Privacy policy
Last updated: July 2026
Data controller
SHELAON PARTNERS, SARL with a capital of €5,000, Paris Trade Register 899 165 872, 54 avenue Hoche, 75008 Paris, France. Contact: support@shelaon.com
For the data of your Microsoft tenant (users, devices, policies), your organisation remains the data controller; SHELAON PARTNERS acts as a processor within the meaning of Article 28 GDPR.
Data processed
- Account: name, work email address, Entra identifier (oid), organisation, role. No passwords: sign-in happens exclusively through your Microsoft SSO.
- Connected Microsoft tenant data: Intune policy metadata, users (name, UPN, licences, sign-in activity), enrolled devices (name, OS, compliance). No user access token or client secret is ever stored in our database.
- Audit log: every write action (deployment, exclusion, role change) is recorded with its author and timestamp.
- Billing: billing details and history, processed by Stripe. We store no card numbers.
- Cookies: technical cookies only (session, active tenant, anti-CSRF). No advertising cookies or third-party trackers.
Purposes and legal bases
- Providing the service (scan, deployment, reports) — performance of the contract (Art. 6(1)(b) GDPR).
- Security, logging and abuse prevention — legitimate interest (Art. 6(1)(f)).
- Billing and accounting obligations — legal obligation (Art. 6(1)(c)).
Sub-processors
| Sub-processor | Role | Location |
|---|---|---|
| Vercel Inc. | Application hosting | EU (Frankfurt) · US company |
| Neon Inc. | Database (encrypted at rest) | EU (Frankfurt) · US company |
| Microsoft Ireland Operations Ltd. | Identity (Entra ID) and Microsoft Graph API | EU (Ireland) |
| Stripe Payments Europe Ltd. | Payments and billing | EU (Ireland) |
| Resend Inc. | Transactional email | United States |
| HostedScan LLC | Continuous vulnerability testing (no customer data processed) | United States |
Transfers outside the European Union (Vercel, Neon, Resend, HostedScan — US companies) are governed by the European Commission's standard contractual clauses and, where applicable, the EU–US Data Privacy Framework.
Retention periods
- Account and tenant data: for the duration of the contract, then deleted within 30 days after termination.
- Audit log: rolling 12 months.
- Billing documents: 10 years (statutory accounting obligation).
Security
Database encrypted at rest (AES-256), traffic encrypted in transit (TLS 1.2+), authentication exclusively through Microsoft SSO (no passwords), no customer Microsoft secret persisted, append-only audit log, hosting in the European Union, and continuous vulnerability testing operated through HostedScan (OWASP, network, TLS).
Your rights
Under the GDPR you have rights of access, rectification, erasure, restriction, portability and objection. To exercise them: support@shelaon.com. You may also lodge a complaint with your supervisory authority (in France, the CNIL — www.cnil.fr).