Privacy Policy - SAR Portal

1. Introduction

SAR Portal ("we", "us", or "our") operates the SAR Portal platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Company Details:

Legal Name: SAR Portal (powered by Sekhon IT Consultants Ltd., Ireland)
Registered Address: 1 Beaufield Crescent, Maynooth, Co. Kildare, W23 D2H4, Republic of Ireland
Email: info@sarportal.com
Data Protection Officer: dpo@sarportal.com

2. Information We Collect

2.1 Information You Provide

Account Information: Name, email address, company name, phone number
Billing Information: Processed securely through Stripe (we do not store full payment card details)
Case Data: Information you upload related to DSAR cases you manage
Communications: Messages you send to our support team

2.2 Information Collected Automatically

Usage Data: IP address, browser type, pages visited, time spent
Cookies: Authentication tokens, preferences, analytics
Security Logs: Login attempts, API access, rate limiting events

3. How We Use Your Information

We process personal data only for the following purposes:

Service Delivery: Provide, maintain, and improve SAR Portal
Authentication: Secure access via Azure Entra External ID
Billing: Process subscriptions and send invoices
Communication: Send service updates, security alerts, and support responses
Legal Compliance: Comply with GDPR and other data protection laws
AI Features: Provide risk assessment and text assistance (all processing is confidential and not used for training)
Security: Detect fraud, prevent abuse, and protect our systems

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

Contract Performance: Providing the SAR Portal service
Consent: Where you have given explicit consent (e.g., marketing emails)
Legitimate Interests: Improving our service, security, fraud prevention
Legal Obligation: Compliance with tax, accounting, and data protection laws

5. Data Sharing and Disclosure

We do not sell your personal data. We share data only with:

5.1 Service Providers

Microsoft Azure Entra External ID (AzureAd): Authentication and identity management
Azure Cosmos DB (Cosmos): Database storage (AES-256 encryption at rest, Ireland region)
Azure Blob Storage (AzureBlob): Document storage (AES-256 encryption at rest, Ireland region)
Azure OpenAI Service (AzureOpenAI): AI-powered features including risk assessment and text assistance (your data is not used for model training, EU data centers)
Azure AI Document Intelligence (AzureDocumentIntelligence): PDF text extraction for redaction analysis (GDPR-compliant, EU data centers)
Azure AI Language Service (AzureLanguage): PII detection and entity recognition (GDPR-compliant, EU data centers)
Stripe: Payment processing (PCI DSS Level 1 certified)
SendGrid (Smtp): Transactional email delivery
Google reCAPTCHA Enterprise (RecaptchaEnterprise): Bot protection and spam prevention
Microsoft Graph API (Graph): User invitation and management

5.2 Legal Requirements

We may disclose data when required by law, court order, or to protect our legal rights.

6. International Data Transfers

All customer data is stored in EU data centers (Ireland region). Any transfers outside the EU are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission
Microsoft's EU Data Boundary commitments
Adequacy decisions where applicable

7. Data Retention

Active Accounts: Data retained while subscription is active
Cancelled Accounts: Data available for export for 90 days. After 90 days, all tenant data (cases, documents, users, settings) is permanently deleted. You will receive a reminder email 10 days before deletion.
Audit Logs: Retained for 7 years (legal requirement)
Billing Records: Retained for 7 years (tax law requirement)
Marketing Data: Deleted immediately upon unsubscribe request

8. Your Rights Under GDPR

As an EU data subject, you have the following rights:

Right to Access: Request a copy of your personal data
Right to Rectification: Correct inaccurate data
Right to Erasure: Request deletion of your data
Right to Restriction: Limit how we process your data
Right to Data Portability: Receive your data in machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time
Right to Lodge a Complaint: Complain to the Data Protection Commission (Ireland)

To exercise your rights, contact: dpo@sarportal.com

9. Security Measures

We implement industry-standard security measures:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Multi-factor authentication (MFA)
Role-based access control (RBAC)
Regular security audits and penetration testing
Automated vulnerability scanning
Intrusion detection and monitoring
Annual third-party security reviews

10. AI and Automated Decision-Making

SAR Portal uses AI for:

Risk Scoring: Automated case risk assessment
Text Assistance: Suggestions for text improvement
Contextual Workflow Guidance: System-specific next-step recommendations based on your configured business systems (e.g., "Search Zendesk for this email")
PDF Text Extraction: Automated text extraction from PDF documents using Azure Document Intelligence
Configurable PII Detection: Automated detection of personal data in documents based on your tenant-specific configuration (standard PII types, custom patterns, keyword lists) to assist with GDPR Article 15(4) compliance

10.1 Systems Configuration Data

You can configure which business systems your organization uses (e.g., CRM, email platforms, support systems). This configuration data is used solely to provide system-specific AI guidance tailored to your environment. This data includes:

System types and names (e.g., "Salesforce CRM", "Zendesk Support")
Optional system notes and data types stored
Business context description

This configuration data is stored securely in your tenant's isolated database partition and is never shared with other tenants or used for any purpose other than generating contextual guidance for your organization.

10.2 PII Detection Configuration

You can customize PII detection settings including which data types to detect (names, emails, IBAN, etc.), custom regex patterns for business-specific identifiers, and keyword allow/deny lists. These settings control how AI analyzes documents but do not affect the underlying AI models.

Important: All AI-generated outputs are advisory only. No solely automated decisions are made that produce legal effects. Human review is always required for final decisions, including which personal data to redact. PII detection results must be reviewed and confirmed by a human operator before applying any redactions.

Data Processing: When you upload PDF documents, they are temporarily processed by Azure Document Intelligence (Microsoft Ireland) to extract text. The extracted text is then analyzed by Azure OpenAI for PII detection based on your configured settings. Your documents and configuration are not used to train any AI models, and all processing occurs within EU data centers under Microsoft's Data Processing Agreement.

11. Cookies and Tracking

We use the following types of cookies:

Essential Cookies: Required for authentication and security
Functional Cookies: Remember your preferences (theme, language)
Analytics Cookies: Understand how you use our service

You can control cookies through your browser settings.

12. Children's Privacy

SAR Portal is not intended for individuals under 16 years of age. We do not knowingly collect data from children.

13. Changes to This Privacy Policy

We may update this policy from time to time. We will notify you of material changes via email or in-app notification. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy-related questions or to exercise your rights:

Email: dpo@sarportal.com

15. Supervisory Authority

You have the right to lodge a complaint with the Irish Data Protection Commission:

Website: www.dataprotection.ie
Email: info@dataprotection.ie
Phone: +353 57 868 4800