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), LogiSam Ltd is the Data Controller in respect of the personal data described in this notice. This means we determine the purposes for which, and the manner in which, your personal data is processed.
This notice applies to:
- Visitors to our website at https://www.copilot-365.com and all sub-pages;
- Individuals who submit enquiries, book demonstrations, or request consultancy via our contact forms or chatbot;
- Customers and end-users of our SaaS products: Tenant Storage Optimiser (TSO), SafeScan, Copilot IQ, and NDMO Compliance Tracker;
- Individuals who register for, or attend, Microsoft Copilot training programmes or consultancy engagements delivered by LogiSam; and
- Contacts at organisations with whom we have a business relationship.
We are committed to processing your personal data lawfully, fairly, and transparently, and to upholding the data-protection rights afforded to you under UK GDPR. If you have any questions about this notice or how your data is handled, please contact us at privacy@copilot-365.com.
2 What Personal Data We Collect
The categories of personal data we collect depend on the nature of your interaction with us. Below we set out the categories of data collected across each service or touchpoint.
2.1 Website Visitors
When you visit our website, we automatically collect the following technical data through our analytics and infrastructure providers:
- IP address (truncated before storage by Google Analytics 4 where IP anonymisation is enabled);
- Browser type and version, operating system, and device type;
- Referring URL and the pages you visit on our website;
- Session duration, clicks, and scroll depth as captured by analytics scripts;
- Cookie identifiers — see Section 6 for a full description of our cookie practices.
This data is processed in aggregated or pseudonymous form to understand how visitors use our website and to improve content and user experience. We do not routinely attempt to identify individual visitors solely from website analytics data.
2.2 Contact Forms, Demo Requests & Chatbot Enquiries
When you voluntarily submit an enquiry, request a demonstration, or interact with our website chatbot, we collect:
- Full name;
- Work email address;
- Organisation / company name;
- Job title or role (where provided);
- Country or region;
- Phone number (where provided); and
- The content of your message or enquiry, including any attachments you share.
2.3 Training Bookings & Consultancy Engagements
When you or your organisation books a Microsoft Copilot training course or a consultancy engagement, we collect:
- Delegate names and work email addresses for registration and course materials;
- Billing and invoicing information (company name, address, purchase-order reference);
- Dietary requirements or accessibility needs if you attend an in-person session (processed as special-category data under Article 9 UK GDPR where applicable);
- Post-training survey responses and feedback (optional, anonymised on request).
2.4 SaaS Product Users — Account Data
When an organisation subscribes to any of our SaaS products (Tenant Storage Optimiser, SafeScan, Copilot IQ, or NDMO Compliance Tracker), we collect account-level personal data including:
- Administrative contact name and work email address;
- Organisation name and tenant identifier (Microsoft Azure Active Directory / Entra ID Tenant ID);
- Subscription start and end dates;
- Product usage logs (feature accessed, timestamp, error events) — these logs are associated with a pseudonymous user identifier, not a named individual in our product database.
2.5 Microsoft 365 Tenant Metadata Accessed by TSO, SafeScan, and Copilot IQ
Important: Our SaaS tools access your Microsoft 365 tenant data on a strictly read-only basis via the Microsoft Graph API, using OAuth 2.0 delegated or application permissions that your administrator explicitly grants. We do not copy, store, or retain any M365 tenant content on our own servers. All tenant metadata accessed during a product session is processed transiently in memory and is not persisted beyond that session.
The specific M365 metadata accessed by each product is as follows:
| Product | Data Read (Read-Only) | Purpose | Stored? |
|---|---|---|---|
| TSO (Tenant Storage Optimiser) | SharePoint site collections, OneDrive storage usage figures, mailbox size metadata, file count statistics, licence assignments | Identify over-allocated storage, surface optimisation recommendations | No — displayed in session only |
| SafeScan | Microsoft Secure Score components, conditional-access policy names & states, multi-factor authentication status flags, external-sharing settings, audit-log configuration status | Generate a read-only security posture report against M365 best-practice benchmarks | No — report rendered in session only |
| Copilot IQ | Microsoft Copilot licence assignments, Copilot usage analytics (feature-level aggregated counts), Teams activity summaries, adoption readiness signals | Produce a Copilot adoption dashboard and ROI analysis for the customer's tenant | No — dashboard rendered in session only |
For a full breakdown of every Microsoft Graph permission SafeScan requests, what each permission reads, what it never reads, and the controller/processor relationship, see the dedicated SafeScan Product Privacy Notice.
