Last updated: February 14, 2026

Privacy Policy

1. Introduction

Polaris Consulting, LLC ("Polaris," "we," "us," or "our") is a cybersecurity assessment and managed IT services company based in Los Angeles, California. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at polarisconsulting.net and use our security assessment platform (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of our Services.

Customers who have executed a Master Services Agreement ("MSA") with Polaris are also subject to the data protection and confidentiality provisions of that agreement. In the event of a conflict, the MSA shall control.

2. Information We Collect

2.1 Information You Provide Directly

When you use our contact form or sign up for our platform, we may collect:

  • Your name
  • Email address
  • Phone number
  • Company name
  • Company size
  • Message content submitted via contact forms

2.2 Client Environment Data (OAuth Consent)

When you connect your Microsoft 365 tenant to our platform via OAuth consent, we collect read-only data from your environment ("Client Data") for the sole purpose of performing security assessments. This includes:

  • Microsoft 365 tenant configuration data
  • Azure Active Directory settings (users, groups, conditional access policies)
  • Security and compliance policy configurations
  • Device compliance status
  • Email security settings
  • Microsoft Secure Score and security assessment data

We access this data using read-only OAuth permissions through the Microsoft Graph API. We request only the minimum permissions necessary to perform the contracted Services. We never have write access to your environment, and you can revoke access at any time through your Azure AD portal.

2.3 Information Collected Automatically

When you visit our website, we automatically collect certain information through analytics services:

  • Browser type and version
  • Pages visited and time spent
  • Referring website
  • Device type and screen resolution
  • General geographic location (city/region level)
  • Session recordings and heatmap data (via Microsoft Clarity)

3. Analytics and Tracking

We use Microsoft Clarity to understand how visitors interact with our website. Clarity provides:

  • Session recordings: Anonymized replays of user sessions to understand navigation patterns
  • Heatmaps: Aggregated visualization of clicks and scroll behavior
  • Performance metrics: Page load times and interaction data

Microsoft Clarity does not collect personally identifiable information from session recordings. Sensitive input fields (such as passwords and payment forms) are automatically masked. For more information, see Microsoft Clarity's Terms of Service.

4. Cookies

We use the following types of cookies:

Cookie | Purpose | Duration
Session cookie | Authentication and session management for logged-in users | Session / 24 hours
_clck, _clsk | Microsoft Clarity user identification and session tracking | 12 months
CLID | Microsoft Clarity session identification | 12 months
cookie_consent | Stores your cookie consent preference | 12 months

5. How We Use Your Information

We use the information we collect to:

  • Perform security assessments of your Microsoft 365 and Azure environments
  • Generate executive reports, IT operations reports, compliance workbooks, and gap analyses
  • Respond to your inquiries and contact form submissions
  • Provide customer support and communicate about our services
  • Improve our website and platform through analytics
  • Maintain the security and integrity of our Services
  • Comply with legal obligations

Data minimization: We collect and retain only the data reasonably necessary to perform the Services. We shall not use your Client Data for any purpose other than performing the Services unless expressly authorized by you in writing.

6. Third-Party Services (Subprocessors)

We use the following third-party services to operate our platform. All subprocessors are bound by data protection obligations consistent with this Privacy Policy:

  • Microsoft Azure: Cloud hosting infrastructure for our platform and API services
  • Microsoft Graph API: Read-only data collection from your Microsoft 365 tenant (with your OAuth consent)
  • Azure CosmosDB: Encrypted database storage for assessment data and account information
  • Azure Blob Storage: Encrypted storage for generated reports
  • Microsoft Clarity: Website analytics (session recording, heatmaps)
  • Azure AD / Azure AD B2C: Authentication and identity management

7. Data Sharing and Disclosure

We do not sell your personal information or Client Data to third parties.

Your security assessment results, vulnerability findings, and compliance status constitute your confidential information. We shall not disclose such information to any third party without your written consent, except in aggregated, anonymized form that cannot reasonably be used to identify you.

We may share your information only in the following limited circumstances:

  • Service providers: With the subprocessors listed in Section 6, subject to confidentiality obligations at least as protective as those in this Privacy Policy
  • Legal requirements: When required by law, regulation, or legal process, provided that we give you prompt written notice and cooperate with any efforts to obtain protective treatment where feasible
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
  • With your consent: When you explicitly authorize sharing (e.g., sharing reports with specified email addresses)

8. Data Retention and Deletion

  • Client Data: Upon termination of services or completion of the applicable engagement, Client Data shall be retained for a period not to exceed ninety (90) days, after which it shall be securely deleted. You may request earlier deletion in writing. We shall certify deletion upon request.
  • Contact form submissions: Retained for 12 months, then automatically purged.
  • Account information: Retained for the duration of your active account. You may request deletion at any time.
  • Analytics data: Microsoft Clarity retains session data per their retention policies (typically 30 days for recordings).

9. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: All stored data is encrypted using AES-256 encryption
  • Web Application Firewall: Azure Front Door Premium with OWASP DRS 2.1 protects against common web attacks
  • Network isolation: Database and storage services are protected by virtual network isolation and firewall rules
  • Access controls: Role-based access controls, multi-factor authentication, and principle of least privilege for platform access
  • Credential protection: All tokens and access mechanisms are protected using encryption at rest and in transit

10. Security Incident Notification

In the event we discover or reasonably suspect a security incident involving unauthorized access to, or disclosure of, your data, we shall notify you in writing within seventy-two (72) hours of discovery. The notification shall include the nature of the incident, the data affected, the corrective actions taken or planned, and a point of contact for further information.

11. Your Rights (California Residents — CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the third parties with whom we share it.
  • Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain legal exceptions.
  • Right to Opt-Out: You have the right to opt out of the sale of your personal information. However, we do not sell personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, please contact us at info@polarisconsulting.net. We will respond to verified requests within 45 days.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website. Your continued use of our Services after changes are posted constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your information is handled, please contact us:

Polaris Consulting, LLC

Los Angeles, California

Email: info@polarisconsulting.net