This Privacy Policy explains how Endiqo collects, uses, stores, protects, and discloses personal information when people use Endiqo products, websites, project workspaces, stakeholder discovery tools, and related services.
1. Who We Are
Endiqo provides software and consulting services that help organisations capture stakeholder input, analyse project needs, and prepare delivery artefacts.
2. Personal Information We Collect
We collect only the personal information reasonably needed to provide, secure, support, and improve Endiqo services.
This may include:
- Microsoft work sign-in details used for authentication, such as name, email address, identity provider, and user identifier.
- Project access information, such as the projects a person is authorised to access.
- Stakeholder input, including chat messages, discovery transcripts, submitted summaries, project comments, and related project information.
- Generated project artefacts, such as summaries, themes, requirements, workstreams, and analysis outputs that may refer to stakeholder input.
- Support, privacy, and security request records.
- Operational metadata, such as timestamps, access logs, diagnostic events, request identifiers, and security audit information.
We do not collect Microsoft passwords. Signing in with Microsoft does not give Endiqo access to your mailbox, Teams messages, calendar, OneDrive files, SharePoint files, or other Microsoft work content unless a separate integration is explicitly configured and authorised.
3. How We Collect Personal Information
We collect personal information when:
- a user signs in with their work Microsoft credentials;
- a customer, administrator, or stakeholder creates or accesses a project;
- a stakeholder provides input through an Endiqo discovery experience;
- a user submits, reviews, exports, or manages project information;
- someone contacts us for support, privacy, or security assistance;
- our systems generate operational logs or security records.
4. Why We Use Personal Information
We use personal information to:
- authenticate users and control project access;
- provide Endiqo products and project workspaces;
- capture and summarise stakeholder input;
- generate project analysis and delivery artefacts;
- support customer delivery, quality review, and traceability;
- respond to support, privacy, and security requests;
- maintain security, prevent misuse, and investigate incidents;
- comply with legal, contractual, accounting, audit, and regulatory obligations.
5. Use Of AI Services
Endiqo uses Azure OpenAI, Microsoft Copilot Studio, and related Microsoft Azure services to summarise, structure, analyse, or process stakeholder input and project information.
We use these services to support project delivery and improve the quality of outputs provided to customers. We do not use stakeholder input to train Endiqo-owned public AI models.
Based on Microsoft Azure OpenAI service terms and configuration available to us, prompts and completions are not used to train OpenAI or Microsoft foundation models. Selected prompts and completions may be retained by Microsoft for abuse monitoring or safety review. This helps detect misuse, protect the service, and improve safety controls.
6. Who Can Access Personal Information
Access is limited based on role and need.
Personal information may be accessed by:
- the stakeholder who provided the information, where access is available through the product or privacy request process;
- authorised customer users for the relevant project;
- Endiqo personnel and contractors who need access to provide, support, secure, or administer the service;
- platform administrators for security, privacy, lifecycle, or operational management;
- service providers who support hosting, authentication, AI processing, storage, monitoring, support, or security.
We use role-based access, project-level authorisation, and administrative controls to limit access to appropriate people.
7. Service Providers And Disclosure
We may disclose personal information to trusted service providers where needed to provide Endiqo services. This may include Microsoft Azure, Microsoft identity services, Azure OpenAI, Microsoft Copilot Studio, Dataverse, email, monitoring, source control, and support tooling.
We may also disclose information where:
- required or authorised by law;
- necessary to investigate security, fraud, abuse, or misuse;
- required to respond to a lawful request from a regulator or authority;
- necessary to protect the rights, safety, or property of Endiqo, our customers, or users;
- authorised by the customer or individual.
We do not sell personal information.
8. Where Information Is Hosted And Processed
Endiqo prefers Australian Azure regions where available, especially Southeast Australia and East Australia.
Core application, data, and AI-processing infrastructure is intended to be hosted in Australia where the relevant Azure service supports Australian regions.
Some web hosting infrastructure may be hosted outside Australia. In particular, Azure Static Web Apps does not currently provide Australian regions, and the current production web tier may be hosted in Western Europe. We disclose this as a data-residency exception. The web tier should not be treated as meaning all Endiqo infrastructure is hosted in Australia.
Some service providers may process operational or support information in other locations as part of providing their services. Where this occurs, we rely on contractual, technical, and organisational safeguards appropriate to the service.
9. Security
Endiqo applies practical security controls designed to protect personal information from misuse, interference, loss, unauthorised access, unauthorised modification, and unauthorised disclosure.
These controls include:
- Microsoft work identity authentication;
- role-based and project-based access controls;
- least-privilege administrative access;
- separation between development, test, and production environments;
- logging and monitoring for operational and security events;
- secure configuration and secret-management practices;
- controlled lifecycle dry-run, export, delete-preview, and deletion workflows;
- privacy request and breach response records;
- periodic review of access and retention obligations.
No system is perfectly secure, but we work to prevent, detect, and respond to security risks in a practical and proportionate way.
10. Retention
We retain personal information only for as long as needed for the purposes described in this policy, unless a longer period is required by law, contract, audit, dispute, security, or legitimate business needs.
Our practical retention approach includes:
- active stakeholder transcripts and draft sessions retained while the project is active;
- stale unsubmitted draft sessions reviewed after inactivity;
- submitted discovery input, summaries, and generated delivery artefacts generally retained for the project life plus 7 years;
- project access records retained for the project life plus a reasonable audit period;
- invitation tokens expiring by default;
- operational logs retained for a limited period and intended to contain metadata rather than raw transcripts or prompts;
- privacy request records retained for evidence of handling;
- data breach and incident records retained for incident history, assessment, notification, and remediation evidence.
Endiqo uses lifecycle controls and Platform Admin retention review tools to identify records due for review. Deletion or de-identification of submitted project records is controlled and requires appropriate review and approval.
Backups and platform-retained snapshots may retain information until they expire under the relevant platform retention process.
11. Access, Correction, Deletion, And De-identification Requests
You may contact us to request access to, correction of, deletion of, or de-identification of personal information Endiqo holds about you.
Please email privacy@endiqo.com.
We may need to verify your identity before acting on a request. We aim to acknowledge privacy requests within 2 business days and provide a substantive response within 30 calendar days where practical.
Some requests may require customer approval, contractual review, legal review, or technical assessment, especially where the information forms part of a project record, audit trail, generated artefact, or backup.
If we cannot fulfil a request, or can only fulfil it partly, we will explain why.
12. Complaints
If you have a privacy concern or complaint, please contact privacy@endiqo.com.
We will:
- acknowledge the complaint;
- record and review the issue;
- preserve relevant evidence;
- assess whether a data breach or other incident may have occurred;
- respond with the outcome and any remediation where appropriate.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner.
13. Data Breaches
Endiqo has a data breach response workflow for suspected unauthorised access, unauthorised disclosure, or loss of personal information.
Where we identify an eligible data breach under the Notifiable Data Breaches scheme, we will notify affected individuals and the Office of the Australian Information Commissioner where required.
We may also notify relevant customers, service providers, or other parties where appropriate to contain, investigate, or remediate an incident.
14. Children
Endiqo services are designed for business and organisational use. They are not intended for children.
15. Changes To This Policy
We may update this Privacy Policy from time to time. The current version will be published on our website with its effective date.
Material changes will be communicated where appropriate.
16. Contact Us
For privacy questions, requests, or complaints:
Email: privacy@endiqo.com
For security issues:
Email: security@endiqo.com
For product support:
Email: support@endiqo.com