GoPilot

Privacy Policy

Last updated: 9 March 2026

1. Overview

GoPilot ("we", "us", "our") provides a Microsoft 365 Copilot readiness assessment tool. This policy explains how we collect, use, and protect your information when you use our service at getgopilot.com ("the Service").

2. Information We Collect

Account Information

When you create an account, we collect your email address and password (stored securely via Supabase Auth). If you subscribe to a paid plan, payment is processed by Stripe — we do not store your credit card details.

Microsoft 365 Tenant Data

When you connect a Microsoft 365 tenant, we request read-only access to your tenant configuration via the Microsoft Graph API. We collect configuration metadata only (e.g. policy settings, licence counts, sharing settings). We do not access, read, or store the contents of emails, files, chats, or any user-generated content.

OAuth Tokens

Microsoft OAuth access and refresh tokens are encrypted using AES-256-GCM before storage. They are used solely to run assessments on your behalf and are never exposed in plaintext.

3. How We Use Your Information

  • To run automated and guided readiness assessments against your Microsoft 365 tenant
  • To generate scored readiness reports with remediation recommendations
  • To process payments and manage your subscription
  • To communicate essential service updates (e.g. security notices)

4. Data Storage & Security

Your data is stored in Supabase (PostgreSQL) with Row Level Security enforced on all tables — you can only access your own data. OAuth tokens are encrypted at rest with AES-256-GCM. All connections use HTTPS/TLS. The application is hosted on Vercel.

5. Data Sharing

We do not sell, rent, or share your personal data or tenant data with third parties. We use the following service providers to operate the Service:

  • Supabase — authentication and database hosting
  • Vercel — application hosting
  • Stripe — payment processing
  • Microsoft — Graph API for tenant assessments

6. Data Retention

Assessment data is retained for as long as your account is active. You can request deletion of your account and all associated data by contacting us. OAuth tokens are automatically invalidated when you disconnect a tenant.

7. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us at the email below. You can disconnect your Microsoft 365 tenant at any time from your dashboard, which revokes our access.

8. Cookies

We use essential cookies only for authentication session management. We do not use tracking cookies or third-party advertising cookies.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via the email associated with your account.

10. Contact

For privacy-related enquiries, contact us at support@getgopilot.com.

    GoPilot — Microsoft 365 Copilot Readiness Assessment