Privacy Policy
Version 1.0 — Last updated: April 2026
1. Who We Are
R.A.I.D.E.N is a Microsoft 365 threat detection and investigation platform. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service. For the purposes of UK GDPR, we act as a data processor in relation to your organisation’s employee data, and as a data controller in relation to account and billing data.
2. What Data We Collect
Account data: Name, email address, organisation name, and billing contact information provided during registration.
Microsoft 365 audit log data: When you connect your Microsoft 365 tenant, we ingest audit log events which may include user email addresses, sign-in IP addresses, device identifiers, file names, email subject lines, and user activity timestamps. This data is processed solely for the purpose of threat detection and security investigation on your behalf.
Usage data: Information about how you interact with the Service, including log files, session data, and feature usage patterns, used to operate and improve the Service.
3. How We Use Your Data
- To provide the threat detection and investigation service you have subscribed to
- To generate security alerts, cases, and investigation reports
- To operate, maintain, and improve the Service
- To communicate with you about your account, subscription, and service updates
- To comply with legal obligations
We do not sell your data to third parties. We do not use your Microsoft 365 audit log data for any purpose other than providing the Service.
4. Data Storage and Transfers
Your data is stored on Railway infrastructure. Railway’s primary data centres are located in the United States. If you are based in the UK or EU, this constitutes an international transfer of personal data. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers where applicable.
We take reasonable technical and organisational measures to protect your data against unauthorised access, loss, or disclosure.
5. Data Retention
We retain Microsoft 365 audit log data for as long as your subscription is active plus a 90-day grace period. Account data is retained for as long as necessary to administer your account and comply with legal obligations. Upon account closure, you may request deletion of your data within 30 days.
6. Your Rights
Under UK GDPR and, where applicable, EU GDPR, you have rights including:
- Right of access: To request a copy of the personal data we hold about you
- Right to rectification: To correct inaccurate personal data
- Right to erasure: To request deletion of your personal data
- Right to restrict processing: To limit how we use your data
- Right to data portability: To receive your data in a machine-readable format
To exercise any of these rights, contact us using the details in your onboarding documentation. We will respond within 30 days.
7. Cookies
The Service uses session cookies strictly necessary for authentication. We do not use tracking cookies or third-party analytics cookies without your consent.
8. Sub-processors
We use the following sub-processors to operate the Service:
- Railway (Railwayapp, Inc.) — Infrastructure and database hosting (US)
- Resend — Transactional email delivery
- Microsoft Azure — Microsoft 365 API access (OAuth)
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the version date above and, where appropriate, via email. Continued use of the Service after changes constitutes acceptance.
10. Contact
For privacy-related enquiries, to exercise your data rights, or to request our Data Processing Agreement (DPA), contact us via the support details provided in your onboarding documentation.