
Privacy Policy

At Surveil, we provide business SaaS solutions for cloud optimization. We respect the privacy of our staff, clients, and visitors to our website(s) and applications.

This policy explains how we handle personal data in two distinct capacities:

  1. As a Data Processor – When accessing and processing your Microsoft 365 tenant data on your behalf (we have read-only access; you maintain the master data in your source tenant)
  2. As a Sub-Processor – When our sub-processors (e.g., Azure OpenAI) process data under our instructions

 

Your organization remains the Data Controller at all times. We process data solely according to your documented instructions and our contractual obligations under the EULA and Data Protection Agreement.

This policy covers how we collect information, what we do with it, and what controls you have over the information we collect.

We take our duty to process your personal data very seriously. This policy explains how we collect, manage, use, and protect your personal data.

We may change this policy from time to time to reflect the latest view of what we do with your information. Please check back frequently; you will be able to see if changes have been made by the date it was last updated.

 

Who Are We?

In this policy, references to Surveil, ITEXACT Limited, or to ‘we’ or ‘us’, are to ITEXACT Limited which is a company registered in England and Wales, at 2nd Floor, Woodside House, 261 Low Lane, Horsforth, Leeds, LS18 5NY, United Kingdom, Company No 6946307.

 

What Personal Data We Collect and How We Use It

Surveil are what is known as the ‘processor’ of the personal data you provide to us. We may collect basic personal data about you such as your name, postal address, telephone number or email address if you are purchasing a product, service, or event registration from us.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data may include first name, last name, city you work in, country you work in, company you work for, department you work for, your given name, your job title, office location, username or similar identifier, title.
  • Business Contact Data includes billing address, state, county, delivery address, email address and telephone numbers.
  • Financial Data includes bank account and payment details.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website or as may be configured within the Services. We use ZoomInfo and Google Analytics to gather insights on the IP addresses of those visiting the website, for the purposes of legitimate interest. No personally identifiable information is collected via ZoomInfo or Google Analytics, and only organizational domains are gathered.
  • Profile Data includes your username, purchases or orders made by you, preferences, feedback and survey responses.
  • Usage Data includes information about how you use the Services, including AI feature consumption metrics (token usage, prompt frequency, and feature interaction patterns).
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. Aggregated and de-identified data may be retained indefinitely for benchmarking, product improvement, and analytics purposes. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offenses without your specific consent under a separate agreement.

 

Microsoft 365 Integration Data

As a data processor, we access Microsoft 365 tenant data on your behalf to provide our services, including:

  • User identity attributes (email, display name, job title, department, location)
  • License cost, assignment and usage data
  • Consumption usage metrics for Microsoft 365 services
  • Security events and risk indicators
  • Billing and transaction data

We access this data in read-only mode. Your organization maintains the master data in your Microsoft 365 tenant and remains the Data Controller.

A complete list of all Microsoft 365 data fields we access and our processing purposes is documented in our End User License Agreement – Data Protection Schedule, Appendix 1.

 

AI and Machine Learning Processing

We use Azure OpenAI Service with Retrieval-Augmented Generation (RAG) architecture to power AI-enabled product features including the Cloud Assistant.

When you use AI features:

  • Your input data and generated outputs are processed through Azure OpenAI Service
  • Customer data is NOT used to train Microsoft’s or any third-party AI models
  • Processing occurs in Microsoft Azure data centers within the same region as your Surveil instance (EU or US)
  • All AI processing is subject to Microsoft Azure AI Services Terms

Token usage and consumption metrics are collected to support billing for consumption-based features. Detailed AI data handling terms are set out in our EULA Sections 3.11-3.15.

 

Why We Need It

We collect your personal data in connection with specific activities, such as campaign updates, newsletter requests, registration, product purchases, feedback, information you provide in public forums, at third party events or on our website(s) and social media.

The information is either needed to fulfil your request or to enable us to provide you with a more personalized service. You don’t have to disclose any of this information to browse our sites. However, if you choose to withhold requested information, we may not be able to provide you with certain services.

 

When Can We Use It

Any information collected by Surveil will only be processed lawfully in accordance with the UK GDPR, i.e. we will only process data based on:

  • the data subject giving explicit consent to Surveil;
  • it being necessary for the performance of a contract which the client has signed up to;
  • it being necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

 

Our Marketing

Sometimes, with your consent, we will process your personal data to provide you with information about our work or our activities that you have requested or are expecting.

On other occasions, we may process personal data when we need to do this to fulfil a contract (for example, if you have purchased a service from us) or where we are required to do this by law or other regulations.

Surveil also processes your data when it is in our legitimate interests to do this and when these interests do not override your rights. Please see the section on ‘Legitimate Interest’ for more information.

 

How We Obtain Your Details

We will also hold information about your details so that we can respect your preferences for being contacted by us.

