Privacy Policy

1. Controller and privacy contact

The controller for personal data processed through the Magrathean website and Magrathean business operations is:

Magrathean UK Ltd. Company number: 16955343 Registered office: 16 Caledonian Court, West Street, Watford, England, WD17 1RY Registered in: England and Wales Email: [email protected]

We have not appointed a statutory Data Protection Officer because we do not consider one to be mandatory for our current activities. Data-protection and privacy requests should be sent to the privacy contact above.

2. Scope of this policy

This policy applies to:

• the website at magrathean.uk;
• contact forms, email links, phone/contact reveal actions, booking requests, and enquiry routes;
• public tools, including Microsoft 365 score tools, website enquiry checks, Auditex summary-validation routes, and similar diagnostic tools;
• business outreach and unsubscribe/suppression handling;
• Meta/Facebook lead-form data we receive for Magrathean advertising campaigns;
• administration of proposals, invoices, customers, suppliers, professional-services work, and support;
• limited website analytics, attribution, anti-abuse, and server/security logs;
• Magrathean product pages and app-support routes.

Individual Apps or product sites may have their own app-specific privacy notices. Where an app-specific notice exists, that notice governs data processed by that App itself. This policy still applies to support requests, website visits, enquiries, app-store support communications, and Magrathean business administration connected with the App.

Some Magrathean product pages may link to .eu, .hu, App Store, GitHub, Google Play, or other third-party/product domains. Unless another legal notice identifies a different operator, Magrathean UK Ltd. is the Magrathean operator for its own product pages and support routes. Where local law requires a supplemental notice, local representative, or additional regulator wording, that should be provided in the relevant product-specific notice.

3. Summary of what we process

We process personal data for five main reasons:

1. To run the Site and public tools. This includes hosting, security, anti-spam, rate limiting, analytics where consented to, and form/API operation. 2. To respond to enquiries and provide services. This includes contact details, messages, meeting details, proposals, invoices, project records, and agreed customer-support information. 3. To operate diagnostic and lead tools. This includes Microsoft 365 score answers/results, score-report requests, safe Auditex summary uploads, and source/attribution data. 4. To run limited B2B outreach and advertising lead follow-up. This includes business contact data, public source information, Meta lead data, campaign metadata, unsubscribe records, and suppression lists. 5. To meet legal, tax, accounting, security, and record-keeping obligations.

We do not sell personal data. We do not knowingly collect children’s data through the Site. We do not want secrets, raw tenant exports, production personal-data dumps, special-category data, criminal-offence data, or payment-card data through public forms.

4. Personal data we collect directly from you

We may collect the following data when you give it to us:

4.1 Contact and enquiry data

Name, email address, phone number, company name, role, website URL, service interest, message content, preferred contact route, booking preferences, time zone, correspondence, attachments, and information you provide when you contact us.

4.2 Public tool data

For tools such as the Microsoft 365 score calculator, website enquiry check, score-report request, or Auditex summary-validation route, we may process:

• answers you provide;
• calculated score, risk band, summary, matrix, recommendations, and tool output;
• name, work email, company, approximate user count, main concern, consent selections, source URL, submission ID, and message content;
• safe summary artefact metadata, such as filename, tenant name where included in the summary, finding count, blocker count, validation status, upload ID, and summary JSON;
• technical security data such as user agent, origin, IP-derived hash, rate-limit data, and Turnstile/security-check status.

4.3 Business and professional-services data

For paid or proposed work, we may process business contact details, project correspondence, proposals, contracts, statements of work, invoices, payment records, support notes, access records, system descriptions, website content, DNS/hosting records, Microsoft 365/Entra/Intune/Defender/Exchange/SharePoint configuration information, device or endpoint information, logs, screenshots, audit notes, AI workflow information, staff contact data, supplier data, and other information needed to scope, deliver, support, invoice, or record the work.

We will agree a specific secure handling process before receiving raw tenant exports, secrets, high-risk datasets, or production personal data.

4.4 Payment, accounting, and supplier data

Customer, supplier, bank/payment, invoice, tax, accounting, expense, purchase, and contract records.

4.5 Marketing preference data

Email preferences, consent records, unsubscribe requests, suppression records, reply status, campaign status, and objections to marketing.

