LEGAL

Privacy Policy

Last updated: 18 April 2026 · Lensory · Governed by New Zealand law

In plain English

What this policy means for you — the short version

What we collect When you sign in with Google or GitHub we receive your email address, display name, and profile picture. We also store a link between your account and your Azure identity (UPN, tenant ID) so your audit history works across sessions. We record metadata about audits you run (resource group name, resource count, timing) — not the actual resource configuration data.

What we never store Your Azure Cloud Shell access token is decoded in-memory to read your identity — it is never saved to our database. The actual Azure resource configuration data your audit fetches is never sent to our servers; your Excel report is generated entirely in your browser.

How long we keep it Login sessions expire after 30 days. Your audit history stays until you delete individual runs or your account. Deleting your account removes everything — there are no hidden backups.

Who we share it with We use Google and GitHub for sign-in only. Our backend runs on Railway and our frontend is served by Cloudflare — both are US-based, so your data is processed offshore. We do not sell your data or share it with advertisers.

Your rights You can request a copy of your data, ask us to correct it, or delete your account and all associated data at any time. Under the New Zealand Privacy Act 2020 you may also complain to the Privacy Commissioner if you feel we've handled your data incorrectly.

Cookies We use a single HTTP-only session cookie to keep you logged in. There are no tracking cookies, advertising cookies, or third-party analytics on this site.

The plain English summary above is for readability only. The full legal policy below governs your use of the service.

1. Who we are

Azure Resource Audit ("the Service") is operated by Lensory ("we", "us", "our"). Our registered address and full legal entity details are available on request. For privacy enquiries, contact us at [email protected].

This Privacy Policy applies to personal information we collect when you use the Service, in accordance with the New Zealand Privacy Act 2020 and its Information Privacy Principles (IPPs).

2. Information we collect

2.1 Account information (OAuth)

When you authenticate via Google or GitHub, we receive and store:

Email address (used as your primary identifier)
Display name
Profile picture URL
OAuth provider name and provider-assigned user ID

2.2 Azure identity information

When you link your Azure identity, we decode and store the following claims from your Azure Cloud Shell access token:

User Principal Name (UPN)
Azure Object ID (OID)
Azure Tenant ID
Display name as returned by Azure Active Directory
Timestamp of last link activity

The access token itself is never persisted. It is decoded in server memory solely to extract the above identity claims, then discarded.

2.3 Audit run metadata

For each audit you run, we store a summary record containing:

Resource group name
Azure subscription name and subscription ID
Count of resources audited, settings evaluated, and errors encountered
Audit mode (Discovery or Compliance)
Duration in seconds
Timestamp

The actual Azure resource configuration data retrieved during an audit is never transmitted to our servers. It is processed entirely within your browser and used only to generate the Excel report locally.

2.4 Session data

We issue a cryptographically random session token, stored in a secure HTTP-only cookie. This token is used to authenticate your requests. Sessions expire after 30 days of inactivity or upon explicit logout.

2.5 Technical and operational data

Our infrastructure providers (Railway, Cloudflare) may record standard server logs including IP addresses, user agents, and request timestamps for operational and security purposes. This data is subject to those providers' own privacy policies and is not stored in our application database.

3. How we use your information

We use the information we collect for the following purposes:

Service delivery: authenticating your identity, associating audit history with your account, and allowing you to access past audit runs.
Security: detecting and preventing unauthorised access, abuse, and fraud, including rate limiting authentication endpoints.
Service improvement: understanding aggregate usage patterns (e.g. how many audits are run) to improve the product. We do not profile individual users for this purpose.
Legal compliance: meeting our obligations under applicable law.

We do not use your personal information for targeted advertising, profiling for third-party marketing, or any purpose incompatible with those listed above.

4. Legal basis for processing

Under the New Zealand Privacy Act 2020, we collect and hold personal information only when it is necessary for a lawful purpose connected with the Service, and when collection by the means used is not intrusive in the circumstances (IPP 1).

Specifically:

Account and session data: collected to perform the contract with you (providing the Service you signed up for).
Azure identity data: collected with your active consent (you initiate the linking step) to associate audit history with your Azure tenancy.
Audit metadata: collected as a necessary part of delivering the audit history feature you use.
Technical logs: processed under legitimate interest for security and operational purposes.

5. Offshore disclosure and transfer

We are based in New Zealand and this policy is governed by the New Zealand Privacy Act 2020. However, we use the following offshore service providers to operate the Service:

Railway (United States) — backend application hosting and PostgreSQL database. Your personal information is stored on Railway's infrastructure. Railway's privacy policy is available at railway.com/legal/privacy.
Cloudflare (United States, with global edge network) — frontend hosting and content delivery. Cloudflare may process request metadata including IP addresses. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.

In accordance with IPP 12 of the New Zealand Privacy Act 2020, we take reasonable steps to ensure that these overseas recipients do not breach the Privacy Act in relation to that information. Both Railway and Cloudflare operate under privacy frameworks we consider comparable to New Zealand's requirements. The specific infrastructure region may change as the Service scales; we will update this policy if that affects your rights materially.

By using the Service, you acknowledge that your personal information will be processed outside of New Zealand as described above.

6. Google and GitHub OAuth providers

Authentication is performed via OAuth 2.0 with Google LLC and GitHub, Inc. During the authentication flow, those providers share limited profile information with us as described in Section 2.1. We do not receive your password or any payment information from those providers. Your use of Google and GitHub services is governed by their respective terms and privacy policies, which we encourage you to review.

7. Cookies and local storage

We set one cookie: a session cookie (session) that is HTTP-only, Secure (in production), and scoped to this domain. It contains an opaque random token — no personal information is embedded in the cookie itself.

We do not use:

Tracking or analytics cookies
Advertising or retargeting cookies
Third-party cookies of any kind
localStorage or sessionStorage for personal data persistence

8. Data retention

Sessions: automatically deleted after 30 days or upon logout.
Audit run records: retained until you delete them via the application or delete your account.
Account and Azure identity data: retained until you delete your account.
Account deletion: deletion cascades to all associated sessions, Azure identity links, and audit run records. We do not retain backups of deleted accounts beyond our standard database backup rotation window (typically 7 days).

9. Security

We take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure. Measures include:

HTTP-only, Secure session cookies
Rate limiting on authentication endpoints (10 requests per 60 seconds per IP)
CORS policy restricted to the application's own domain
Parameterised database queries (protection against SQL injection)
Transport Layer Security (TLS) enforced on all endpoints
Scoped access controls — audit runs are only accessible by the authenticated user who created them

No transmission over the internet is completely secure. If you believe your account has been compromised, contact us immediately at [email protected].

10. Your rights

Under the New Zealand Privacy Act 2020, you have the right to:

Access the personal information we hold about you (IPP 6).
Correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (IPP 7).
Erasure of your account and all associated personal data by contacting us or using the account deletion feature in the application.
Portability of your audit history data on reasonable request.

To exercise any of these rights, contact us at [email protected]. We will respond within 20 working days as required by the Privacy Act 2020.

If you are unsatisfied with how we handle your request, you may lodge a complaint with the Office of the Privacy Commissioner of New Zealand at privacy.org.nz.

11. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If we become aware that we have collected such information, we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the Service after a change constitutes acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact us

For any privacy-related questions, requests, or concerns:

Email: [email protected]
General support: [email protected]
Contact form: azcheck.dev/contact