We collect your personal information in several ways:

  • When you provide it to us directly;
  • When you provide permission to other organizations to share it with us (including social media platforms such as Facebook or Twitter);
  • When we collect it as you use our website;
  • When you have given it to a third-party and you have provided permission to pass your information on to us;
  • Through the use of marketing and analytics platforms as detailed in the “Marketing and Website Analytics Tools” section below;
  • From publicly available sources (where possible) to keep your information up to date.

We combine the information from these sources with the information you provide to us directly.

When providing permission for third-party organizations to share your data you should check their Privacy Policies carefully to understand fully how they will process your data.

 

Building Profiles of Contacts

The Company may make use of profiling and screening methods to produce relevant communications and provide a better experience for our contacts. Profiling can help us target our resources more effectively through gaining an insight into the background of our contacts and helping us to build relationships that are appropriate to their interests and requirements.

To do this we may use additional external sources of data to increase and enhance the information we hold about you. This may include obtaining details of changes of role, telephone numbers and other contact details, and consumption and demographic data generated through publicly available resources. It may include information from public registers and other publicly available sources such as Companies House, newspapers, and magazines.

If you do not wish your data to be used in any of the ways listed above or have questions about this, then please let us know, using the contact form on our ‘Contact Us’ page.

 

Marketing and Website Analytics Tools

We use the following third-party tools for marketing operations and website analytics. These tools process only website visitor information and our direct customer relationship data – they do NOT process customer product data from your Microsoft 365 tenant.

Current Providers:

  • HubSpot (USA) – CRM and marketing automation platform (migrating to, effective Q1 2025). Privacy Policy
  • ZoomInfo (USA) – Company domain identification from website visitor IP addresses. Only organizational data is collected; no personally identifiable information (PII). Consent can be withdrawn at any time. Privacy Policy
  • Microsoft Clarity (USA) – Website behavior analytics and session recording. Privacy Policy
  • Google Analytics – Aggregated website traffic insights. Only organizational domains are gathered; no PII is collected.

Legacy Systems (being phased out by December 2025):

  • Freshworks (USA/India) – CRM platform (ending December 2025)

We provide 30 days’ notice before adding new marketing or analytics vendors.

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

Performance of a contract with you: Where we need to fulfil the contract we are about to enter into or have entered into with you.

Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.

Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

We set out below in a table format, a summary of all the ways we will use personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register a new customer | (a) Identity (b) Contact | Performance of a contract with you |
| To process and deliver an order including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing & Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with a customer which will include: (a) Notifying customers about changes to our terms or privacy policy (b) Asking a customer to leave a review or take a survey | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To enable you to partake in a prize draw, competition or complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| To administer and protect our business and the Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To deliver relevant content and advertisements to customers and measure or understand the effectiveness of the advertising | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Services updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | Necessary for our legitimate interests (to develop our products/services and grow our business) |
| To process employment applications. | (a) Identity (b) Contact | Necessary for our legitimate interests (to develop our products/services and grow our business) |
| To provide software to customers, including the Surveil suite of software and SaaS; and professional and support services, including implementation and configuration. | (a) Identity (b) Contact (c) Technical (d) Usage (f) Technical | Performance of a contract with you. This is part of our Software value add features for the Customer |
| To fix problems with our products, including answering support questions and resolving disputes. | (a) Identity (b) Contact (c) Profile (d) Usage (f) Technical | Performance of a contract with you |

We only disclose information to third parties or individuals when obliged to by law, for purposes of national security, taxation and criminal investigations and the following:

  • If you have agreed that we may do so
  • When we use other companies to provide services on our behalf, e.g., processing, mailing or delivering orders, answering customers’ questions about products or services, sending mail and emails, customer analysis, assessment and profiling, when using auditors/advisors or processing credit/debit card payments
  • To our subsidiaries or partners
  • If we receive a complaint about any content you have posted or transmitted to or from one of our sites, to enforce or apply our End User License Agreements (EULA) or if we believe that we need to do so to protect and defend the rights, property or personal safety of Surveil, our websites and for other lawful purposes
  • If we merge with another organization to form a new entity, information may be transferred to the new entity.
  • We may disclose aggregate statistics about our site visitors, contacts, customers and sales to describe our services and operations to prospective partners, customers, advertisers and other reputable third parties and for other lawful purposes, but these statistics won’t include any personally identifying information.
  • If we run an event in partnership with other named organizations your details may need to be shared. We will be very clear what will happen to your data when you register.
  • If you have opted into training delivered by our accredited partner, Source Code Control (SCC) – you can view SCC’s privacy policy here

We will never sell or rent your personal information to other organizations.

