Lab539 AiTM Feed - Privacy Policy
Last updated: 2026-03-02
Lab539 Ltd (“we”, “us”, “our”) is a company incorporated in England and Wales (company number 14902643), registered at 128 City Road, London,
EC1V 2NX. We are the data controller for personal data processed through the AiTM Feed service and associated portal.
This policy explains what personal data we collect, why we collect it, how we use it, and your rights in relation to it.
What we collect and why
Account and subscription data
When you subscribe to AiTM Feed, we collect your name, email address, organisation name, and billing information. We use this to manage your
subscription, provide access to the service, process payments, and communicate with you about the service.
Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).
Portal authentication
We support Google and Microsoft as identity providers via OAuth. When you authenticate, your identity provider shares basic profile information
with us: your name, email address, and a unique identifier. We use this solely to verify your identity against your subscription record.
We request the minimum permissions required. We do not maintain persistent access to your Google or Microsoft profile, and we do not access
any information beyond what is provided during the authentication flow.
For transparency, here is what each identity provider shares with us:
Microsoft:
{ "sub":"aBCDefGh12345678egldOBGIo6mlEMB8Ufy7HnqN539",
"name":"Firstname Lastname",
"family_name":"Lastname",
"given_name":"Firstname",
"picture":"https://graph.microsoft.com/v1.0/me/photo/$value",
"email":"firstname.lastname@example539.com" }
Google:
{ "sub":"123456789012345678901",
"name":"Firstname Lastname",
"given_name":"Firstname",
"family_name":"Lastname",
"picture":"https://lh3.googleusercontent.com/some/path-/img",
"email":"firstname.lastname@example539.com",
"email_verified":true }
We do not retain the authentication response after your session is verified.
Legal basis: Legitimate interest (Article 6(1)(f) UK GDPR) - necessary to securely authenticate users to the service.
Web server logs
We retain standard web server logs of portal activity for security monitoring and incident investigation. These logs may include IP addresses,
timestamps, and request details. We do not use these logs for analytics, profiling, or any purpose other than security.
Legal basis: Legitimate interest (Article 6(1)(f) UK GDPR) - necessary for the security of the service.
Microsoft Azure Marketplace
If you subscribe via the Microsoft Azure Marketplace, Microsoft may share your contact and organisation details with us as part of the
marketplace lead and subscription management process. We use this data solely to provision and manage your subscription. Microsoft’s
processing of your data is governed by their own privacy statement.
What we do not do
- We do not use tracking cookies or any form of analytics tracking within the portal.
- We do not profile users or monitor portal usage patterns.
- We do not share, sell, or provide your personal data to any third party for any purpose.
- We do not use your data for marketing unless you have explicitly opted in to receive communications from us.
Data sharing
We do not share your personal data with third parties except in the following limited circumstances:
- Payment processing: Billing data is shared with our payment processor to process subscription payments. They act as a data processor on our behalf.
- Legal obligation: We may disclose data if required to do so by law or in response to a valid legal request from a law enforcement authority.
Data retention
Account and subscription data is retained for the duration of your subscription and for up to 12 months after termination, after which it
is deleted.
We may retain basic records (name, organisation, subscription dates) for a longer period where required for accounting or legal
We may retain basic records (name, organisation, subscription dates) for a longer period where required for accounting or legal
purposes.
Web server logs are retained for 12 months, in line with our security policies, unless a security investigation requires longer retention of specific records.
Authentication data from identity providers is not retained beyond the session verification.
Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Correct any inaccurate personal data
- Delete your personal data (subject to any legal obligations we may have to retain it)
- Restrict processing of your personal data in certain circumstances
- Object to processing based on legitimate interest
- Data portability - receive your data in a structured, commonly used format
To exercise any of these rights raise a support ticket with us (https://aitmfeed.com/support). We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at https:/
Revoking portal access
You can revoke the portal’s access to your identity provider at any time by removing the app registration within your Google or Microsoft account.
The Microsoft app is registered as “Lab539 AiTM Feed Portal” (app ID: 915bba4f-677e-4b17-bd7c-456a2c1a8427). Removing this will prevent
authentication until you re-consent.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the email address associated with your subscription. The
“last updated” date at the top of this page will always reflect the most recent revision.