Dovetail Privacy Policy 

Effective Date: 08 December 2025 

1. Introduction and Scope

1.1. This Privacy Policy (“Policy”) is issued by Pivotal Edge AI Limited (“Dovetail”, “we”, “us”, “our”) and governs the collection, use, and protection of personal data in connection with our website, Microsoft Copilot agents, and solutions offered via the Microsoft Marketplace. This Privacy Policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025. 

1.2. This Policy applies to: a) Our public website and related marketing activities; b) Standard agents made available to customers, whether listed on Microsoft Marketplace or deployed directly; c) Managed solutions and bespoke agents developed for specific clients. 

1.3. For website and sales operations, Dovetail acts as a data controller. For agents deployed in your Microsoft 365 and/or Azure tenant, Dovetail does not access your tenant data and acts as a processor only where expressly agreed in writing. 

1.4. Unless agreed otherwise, agents run in your Microsoft 365 and/or Azure tenant. Dovetail does not have access to your data. For Microsoft Enterprise customers, Microsoft’s Enterprise Data Protection applies, you are encouraged to review Microsoft’s policies here: https://learn.microsoft.com/en-us/copilot/microsoft-365/enterprise-data-protection 

2. Data We Collect

2.1. We collect and process personal data to operate our business and deliver services. The categories of data collected include: 

1. a) Direct information you provide, such as name, work email, phone number, job title, company, and billing details.
2. b) Automatically collected information from our website, including IP address, device and browser details, pages viewed, referrers, and interaction events.
3. c) Information from third-party providers necessary to deliver services, such as Microsoft Graph metadata for authentication and permissions, and payment processors for billing.
4. d) Support and operational communications, including tickets, chat transcripts, feedback, and audit logs.
5. e) Usage metrics and agent telemetry, including anonymised data about agent interactions, feature usage, performance, error rates, and operational events.

2.2. For agents deployed in your Microsoft 365 and/or Azure tenant, we do not access or collect tenant data unless expressly authorised in writing. 

3. How We Use Data

3.1. We use personal data for the following purposes: 

1. a) To provide, support, and maintain our services and solutions.
2. b) To communicate with you regarding service updates, support, and operational matters.
3. c) To secure, monitor, and improve the performance and reliability of our services.
4. d) To meet legal and compliance obligations, including record-keeping and regulatory reporting.
5. e) To analyse usage metrics and agent telemetry for service improvement, metered charging, and verification of compliance with licensing terms. These metrics are used to improve service reliability, security, and user experience, as well as for metered charging purposes and to verify compliance with licensing terms.

3.2. Our lawful bases for processing personal data include performance of a contract, legitimate interests (such as security and service improvement), consent (for certain marketing activities), and legal obligation. 

3.3. For agents deployed in your Microsoft 365 and/or Azure tenant, agent processing occurs within your tenant unless otherwise agreed. We do not access tenant data or use your content to train foundation models. 

4. Responsible AI

4.1. We adhere to responsible AI principles, including fairness, transparency, accountability, and human oversight. 

4.2. Outputs generated by our agents are advisory in nature and subject to human review. Automated decision elements, where present, are accompanied by safeguards such as clear information, opportunities for user input, and mechanisms for meaningful human intervention and contestation and are always under the control of the client. 

4.3. We design and deploy AI agents in accordance with principles of fairness, transparency, and accountability. While we build systems to support responsible use, ultimate responsibility for deployment and human oversight rests with the client. 

4.4. Usage metrics and agent telemetry are monitored to ensure responsible operation, support continuous improvement, and uphold compliance with licensing and contractual obligations. 

4.4. We do not use customer content to train foundation models. Agent processing is designed to occur within your Microsoft 365 and/or Azure tenant unless otherwise agreed in writing. 

5. Data Sharing & Roles

5.1. We do not sell personal data. 

5.2. We share limited personal data with trusted subprocessors solely to deliver our services, including Microsoft services, payment processors, hosting providers, and support partners. 

5.3. For our website, marketing, and direct contracts, Dovetail acts as a data controller. 

5.4. For tenant-native agents, Dovetail acts on your documented instructions and does not access tenant content unless explicitly authorised in writing. 

