Product Privacy Policy

Privacy Policy

Last updated: 08-Dec-2025
Applies to: MPower365 – Project Document Management System (PDMS) for Microsoft 365 (SharePoint, Teams, Outlook) including the External Stakeholder Portal for vendors, contractors, subcontractors, customers, and consultants.

1. Scope of this policy

This Privacy Policy explains how MPower365 – PDMS (“the Service”) collects, uses, discloses, and protects personal information when deployed in a customer’s Microsoft 365 tenant and when accessed by internal users and external project stakeholders via the PDMS portal. It does not cover unrelated sections of our corporate website.

2. Where MPower365 – PDMS is hosted and deployed

Customer tenant deployment: MPower365 – PDMS is provisioned inside the customer’s Microsoft 365 tenant (SharePoint/Teams/Entra ID) and processes project content and user data within that tenant’s services, subject to the customer’s Microsoft 365 configuration, policies, and regional data residency.
External Stakeholder Portal: The Service provides a secure portal for external parties to upload, share, review, approve, and acknowledge transmittals. Portal data is stored in the customer tenant’s configured repositories (e.g., SharePoint libraries) unless otherwise stated in a customer-specific agreement.

3. Roles (Controller vs. Processor)

For data processed within the customer’s tenant, the customer is the Data Controller; MPower365 acts as a Data Processor (or sub processor where applicable), processing personal data under the customer’s documented instructions and configuration. This aligns with GDPR role definitions.
For limited publisher managed telemetry/support data (see Section 6), we act as the Controller of that narrow set of data.

4. Personal information we process

Depending on configuration and use, the Service may process the following categories:
Identity & access data

Name, email, role, company/organization, user IDs (including Microsoft Entra ID object IDs), group memberships, authentication logs.

Project collaboration data

Transmittal metadata, documents, markups/comments, approvals, acknowledgements, workflow history, timestamps.

Contact & communications

Notifications (email/Teams), message headers, audit trails related to project document flows.

Technical & usage data

Device/browser type, IP address, session IDs, feature usage events, error logs; collected minimally to secure the Service and improve reliability. (Personal data like IP and device identifiers can be personal information under GDPR.)

Sensitive data

PDMS is not designed to require processing of sensitive personal data (e.g., health, biometric). If customers upload such data into project documents, they remain responsible as Controllers; we process only as instructed.

5. How and why we use personal information (purposes & legal bases)

We process personal information strictly to operate PDMS:

Provide the Service: Identity, access, and project data to enable document transmittals, reviews, approvals, acknowledgements, versioning, and audit trails.
Security & integrity: Authentication, authorization, logging for fraud/abuse prevention, incident detection.
Support & diagnostics (publisher‑managed): Minimal telemetry and error reports to troubleshoot issues and improve stability; no content of documents is analyzed by us.

6. Data locations, transfers, and residency

Tenant data: Stored and processed in Microsoft‑managed data centers per the customer’s Microsoft 365 configuration (including Multi‑Geo/EU Data Boundary where applicable). Data is encrypted at rest and in transit by Microsoft services.
Telemetry/support data (if collected by us): Stored in regions we disclose to the customer (and in the DPA). If cross‑border transfers occur, we use appropriate safeguards (e.g., SCCs) as required by GDPR.

7. Data retention

Project/tenant data: Retention is controlled by the customer via SharePoint/Teams/Records Management or Microsoft Purview policies (e.g., retention labels, legal holds). We do not override customer retention.
Telemetry/support: Retained only for the time necessary to provide support and improve reliability, then deleted or anonymized per our internal retention schedule and the customer’s instructions.

8. Security

We implement privacy‑by‑design and industry‑standard measures, including role‑based access controls, least privilege, audit trails, encryption in transit, and secure development lifecycle. Platform security and compliance controls rely on Microsoft 365 services (SharePoint/Teams/Entra ID). Customers can additionally enforce Conditional Access, MFA, and DLP/Purview policies.

9. External Stakeholder Portal specifics

External users access only the specific workspaces/items shared with them, governed by permission settings and project workflows.
All uploads, reviews, approvals, and acknowledgements are recorded as transmittals with metadata and timestamps for accountability.
The portal may send notifications (email or Teams) related to specific project actions.

10. Sub processors and integrations

Microsoft 365 Services (SharePoint, Teams, Exchange/Outlook, Entra ID) are foundational platforms and act as sub‑processors or infrastructure providers for tenant data. Compliance attestations are documented by Microsoft.
Any additional sub‑processors used for telemetry or support (if any) will be listed in a public registry or in the customer’s Data Processing Addendum (DPA) and notified prior to engagement.

11. Cookies and similar technologies

PDMS may use strictly necessary cookies/session storage for authentication and maintaining user sessions. We do not use portal cookies for behavioral advertising. Where analytics cookies are enabled for product improvement, we provide notice and obtain consent if required by applicable law

12. Your privacy rights
Depending on your location and the customer Controller’s policies:

GDPR (EEA/UK): Right to access, rectify, erase, restrict, object, and data portability; right to withdraw consent; right to lodge a complaint with a supervisory authority. Requests should be sent to the customer (Controller); we support the customer in fulfilling requests as their Processor.
California (CCPA/CPRA): Rights to know, access, correct, delete, opt‑out of sale/share, limit use of sensitive personal information, and non‑discrimination. If applicable, our customers will provide methods to submit requests (e.g., web form or email); we assist them as Processor.

13. Children’s privacy

PDMS is a business to business solution not intended for children. We do not knowingly collect personal information from children under the age specified by local law.

14. Data Processing Addendum (DPA)

For enterprise customers, a DPA governing Processor obligations, sub processors, international transfers, and security measures is available upon request and forms part of the service agreement.

15. Incident response and breach notification
We maintain procedures to detect, investigate, and remediate security incidents. Where an incident affects tenant data, we promptly notify the customer Controller and cooperate to meet legal notification obligations. (Customers may also receive platform notifications from Microsoft services as applicable.)

16. Changes to this policy
We may update this policy to reflect improvements or legal requirements. The “Last updated” date will change, and material updates will be communicated through the email.

17. How to contact us
Privacy & DPA/ Support requests: support@mpower365.com