CloudOrbit

Privacy Policy

Last updated: 10 June 2026

This policy explains how we handle personal information across the CloudOrbit website, portal, support, onboarding and integrations.

1. Introduction

This Privacy Policy explains how CYH & CO PTY LTD (ABN 48 668 871 743) ("CloudOrbit", "we", "us") collects, uses, discloses and protects personal information in connection with the CloudOrbit website at cloudorbit.com.au, the CloudOrbit customer and administrator portals, onboarding, support, and Microsoft cloud integrations (together, the "Service").

We handle personal information in accordance with applicable Australian privacy law, including the Australian Privacy Principles where they apply to us. This policy should be read together with our Terms of Use.

2. Information We Collect

We collect the following categories of information:

A. Account and identity information

  • name
  • email address / user principal name (UPN)
  • organisation
  • role
  • Microsoft tenant identifier
  • authentication metadata (such as sign-in identifiers and tokens issued by your identity provider)

B. Customer and tenant metadata

  • customer name and domain
  • tenant identifier
  • connector status
  • onboarding status
  • Support Access records (scope, reason, approver and time limits)

C. Microsoft cloud metadata (where connected)

  • Microsoft 365 licence information and assigned-licence metadata
  • user metadata required for licence, security and reporting insights
  • Azure subscription, resource and cost metadata
  • Microsoft Entra ID sign-in activity (sign-in logs) used for security and reporting insights
  • security, compliance and governance posture metadata

D. Technical and usage information

  • IP address
  • browser and device information
  • logs and audit events
  • pages viewed and actions taken
  • error and performance telemetry

E. Support and communications

  • support requests and related correspondence
  • emails and contact-form submissions
  • onboarding notes

3. Information We Do Not Intentionally Collect

  • We do not intend to collect unnecessary sensitive personal information.
  • We do not intentionally collect payment card details unless and until a payment processor is integrated, in which case those details are handled by that processor.
  • We do not require customer content — such as email body content, documents or private files — for core cost, licence and resource visibility, unless a future feature explicitly requires it and the Customer consents.

4. How We Use Information

We use information to:

  • provide and operate the Service;
  • authenticate users and map them to the correct Customer tenant;
  • produce dashboards and reports;
  • monitor licences, cost, resources, and security, compliance and governance posture;
  • generate recommendations and advisory insights;
  • manage Support Access and audit privileged actions;
  • maintain the security and integrity of the Service;
  • improve and develop the Service;
  • comply with our legal obligations.

5. Microsoft Graph and Azure Data Use

  • Access to Microsoft cloud data depends on the consent and permissions granted in the Customer's Microsoft tenant.
  • We use that data to provide visibility, reporting, recommendations and governance insights.
  • Where your permissions allow, connected data may include Microsoft Entra ID sign-in activity, used for security and reporting insights.
  • We request read-only permissions wherever possible.
  • The Customer may revoke CloudOrbit's access at any time through Microsoft Entra ID / Azure.

7. Sharing of Information

We may share information with:

  • hosting and infrastructure providers;
  • Microsoft Azure (hosting) and Microsoft identity and cloud APIs;
  • support and service providers acting on our behalf;
  • professional advisers (such as legal and accounting advisers);
  • legal, regulatory or law-enforcement authorities where required or permitted by law.

We do not sell personal information.

We do not sell personal information to third parties.

8. Sub-processors

We use the following sub-processors to provide the Service (this list may be updated):

  • Microsoft Azure — hosting, storage, compute and monitoring;
  • Microsoft Entra ID — authentication;
  • Azure Application Insights / Log Analytics — telemetry and logging;
  • GitHub — source control and deployment workflow;
  • [ADD ANY OTHER SUB-PROCESSORS].

9. Data Hosting and International Transfers

  • CloudOrbit’s infrastructure is globally distributed across Microsoft Azure regions to provide redundancy, resilience and availability.
  • Consistent with its read-only, Zero Trust design, CloudOrbit does not store your Microsoft cloud content or datasets. It processes metadata to present insights and retains only the limited operational metadata required to run the Service.
  • Because the Service is offered globally, information may be processed in the locations where CloudOrbit and its sub-processors operate. Where information is transferred across borders, we take reasonable steps to ensure appropriate safeguards apply.

10. Security

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

  • role-based access control and least-privilege access;
  • encryption in transit and at rest;
  • audit logging of privileged actions;
  • logical customer isolation;
  • Support Access approval workflow;
  • secret management and monitoring.

11. Data Retention

  • Retention of source data from your Microsoft cloud environment follows Microsoft’s own data retention — CloudOrbit reads this data to present insights rather than maintaining its own long-term copy.
  • Account and customer metadata is retained while your account is active.
  • Connector and sync metadata is retained while the integration is active.
  • Audit and Support Access records are retained while the account is active, unless a different period is agreed or required by law.
  • Data relating to deleted or terminated customers is handled in accordance with the relevant agreement.
  • We may retain certain information where required by law.

12. Cookies and Website Analytics

  • essential and authentication/session cookies are used to operate the Service;
  • analytics cookies may be used to understand and improve usage [CONFIRM whether analytics are used];
  • you can control cookies through your browser settings, though disabling some cookies may affect functionality;
  • [ADD COOKIE BANNER / consent mechanism if required].

13. Your Rights

Subject to applicable law, you may request to:

  • access the personal information we hold about you;
  • correct inaccurate information;
  • request deletion of information;
  • restrict or object to certain processing, where applicable;
  • make a privacy complaint.

How to exercise your rights

Contact us at privacy@cloudorbit.com.au. Where the information relates to a Customer's tenant, we may need to direct the request to that Customer as the controller of the data.

Australian individuals may also contact the Office of the Australian Information Commissioner (OAIC). EU/UK individuals may have rights under the GDPR / UK GDPR where it applies.

14. Children

The Service is intended for business and organisational use and is not directed to children. We do not knowingly collect personal information from children.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date above and, where changes are material, take reasonable steps to notify affected users or customers.

16. Contact

For privacy enquiries or requests, contact privacy@cloudorbit.com.au.