
Privacy Policy

Last Updated: February 2026

1. Introduction

SAR Portal (“we”, “us”, or “our”) operates the SAR Portal platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Company Details:

  • Legal Name: Sekhon IT Consultants Ltd. (trading as SAR Portal)
  • Company Registration: Ireland
  • Registered Address: 1 Beaufield Crescent, Maynooth, Co. Kildare, Republic of Ireland
  • Email: info@sarportal.com
  • Data Protection Officer: dpo@sarportal.com
  • Lead Supervisory Authority: Data Protection Commission (Ireland) - dataprotection.ie

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, company name, phone number
  • Billing Information: Processed securely through Stripe (we do not store full payment card details)
  • Case Data: Information you upload related to DSAR cases you manage
  • Communications: Messages you send to our support team

2.2 Information Collected Automatically

  • Usage Data: IP address, browser type, pages visited, time spent
  • Cookies: Authentication tokens, preferences, analytics
  • Security Logs: Login attempts, API access, rate limiting events

3. How We Use Your Information

We process personal data only for the following purposes:

  • Service Delivery: Provide, maintain, and improve SAR Portal
  • Authentication: Secure access via Azure Entra External ID
  • Billing: Process subscriptions and send invoices
  • Communication: Send service updates, security alerts, and support responses
  • Legal Compliance: Comply with GDPR and other data protection laws
  • AI Features: Provide risk assessment and text assistance (all processing is confidential and not used for training)
  • Security: Detect fraud, prevent abuse, and protect our systems

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

| Data Type | Legal Basis | Purpose |
|---|---|---|
| Account Information | Contract Performance | Providing the SAR Portal service |
| Billing Information | Contract Performance | Processing payments and invoices |
| Case Data | Contract Performance | Enabling DSAR management features |
| Marketing Communications | Consent | Sending newsletters and promotional content |
| Contact Form Submissions | Legitimate Interests / Contract | Responding to inquiries, demos, and sales requests |
| Usage Analytics | Legitimate Interests | Improving our service and user experience |
| Security Logs | Legitimate Interests | Protecting our systems and detecting fraud |
| Audit Logs | Legal Obligation | Compliance with tax and data protection laws |

You may withdraw consent at any time for consent-based processing. For legitimate interests, you have the right to object (see Section 8).

5. Data Sharing and Disclosure

We do not sell your personal data. We share data only with:

5.1 Service Providers

  • Microsoft Azure Entra External ID: Authentication and identity management
  • Azure Cosmos DB: Database storage (AES-256 encryption at rest, EU region)
  • Azure Blob Storage: Document storage (AES-256 encryption at rest, EU region)
  • Azure OpenAI Service: AI-powered features including risk assessment and text assistance (your data is not used for model training, EU data centers)
  • Azure AI Document Intelligence: PDF text extraction for redaction analysis (EU data centers)
  • Azure AI Language Service: PII detection and entity recognition (EU data centers)
  • Stripe: Payment processing (PCI DSS Level 1 certified, EU data center)
  • Twilio SendGrid: Transactional email delivery (EU processing)
  • Google reCAPTCHA Enterprise: Bot protection and spam prevention
  • Microsoft Graph API: User invitation and management

5.2 Legal Requirements

We may disclose data when required by law, court order, or to protect our legal rights.

6. International Data Transfers

All customer data is stored and processed in EU data centers (Microsoft Azure EU regions).

6.1 Third Country Transfers

Any transfers outside the EU/EEA are protected by:

  • Standard Contractual Clauses (SCCs): European Commission’s 2021 SCCs for third country transfers
  • Microsoft’s EU Data Boundary: Azure services operate within Microsoft’s EU Data Boundary commitment
  • Adequacy Decisions: Transfers to countries with EU adequacy decisions (e.g., UK, Switzerland) rely on those decisions

6.2 UK Data Transfers

For services with UK-based processing, transfers are protected by the UK adequacy decision (adopted June 2021, extended by the European Commission until June 2028). All core data processing occurs within EU data centers to minimise third-country transfers.

6.3 Sub-Processor Locations

| Sub-Processor | Purpose | Processing Location | Transfer Mechanism |
|---|---|---|---|
| Microsoft Azure | Cloud hosting, database, storage, AI | EU (West Europe) | N/A — EU only |
| Stripe | Billing and payments | EU (Ireland) | EU-US DPF / SCCs |
| Twilio SendGrid | Email delivery | EU (configured) | SCCs where applicable |
| Google reCAPTCHA Enterprise | Bot protection | Global | Enterprise DPA / SCCs |

7. Data Retention

  • Active Accounts: Data retained while subscription is active
  • Cancelled Accounts: Data available for export for 90 days. After 90 days, all tenant data (cases, documents, users, settings) is permanently deleted. You will receive a reminder email 10 days before deletion.
  • Audit Logs: Retained for 7 years (legal requirement)
  • Billing Records: Retained for 7 years (tax law requirement)
  • Contact Form Inquiries: Retained for 24 months, or longer if you become a customer
  • Marketing Data: Deleted immediately upon unsubscribe request

8. Your Rights Under GDPR

As an EU data subject, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: Complain to your local Data Protection Authority

To exercise your rights, contact: dpo@sarportal.com

9. Security Measures

We implement technical and organisational security measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication (MFA) via Azure Entra External ID
  • Role-based access control (RBAC) with four defined roles
  • Secrets management via Azure Key Vault (HSM-backed)
  • Security headers (CSP, HSTS, and others)
  • Rate limiting on all public endpoints
  • Automated dependency scanning and code review
  • PII sanitisation in application logs (emails, phone numbers, names are masked)

For full details of our security controls, see our Security page.

10. AI and Automated Decision-Making

SAR Portal uses AI for:

  • Risk Scoring: Automated case risk assessment
  • Text Assistance: Suggestions for text improvement
  • Contextual Workflow Guidance: System-specific next-step recommendations based on your configured business systems (e.g., “Search Zendesk for this email”)
  • PDF Text Extraction: Automated text extraction from PDF documents using Azure Document Intelligence
  • Configurable PII Detection: Automated detection of personal data in documents based on your tenant-specific configuration (standard PII types, custom patterns, keyword lists) to assist with GDPR Article 15(4) compliance

10.1 Systems Configuration Data

You can configure which business systems your organization uses (e.g., CRM, email platforms, support systems). This configuration data is used solely to provide system-specific AI guidance tailored to your environment. This data includes:

  • System types and names (e.g., “Salesforce CRM”, “Zendesk Support”)
  • Optional system notes and data types stored
  • Business context description

This configuration data is stored securely in your tenant’s isolated database partition and is never shared with other tenants or used for any purpose other than generating contextual guidance for your organization.

10.2 PII Detection Configuration

You can customize PII detection settings including which data types to detect (names, emails, IBAN, etc.), custom regex patterns for business-specific identifiers, and keyword allow/deny lists. These settings control how AI analyzes documents but do not affect the underlying AI models.

Important: All AI-generated outputs are advisory only. No solely automated decisions are made that produce legal effects. Human review is always required for final decisions, including which personal data to redact. PII detection results must be reviewed and confirmed by a human operator before applying any redactions.

Data Processing: When you upload PDF documents, they are temporarily processed by Azure Document Intelligence to extract text. The extracted text is then analyzed by Azure OpenAI for PII detection based on your configured settings. Your documents and configuration are not used to train any AI models, and all processing occurs within EU data centers under Microsoft’s Data Processing Agreement.

11. Cookies and Tracking

We use cookies and similar technologies to operate our service. For full details, see our Cookie Policy.

11.1 Types of Cookies

| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Essential Cookies | Authentication, security, session management | No (strictly necessary) |
| Functional Cookies | Remember preferences (theme, language) | No (strictly necessary) |
| Analytics Cookies | Understand usage patterns via Google Analytics | Yes |

11.2 Cookie Consent

When you first visit our website, you will see a cookie consent banner. You can:

  • Accept All: Enable all cookies including analytics
  • Essential Only: Only strictly necessary cookies
  • Manage Preferences: Customize your cookie choices

You can change your cookie preferences at any time via the cookie settings link in the footer.

11.3 Google Analytics

We use Google Analytics 4 to understand how visitors use our website. Google Analytics collects:

  • Pages visited and time spent
  • Device and browser information
  • Geographic region (country/city level)
  • Referral sources

Google Analytics uses cookies that expire after 2 years. Data is processed in accordance with Google’s privacy policy. IP addresses are anonymized before storage. You can opt out using the Google Analytics Opt-out Browser Add-on.

12. Children’s Privacy

SAR Portal is not intended for individuals under 16 years of age. We do not knowingly collect data from children.

13. Changes to This Privacy Policy

We may update this policy from time to time. We will notify you of material changes via email or in-app notification. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy-related questions or to exercise your rights:

  • Email: dpo@sarportal.com

15. Supervisory Authority

You have the right to lodge a complaint with your local EU Data Protection Authority. A list of EU supervisory authorities is available at edpb.europa.eu.
