Privacy Policy
Last updated: 9 June 2026
1. Introduction
Provavio ("we", "us", "our") provides a Microsoft 365 IT automation platform accessible at provavio.com ("the Service"). This Privacy Policy explains how we collect, use, store and protect personal data in accordance with the General Data Protection Regulation (GDPR) and the Dutch Implementation Act (Uitvoeringswet AVG).
For questions about this policy, contact us at hello@provavio.com.
2. Who we are (Data Controller)
Provavio operates as the data controller for data collected through this website and the Service. We can be reached at hello@provavio.com.
3. What data we collect
3.1 Account & authentication data
- Name and email address (via Microsoft SSO / Entra ID)
- Microsoft Azure Object ID and Tenant ID
- Organisation name and tenant details
- User role within your organisation
3.2 Employee data (processed on behalf of customers)
When customers use Provavio to manage their Microsoft 365 environment, we process employee data on their behalf, including:
- Employee names, email addresses and job titles
- Department and manager information
- Microsoft 365 license and group assignments
- Onboarding and offboarding records
- Access request history
For this data, Provavio acts as a data processor and the customer (organisation) acts as the data controller. A Data Processing Agreement (DPA) is available on request at hello@provavio.com.
3.3 Usage data
- Log data (actions performed, timestamps, IP addresses)
- Browser type and operating system
- Pages visited and features used
3.4 Communication data
- Emails sent to us (e.g. support requests)
4. Legal basis for processing
- Contract performance (Art. 6(1)(b) GDPR) — processing necessary to provide the Service to you
- Legitimate interests (Art. 6(1)(f) GDPR) — security logging, fraud prevention, service improvement
- Legal obligation (Art. 6(1)(c) GDPR) — where required by Dutch or EU law
- Consent (Art. 6(1)(a) GDPR) — for non-essential cookies (where applicable)
5. Sub-processors
We use the following third-party service providers to operate the Service. Each has been assessed for GDPR compliance and processes data only as instructed:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting & CDN | USA (SCCs) |
| Microsoft Azure | Authentication (Entra ID / SSO) | EU / USA (SCCs) |
| Resend | Transactional email delivery | USA (SCCs) |
| Trigger.dev | Background job processing (provisioning) | EU |
| Database provider | Persistent data storage | EU |
SCCs = Standard Contractual Clauses approved by the European Commission.
6. Data retention
- Account data — retained for the duration of the active subscription, plus 90 days after termination to allow data export
- Employee data — retained as configured by the customer organisation, deleted upon account termination
- Log data — retained for 12 months for security and audit purposes
- Emails — retained for 24 months
7. Your rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restriction — request that we limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent
To exercise any of these rights, email us at hello@provavio.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (AP).
8. Cookies
Provavio uses the following cookies:
- Session cookie (essential) — keeps you logged in during your session. This cookie is strictly necessary and does not require consent.
- CSRF token (essential) — protects against cross-site request forgery attacks.
We do not use advertising, tracking or analytics cookies. If this changes, we will update this policy and request your consent via the cookie banner.
9. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- TLS/HTTPS encryption for all data in transit
- Encryption at rest for sensitive credentials (Microsoft Graph client secrets)
- Role-based access controls within the platform
- No storage of Microsoft account passwords
- Regular dependency and security updates
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users by email of material changes at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Governing law
This Privacy Policy is governed by Dutch law. Any disputes shall be submitted to the competent court in the Netherlands.