5. Personal data we obtain from other sources

We may obtain personal data from sources other than you, including:

• public business websites, professional directories, company websites, business social pages, search results, or public contact pages;
• referrals, introductions, existing customers, suppliers, or professional contacts;
• Meta/Facebook lead forms submitted in response to Magrathean advertisements;
• analytics and advertising platforms that provide aggregated campaign, conversion, or lead metadata;
• app stores or platform providers for support, purchase, subscription, crash, or account-administration purposes where available to developers;
• GitHub, LinkedIn, Instagram, Google, Microsoft, Cloudflare, domain/hosting providers, or other platforms where you interact with us;
• customer systems, tenants, repositories, websites, or platforms where a customer has authorised access for a paid engagement.

Where we obtain personal data from another source and use it to contact you, we aim to provide privacy information at the first communication or within the required period unless an exemption applies.

6. Special-category, criminal-offence, children’s, and high-risk data

The Site and public tools are not intended to collect:

• health, biometric, genetic, political, religious, trade-union, sex-life, or sexual-orientation data;
• criminal-offence data;
• children’s data;
• payment-card data;
• passwords, tokens, keys, secrets, raw tenant exports, or confidential operational datasets;
• production personal-data dumps belonging to customers, staff, suppliers, or end users.

If you send this type of data without prior written agreement, we may delete, restrict, quarantine, or return it. If a paid engagement genuinely requires high-risk or special-category processing, we will agree the scope, lawful basis, security measures, and data-processing terms separately.

The Site is not directed at children under 16. Apps are not directed at children unless an app-specific notice says otherwise. If we learn that a child has provided personal data through a general Magrathean route, we will delete it where appropriate.

7. Purposes and lawful bases

We rely on the following lawful bases under UK GDPR, depending on the context.

Where we rely on legitimate interests, our interests are to operate and protect Magrathean, respond to business communications, provide requested tools, run proportionate B2B marketing, manage customer relationships, improve services, prevent fraud and abuse, and protect legal rights. You may object to processing based on legitimate interests.

8. Cookies, local storage, analytics, and similar technologies

We use strictly necessary technologies to provide the Site, secure forms, prevent abuse, remember privacy choices, route API requests, and operate requested features.

We use optional analytics and attribution technologies only where legally permitted and, for UK/EU users, only after valid consent where PECR/ePrivacy requires consent. Optional analytics and attribution may include:

• Google Analytics;
• Cloudflare Web Analytics;
• browser local storage for campaign attribution;
• UTM parameters and ad-click identifiers such as gclid, gbraid, wbraid, msclkid, or twclid;
• contact-reveal, contact-click, booking-click, score-started, score-completed, and form-submission events;
• Google Ads, Microsoft Ads, Microsoft Clarity, LinkedIn Insight Tag, or similar marketing tags if they are later enabled.

We will not intentionally load optional analytics or advertising tags, or write optional attribution identifiers to local storage, before consent where consent is legally required.

8.1 Technologies we may use

You can withdraw cookie/analytics consent through the Site’s cookie controls where available. You can also clear browser storage or use browser/content-blocking tools. Browser blocking is not a substitute for our consent obligations, but it may limit what your browser sends.

9. Cloudflare Turnstile and anti-abuse checks

We may use Cloudflare Turnstile or similar services to protect forms, public tools, and APIs. This may involve processing your IP address, browser/device signals, challenge token, action name, hostname, timing, and verification result. We use this for security, spam prevention, abuse prevention, rate limiting, and infrastructure protection.

10. Server logs and VPS/API operations

The Site and Tools API may create server, nginx, application, security, and admin logs. These may include IP address, request path, timestamp, HTTP status, user agent, referrer, request time, error information, API route, security status, and limited operational metadata.

Public APIs and tools may store data in server-side databases for contact submissions, score leads, Auditex summary validation, Meta leads, outreach campaigns, suppression records, ad snapshots, admin status, timer status, and backups. Access is restricted to authorised Magrathean personnel or processors.

11. Contact forms and score-tool submissions

When you submit a contact form or score-report request, we may store the submission in a database and send a notification email to Magrathean. The submission may include your name, email, company, message, service interest, score result, score answers, main concern, approximate user count, attribution data, origin, user agent, IP-derived hash, and submission ID.

We use this to respond, triage the enquiry, prevent abuse, avoid duplicate submissions, keep records, and improve contact paths. We do not require Microsoft tenant login, admin consent, mailbox access, raw evidence upload, or Microsoft Graph tokens for the public score tool.

12. Auditex summary validation

If an Auditex validation or upload route is available, it is intended for safe summary artefacts only. We may process filename, email if provided, lead ID if provided, tenant name where included in the summary, finding count, blocker count, validation status, recommended offer, and summary JSON.

