Privacy Policy
Last updated: April 2026
Grenadier Computing Ltd ("we", "us", "our") operates the Pain Points platform ("Platform"). This Privacy Policy explains how we collect, use, and protect information when you use the Platform.
1. Who We Are
Pain Points is operated by Grenadier Computing Ltd, registered in England and Wales. For privacy enquiries, contact us at privacy@painpointsapp.com.
2. Information We Collect
From Microsoft Entra ID
When you sign in, we receive the following from your organisation's Microsoft 365 tenant:
- Your display name and email address
- Your Azure AD user identifier and tenant identifier
We do not receive or store your Microsoft password.
Information you provide
- Pain point submissions (title, description, category, frequency, impact)
- Comments, proposals, and votes
- Organisation settings and preferences
Generated by the Platform
- Login timestamps and session data
- Activity metrics and gamification scores
- Audit logs of administrative actions
3. How We Use Your Information
- Provide and operate the Platform
- Authenticate your identity via Microsoft Entra ID
- Display pain points, comments, and proposals within your organisation
- Calculate cost impact and generate dashboard analytics
- Track gamification progress (points, badges, streaks)
- Send transactional emails (e.g. partner verification)
We do not sell your data, use it for advertising, or share it with third parties for their own marketing purposes.
4. Lawful Basis for Processing
| Purpose | Lawful Basis |
|---|---|
| Providing the Platform | Performance of contract |
| Authentication via Microsoft Entra ID | Performance of contract |
| Transactional emails | Performance of contract |
| Security monitoring and audit logs | Legitimate interest |
| Analytics and usage metrics | Legitimate interest |
5. Data Sharing and Sub-processors
We share data only with the following third-party sub-processors, which are necessary to deliver the Platform:
- Microsoft Azure — Cloud hosting, SQL Server database, Key Vault, Entra ID authentication (UK South)
- Cloudflare — DNS management, DDoS protection, edge caching (Global)
- Google Analytics — Anonymous website usage analytics on the marketing site only, with consent (United States)
We will notify Partners of changes to this list with reasonable advance notice.
6. Data Storage and Security
- All data is hosted on Microsoft Azure, UK South region
- Data is encrypted in transit (TLS 1.2+) and at rest (Azure SQL TDE)
- Authentication is handled by Microsoft Entra ID. We never store passwords
- Secrets are managed via Azure Key Vault with managed identity access
- Role-based access control ensures partner-level data isolation
7. Data Retention
- Data is retained for the duration of your active subscription
- Upon account deletion, all data is permanently removed within 30 days
- Backups containing deleted data are purged within 90 days
8. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data (profile data syncs from Microsoft Entra ID)
- Erase your data ("right to be forgotten")
- Export your data in a machine-readable format
- Object to processing based on legitimate interest
- Lodge a complaint with the Information Commissioner's Office (ICO)
To exercise any of these rights, contact your organisation's administrator or email privacy@painpointsapp.com.
9. Cookies and Analytics
The Pain Points application uses session storage (not cookies) to maintain your authentication state.
Our marketing website (painpointsapp.com) uses Google Analytics to understand how visitors use the site. Google Analytics sets cookies to collect anonymous usage data such as pages visited, time on site, and referral source. No personally identifiable information is collected.
You are asked for consent before any analytics cookies are set. If you decline, no cookies are placed and no data is sent to Google. You can change your preference at any time by clearing your browser's local storage for this site.
10. Children
The Platform is designed for business use and is not intended for individuals under 18. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Partners will be notified of material changes. Continued use of the Platform after notification constitutes acceptance.
12. Contact
For any privacy-related questions or requests:
Grenadier Computing Ltd
privacy@painpointsapp.com