The NDMO Compliance Tracker operates differently: it stores compliance evidence documents and audit trails uploaded by the customer within a dedicated, encrypted storage container scoped to that customer's account. These documents may contain personal data depending on what the customer uploads; the customer is the Data Controller in respect of any such content, and LogiSam acts as a Data Processor in accordance with a Data Processing Agreement.
2.6 Business Contact Data
We may hold personal data about named contacts at prospective or existing client organisations, including name, job title, work email address, and work telephone number. This data is typically obtained from business cards, LinkedIn profiles, publicly available company websites, or introductions made at industry events.
3 How We Collect Your Data
We collect personal data through the following means:
- Directly from you: when you complete a contact form, request a demonstration, subscribe to a newsletter, register for training, or engage our consultancy services;
- Automatically via your browser: through cookies, web-beacon pixels, and server logs when you visit our website (see Section 6);
- Via OAuth 2.0 consent grant: when an authorised administrator in your organisation grants our SaaS product permission to access your Microsoft 365 tenant via the Microsoft Graph API;
- From third-party sources: we may receive business-card data or introductions from partners, event organisers, or via LinkedIn where you have a public business profile; and
- Through CRM synchronisation: when our sales or customer-success team logs interactions following a meeting, call, or email exchange.
4 Lawful Basis for Processing
UK GDPR requires that every processing activity has a valid lawful basis under Article 6. Where we process special-category data (such as accessibility or dietary information), we additionally rely on a condition under Article 9. The table below sets out our lawful bases by processing purpose:
| Processing Purpose | Lawful Basis (Art. 6) | Further Detail |
|---|---|---|
| Website analytics and performance monitoring | Legitimate interests (Art. 6(1)(f)) | We have a legitimate interest in understanding how our website performs and how visitors navigate it, to improve the service. This interest is not overridden by your rights because the data is pseudonymous and aggregate. |
| Responding to enquiries and demo requests | Legitimate interests (Art. 6(1)(f)) or pre-contractual steps (Art. 6(1)(b)) | You have actively reached out to us requesting a response; we have a legitimate interest in responding to business enquiries and taking steps at your request prior to entering a contract. |
| Delivering training courses and consultancy | Contract performance (Art. 6(1)(b)) | Processing is necessary to fulfil our contractual obligations to you or your organisation. |
| Providing and supporting SaaS products | Contract performance (Art. 6(1)(b)) | Processing is necessary to deliver, maintain, and support the subscribed service. |
| Marketing communications to existing customers | Legitimate interests (Art. 6(1)(f)) | Soft opt-in under PECR where you are an existing customer. You may opt out at any time via the unsubscribe link in each email or by emailing us. |
| Marketing communications to prospects (newsletter, events) | Consent (Art. 6(1)(a)) | We request explicit consent before adding a prospect to our marketing list. You may withdraw consent at any time. |
| Business contact management (CRM) | Legitimate interests (Art. 6(1)(f)) | We have a legitimate interest in maintaining accurate records of business contacts for the purpose of managing client and partner relationships. |
| Compliance with legal obligations (tax, invoicing, audit) | Legal obligation (Art. 6(1)(c)) | We are required to retain certain financial records under UK tax and company law. |
| Accessibility/dietary data for in-person training | Explicit consent (Art. 9(2)(a)) | We request explicit consent and use this data solely to make necessary arrangements for your attendance. Data is deleted after the event. |
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to balance our interests against your rights and freedoms. You have the right to object to processing carried out on this basis — see Section 10.
5 How We Use Your Data
We use the personal data we collect for the following purposes:
- To operate and improve our website: monitoring performance, diagnosing technical issues, and optimising content, page layout, and navigation based on aggregated analytics insights;
- To respond to your enquiries and demonstrate our products: routing your contact-form submission to the appropriate team member and following up in a timely manner;
- To deliver SaaS products: authenticating your account, providing access to the Tenant Storage Optimiser, SafeScan, Copilot IQ, or NDMO Compliance Tracker, processing support tickets, and communicating service updates;
- To deliver training and consultancy: sending joining instructions, course materials, invoices, and post-event feedback surveys; managing delegate records; and issuing CPD certificates where applicable;
- For sales and marketing: sending relevant product updates, case studies, event invitations, and thought-leadership content to individuals who have consented or who are existing customers of ours (subject to your opt-out rights);
- For invoicing and financial administration: issuing invoices, processing payments (via our payment processor), and maintaining accounting records as required by law;
- To comply with legal and regulatory obligations: responding to lawful requests from regulators, law-enforcement bodies, or courts; and retaining records required by company law, tax law, or applicable sector regulations;
- To protect our legitimate business interests: detecting and preventing fraud, misuse of our services, or security incidents; and
- To personalise your experience: using analytics data to tailor the content and products we surface to visitors based on inferred interests (e.g., sector focus), subject to cookie consent choices.
