Privacy Policy

This Privacy Policy describes how Prismatic Enterprises ("we," "us," or "our") collects, uses, and protects information when you use UserDesk ("the Service"). We are committed to protecting your privacy and handling your data transparently.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

We collect the minimum information necessary to operate the Service:

We use the information we collect to:

• •Authenticate you and verify your identity within your Microsoft 365 tenant.
• •Enforce role-based access control within the portal (Admin, Member, Viewer).
• •Display your tenant’s Microsoft 365 users, groups, and licenses through the Microsoft Graph API.
• •Maintain audit logs of actions taken through the Service for accountability and compliance.
• •Process subscription payments through Stripe.
• •Communicate with you about your account, service updates, or support requests.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

• •Contract performance — processing your account data, Microsoft 365 access, and subscription management is necessary to provide the Service you signed up for (Article 6(1)(b)).
• •Legitimate interest — processing analytics data (page views, referrer domains) and maintaining audit logs is necessary for our legitimate interests in improving the Service and ensuring security, where those interests are not overridden by your rights (Article 6(1)(f)).
• •Consent — processing your email address for marketing communications (newsletters, product updates) is based on your explicit opt-in consent. You may withdraw consent at any time by clicking the unsubscribe link in any email or contacting us (Article 6(1)(a)).
• •Legal obligation — we may process or retain data where required by applicable law, regulation, or legal process (Article 6(1)(c)).

Understanding how UserDesk accesses your Microsoft 365 data is critical to evaluating our privacy practices:

• •UserDesk uses delegated permissions (not application permissions). Every API call to Microsoft Graph is made as the signed-in user, using their own OAuth token.
• •When no user is signed in, UserDesk has zero access to your Microsoft 365 tenant. There are no standing tokens, no background processes, and no service accounts.
• •OAuth tokens are encrypted and stored only in the user’s browser session cookie. They are never written to our database or logged.
• •Your organization’s Global Administrator controls which permissions are granted. Admin consent can be revoked at any time by removing UserDesk from Azure Portal → Enterprise Applications.

We do not sell, rent, or trade your personal information. We share data only with the following third-party services, which are necessary to operate the Service:

• •Microsoft Graph API — to read and write Microsoft 365 data on your behalf (using your own delegated token).
• •Stripe — to process subscription payments. Stripe receives your billing email and payment method. See Stripe’s privacy policy at stripe.com/privacy.
• •Vercel — to host the Service. Vercel may process server logs containing IP addresses and request metadata. See Vercel’s privacy policy at vercel.com/legal/privacy-policy.
• •Supabase (PostgreSQL) — to host our database containing portal metadata and audit logs. Database is hosted in the United States (AWS us-east-1). No Microsoft 365 tokens or passwords are stored in this database.

We may also disclose information if required by law, regulation, or legal process, or to protect the rights, safety, or property of Prismatic Enterprises, our users, or the public.

UserDesk uses cookies strictly for authentication and session management:

• •Session cookie — contains your encrypted OAuth token and session data. This cookie is HttpOnly, Secure, and SameSite=Lax. It expires when you sign out or close your browser.
• •CSRF token cookie — used to prevent cross-site request forgery during authentication. This is a security measure required by the OAuth flow.

We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookie-based tracking. We do not use Google Analytics, Facebook Pixel, or similar services.

• •Account data (tenant ID, user emails, roles) is retained for the duration of your active subscription.
• •Audit logs are retained for the duration of your subscription and are available for export upon request.
• •After subscription cancellation, we retain your data for 30 days to allow for reactivation. After this period, your data may be permanently deleted.
• •Marketing data (newsletter subscriptions, lead magnet downloads) is retained until you unsubscribe or request deletion. Unsubscribing removes you from all future mailings immediately.
• •You may request deletion of your data at any time by contacting us at hello@getuserdesk.com.

We implement appropriate technical and organizational measures to protect your data:

• •All data in transit is encrypted using TLS 1.2 or higher.
• •OAuth tokens are encrypted at rest within browser session cookies using server-side encryption keys.
• •Our database is encrypted at rest and accessible only through authenticated, encrypted connections.
• •We enforce HTTPS on all endpoints. HTTP requests are automatically redirected to HTTPS.
• •Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are applied to all responses.

For a detailed explanation of our security architecture, including breach resilience analysis, see our Security page.

Under the GDPR and similar data protection laws, you have the following rights regarding your personal data. These rights apply regardless of your location, though specific enforcement mechanisms vary by jurisdiction:

• •Access — request a copy of the personal data we hold about you (GDPR Article 15).
• •Rectification — request correction of inaccurate personal data (GDPR Article 16).
• •Erasure — request deletion of your personal data, also known as the “right to be forgotten” (GDPR Article 17).
• •Portability — request your data in a structured, machine-readable format (GDPR Article 20).
• •Objection — object to our processing of your personal data, including for direct marketing (GDPR Article 21).
• •Restriction — request restriction of processing in certain circumstances (GDPR Article 18).
• •Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing (GDPR Article 7(3)).
• •Lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.

To exercise any of these rights, contact us at hello@getuserdesk.com. We will respond within 30 days of receiving your request. For EU/EEA residents, we will respond within the GDPR-mandated timeframe of one calendar month.

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and we ensure our sub-processors (Vercel, Supabase, Stripe) maintain equivalent safeguards. A Data Processing Agreement (DPA) incorporating SCCs is available upon request for enterprise customers.

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or through a notice in the Service at least 14 days before the changes take effect. Your continued use of the Service after the changes take effect constitutes acceptance of the updated policy.

For enterprise and EU/EEA customers who require a formal Data Processing Agreement, we provide a DPA that incorporates Standard Contractual Clauses (SCCs). You can download a draft copy here:

Download Data Processing Agreement (PDF)

To execute the DPA, please email a signed copy to hello@getuserdesk.com.

If you have questions about this Privacy Policy or our data practices, contact us at hello@getuserdesk.com.

Prismatic Enterprises
Pennsylvania, United States