Privacy Policy

This policy explains how Stabilise Ltd collects, uses, stores, and protects personal data, including data received from Google APIs. It applies to stabilise.io, app.stabilise.io, the Stabilise desktop application, and the Stabilise Node device agent.

1. Introduction and Data Controller

Stabilise Ltd ("Stabilise", "we", "us", "our") is the data controller responsible for the personal data described in this policy. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Protection Contact
Email: privacy@stabilise.io
Stabilise Ltd, 6-7 St Cross Street, London, EC1N 8UB, United Kingdom

This policy applies to all Stabilise products and surfaces:

The marketing website at stabilise.io
The Stabilise dashboard at app.stabilise.io
The Stabilise desktop application for macOS
The Stabilise Node device agent

2. Data We Collect

We collect the following categories of personal data, only where it is necessary to operate the Service or where you have provided it directly.

Account information. Name, email address, organisation name, role, and job title.
Authentication data. OAuth tokens and other credentials issued by identity providers, encrypted at rest using AES-256 (pgsodium AEAD).
Directory data synced from identity providers. User names, email addresses, account status, suspension state, multi-factor authentication status, and last sign-in timestamps for accounts in your connected identity provider.
Licence assignment data from connected SaaS systems. Seat counts and licence assignments enumerated read-only from systems such as Google Workspace and Microsoft 365 to support billing reconciliation.
Device telemetry from Stabilise Node and the Stabilise desktop app. Operating system version, installed applications, patch status, screen lock policy, and disk encryption status, collected only from devices your organisation has explicitly enrolled.
Billing data. Processed by Stripe. Stabilise receives a tokenised reference and never sees full card details.
Usage data. Page visits, feature usage, session identifiers, and basic device information for security and product improvement.
Support communications. Emails, chat messages, and tickets you send to our support team.

3. Google User Data and Limited Use Disclosure

Where Stabilise receives information from Google APIs, the following applies in addition to the rest of this policy.

Stabilise's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

We use Google user data only to provide and improve user-facing features that are prominent in the Stabilise application's user interface (directory synchronisation, licence reconciliation, and identity sign-in).
We do not transfer Google user data to others, except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
We do not use Google user data to serve advertisements, including retargeting, personalised, or interest-based advertising.
We do not allow humans to read Google user data, unless we have the user's affirmative consent to view specific messages, we are doing so for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymised.

Stabilise requests the following Google OAuth scopes and uses each one strictly for the purpose described.

https://www.googleapis.com/auth/admin.directory.user.readonly (Sensitive, read-only). Used to read your organisation's directory of users so we can reconcile licence assignments, provide off-boarding visibility, report on multi-factor authentication coverage, and support identity management workflows. Stabilise does not write to, modify, or delete any user record.
https://www.googleapis.com/auth/apps.licensing (Sensitive, read-only). Used to enumerate Google Workspace licence assignments so your billing reflects actual seat usage. Stabilise does not assign, revoke, or change licences.
openid, email, profile (non-sensitive). Used to authenticate you when you sign into the Stabilise dashboard or desktop application via Supabase Auth.

Stabilise never writes to, modifies, or deletes anything in your Google Workspace. All Google API access is strictly read-only. Google user data is stored encrypted at rest and segregated by organisation using row-level security.

4. How We Use Your Data

We use the personal data described above for the purposes set out below. The lawful basis under UK GDPR is shown for each purpose.

Provision of the Service (contract). To deliver, maintain, and operate the Stabilise platform for your organisation.
Authentication and access control (contract). To sign you into the dashboard and desktop app, and to enforce role-based permissions.
Directory synchronisation (contract). To keep your view of identity provider users current.
Billing and subscription management (contract and legal obligation). To process payments through Stripe, issue invoices, and meet our statutory record-keeping obligations.
Customer support (contract and legitimate interest). To respond to support tickets and improve our service.
Security monitoring and abuse prevention (legitimate interest). To detect unauthorised access, investigate suspicious activity, and protect the platform.
Service improvement and analytics (legitimate interest). To understand how the product is used and improve it, using aggregated or pseudonymised data wherever practical.
Legal and regulatory compliance (legal obligation). To comply with applicable law, court orders, and regulator requests.
Marketing communications (consent). To send product updates and news where you have opted in. You may withdraw consent at any time.

We do not use personal data for automated decision-making with legal or similarly significant effects, and we do not profile users for advertising.

5. Data Sharing and Sub-processors

Stabilise does not sell personal data and does not share Google user data with third parties for advertising. We share data only with the sub-processors listed below, each of which provides infrastructure or services necessary to operate the platform.