Do not upload raw evidence, secrets, tokens, .env files, client secrets, access tokens, refresh tokens, password material, debug logs, mailbox contents, raw tenant exports, or personal-data dumps unless a secure written process has been agreed.

13. B2B outreach and suppression

We may process business contact data for limited B2B outreach about Magrathean services. This may include:

• contact name;
• business email address;
• company;
• base domain or website;
• region;
• segment or category;
• source URL;
• source file/reference;
• email-confidence note;
• outreach subject and message;
• campaign ID;
• send priority;
• sender/reply-to details;
• lead token;
• sent, failed, replied, unsubscribed, suppressed, or queued status;
• unsubscribe and suppression timestamps.

Sources may include public business websites, business directories, company pages, referrals, previous business interactions, or lawfully obtained lead data.

For corporate subscribers, PECR permits business marketing emails, but we still provide a clear identity and opt-out route. For individual subscribers, sole traders, and some partnerships, we will rely on consent or the soft opt-in only where PECR permits it. We maintain suppression lists so that we do not continue contacting people or domains that object.

14. Meta/Facebook lead forms and advertising campaigns

If you submit a Meta/Facebook lead form for Magrathean services, Meta may provide us with the data you submitted and campaign metadata. This may include:

• Meta lead ID;
• creation time;
• form ID;
• ad ID, ad set ID, campaign ID;
• name;
• email;
• phone;
• website URL;
• business type;
• decision-maker answer;
• site goal;
• budget answer;
• qualification status;
• raw lead-form JSON;
• follow-up status.

We use Meta lead data to respond to the enquiry, prioritise follow-up, measure campaign performance, avoid wasted ad spend, and manage campaign rules. Meta processes your interaction under its own terms and privacy notices. Once we receive lead data from Meta, Magrathean is controller for its copy of that data.

15. Limited automated scoring, triage, and profiling

We use limited automated scoring and triage:

• the Microsoft 365 score tool produces an indicative score and risk band from your answers;
• Meta lead rules may tag a lead as qualified, low priority, or rejected based on simple fields such as website URL, budget answer, decision-maker answer, or phone number;
• campaign and outreach systems may record status, suppression, and follow-up timing;
• analytics may group visits and contact events by page or campaign.

These rules help us prioritise review and respond. They do not make decisions with legal or similarly significant effects. You may object to this profiling and ask for human review.

16. Marketing communications

We may send:

• service communications, meeting emails, proposal emails, support emails, invoices, and operational messages;
• B2B outreach where permitted;
• marketing updates where you have consented, where the soft opt-in applies, or where business-to-business marketing is otherwise permitted.

Every marketing email should identify Magrathean and provide a way to object or unsubscribe. We will keep a suppression record to honour opt-outs. You cannot opt out of strictly necessary service, legal, invoice, security, or transactional messages.

17. Apps and product-specific notices

Magrathean Apps may process data locally on your device or through user-configured infrastructure. App-specific notices should explain the actual behaviour of each App, including device permissions, local storage, credentials, telemetry, analytics, crash reporting, subscriptions, App Store/Google Play processing, cloud sync, exports, network calls, and third-party SDKs.

Unless an app-specific notice says otherwise:

• Magrathean Apps are intended to avoid advertising SDKs and behavioural tracking;
• data processed by an App remains on your device or under your direct control where technically possible;
• credentials should be stored using platform-secured storage such as Apple Keychain where applicable;
• App Store or operating-system crash, purchase, subscription, receipt, or diagnostic processing may be handled by Apple, Google, or the platform provider under their own terms;
• support requests you send to Magrathean are processed under this policy.

If an App connects to your own servers, databases, SSH hosts, TeslaMate instance, MyTeslaMate endpoint, Cloudflare Access proxy, repository, terminal, quota service, or other configured destination, that connection is initiated by you and may be governed by the terms and privacy notices of the relevant service.

18. Professional-services and customer data

For paid work, we may process customer personal data as controller or processor depending on the engagement. The role should be stated in the relevant proposal, statement of work, agreement, or data-processing addendum.

Examples of professional-services data may include:

• business contact data for customer staff and suppliers;
• tenant, account, device, endpoint, group, licence, configuration, security, and audit metadata;
• website content, contact forms, hosting, DNS, email, analytics, and CMS records;
• AI workflow descriptions, approved sources, reviewer rules, prompts, outputs, and evaluation notes;
• security findings, control gaps, recommendations, screenshots, logs, and support notes.