 

Retaining Your Information

We hold your information for only as long as is necessary for each purpose we use it:

  • Customer Product Data – Retained for the duration of your contract plus 1 month. After this period, data is either returned to you or securely deleted according to your instructions (per EULA Clause 8 of the Data Protection Schedule).
  • Usage Analytics and Aggregated Data – Retained indefinitely in aggregated and de-identified form for benchmarking, product development, and service improvement purposes. No personal data can be isolated from this aggregated data.
  • Account and Financial Records – Retained for 7 years to comply with UK accounting, tax, and legal record-keeping requirements.
  • Marketing Consent and Communications – Retained until consent is withdrawn or for 3 years following your last interaction with our marketing communications, whichever comes first.
  • Website Analytics Data (ZoomInfo, Clarity, Google Analytics) – Organizational domain data is retained according to each vendor’s retention policies. Individual consent can be withdrawn at any time.

If you decide not to follow Surveil anymore or request that we have no further contact with you, we will keep some basic information in order to avoid sending you unwanted materials in the future and to ensure that we don’t accidentally duplicate information.

All the personal data we control is only processed by our staff; however, for the purposes of IT hosting and maintenance, your information may be situated outside of the UK and European Economic Area (EEA).

 

Sub-Processors and Data Hosting

We maintain a complete, current list of all sub-processors who may access customer data at our Trust Center: trust.surveil.co

Our primary sub-processors include:

  • Microsoft Azure (UK/EU/US regions) – Cloud hosting and AI services
  • Surveil Inc. (USA) – Affiliated service provider.
  • UAB Absolute Systems Lithuania (Lithuania) – Affiliated service provider

In accordance with our EULA (Clause 5.3), we provide customers with 14 days’ written notice before appointing any new sub-processor. Customers may object on reasonable grounds during this notice period.

Our internal policy prioritizes data storage within the UK or EEA. Where data is stored outside the EEA, we ensure GDPR compliance through approved transfer mechanisms including the US-UK Data Bridge and Standard Contractual Clauses.

 

International Data Transfers

When we transfer personal data outside the UK or European Economic Area (EEA), we use the following approved safeguard mechanisms:

  1. US-UK Data Bridge – The UK Extension to the EU-US Data Privacy Framework (Article 45 UK GDPR) enables transfers from the UK to certified US organizations without additional safeguards.
  2. UK International Data Transfer Agreement (IDTA) – Issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018.
  3. EU Standard Contractual Clauses (2021 version) – As published by the European Commission for transfers from the EEA.

All international transfers are documented and conducted in accordance with our EULA Data Protection Schedule (Section 10).

Transfers to Microsoft Azure are subject to Standard Contractual Clauses between Surveil and Microsoft Azure.

 

Security and Compliance

Surveil maintains industry-leading security and compliance certifications:

  • ISO 27001 – International standard for information security management systems
  • ISO 27701 – International standard for privacy information management systems
  • ISO 42001 – International standard for artificial intelligence management systems
  • SOC 2 Type II – Annual independent audit of security, availability, and confidentiality controls
  • Microsoft 365 App Certification – Verified compliance with Microsoft’s security, privacy, and compliance requirements

Our current security posture, including detailed compliance reports and penetration test summaries, is available at our Trust Center: trust.surveil.co

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit and at rest
  • Multi-factor authentication and role-based access controls
  • Regular security assessments and penetration testing
  • 24/7 security monitoring and incident response capabilities
  • Annual third-party vendor assessments

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

You have a number of rights under data protection laws in relation to your personal data.

  • Request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your right to object.
  • You also have the absolute right to object at any time to the processing of your personal data for direct marketing purposes.
  • Request the transfer of your personal data to you or to a third party. We will provide you, or a third party you have chosen, with your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided with consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios: If you want us to establish the data’s accuracy; Where our use of the data is unlawful but you do not want us to erase it; Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure you have the right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to talk through anything in our privacy policy, find out more about your rights or obtain a copy of the information we hold about you, please contact our team (details at the bottom of this page) who will be happy to help. If you wish to raise a complaint about how we have handled your personal data, you can contact our data protection officer who will investigate the matter. If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO.

Our data protection lead can be contacted at:

ITEXACT Limited trading as Surveil, St Martins House, Ockham Road South, East Horsley, KT24 6RX

Or via Email: privacy@surveil.co

Please note that emails may be monitored or recorded.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. This version was last updated on 6 October 2025.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

Remember, you can change the way you hear from us or withdraw your permission for us to process your personal data at any time by using the form on our Contact Us page or unsubscribing from email notifications.

Links to third-party vendor privacy policies are provided in the “Marketing and Website Analytics Tools” section above.

___

ITEXACT Limited trading as Surveil

Registered: 2nd Floor, Woodside House, 261 Low Lane, Horsforth, Leeds, LS18 5NY, UK

Operating: St Martins House, Ockham Road South, East Horsley, KT24 6RX, UK

Company No 6946307