Skip to content
Beer Mug Logo
IntuneBrewby UgurLabs.com

Legal

Privacy Policy

Learn how we collect, use, and protect your personal information when you use IntuneBrew.

Last reviewed
Last reviewed: July 14, 2026
Effective date
Effective: July 14, 2026
Document owner
Owner: Ugur Koc, IntuneBrew maintainer
Next scheduled review
Next scheduled review: January 14, 2027

1. Data Protection at a Glance

General Notes

The following notices provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to our privacy policy listed below this text.

Data Collection on This Website

Who is responsible for the data collection on this website?

Data processing on this website is carried out by the website operator. His contact details can be found in the section "Note about the responsible entity" in this privacy policy.

How do we collect your data?

On the one hand, your data is collected when you provide it to us. This can be, for example, data that you enter in a contact form or when you sign in with your Microsoft Entra ID work or school account.

Other data is collected automatically or with your consent by our IT systems when you visit the website. This is mainly technical data (e.g., Internet browser, operating system, or time of the page view). This data is collected automatically as soon as you enter this website.

What do we use your data for?

Part of the data is collected to ensure error-free provision of the website. Other data is used to provide the IntuneBrew service, including authenticating you, deploying applications to your Microsoft Intune tenant, and sending you notifications about application updates.

What rights do you have regarding your data?

You have the right at any time to receive information free of charge about the origin, recipient, and purpose of your stored personal data. You also have a right to demand the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right, under certain circumstances, to demand the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

For this purpose, as well as for further questions on the subject of data protection, you can contact us at any time.

3. Data We Collect

Identity and Authentication Data

When you sign in with Microsoft Entra ID, we receive:

  • User Object ID (oid) - Your unique Microsoft identifier
  • User Principal Name (upn) - Your work or school account username
  • Email address
  • Display name
  • Tenant ID - Your organization's Microsoft identifier

Service and Preference Data

We collect data about how you use the service:

  • Applications you deploy to Intune
  • Deployment history and status
  • User settings and preferences
  • Notification preferences
  • Email address used for requested notifications
  • Slack or generic webhook URL, verification state, and delivery status when configured
  • Role scope tag selections and other account settings
  • Profile image (if uploaded)

Technical and Analytics Data

Hosting and security providers may process technical request data to operate and protect the service. Plausible separately records aggregate page-view data without cookies, cross-site tracking, or stored raw IP addresses:

  • IP address
  • Browser type and version
  • Operating system
  • Referring website
  • Pages visited, referrer, and aggregate visit metrics
  • Date and time of access

Authentication and Upload Processing

The standard sign-in flow uses Microsoft Authentication Library (MSAL) in your browser. If you instead connect a custom app registration, the resulting Microsoft Graph access token is held in a short-lived encrypted HttpOnly session cookie and is not exposed to client-side JavaScript.

When you start an Intune upload, the required Graph access token is encrypted with AES-256-GCM before it is placed in a GitHub repository-dispatch payload. A GitHub Actions job uses it to download the selected package and upload that package to Microsoft Intune's delegated upload location. Supabase stores the job's application name, status, timing, user identifier, and diagnostic result. It does not store the package binary or a plaintext Graph access token.

Feedback and Communications

When you submit feedback or contact us, we collect your name, email address, and the content of your message.

4. Hosting

Vercel

This website is hosted on Vercel. When you visit our website, Vercel may collect various log files including your IP addresses for security and performance purposes.

For more information, please refer to Vercel's privacy policy: vercel.com/legal/privacy-policy

5. Subprocessors

We use the following third-party services to process your data:

ServicePurposeLocation
SupabaseDatabase and backend servicesUnited States
VercelWebsite hostingUnited States
Microsoft CorporationEntra ID authentication, Microsoft Graph, and Intune upload endpointsEU / United States
GitHub, Inc.Repository dispatch and GitHub Actions upload processingUnited States
ResendEmail deliveryUnited States
Plausible AnalyticsCookieless, aggregate website analyticsEuropean Union

For enterprise customers, our Data Processing Agreement provides additional details about our subprocessor arrangements and commitments.