We do not want unnecessary personal data. Customers remain responsible for deciding what personal data they instruct us to process, for providing privacy notices to their own staff or users where required, and for ensuring they have a lawful basis to disclose personal data to us.

19. Who we share personal data with

We may share personal data with the following categories of recipients where necessary:

We do not sell personal data. We do not share personal data with data brokers for resale.

Some providers act as processors for Magrathean. Some, such as Meta, Apple, Google, Microsoft, LinkedIn, GitHub, payment providers, or app stores, may also act as independent controllers for aspects of their own services.

20. International transfers

Some providers may process personal data outside the United Kingdom or the European Economic Area. Where a restricted transfer occurs, we use a lawful transfer mechanism where required. This may include:

• UK adequacy regulations;
• the UK Extension to the EU-US Data Privacy Framework where applicable to a certified US recipient;
• the UK International Data Transfer Agreement;
• the UK Addendum to EU Standard Contractual Clauses;
• EU Standard Contractual Clauses;
• Binding Corporate Rules;
• another lawful safeguard or derogation.

We assess transfer risk where required and may request vendor transfer documentation before using a provider for higher-risk processing.

21. Retention

We keep personal data only for as long as reasonably needed for the purpose collected, unless a longer period is required for legal, tax, accounting, dispute, security, regulatory, insurance, or suppression reasons.

When a retention period expires, we delete, anonymise, or archive the data in a restricted form unless continued retention is justified.

22. Security measures

We use technical and organisational measures intended to protect personal data. These may include:

• TLS/encryption in transit at the public edge;
• secure hosting and access controls;
• least-privilege administrative access;
• admin tokens or authenticated admin routes;
• IP hashing for rate-limiting records where appropriate;
• Cloudflare Turnstile or equivalent anti-abuse checks;
• server-side rate limiting;
• restricted access to SQLite databases, backups, logs, and environment files;
• secret-management controls;
• security headers and no-store controls for APIs;
• backup controls;
• monitoring, audit, and incident review;
• internal minimisation rules for raw evidence, tenant exports, credentials, and secrets.

No system is completely secure. If we become aware of a personal data breach requiring notification, we will notify the ICO and/or affected individuals where required by law.

23. Your rights

Subject to legal conditions and exemptions, you have the following rights under UK GDPR:

• access to your personal data;
• correction of inaccurate or incomplete data;
• deletion where continued processing is not justified;
• restriction of processing;
• objection to processing based on legitimate interests;
• objection to direct marketing;
• data portability where processing is based on consent or contract and carried out by automated means;
• withdrawal of consent where processing is based on consent;
• not to be subject to solely automated decisions with legal or similarly significant effects, subject to exceptions.

To exercise rights, contact [email protected]. We may ask you to verify your identity. We normally respond within one month unless the law permits an extension.

If your request relates to data we process on behalf of a customer as processor, we may refer the request to that customer.

24. Complaints

You can complain to the UK Information Commissioner’s Office (ICO). The ICO website is https://ico.org.uk/make-a-complaint/.

We would prefer the opportunity to address concerns first, so please contact us at [email protected].

25. Your choices

You can:

• avoid submitting a form and contact us by email instead;
• ask us not to use your data for marketing;
• unsubscribe from outreach emails using the link or reply route provided;
• reject optional analytics and marketing cookies through the Site’s cookie controls where available;
• clear browser cookies and local storage;
• object to legitimate-interest processing;
• request deletion, subject to legal and suppression-list limits;
• avoid using third-party links or embeds if you do not want those providers to receive data.

26. Third-party links and external services

The Site may link to LinkedIn, GitHub, Apple App Store, Google Play, Meta/Facebook, Instagram, Google Calendar, Microsoft, Cloudflare, product sites, customer websites, repository pages, or other external services.

When you follow a third-party link, interact with an embedded service, install an App, use an app store, submit a Meta lead form, or use a customer-selected platform, that third party may process your data under its own terms and privacy notice.

27. Changes to this policy

We may update this policy to reflect changes in law, guidance, Site behaviour, Services, Apps, processors, cookies, analytics, outreach, or business operations.

The effective date at the top shows when the current version took effect. Material changes will be highlighted on the Site where appropriate.

28. Contact

Privacy questions, rights requests, complaints, and objections should be sent to:

Magrathean UK Ltd. 16 Caledonian Court West Street Watford England WD17 1RY

Email: [email protected]