1. Data Protection at a Glance
General Notes
The following notices provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to our privacy policy listed below this text.
Data Collection on This Website
Who is responsible for the data collection on this website?
Data processing on this website is carried out by the website operator. His contact details can be found in the section "Note about the responsible entity" in this privacy policy.
How do we collect your data?
On the one hand, your data is collected when you provide it to us. This can be, for example, data that you enter in a contact form or when you sign in with your Microsoft Entra ID work or school account.
Other data is collected automatically or with your consent by our IT systems when you visit the website. This is mainly technical data (e.g., Internet browser, operating system, or time of the page view). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Part of the data is collected to ensure error-free provision of the website. Other data is used to provide the IntuneBrew service, including authenticating you, deploying applications to your Microsoft Intune tenant, and sending you notifications about application updates.
What rights do you have regarding your data?
You have the right at any time to receive information free of charge about the origin, recipient, and purpose of your stored personal data. You also have a right to demand the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right, under certain circumstances, to demand the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
For this purpose, as well as for further questions on the subject of data protection, you can contact us at any time.
2. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR:
Contract Performance (Art. 6(1)(b) GDPR)
Processing necessary to provide the IntuneBrew service, including authentication, app deployment, and account management.
Consent (Art. 6(1)(a) GDPR)
Where we explicitly ask for an optional communication or feature. You can withdraw consent at any time. Plausible Analytics does not use cookies and is not controlled by the site-preference cookie described below.
Legitimate Interests (Art. 6(1)(f) GDPR)
For security measures, fraud prevention, aggregate cookieless analytics, service improvement, and protecting our rights. We balance these interests against your privacy rights.
Legal Obligation (Art. 6(1)(c) GDPR)
When we are required to process data by law, such as for tax records or responding to legal requests.
3. Data We Collect
Identity and Authentication Data
When you sign in with Microsoft Entra ID, we receive:
- User Object ID (oid) - Your unique Microsoft identifier
- User Principal Name (upn) - Your work or school account username
- Email address
- Display name
- Tenant ID - Your organization's Microsoft identifier
Service and Preference Data
We collect data about how you use the service:
- Applications you deploy to Intune
- Deployment history and status
- User settings and preferences
- Notification preferences
- Email address used for requested notifications
- Slack or generic webhook URL, verification state, and delivery status when configured
- Role scope tag selections and other account settings
- Profile image (if uploaded)
Technical and Analytics Data
Hosting and security providers may process technical request data to operate and protect the service. Plausible separately records aggregate page-view data without cookies, cross-site tracking, or stored raw IP addresses:
- IP address
- Browser type and version
- Operating system
- Referring website
- Pages visited, referrer, and aggregate visit metrics
- Date and time of access
Authentication and Upload Processing
The standard sign-in flow uses Microsoft Authentication Library (MSAL) in your browser. If you instead connect a custom app registration, the resulting Microsoft Graph access token is held in a short-lived encrypted HttpOnly session cookie and is not exposed to client-side JavaScript.
When you start an Intune upload, the required Graph access token is encrypted with AES-256-GCM before it is placed in a GitHub repository-dispatch payload. A GitHub Actions job uses it to download the selected package and upload that package to Microsoft Intune's delegated upload location. Supabase stores the job's application name, status, timing, user identifier, and diagnostic result. It does not store the package binary or a plaintext Graph access token.
Feedback and Communications
When you submit feedback or contact us, we collect your name, email address, and the content of your message.
4. Hosting
Vercel
This website is hosted on Vercel. When you visit our website, Vercel may collect various log files including your IP addresses for security and performance purposes.
For more information, please refer to Vercel's privacy policy: vercel.com/legal/privacy-policy
5. Subprocessors
We use the following third-party services to process your data:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database and backend services | United States |
| Vercel | Website hosting | United States |
| Microsoft Corporation | Entra ID authentication, Microsoft Graph, and Intune upload endpoints | EU / United States |
| GitHub, Inc. | Repository dispatch and GitHub Actions upload processing | United States |
| Resend | Email delivery | United States |
| Plausible Analytics | Cookieless, aggregate website analytics | European Union |
For enterprise customers, our Data Processing Agreement provides additional details about our subprocessor arrangements and commitments.
6. International Data Transfers
Transfers Outside the EEA
Some of our subprocessors are located in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- EU-U.S. Data Privacy Framework - For transfers to certified U.S. organizations
- Standard Contractual Clauses (SCCs) - EU-approved contract terms that provide adequate protection
- Technical Measures - Encryption and access controls to protect data in transit and at rest
7. Data Retention
We retain your data for different periods depending on the type and purpose:
| Data Type | Retention Period |
|---|---|
| Account data and preferences | While the account is active, then until a verified deletion request is completed |
| Upload status, deployment history, and audit records | While needed for account history, security, and troubleshooting, then deleted or anonymized after account deletion unless legally required |
| Hosting, workflow, and server logs | According to the configured retention of Vercel, GitHub, and other service providers |
| Plausible analytics | Aggregated according to the configured Plausible site retention |
| Support communications | While needed to resolve the request and establish or defend legal claims |
| Access tokens | Until token expiry or logout; encrypted upload copies exist only for the queued workflow's processing window |
| Local upload recovery state | Up to 1 hour in your browser's localStorage |
Provider-controlled logs and backups may persist for their documented lifecycle. We may retain data longer where required by law or necessary to establish, exercise, or defend legal claims. Deletion requests are handled through the contact method below and may require identity verification.
9. Your Rights
Under GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15)
Request a copy of your personal data we hold.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17)
Request deletion of your data ("right to be forgotten").
Right to Restrict Processing (Art. 18)
Request limitation of how we process your data.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.
How to Exercise Your Rights
To exercise any of these rights, please contact us at support@ugurlabs.com. We will respond to your request within 30 days.
You also have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
10. Data Breach Notification
Our Commitment
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay if there is a high risk
- Document the breach and our response measures
- Take immediate steps to contain and mitigate the breach
For enterprise customers, our Data Processing Agreement provides additional details about breach notification procedures.
11. Automated Decision-Making
No Automated Decision-Making
IntuneBrew does not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. All significant decisions involving your data are made by humans.
Automated Processing
We do use automated processing for operational purposes such as rate limiting (based on IP address and user ID), fraud detection, and service optimization. These do not make decisions that legally affect you.
12. General Notes and Mandatory Information
Privacy
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations as well as this privacy policy.
Note on the Responsible Entity
The responsible party for data processing on this website is:
Ugur KocVon-Sauer-Str. 33b22761 Hamburg
Germany
Email: support@ugurlabs.com
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by updating the "Last updated" date at the top of this page. For material changes, we may also notify you by email or through the Service.
Related Documents
- Terms of Service - Our service terms and conditions
- Data Processing Agreement - For enterprise and GDPR compliance
- Security Information - Our security practices
- Acceptable Use Policy - Usage guidelines