6. International Data Transfers

Transfers Outside the EEA

Some of our subprocessors are located in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • EU-U.S. Data Privacy Framework - For transfers to certified U.S. organizations
  • Standard Contractual Clauses (SCCs) - EU-approved contract terms that provide adequate protection
  • Technical Measures - Encryption and access controls to protect data in transit and at rest

7. Data Retention

We retain your data for different periods depending on the type and purpose:

Data TypeRetention Period
Account data and preferencesWhile the account is active, then until a verified deletion request is completed
Upload status, deployment history, and audit recordsWhile needed for account history, security, and troubleshooting, then deleted or anonymized after account deletion unless legally required
Hosting, workflow, and server logsAccording to the configured retention of Vercel, GitHub, and other service providers
Plausible analyticsAggregated according to the configured Plausible site retention
Support communicationsWhile needed to resolve the request and establish or defend legal claims
Access tokensUntil token expiry or logout; encrypted upload copies exist only for the queued workflow's processing window
Local upload recovery stateUp to 1 hour in your browser's localStorage

Provider-controlled logs and backups may persist for their documented lifecycle. We may retain data longer where required by law or necessary to establish, exercise, or defend legal claims. Deletion requests are handled through the contact method below and may require identity verification.

8. Cookies and Tracking

What Are Cookies?

Cookies are small text files stored on your device when you visit websites. We use cookies and similar technologies to provide and improve our service.

Service Cookies and Site Preferences

Authentication Cookies

Created only when required by the sign-in method you use.

  • msal.cache.encryption - Session key material managed by MSAL v4
  • intunebrew_tenant_session - Encrypted HttpOnly custom-connection session

Notice Preference

  • cookie-consent - Remembers that this privacy notice was acknowledged or dismissed

Cookieless Analytics

Plausible helps us understand aggregate site use without setting analytics cookies. The preference cookie does not switch Plausible on or off.

  • Plausible Analytics - No cookies, cross-site identifiers, or visitor profiles

Managing Cookies

You can manage browser storage and the site-preference notice:

  • Through the privacy notice when you first visit
  • By clearing cookies in your browser settings
  • By using browser extensions that block tracking

Blocking the authentication session cookie or browser storage can prevent sign-in, custom tenant connections, and upload-state recovery from working correctly.

Browser Storage

MSAL v4 stores authentication artifacts in browser localStorage. It encrypts those artifacts using a key derived from a base key in the msal.cache.encryption session cookie, except when Microsoft's "Keep me signed in" option is selected. The custom app-registration flow uses a separate encrypted HttpOnly cookie whose lifetime is aligned with the Graph token. Active upload names and progress may be kept in localStorage for up to one hour so the interface can recover after a refresh. These storage areas can be cleared through browser settings or by signing out where applicable.

9. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15)

Request a copy of your personal data we hold.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17)

Request deletion of your data ("right to be forgotten").

Right to Restrict Processing (Art. 18)

Request limitation of how we process your data.

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to Object (Art. 21)

Object to processing based on legitimate interests.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent.

How to Exercise Your Rights

To exercise any of these rights, please contact us at support@ugurlabs.com. We will respond to your request within 30 days.

You also have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

10. Data Breach Notification

Our Commitment

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay if there is a high risk
  • Document the breach and our response measures
  • Take immediate steps to contain and mitigate the breach

For enterprise customers, our Data Processing Agreement provides additional details about breach notification procedures.

11. Automated Decision-Making

No Automated Decision-Making

IntuneBrew does not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. All significant decisions involving your data are made by humans.

Automated Processing

We do use automated processing for operational purposes such as rate limiting (based on IP address and user ID), fraud detection, and service optimization. These do not make decisions that legally affect you.

12. General Notes and Mandatory Information

Privacy

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations as well as this privacy policy.

Note on the Responsible Entity

The responsible party for data processing on this website is:

Ugur KocVon-Sauer-Str. 33b
22761 Hamburg
Germany

Email: support@ugurlabs.com

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by updating the "Last updated" date at the top of this page. For material changes, we may also notify you by email or through the Service.

Related Documents