Supabase (database, authentication, file storage). Hosting in the European Union.
Stripe (payment processing). Hosting in the United States with UK GDPR-compliant data transfer mechanisms.
Vercel (application hosting and edge delivery). Hosting in multiple regions, with primary processing in the European Union where available.
Railway (background services for the Slack ingestion pipeline and embedding service). Hosting in the United States.
Voyage AI (text embeddings for the internal knowledge base). Hosting in the United States.
Google Cloud Storage and Tailscale (where used by the Stabilise Node device agent for secure connectivity and artefact storage). Hosting in the regions selected by your organisation at enrolment.

We may also share data with our professional advisers (legal, accounting, insurance) where strictly necessary, and with law enforcement or regulators where required by law.

We require every sub-processor to provide appropriate security and confidentiality protections, including a written data processing agreement.

6. International Transfers

Most personal data is processed within the United Kingdom and the European Economic Area. Where a sub-processor processes data outside those areas, we rely on the UK Government's Standard Contractual Clauses (with the UK International Data Transfer Addendum), or another lawful transfer mechanism such as adequacy decisions where available. Transfer impact assessments are documented for any new transfer.

7. Data Security

Stabilise is Cyber Essentials Plus certified. We maintain a layered set of technical and organisational controls including:

AES-256 encryption at rest for sensitive credentials and OAuth tokens, using pgsodium authenticated encryption
TLS encryption for all data in transit
Row-level security at the database layer to enforce organisation-level isolation
Role-based access control with the principle of least privilege
Audit logging of credential access and administrative actions
Annual third-party penetration testing of the platform and supporting infrastructure
Background checks, written confidentiality undertakings, and security training for all personnel with access to customer data
Documented incident response and breach notification procedures meeting the 72-hour notification requirement under UK GDPR

8. Data Retention

We retain personal data only for as long as needed to provide the Service or to meet legal obligations.

Active accounts. Account, directory, licence, and device telemetry data is retained for the life of the account.
After account deletion. All personal data, including OAuth tokens and synced Google user data, is removed within 30 days, except where applicable law requires longer retention (for example, financial records under UK tax law, retained for six years).
Support communications. Retained for up to three years for service quality and dispute resolution purposes.
Backups. Encrypted backups containing personal data are retained for up to 35 days and then automatically destroyed.

9. Your Rights Under UK GDPR

You have the following rights in respect of your personal data:

Right of access. Request a copy of the personal data we hold about you.
Right to rectification. Ask us to correct inaccurate or incomplete data.
Right to erasure. Request that we delete your personal data, subject to legal retention requirements.
Right to restriction. Ask us to limit how we process your data in defined circumstances.
Right to object. Object to processing carried out under our legitimate interests.
Right to data portability. Receive your personal data in a structured, machine-readable format.
Right to withdraw consent. Where processing relies on your consent, you may withdraw it at any time.
Right to lodge a complaint. File a complaint with the Information Commissioner's Office at ico.org.uk.

To exercise any of these rights, email privacy@stabilise.io. We will respond within one month, extendable by a further two months for complex requests.

10. Account and Data Deletion

You can delete your Stabilise account and all associated personal data, including any data received from Google APIs, at any time.

In the dashboard. Settings > Account > Delete Account.
By email. Send a deletion request from your registered email address to privacy@stabilise.io with the subject line "Delete my account".

Account deletion removes all OAuth tokens, directory data, licence data, device telemetry, and other personal data we hold from our live systems within 30 days of the request. Encrypted backups containing the data are aged out within a further 35 days. We retain only the minimum data legally required (for example, invoice records under UK tax law).

Full step-by-step instructions are available at stabilise.io/data-deletion.

11. Children

The Stabilise Service is intended for use by businesses and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@stabilise.io and we will delete it.

12. Cookies

The Stabilise dashboard uses essential cookies for authentication and session management. The Stabilise marketing site at stabilise.io uses essential cookies and may use privacy-respecting analytics that do not identify individual visitors. We do not use third-party advertising cookies, cross-site tracking, or retargeting. You can manage cookies in your browser at any time.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be highlighted on this page and, where appropriate, notified to you by email or in the dashboard. The version in force is always the one published at stabilise.io/privacy.

14. Contact

For any privacy question, request, or complaint, contact us at privacy@stabilise.io. For general support, contact support@stabilise.io.

Stabilise Ltd, 6-7 St Cross Street, London, EC1N 8UB, United Kingdom.

Last updated: May 2026.