We will not use your personal data for purposes incompatible with those stated in this notice without providing you with a further notice and, where required, obtaining your consent.
6 Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device by a web server. Cookies allow us to remember your preferences, understand how you use our site, and deliver relevant content.
6.1 Categories of Cookies We Use
| Category | Purpose | Example | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Essential for the website to function — session management, security tokens, cookie consent preferences | Session ID, consent-state cookie | No (necessary) |
| Analytics & Performance | Understand how visitors interact with the site; aggregate traffic data; identify pages with high bounce rates | _ga, _ga_J67FS1ETQ7 (Google Analytics 4) | Yes |
| Functional | Remember your preferences such as region or language to personalise your visit | Region preference cookie | Yes |
| Marketing / Targeting | Deliver relevant advertising and re-targeting across third-party platforms | LinkedIn Insight Tag (where active) | Yes |
6.2 Google Analytics 4
We use Google Analytics 4 (GA4) to collect website analytics data. GA4 uses cookies (primarily _ga and property-specific identifiers) to distinguish unique users and sessions. We have enabled IP anonymisation in GA4, meaning IP addresses are truncated within the EU/UK before storage. The data is processed by Google LLC under a data-processing agreement and is stored on Google's servers, primarily in the United States, under appropriate standard contractual clauses.
Google Analytics data is aggregated and does not allow us to identify individual visitors by name. You can opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-Out Browser Add-on.
6.3 Managing Your Cookie Preferences
On your first visit to our website, you will be presented with a cookie-consent banner that allows you to accept, reject, or customise non-essential cookies. You can change your preferences at any time by clicking the "Cookie Settings" link in the website footer.
You may also control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our website. For more information about managing cookies, visit www.aboutcookies.org.
7 Data Sharing & Third Parties
We do not sell, rent, or trade your personal data with third parties for their own marketing purposes. We share personal data with third parties only where necessary to deliver our services, comply with legal obligations, or protect our legitimate interests. The categories of recipients are set out below:
7.1 Cloud Infrastructure & Hosting
Our website and SaaS products are hosted on cloud infrastructure. We may use providers including Microsoft Azure for compute and storage, and content-delivery networks for website performance. These providers act as data processors on our behalf and are contractually bound to process data only on our documented instructions, maintain appropriate security measures, and assist us in meeting our data-subject rights obligations.
7.2 Microsoft (Graph API & M365)
When you grant our SaaS products permission to access your Microsoft 365 tenant, the data exchanged passes through Microsoft's Graph API infrastructure, which is governed by Microsoft's own Data Processing Agreement and privacy commitments. LogiSam does not retain any M365 tenant content or metadata beyond the active session — see Section 2.5 for full details.
7.3 CRM & Marketing Automation
We may use a Customer Relationship Management (CRM) platform to store and manage contact data and customer records. Where we do so, that provider acts as a data processor under a data-processing agreement. Personal data held in our CRM includes contact details, interaction history, and deal-stage information for active client and prospect relationships.
7.4 Email & Communication Services
Transactional emails (such as invoice delivery, training joining instructions, and support responses) are sent via email service providers. These providers process sender and recipient email addresses as necessary for delivery. We have data-processing agreements in place with all such providers.
7.5 Analytics Providers
As described in Section 6, we use Google Analytics 4. Google LLC processes website analytics data on our behalf under Google's standard Terms of Service and Data Processing Amendment. Where applicable, data is transferred to the United States under standard contractual clauses.
7.6 Payment Processors
Where payments are processed online, we use a PCI-DSS-compliant payment processor. We do not store full payment-card details on our own systems. The processor handles payment-card data in accordance with its own privacy notice and applicable card-scheme rules.
7.7 Professional Advisers & Regulators
We may share personal data with our legal advisers, accountants, auditors, or insurers where necessary for the purposes of obtaining professional advice or managing legal disputes. We will also disclose personal data to regulators, law-enforcement bodies, or courts where required to do so by law or a binding court order.
7.8 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our business, personal data we hold may be transferred to the relevant third party as part of that transaction. We will notify you of any such transfer in accordance with applicable data-protection law.