5.5. Subprocessors, if any, are subject to written agreements and appropriate safeguards. A list of subprocessors is available upon request. 

5.6. Usage metrics and agent telemetry may be shared with subprocessors only as necessary for service delivery, metered charging, and licensing compliance, and always subject to contractual safeguards. 

6. Retention & Deletion

6.1. We retain personal data only for as long as necessary to provide services, fulfil contractual and legal obligations, and resolve disputes. 

6.2. Typical retention periods are as follows: a) Website analytics: 12–24 months; b) Contract and billing records: up to 7 years to meet tax and accounting requirements; c) Support records: up to 24 months; d) Usage metrics and agent telemetry: retained for the duration required to support metered charging, licensing compliance, and service improvement, subject to applicable legal requirements. 

6.3. You may request deletion of your personal data, subject to legal and contractual exceptions. 

7. Your Rights

7.1. Depending on your jurisdiction, you may have rights regarding your personal data, including: 

1. a) The right to access, correct, or delete your personal data;
2. b) The right to data portability;
3. c) The right to restrict or object to certain processing activities;
4. d) The right to opt out of certain profiling or automated decision-making;
5. e) The right to opt out of the sale or sharing of personal data, and to limit the use of sensitive personal information (for US residents, including Californians, under CCPA/CPRA).

7.2. UK and EU residents may exercise rights under UK GDPR and EU GDPR. US residents may exercise rights under applicable state privacy laws. 

7.3. To exercise your rights, contact us at privacy@pivotaledge.ai. We will verify your request and respond within applicable statutory timeframes. 

7.4. If you are in the UK and are not satisfied with our response, you may complain to the Information Commissioner’s Office (ICO). https://ico.org.uk/make-a-complaint. 

8. Security

8.1. We implement technical and organisational measures to protect personal data, including encryption, access controls, least-privilege administration, vulnerability management, and continuous monitoring. 

8.2. Where our solutions integrate with Microsoft services, we align with Microsoft’s enterprise privacy and data governance commitments and leverage their compliance certifications as applicable. However, when agents run inside a client’s Microsoft 365 or Azure tenant, the client retains responsibility for configuring, securing, and managing those environments, including access controls and data protection measures. 

8.3. Usage metrics and agent telemetry are protected using appropriate safeguards to ensure confidentiality, integrity, and availability. 

9. International Transfers

9.1. If we transfer personal data internationally, we implement appropriate safeguards to protect your rights and interests. 

9.2. For transfers from the United Kingdom, we use the Information Commissioner’s Office (ICO) International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs). 

9.3. For transfers from the European Economic Area (EEA), we rely on the European Commission’s SCCs and conduct transfer risk assessments where required. 

9.4. Where required by law, we will notify you of international transfers and provide information about the safeguards in place. 

10. Cookies & Tracking

10.1. Our website uses cookies and similar technologies to enable functionality, perform analytics, and improve user experience. 

10.2. Where required by law, we present a consent banner and provide controls for managing cookie preferences. 

10.3. You may also manage cookies through your browser settings. 

10.4. Usage metrics and agent telemetry collected via our agents do not use cookies and are processed in accordance with this Policy. 

11. Microsoft Marketplace & App Stores

11.1. For agents listed on Microsoft Marketplace, we comply with all applicable Marketplace policies and listing requirements. 

11.2. Marketplace customers should review Microsoft’s privacy statement and terms relevant to their Microsoft accounts and tenant. 

11.3. Where our agents are distributed via other app stores or platforms, we comply with the relevant privacy and security requirements of those platforms. 

12. Updates & Contact

12.1. We may update this Privacy Policy to reflect changes in laws, our services, or operational practices. The updated version will be posted with a new effective date. 

12.2. If changes materially affect your rights, we will provide additional notice where required by law. 

12.3. For questions, requests, or complaints regarding this Policy or your personal data, contact us at privacy@pivotaledge.ai. 

12.4. If you are in the United Kingdom and are not satisfied with our response, you may contact the Information Commissioner’s Office (ICO).