Privacy Policy

Effective Date: March 30, 2026

Publisher: Realizer Services Inc. | Contact: privacy@realizer.io

1. Introduction

This Privacy Policy describes how Realizer Services Inc. ("Realizer", "we", "us", "our") collects, uses, stores, and protects information in connection with our website and AccessPoint, our subject access request management solution for Microsoft 365 and Azure ("the App").

AccessPoint is designed with a data sovereignty model: customer data is stored and processed entirely within the customer's own Microsoft Azure subscription. Realizer does not host, store, or have standing access to customer data.

This policy covers three contexts:

• The Website — realizer.io and related pages
• The App — the AccessPoint software deployed in a customer's environment
• The Platform — Realizer's platform services that support licensing and Teams notifications

2. Data Controller and Data Processor Roles

• Customer organizations are the data controller for all personal data processed within AccessPoint. They determine the purposes and means of processing personal data related to their subject access requests.
• Realizer Services Inc. acts as a data processor only to the extent it processes limited data through the Platform (see Section 5). Realizer does not control or determine the purposes for which customer data is processed within AccessPoint.

3. Information Collected via the Website

Information You Provide

We collect information that you voluntarily provide, including:

• Contact form submissions: Name, email address, company, and message content
• Demo requests: Name, email, company, job title, and phone number
• Service inquiries: Information relevant to your training or consulting needs

Automatically Collected Information

When you visit our website, we may automatically collect:

• Browser type and version
• Operating system
• Pages visited and time spent
• Referring website
• IP address (anonymized)

We use this information to improve our website and user experience. We use privacy-respecting analytics and do not track users across other websites.

4. Data Processed by the App (Customer Environment)

All of the following data is stored and processed exclusively within the customer's own Azure subscription. Realizer does not have access to this data.

User Identity Data

Display name, email address, Entra ID object ID, and tenant ID — sourced from Microsoft Entra ID JWT tokens during authentication. Used for authentication, authorization, audit logging, and people picker functionality. Stored in the customer's Azure SQL database.

Subject Access Request Data

• Request details: titles, descriptions, request numbers, dates, statuses, priority levels
• Requestor information: names, contact details, addresses, organizational affiliations
• Assignment and task records: custodian assignments, contributor tasks, instructions, due dates
• Attestation records: formal attestations with e-signatures
• Audit history: timestamped records of all create, update, and delete actions with user attribution

Documents

• Files uploaded by users (Office documents, PDFs, images, email files)
• Converted PDF versions for preview and redaction
• Redacted document versions
• Response packages (ZIP and merged PDF exports)

Stored in the customer's Azure Blob Storage with Microsoft-managed encryption at rest (customer-managed keys optionally available).

Privacy by Design

AccessPoint enforces role-based data access:

• Custodians and Contributors never see requestor personally identifiable information (PII). They work from sanitized instructions.
• Notification templates for Custodian and Contributor roles automatically strip PII tokens before dispatch.
• Administrators control which users have access to the system and at what role level.

5. Data Processed by Realizer (Platform Services)

Realizer's Platform services process a limited set of data to support licensing and Teams notifications.

License Validation

When the App starts and periodically during use, it sends a request to Realizer's Platform API to validate the customer's subscription.

Data transmitted: Tenant ID (a Microsoft Entra ID identifier for the customer's organization).

Data NOT transmitted: No user names, email addresses, personal data, request content, documents, or customer business data.

Retention: Tenant ID and license status are retained for the duration of the subscription plus 90 days after expiration for billing reconciliation.

Teams Activity Feed Notifications

When a Teams activity feed notification is triggered, the customer's API sends a request to Realizer's Platform API, which sends the notification via Microsoft Graph on behalf of the customer's tenant.

Data transmitted: Recipient's Entra ID user ID, notification type and template parameters (e.g., request number, assignment name), and customer tenant ID.

Data NOT transmitted: No requestor PII, no document content, no request details beyond the notification parameters.

Retention: Notification metadata is retained in transit logs for 30 days for troubleshooting purposes, then automatically deleted.

6. Data We Do NOT Collect

Realizer does not collect, store, or have access to:

• Subject access request content or details
• Requestor personal information (names, addresses, contact details)
• Documents, redactions, or response packages
• User browsing behavior within the App, device information, or App telemetry
• Cookies or local storage identifiers from the App
• Location data

7. Data Storage and Security

Customer Data (App)

• Stored in the customer's Azure subscription (Azure SQL Database, Azure Blob Storage)
• Encrypted at rest using Microsoft-managed encryption keys (customer-managed keys optionally available for Blob Storage)
• Encrypted in transit via TLS 1.3
• Access controlled by the customer's Entra ID and Azure RBAC policies
• Realizer has no standing access to customer Azure resources

Platform Data (Realizer)

• Hosted on Azure infrastructure in Canada
• Encrypted at rest and in transit
• Access restricted to authorized Realizer personnel with MFA-protected accounts
• No customer content or PII is stored on Realizer infrastructure

Website Data

• Contact form submissions are stored securely using Microsoft Azure infrastructure hosted in Canada
• Encrypted at rest and in transit

8. Third-Party Data Sharing

Realizer does not sell, rent, or share customer data with third parties.

The only third-party service involved in data processing is Microsoft Graph API, which is used to:

• Send email notifications from the customer's shared mailbox (processed within the customer's tenant)
• Send Teams activity feed notifications (proxied through Realizer's Platform API using the publisher's app registration)
• Resolve user profiles for the people picker (processed within the customer's tenant)

No data is transmitted to any other third-party service.

9. Data Retention and Deletion

Customer Data

Data retention is fully controlled by the customer:

• Administrators configure retention periods per request type using the built-in Retention Review feature
• Expired requests and associated documents can be purged by the Administrator
• Deleting the Azure resources (SQL Database, Blob Storage) permanently destroys all data
• Realizer cannot recover customer data after deletion, as it does not hold copies

Platform Data

• License records: retained for the duration of the subscription plus 90 days
• Notification transit logs: retained for 30 days, then automatically deleted
• No customer content is retained on the Platform

Website Data

Contact form submissions and demo requests are retained for the duration of the business relationship. You may request deletion at any time.

10. Data Subject Rights

For End Users of the App

Requests related to personal data processed within AccessPoint (access, correction, deletion, portability) should be directed to the customer organization that deployed AccessPoint, as they are the data controller.

For Customer Organizations

As the data controller, customers can:

• Export or delete any data in their Azure SQL database and Blob Storage at any time
• Use the Retention Review feature to manage data lifecycle
• Decommission the entire environment by deleting their Azure resources

For Website Visitors and Platform Data

You have the right to:

• Request access to your personal information
• Request correction or deletion of your data
• Withdraw consent for communications at any time
• Lodge a complaint with a data protection authority

To exercise these rights, contact privacy@realizer.io.

11. International Data Transfers

• Customer data remains in the Azure region chosen by the customer during deployment. No cross-border transfer occurs unless the customer configures geo-redundant storage.
• Platform data (tenant ID, notification metadata) is processed on Realizer's Azure infrastructure in Canada.
• Website data is processed on Azure infrastructure in Canada.

12. Children's Privacy

AccessPoint is an enterprise business application. It is not directed at children and does not knowingly collect personal data from children under the age of 16.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through an updated effective date at the top of this page and notification to active customers via email.

14. Contact

For questions about this Privacy Policy or to exercise your data rights:

Realizer Services Inc.
Email: privacy@realizer.io
Website: realizer.io/privacy