8 International Data Transfers
LogiSam Ltd is headquartered in the United Kingdom, and the UK is our primary place of data processing. However, given the global nature of our operations and the cloud-based services we use, personal data may be transferred to, or accessed from, countries outside the UK or European Economic Area (EEA), including:
- Saudi Arabia (KSA): Our Riyadh office team may access customer account data and CRM records in the course of delivering services to clients in the GCC region. Saudi Arabia does not currently have a UK adequacy decision; transfers to our Saudi operations are therefore governed by International Data Transfer Agreements (IDTAs) — the UK equivalent of standard contractual clauses — incorporated into internal data-sharing arrangements between LogiSam Ltd and our regional operations.
- United Arab Emirates: Our Dubai office team similarly accesses personal data held in our central systems. The UAE does not currently benefit from a UK adequacy decision; transfers are governed by IDTAs as above.
- United States: Google Analytics 4 data is processed by Google LLC, which participates in the UK–US data bridge framework (an adequacy decision made by the UK Secretary of State under DPA 2018, Section 17A). Where the data bridge is relied upon, we verify that the recipient is certified. Additionally, Microsoft Azure data-centre locations are configured to remain within the UK or EEA where technically feasible.
In all cases, we take steps to ensure that appropriate safeguards are in place before transferring personal data internationally, in compliance with Chapter V of UK GDPR. You may request a copy of the relevant transfer mechanism by contacting privacy@copilot-365.com.
9 Data Retention
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or to comply with legal, regulatory, or contractual obligations. Our standard retention periods are set out below:
| Data Category | Retention Period | Reason |
|---|---|---|
| Website analytics data (GA4 cookies, session logs) | 14 months (GA4 default retention setting) | Standard analytics retention; then anonymised or deleted automatically |
| Contact-form enquiries (not converted to client) | 3 years from last interaction | Legitimate interest in maintaining records of business enquiries; after which we delete or anonymise |
| Active client / contract records | Duration of contract + 7 years | Legal obligation to retain financial and contractual records under the Limitation Act 1980 and HMRC guidance |
| Training delegate records | 3 years from course completion | CPD certificate verification and dispute resolution |
| SaaS product usage logs | 12 months from log generation | Operational support, debugging, and security incident investigation |
| NDMO Compliance Tracker documents | Retention defined by the customer's own Data Retention Policy (as Data Controller); default: duration of subscription + 90 days | Customer-controlled; LogiSam deletes upon contract termination or customer instruction |
| Marketing consent records | Until consent withdrawn + 3 years (proof of consent) | Accountability obligation under UK GDPR Article 7(1) |
| Dietary / accessibility data (in-person training) | Deleted within 30 days after the event | Data minimisation — no further purpose after the event |
| M365 tenant metadata (TSO, SafeScan, Copilot IQ) | Not retained — processed in session only | Read-only API access; data not persisted on our servers |
When personal data is no longer required, we dispose of it securely using industry-standard methods (cryptographic deletion, secure overwrite, or physical destruction of storage media where applicable).
10 Your Rights Under UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights in respect of your personal data. These rights are not absolute and may be subject to limitations or exemptions in certain circumstances.
Right of Access
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed (a "Subject Access Request").
Right to Rectification
You have the right to have inaccurate personal data corrected, and to have incomplete data completed. We will respond to rectification requests without undue delay and in any event within one month.
Right to Erasure
You have the right to request the deletion of your personal data ("right to be forgotten") in certain circumstances — for example, where the data is no longer necessary for the purpose it was collected, or where you withdraw consent and there is no other lawful basis.
Right to Restriction
You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while you contest the accuracy of the data, or while we assess an objection you have raised.
Right to Data Portability
Where processing is based on your consent or contract performance and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object
You have the right to object at any time to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing your data for that purpose immediately and without exception.
Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You can withdraw consent by using the unsubscribe link in our emails or by contacting us directly.
We will respond to all valid rights requests within one calendar month of receipt. In complex cases, we may extend this to three months, in which case we will notify you and explain the reason for the extension. We will not charge a fee for dealing with your request unless it is manifestly unfounded or excessive.
11 How to Exercise Your Rights
To exercise any of the rights described in Section 10, or to raise a question about how we process your personal data, please contact our Privacy team:
- By email: privacy@copilot-365.com
- By post: Data Privacy, LogiSam Ltd, London, United Kingdom
To help us process your request efficiently, please include:
- Your full name;
- The email address associated with your account or enquiry;
- A clear description of the right you wish to exercise; and
- Any relevant context (e.g., the product or service you used).
