Privacy Policy

Introduction

Impact Agent ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website (www.impactagent.app), use our Microsoft 365 agent, or interact with our services.

Please read this privacy policy carefully. By using Impact Agent, you consent to the practices described in this policy.

Company details: We will add our legal entity name, registered address, and company details here.

Roles and Responsibilities (UK/EU)

Depending on how you use Impact Agent, our role under data protection law may differ:

• Website visitors and individual sign-ups: We generally act as the data controller for information collected via our website and direct communications.
• Microsoft 365-connected service (organisation use): The customer organisation is typically the data controller, and we act as a data processor when processing Microsoft 365 content on the organisation's behalf, under our contractual terms and Data Processing Addendum (DPA) where applicable.

Information We Collect

Information You Provide Directly

When you sign up for our waitlist or create an account, we may collect:

• Contact information: name, email address, job title, company name
• Account information: login and profile details for your Impact Agent account
• Communications: messages you send us, feedback, and survey responses
• Billing information: subscription and payment details (processed by our payment provider)

Information Collected Through Microsoft 365 Integration

When you connect Impact Agent to your Microsoft 365 account, we may access information you authorise via Microsoft Graph, such as:

• Email data: messages and related metadata (e.g., sender/recipients, timestamps, subject)
• Calendar data: meeting titles, attendees, and meeting-related content you have access to
• Teams messages: chat/channel messages you participate in
• Document information: file metadata and content from SharePoint/OneDrive that you have access to

Important: What we store (and what we don't)

Impact Agent is designed to generate summaries and extracted insights for you.

• Transient processing: We may temporarily process message/document content to generate summaries and insights.
• Persistence: By default, we aim not to persist raw Microsoft 365 content (e.g., full email bodies or chat transcripts) in our own systems beyond what is required for transient processing.
• Operational exceptions: In limited cases, we may retain minimal fragments of content (for example, short snippets, identifiers, or diagnostics) where reasonably necessary for security, abuse prevention, debugging, reliability, or customer support. We restrict access and apply retention limits.

Your saved outputs: We store the summaries/insights you choose to save, and may write outputs to your Microsoft 365 storage (for example, your OneDrive/SharePoint app folder) depending on how the product is configured.

Information Collected Automatically (Website)

When you visit our website, we may collect:

• Device information: browser type, operating system, device identifiers
• Usage data: pages visited, time spent, click patterns
• Log data: IP address, access times, referring URLs
• Cookies and similar technologies: see "Cookies and Tracking Technologies" below

How We Use Your Information

We use information to:

• Provide our services: generate summaries, track accomplishments, and create manager-ready updates
• Operate and support the service: authentication, account management, customer support
• Improve reliability and performance: diagnose issues, monitor service health, enhance user experience
• Communicate with you: service notices, support replies, product updates
• Marketing (where permitted): newsletters and product updates (you can opt out)
• Security: detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations: meet regulatory requirements and respond to lawful requests

AI Processing and Model Providers

Impact Agent uses AI to help generate summaries, extract insights, and structure updates.

• Model provider: We use Azure OpenAI.
• Region: Processing is configured for a single region: UK South. We design our system so that prompts/content used for AI processing stay within this Azure region.
• Training: We do not allow providers to train on customer content.
• Human review: We do not routinely have humans review your Microsoft 365 content. Access is restricted and may occur only when necessary for support, security, or troubleshooting, and subject to access controls.

Automated decision-making

Impact Agent produces drafts and recommendations (summaries/insights). It is not intended to make decisions with legal or similarly significant effects about you.

How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

Service Providers (Subprocessors)

We use third parties to operate the service, such as:

• Cloud hosting: Microsoft Azure (UK South region)
• Email delivery: SendGrid/Twilio (if used for transactional email)
• Customer relationship management: HubSpot (if used for sales/support workflows)
• Payment processing: Stripe
• Analytics: analytics tools (configured to minimise data collection)

These providers are contractually required to protect your information and use it only to provide services to us.

Legal Requirements

We may disclose information if required by law, court order, or government request, or if necessary to protect rights, safety, and security.

Business Transfers

If Impact Agent is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will notify you where required.

Information About Other People (Third-Party Data)

When processing Microsoft 365 content, we may process personal data relating to other people (for example, email senders/recipients, meeting attendees, or chat participants) because their information appears in the content you have access to. We process this information only as needed to provide the service (for example, to generate summaries and identify recognition, decisions, and outcomes).

Data Retention

We keep information only as long as necessary for the purposes described in this policy, unless a longer period is required by law.

• Waitlist data: retained until you unsubscribe or request deletion.
• Account data: retained for the duration of your account, and then up to 36 months after account closure, unless we must keep it longer for legal, security, or dispute-resolution purposes.
• Website/usage analytics: retained for up to 36 months, then deleted or aggregated/anonymised where feasible.
• Customer support records: retained as needed to resolve issues and meet legal obligations.
• User-generated outputs (summaries/insights): retained according to your settings and where the data is stored (for example, in your Microsoft 365 storage).

You may request deletion of your data (see "Your Rights" below).

Data Security

We implement appropriate technical and organisational measures to protect information, including:

• Encryption in transit (TLS) and encryption at rest where supported
• Access controls, least-privilege permissions, and authentication requirements
• Monitoring and logging for security and reliability
• Security reviews and operational safeguards
• Staff training on data protection and security

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Your Rights

Depending on your location, you may have the following rights:

UK and EU Residents (GDPR/UK GDPR)

• Access: request a copy of your personal data
• Rectification: correct inaccurate data
• Erasure: request deletion ("right to be forgotten")
• Restriction: limit processing in certain circumstances
• Portability: receive your data in a portable format
• Objection: object to processing based on legitimate interests
• Withdraw consent: withdraw consent at any time (where processing is based on consent)

California Residents (CCPA/CPRA)

• Know: request information about collection and disclosure
• Delete: request deletion of personal information
• Correct: request correction of inaccurate personal information
• Opt-out: opt out of sale/share (we do not sell personal information; if we use certain advertising tools, "share" may apply—see Cookies section)
• Non-discrimination: you won't be discriminated against for exercising rights

To exercise rights, contact: privacy@impactagent.app.

Cookies and Tracking Technologies

We use cookies and similar technologies for:

• Essential cookies: required for core website functionality
• Analytics cookies: to understand site usage and improve performance
• Marketing cookies (if enabled): used to measure campaigns or deliver relevant ads only where permitted and with consent

You can control cookies through browser settings and (where available) our cookie preference controls. Disabling some cookies may affect site functionality.

Microsoft 365 Access, Permissions, and Revocation

Impact Agent only accesses Microsoft 365 data according to the permissions you (or your organisation) grant.

You can revoke access by:

• Disconnecting the Microsoft 365 integration within Impact Agent (where available), and/or
• Removing the application's permissions in Microsoft Entra ID / your Microsoft account consent settings (organisation policies may apply).

International Data Transfers

Your information may be processed in countries outside your country of residence. Where we transfer personal data internationally, we use appropriate safeguards such as:

• Standard Contractual Clauses (SCCs)
• Data processing agreements with service providers
• Additional safeguards where required under UK/EU data protection law

Children's Privacy

Impact Agent is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will notify you by:

• Posting the updated policy on our website
• Email notification (for registered users, where appropriate)
• A notice in the application

The "Last updated" date at the top indicates when this policy was last revised.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact:

Email: privacy@impactagent.app

Address: [Your business address]

Data Protection Officer: [If applicable]

If you are in the UK and have concerns, you may contact the Information Commissioner's Office (ICO).

Legal Basis for Processing (UK/EU)

We process personal data under these legal bases: