Privacy Policy

Your privacy is important to us

Last updated: May 2026

Introduction

MetaGroups Technology Ltd ("we", "our", or "us") operates MetaGroups and is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

By using MetaGroups, you agree to the collection and use of information in accordance with this policy.

Service Provider:
MetaGroups Technology Ltd
Company Number: 17132777
Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

1. Information We Collect

1.1 Information from Microsoft Entra

When you synchronise with Microsoft Entra, we collect:

  • User information (names, email addresses, job titles, departments, locations)
  • Group information (group names, descriptions, membership lists)
  • Group membership relationships
  • User attributes used for dynamic group hierarchies

1.2 Account Information

Initial Setup

When you first create a MetaGroups account during the initial setup process, we collect:

  • Name and email address
  • Organisation name
  • Password (encrypted)
  • Phone number (if provided for two-factor authentication during initial setup)
Ongoing Access via Single Sign-On (SSO)

Once initial setup is complete, access to the MetaGroups platform is provided exclusively via Single Sign-On (SSO) using your organisation's existing Microsoft 365 credentials. At this stage, MetaGroups does not store or manage your password, as authentication is handled entirely by Microsoft's identity platform (Microsoft Entra ID). The password and two-factor authentication phone number collected during initial setup are no longer used for platform access once SSO has been configured and enabled.

1.3 Usage Information

We automatically collect:

  • Log data (IP addresses, browser type, pages visited, time spent)
  • Device information
  • Application performance data
  • Feature usage statistics

1.4 Audit Information

We track and store:

  • User actions within the application
  • Synchronisation history
  • Changes to user and group data
  • Login attempts and security events

2. How We Use Your Information

We use collected information for:

  • Service Delivery: Providing group management and synchronisation services
  • Dynamic Hierarchies: Creating and maintaining automatic group structures
  • Audit & Compliance: Maintaining audit trails as required by you
  • Support: Responding to your requests and providing customer support
  • Improvements: Analysing usage to improve our service
  • Security: Detecting and preventing fraud, abuse, and security incidents
  • Communications: Sending service-related announcements and updates

3. Data Storage and Security

3.1 Data Storage

All data is stored exclusively within the United Kingdom in Microsoft Azure data centres located in the UK South region. MetaGroups does not offer alternative data regions and does not store or process your data outside the United Kingdom.

3.2 Security Measures

We implement enterprise-grade security:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (Azure Storage encryption)
  • Azure Key Vault for secrets management
  • Multi-tenant data isolation
  • Regular security audits and penetration testing
  • SOC 2 Type II compliant infrastructure

3.3 Multi-Tenancy

Each organisation's data is completely isolated using separate databases. No organisation can access another organisation's data.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share data only in these limited circumstances:

4.1 Service Providers (Sub-processors)

We use the following trusted third-party service providers to deliver our services. Each provider is contractually bound to protect your data and to use it only for the specific purpose for which they are engaged:

  • Microsoft Corporation — Cloud hosting and infrastructure (Microsoft Azure, UK South region). All data processed by Microsoft in connection with the MetaGroups platform is stored and processed within the United Kingdom.
  • Atlassian Corporation — Support platform hosting and management (Jira Service Management). All data processed by Atlassian in connection with MetaGroups support services is stored and processed within the United Kingdom.
  • Google reCAPTCHA — Spam and bot protection for public-facing website forms (such as contact and enquiry forms). Google reCAPTCHA is used only on our public-facing website and is not deployed within the MetaGroups platform itself. For more information, see Google's Privacy Policy and reCAPTCHA Terms.
  • Google Analytics & Tag Manager — Website analytics, used only on our public-facing website (if you consent). Google Analytics is not deployed within the MetaGroups platform itself.

4.2 Legal Requirements

We may disclose information if required by law, court order, or government request.

4.3 Business Transfers

If MetaGroups is acquired or merged, customer data may be transferred. You will be notified of any such change.

5. Your Rights (UK GDPR)

Where MetaGroups acts as a Data Controller

Where MetaGroups collects and processes your personal data for its own purposes (for example, in respect of website visitors, marketing contacts, or individuals who contact us directly), MetaGroups acts as the data controller. In those circumstances, under the UK GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restrict Processing: Limit how we use your data
  • Data Portability: Receive your data in a machine-readable format
  • Object: Object to processing of your data
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights in respect of data for which MetaGroups is the controller, please contact us at privacy@metagroups.apps.

Where MetaGroups acts as a Data Processor

Where MetaGroups processes personal data on behalf of an enterprise customer organisation (such as an employer or client who has contracted with MetaGroups for the provision of our services), MetaGroups acts as a data processor and that organisation acts as the data controller. In those circumstances, if you are an employee, contractor, or other member of staff of that organisation and you wish to exercise your data subject rights in respect of your personal data processed through the MetaGroups platform, you should direct your request to your organisation (the data controller) rather than to MetaGroups directly.

Where MetaGroups receives a data subject rights request directly that relates to personal data processed on behalf of a customer organisation, MetaGroups will promptly forward that request to the relevant customer organisation. MetaGroups will not respond to such requests directly without the authorisation of the relevant data controller, except where required to do so by law.

6. Data Retention

We retain data for as long as necessary to provide services:

  • Active Accounts: Data retained whilst account is active
  • Audit Logs: Retained per your plan (30–120 days)
  • Deleted Accounts: Data deleted within 30 days of account closure
  • Backups: Backup copies are deleted within 30 days of account closure or contract termination. Upon completion of deletion, written confirmation will be provided upon request. Where applicable law requires retention beyond this period, MetaGroups will notify the relevant customer of the nature and duration of the retention obligation, and any retained data will be held securely and used only for the purpose required by law.

7. Cookies and Tracking

We use cookies and similar tracking technologies to improve your experience and analyze site usage.

For detailed information about the cookies we use, how we use them, and how you can manage your cookie preferences, please see our Cookie Policy.

Key cookie types we use:

  • Essential Cookies: Required for authentication and security
  • Analytics Cookies: Understand how you use our service (can be disabled)

You can control cookies through your browser settings or by visiting our Cookie Policy page.

8. International Data Transfers

MetaGroups stores and processes all personal data exclusively within the United Kingdom. All infrastructure used to deliver the MetaGroups platform, and all sub-processors engaged by MetaGroups in connection with the platform, store and process data within the United Kingdom.

MetaGroups does not transfer personal data outside the United Kingdom. In the event that any international transfer of personal data were to become necessary in future, MetaGroups would ensure that an appropriate transfer safeguard is in place in accordance with Chapter V of the UK GDPR (such as an International Data Transfer Agreement ("IDTA") approved by the Information Commissioner's Office) and, where required, would obtain the prior written consent of the relevant customer organisation before any such transfer takes place.

9. Personal Data Breaches

MetaGroups maintains appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

In the event of a personal data breach affecting personal data processed on behalf of a customer organisation, MetaGroups will notify the relevant customer organisation without undue delay and in any event within 48 hours of becoming aware of the breach. Such notification will include, to the extent reasonably available at the time:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected;
  • The name and contact details of the relevant MetaGroups data protection contact;
  • A description of the likely consequences of the breach; and
  • A description of the measures taken or proposed to address the breach, including steps to mitigate its possible adverse effects.

Where it is not possible to provide all of the above information at the same time, MetaGroups will provide the information in phases without undue further delay.

Where a breach affects personal data for which MetaGroups is the data controller, MetaGroups will fulfil its notification obligations directly to the Information Commissioner's Office and to affected individuals as required by the UK GDPR.

10. Children's Privacy

MetaGroups is not intended for children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

  • Email notification
  • Prominent notice in the application
  • Updated "Last modified" date

Continued use after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions or to exercise your rights:

MetaGroups Technology — Data Protection Officer
Email: privacy@metagroups.technology
Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection matters, at www.ico.org.uk.