Legal

Privacy Policy

This policy explains what data AzureLayer collects, why we collect it, how we protect it, and the rights you have over it. The short version: we collect the minimum needed to run the service, we never sell it, and we never train AI models on your work items.

Last updated: July 1, 2026

1. Who we are

AzureLayer (“AzureLayer”, “we”, “us”) provides a productivity layer that connects to Microsoft Azure DevOps on your behalf. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, we act as a data controller for account and website data, and as a data processor for the Azure DevOps content (work items, comments, time logs) we process on your instructions.

You can reach our privacy team at privacy@azurelayer.com.

2. Data we collect

We collect three categories of data:

  • Account data — name, work email, organization name, and authentication credentials (hashed). Provided by you at signup or waitlist registration.
  • Workspace content — work items, user stories, tasks, comments, time logs, and sprint metadata imported from Azure DevOps using the Personal Access Token (PAT) you supply. This data is processed solely to provide the service.
  • Usage data — product interactions, device and browser type, and diagnostic logs. Used for security, reliability, and product improvement.

3. How we use data

We use data to:

  • Provide, operate, and secure the AzureLayer service;
  • Sync changes between AzureLayer and your Azure DevOps organization;
  • Generate AI outputs you request (subtasks, summaries, reports);
  • Send transactional notifications you have enabled;
  • Respond to support requests and communicate service changes;
  • Comply with legal obligations.

We do not sell personal data. We do not use your workspace content to train AI models — content is processed transiently to produce the output you asked for and is not retained by model providers.

4. PAT tokens

Your Azure DevOps Personal Access Token is encrypted with AES-256 before storage, is never written to logs, and is used exclusively to perform the read and write operations you initiate. You can revoke the token from Azure DevOps at any time, which immediately severs AzureLayer’s access. Deleting your account deletes the stored token.

5. Legal bases (GDPR notice)

Where GDPR applies, we process personal data under the following legal bases:

  • Contract — to deliver the service you signed up for (Art. 6(1)(b));
  • Legitimate interests — service security, fraud prevention, and product analytics (Art. 6(1)(f));
  • Consent — marketing communications and non-essential cookies (Art. 6(1)(a)), withdrawable at any time;
  • Legal obligation — where retention or disclosure is required by law (Art. 6(1)(c)).

6. Data processing & subprocessors

When we process workspace content on your behalf, we do so only on your documented instructions, under a Data Processing Agreement (DPA) incorporating the EU Standard Contractual Clauses where transfers outside the EEA occur. Enterprise customers can request our signed DPA at legal@azurelayer.com.

We use a small number of vetted subprocessors (cloud hosting, email delivery, AI inference). Each is bound by contractual confidentiality and security obligations at least as protective as this policy. A current list is available on request.

7. Retention

Account data is retained while your account is active and deleted within 30 days of account deletion. Workspace content is deleted within 30 days of disconnecting your Azure DevOps organization or deleting your account. Backups expire on a rolling 35-day schedule. Diagnostic logs are retained for 90 days.

8. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, restrict, object to the processing of, or delete your personal data, and the right to lodge a complaint with a supervisory authority. To exercise any right, email privacy@azurelayer.com; we respond within 30 days.

9. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to production systems is restricted, logged, and protected by multi-factor authentication. See our Security Policy for the full posture, including our vulnerability disclosure process.

10. Children

AzureLayer is a business tool and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

11. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced by email and in-app at least 14 days before taking effect. The “Last updated” date at the top reflects the current version.

Questions about this document? Contact us at legal@azurelayer.com. AzureLayer is an independent product and is not affiliated with, endorsed by, or sponsored by Microsoft Corporation. Azure and Azure DevOps are trademarks of Microsoft Corporation.