Privacy Policy

1. Who We Are

TwelveSides Technologies Ltd ("TwelveSides", "we", "us", or "our") is the data controller for the personal data we collect about you. We are a company registered in England and Wales.

We operate Meridian Cloud ("the Service"), a unified IT management platform available at meridiancloud.tech.

This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Service. It is compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For data protection enquiries, contact us at privacy@meridiancloud.tech.

2. What Data We Collect

2.1 Account Data

When you register for the Service, we collect:

• Name, email address, and organisation name (typically obtained from Microsoft Entra ID during sign-up).
• Job title and role within your organisation.
• Billing information including payment card details (processed and stored by Stripe; we do not store full card numbers), billing address, and VAT number.
• Any communications, feedback, or support requests you send to us.

2.2 Microsoft 365 Data

When you connect your Microsoft 365 tenant to Meridian Cloud, we sync data via the Microsoft Graph API on a read-only basis. This includes:

• User accounts, groups, and directory information from Entra ID.
• Device inventory and compliance status from Intune.
• Licence assignment and usage data.
• Security alerts, Secure Score, and sign-in activity.
• Teams Phone configuration (call queues, auto attendants, number assignments).

We do not read your email content, files, or chat messages. We access only the administrative and security data necessary to provide the Service.

2.3 Usage Data

We automatically collect information about how you use the Service:

• Pages visited, features used, actions taken, and timestamps.
• Session duration and navigation patterns.
• Search queries within the Service.

2.4 Technical Data

We automatically collect technical information:

• IP address and approximate geographic location.
• Browser type and version.
• Operating system and device type.
• Screen resolution.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

Purpose	Legal Basis
Providing and maintaining the Service	Performance of contract
Processing payments and billing	Performance of contract
Sending account-related communications	Performance of contract
Providing customer support	Performance of contract
Security monitoring and threat detection (Intelligence module)	Legitimate interest
Improving and developing the Service	Legitimate interest
Analysing usage trends and patterns	Legitimate interest
Detecting and preventing fraud or abuse	Legitimate interest
Sending marketing communications	Consent
Complying with legal obligations	Legal obligation

4. How We Use Your Data

4.1 Providing the Service

We use your data to operate Meridian Cloud, including syncing data from your connected services, displaying dashboards and reports, generating alerts, and providing the self-service portal.

4.2 Security Monitoring and the Intelligence Module

The Intelligence module analyses your IT environment data to provide AI-powered insights, risk scores, anomaly detection, and recommendations. This processing is performed using Azure AI Foundry and is based on the data you have connected to the Service.

4.3 Billing and Account Management

We use your billing information to process payments via Stripe, manage your Subscription, and send invoices and receipts.

4.4 Email Notifications

We send transactional and alert emails using SMTP2GO as our email delivery provider. These include account confirmations, password resets, alert notifications, and weekly summary reports. SMTP2GO may track email delivery status (opens, clicks) to ensure deliverability.

4.5 AI-Powered Insights

The Intelligence module uses Azure AI Foundry to generate insights about your IT environment. Your data is processed within the Azure UK West region. We do not use your data to train general-purpose AI models. AI processing is limited to generating insights specific to your organisation.

5. Data Sharing

We do not sell your personal data. We never have and we never will.

We share your data with the following categories of recipients:

5.1 Sub-Processors

We use a limited number of trusted third-party services to operate the Service. A full list is available on our Sub-Processors page. Key sub-processors include:

• Microsoft Azure — Cloud infrastructure, storage, and compute (UK West region).
• Microsoft Entra ID — Authentication and identity management.
• SMTP2GO — Email delivery for notifications and alerts.
• Stripe — Payment processing and billing.
• Azure AI Foundry — AI insights and copilot functionality (UK West region).

All sub-processors are contractually obligated to process your data only on our behalf and in accordance with our instructions.

5.2 Law Enforcement

We will only disclose your data to law enforcement or government authorities if we receive a valid legal order (such as a court order or warrant). We will notify you of such a request unless we are legally prohibited from doing so.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change and ensure the receiving entity is bound by equivalent data protection obligations.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

• Account data: Retained for the duration of your account and for 30 days after account deletion.
• Billing data: Retained for 7 years after the end of the financial year in which the transaction occurred, as required by UK tax and accounting regulations.
• Microsoft 365 synced data: Retained for the duration of your Subscription and deleted within 30 days of termination.
• Usage data: Retained for up to 24 months, then anonymised or deleted.
• Technical data (logs): Retained for up to 90 days.
• Support communications: Retained for up to 3 years after your last interaction.

7. Your Rights (GDPR)

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct inaccurate or incomplete data.
• Right to erasure: You can ask us to delete your personal data in certain circumstances.
• Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
• Right to restriction: You can ask us to restrict the processing of your data in certain circumstances.
• Right to object: You can object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact us at privacy@meridiancloud.tech. We will respond within one month of receiving your request. If the request is complex, we may extend this by a further two months and will notify you accordingly.

8. International Transfers

Your data is primarily stored and processed within the United Kingdom (Azure UK West region). Some of our sub-processors operate globally. Where we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office.
• Transfers to countries with an adequacy decision from the UK Government.

For details of where each sub-processor operates, see our Sub-Processors page.

9. Cookies and Tracking

We use only essential cookies required for the Service to function. Specifically:

• Authentication tokens: MSAL (Microsoft Authentication Library) tokens stored in localStorage to maintain your signed-in session.
• Session cookies: Used to maintain application state during your session.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies on the marketing site or in the application.

SMTP2GO may track email delivery status (opens and clicks) on transactional emails to ensure deliverability. This is disclosed here and in our Cookie Policy.

For full details, see our Cookie Policy.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls (RBAC) and managed identity for service-to-service authentication.
• Audit logging of all administrative actions.
• Regular security assessments and penetration testing.
• Secure development practices and code review.
• Incident response procedures and breach notification processes.

While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is 100% secure.

11. Children's Data

Meridian Cloud is a business-to-business service. The Service is not intended for use by individuals under the age of 18, and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that data promptly.

12. Data Processing Agreement

Where we process Customer Data on your behalf (for example, Microsoft 365 data synced to the Service), we act as a data processor. Our Data Processing Agreement sets out the terms of this processing and forms part of our Terms of Service.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or through a prominent notice in the Service at least 30 days before the changes take effect.

The "Effective date" at the top of this policy indicates when it was last revised. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

14. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

TwelveSides Technologies Ltd
Email: privacy@meridiancloud.tech
Website: meridiancloud.tech

You also have the right to contact the Information Commissioner's Office (ICO) if you have concerns about how we process your data: ico.org.uk.