Skip to main content

Privacy

Privacy policy draft.

ChangeWitness is designed to store the least data required for detection, history, billing, reliability, and delivery.

Data We Store

Normalized product data required to operate the service.

  • Tenant and workload identifiers
  • Source event identifiers and nonreversible hashes
  • Event type, exact operation, and timestamps
  • Actor identifiers supplied by Microsoft
  • Target identifiers and names required for human-readable alerts
  • Exact changed properties supplied by Microsoft
  • Deterministic correlation evidence
  • Routing and delivery state
  • Usage and billing references

Raw Payloads

Raw Microsoft payloads are not retained after successful normalization.

Raw payloads exist only in encrypted transport, Supabase Queues, and worker memory. Successful queue messages are deleted immediately after normalized persistence. Logs contain payload hashes and internal IDs, not raw payloads.

Poison messages may be moved to a restricted encrypted dead-letter queue for a maximum of 24 hours. Queue archival is not enabled for queues that can contain raw Microsoft payloads.

Retention

Default retention depends on the tenant plan.

DataTrialStarterPro
Normalized change history7 days30 days90 days
Delivery history7 days30 days90 days
Source receipt dedupe keys30 days90 days180 days
Product audit log365 days365 days365 days
Dead-letter raw payloadMaximum 24 hoursMaximum 24 hoursMaximum 24 hours

Billing and invoice records follow applicable accounting requirements and remain logically separated from product event history.

Your Rights

Data-subject requests and account controls.

Subject to applicable law, individuals may request access, correction, export, restriction, objection, or deletion of personal data. Organization Owners, Admins, and Analysts can export normalized events subject to role and tenant filters. Contact [PRIVACY EMAIL] to submit a request or ask a privacy question.

Deletion

Disconnect first, then remove tenant or organization data.

Disconnecting a workload stops collection and deletes its active Microsoft subscriptions. Tenant deletion starts a 7-day recoverable period. Product event data, destinations, secrets, routing, and connector metadata are purged within 30 days of confirmed deletion.

Billing records subject to legal retention remain access-restricted and separated. Organization deletion requires Owner reauthentication and typed confirmation.

Contact

Privacy contact details are pending.

[COMPANY LEGAL NAME]

[REGISTERED ADDRESS]

[PRIVACY EMAIL]