We may need to verify your identity before processing certain requests (particularly Subject Access Requests) to ensure we do not disclose personal data to an unauthorised person. We will ask you to provide a reasonable form of identification. We will process your request as quickly as possible and in any event within the statutory one-month period.
If you are not satisfied with our response to your request, or if you believe we have not complied with our obligations under UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — see Section 16.
12 Data Security
We take the security of your personal data seriously. We have implemented appropriate technical and organisational security measures designed to protect personal data against accidental loss, unauthorised access, use, alteration, or disclosure. These measures include, but are not limited to:
- Encryption in transit: All data transmitted between your browser and our website, and between our systems and third-party service providers, is encrypted using TLS 1.2 or higher (HTTPS). We enforce HTTPS sitewide and use HSTS headers.
- Encryption at rest: Personal data stored in our databases and cloud storage is encrypted at rest using AES-256 or equivalent industry-standard encryption.
- Access controls: Access to personal data is restricted on a least-privilege basis. Employees and contractors are granted access only to the data they need to perform their job functions. All access is authenticated using strong passwords and multi-factor authentication (MFA).
- Penetration testing and vulnerability management: Our SaaS products and infrastructure are subject to regular security assessments. Critical vulnerabilities are remediated on a risk-prioritised basis.
- OAuth 2.0 for M365 access: Our SaaS products access Microsoft 365 tenant data using Microsoft's official OAuth 2.0 authorisation framework. Tokens are scoped to the minimum permissions required, are short-lived, and are never stored beyond the active session.
- Staff training: All LogiSam personnel who handle personal data receive data-protection training on joining and on an annual basis.
- Incident response: We maintain an incident-response procedure for data breaches. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, will notify affected individuals without undue delay.
However, no method of transmission over the internet, and no method of electronic storage, is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately at privacy@copilot-365.com.
13 Children's Privacy
Our website and SaaS products are designed for use by business professionals and are not intended for, and should not be used by, individuals under the age of 18 years. We do not knowingly collect personal data from children under the age of 18.
If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at privacy@copilot-365.com. If we become aware that we have inadvertently collected personal data from a child under 18, we will take prompt steps to delete that information from our systems.
14 Third-Party Links
Our website may contain links to third-party websites, resources, or services that are operated by organisations other than LogiSam Ltd. These third-party sites have their own privacy policies, and LogiSam is not responsible for the privacy practices or the content of those sites.
Third-party links on our website may include links to: Microsoft product pages and the Microsoft Trust Centre; our partners' websites (including logisam.com and impactera.ae); social-media platforms (LinkedIn, X/Twitter, GitHub); and publicly available Microsoft documentation. We encourage you to review the privacy notices of any third-party sites you visit before submitting any personal data to them.
The inclusion of a link to a third-party website on our site does not constitute an endorsement of that site, its content, or its privacy practices.
15 Changes to This Notice
We may update this Privacy Notice from time to time to reflect changes in our data-processing activities, new legal requirements, or improvements in our practices. When we make material changes to this notice, we will:
- Update the "Effective Date" at the top of this page;
- Publish the updated notice on our website at https://www.copilot-365.com/privacy.html; and
- Where required by law or where the change materially affects how we process your data, notify you by email or by a prominent notice on our website.
We encourage you to review this notice periodically to stay informed about how we protect your personal data. Your continued use of our website or services after the effective date of any changes constitutes your acknowledgement of the updated notice.
Previous versions of this Privacy Notice are available on request by contacting privacy@copilot-365.com.
16 Contact & Complaints
If you have any questions, concerns, or requests relating to this Privacy Notice or the way we handle your personal data, please contact us using the details below. We take all privacy-related enquiries seriously and will endeavour to respond promptly.
Contact Our Privacy Team
For any data-protection enquiries, Subject Access Requests, or rights-related matters:
Right to Lodge a Complaint
If you are not satisfied with our response to a data-protection concern, or if you believe that we are not processing your personal data in accordance with UK GDPR or the Data Protection Act 2018, you have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Website: https://ico.org.uk
- Telephone: 0303 123 1113 (UK)
- ICO helpdesk: https://ico.org.uk/make-a-complaint/
We would, however, appreciate the opportunity to address your concern before you approach the ICO, so please do contact us in the first instance.
This Privacy Notice was last reviewed and updated on 26 June 2026. It applies to all personal data processed by LogiSam Ltd in connection with the Copilot 365 brand and the website https://www.copilot-365.com.