Privacy
Privacy policy draft.
ChangeWitness is designed to store the least data required for detection, history, billing, reliability, and delivery.
Data We Store
Normalized product data required to operate the service.
- Tenant and workload identifiers
- Source event identifiers and nonreversible hashes
- Event type, exact operation, and timestamps
- Actor identifiers supplied by Microsoft
- Target identifiers and names required for human-readable alerts
- Exact changed properties supplied by Microsoft
- Deterministic correlation evidence
- Routing and delivery state
- Usage and billing references
Raw Payloads
Raw Microsoft payloads are not retained after successful normalization.
Raw payloads exist only in encrypted transport, Supabase Queues, and worker memory. Successful queue messages are deleted immediately after normalized persistence. Logs contain payload hashes and internal IDs, not raw payloads.
Poison messages may be moved to a restricted encrypted dead-letter queue for a maximum of 24 hours. Queue archival is not enabled for queues that can contain raw Microsoft payloads.
Retention
Default retention depends on the tenant plan.
| Data | Trial | Starter | Pro |
|---|---|---|---|
| Normalized change history | 7 days | 30 days | 90 days |
| Delivery history | 7 days | 30 days | 90 days |
| Source receipt dedupe keys | 30 days | 90 days | 180 days |
| Product audit log | 365 days | 365 days | 365 days |
| Dead-letter raw payload | Maximum 24 hours | Maximum 24 hours | Maximum 24 hours |
Billing and invoice records follow applicable accounting requirements and remain logically separated from product event history.
Your Rights
Data-subject requests and account controls.
Subject to applicable law, individuals may request access, correction, export, restriction, objection, or deletion of personal data. Organization Owners, Admins, and Analysts can export normalized events subject to role and tenant filters. Contact [PRIVACY EMAIL] to submit a request or ask a privacy question.
Deletion
Disconnect first, then remove tenant or organization data.
Disconnecting a workload stops collection and deletes its active Microsoft subscriptions. Tenant deletion starts a 7-day recoverable period. Product event data, destinations, secrets, routing, and connector metadata are purged within 30 days of confirmed deletion.
Billing records subject to legal retention remain access-restricted and separated. Organization deletion requires Owner reauthentication and typed confirmation.
Contact
Privacy contact details are pending.
[COMPANY LEGAL NAME]
[REGISTERED ADDRESS]
[PRIVACY EMAIL]