Privacy Policy

1. Who we are

Azimuth IT ("we", "us", "our") is a managed service provider (MSP) delivering IT support, cybersecurity, and related professional services.

For the purposes of applicable data protection laws, we act as:

• a data controller for personal data relating to our website, enquiries, and business operations; and
• a data processor when processing personal data on behalf of our customers as part of contracted services.

2. Scope of this policy

This policy applies to personal data relating to:

• website visitors
• prospective and current customers
• authorised client users and contacts
• suppliers and professional contacts

Where we process personal data on behalf of customers, that processing is governed by contractual arrangements and applicable data processing agreements (DPAs).

3. Personal data we collect

We apply the principle of data minimisation and collect only personal data that is necessary to deliver our services or meet legal and regulatory obligations.

Categories of personal data may include:

• Identity and contact information: name, job title, organisation, email address, phone number
• Account and service information: usernames, tenant identifiers, licensing and subscription details
• Technical data: IP addresses, device identifiers, system logs, audit logs, and configuration data
• Communications: support tickets, emails, and call records
• Billing and administrative data: invoicing details and transaction references

We do not intentionally collect special category or sensitive personal data unless required to provide contracted services.

4. Purposes of processing

We process personal data for the following purposes:

• providing managed IT and cybersecurity services
• account administration and customer support
• monitoring, logging, and maintaining the security of systems
• meeting legal, regulatory, and contractual obligations
• business operations such as billing, record-keeping, and service improvement

We do not carry out automated decision-making or profiling.

5. Lawful bases for processing

Under UK GDPR, EU GDPR, and applicable Australian privacy laws, we rely on the following lawful bases where applicable:

• Performance of a contract
• Compliance with legal obligations
• Legitimate interests, including operating and securing our services, where these interests are not overridden by individual rights
• Consent, where required, which may be withdrawn at any time

We do not rely on consent where another lawful basis is more appropriate.

6. Data sharing and third parties

We may share personal data with trusted third parties where necessary to deliver our services, including:

• Microsoft (including Microsoft 365, Azure, and Entra ID services)
• technology vendors and service providers forming part of a customer's IT stack
• professional advisers, insurers, and regulators where required

We do not sell personal data.

All third parties are required to implement appropriate security and confidentiality safeguards.

7. International data transfers

Personal data may be processed or stored outside the UK, EU, or Australia due to the global nature of modern IT services.

Where international transfers occur, we ensure appropriate safeguards are in place, including:

• adequacy decisions
• standard contractual clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or equivalent mechanisms

8. Data retention

We retain personal data only for as long as necessary, including:

• service-related data: for the duration of the customer relationship
• business and financial records: typically up to six years to meet legal and accounting requirements
• security and audit logs: retained in accordance with operational and compliance needs

Personal data is securely deleted or anonymised when no longer required.

9. Security of personal data

We implement appropriate technical and organisational measures to protect personal data, including:

• access controls and least-privilege principles
• encryption where appropriate
• monitoring, logging, and audit controls
• supplier and vendor due diligence

While no system can be guaranteed to be completely secure, we take reasonable steps to protect personal data from unauthorised access, loss, or misuse.

10. Individual rights

Depending on jurisdiction, individuals may have the right to:

• access their personal data
• request correction of inaccurate data
• request erasure
• restrict or object to processing
• request data portability
• withdraw consent where applicable

Requests can be made using the contact details above.

Individuals also have the right to lodge a complaint with the relevant supervisory authority, including:

• the UK Information Commissioner's Office (ICO)
• an EU supervisory authority in their country of residence
• the Office of the Australian Information Commissioner (OAIC)

11. Cookies and website data

Our website may use cookies or similar technologies for essential functionality, security, and basic analytics.

Where required, consent mechanisms are provided. Additional information is available in our cookie notice.

12. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of this page.