Privacy Policy

Athena is a product of Lewis Enright Limited, a company registered in England and Wales. We trade as SharePoint Artistry.

For the purposes of UK data protection law, Lewis Enright Limited is the data controller for the personal data described in this policy. That means we decide why and how your data is used.

You can reach us about anything in this policy, including any request to exercise your rights, at:

• Email: [email protected]
• Post: Lewis Enright Limited, 1 Hawthorn Way, Billingshurst, England, RH14 9GX
• Company number: 16295026
• ICO registration reference: ZC030848

We are registered with the Information Commissioner's Office (ICO), the UK's data protection regulator.

We handle personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Where we sell to or interact with people in the EU, we also follow the EU GDPR.

There are two different things to keep separate here.

The first is this website and our sales and support activity. When you fill in a form, book a demo, start a trial, or email us, we act as the data controller for that information, and the rest of this policy explains how we handle it.

The second is the Athena software itself. Athena is a set of SharePoint Framework (SPFx) webparts that you install into your own Microsoft 365 tenant. It runs entirely inside that tenant. The content your staff create in Athena, such as noticeboard posts, knowledge base articles, org chart entries, and event details, is stored in your own SharePoint lists, inside your own Microsoft 365 environment. That data does not leave your tenant boundary and is not sent to us or to any third party. We do not host it, we do not have standing access to it, and we cannot see it unless you specifically grant us access for support and show it to us.

In data protection terms, for the personal data your organisation puts into Athena, your organisation is the controller and Microsoft is your hosting provider under your existing Microsoft 365 agreement. We are not a processor of that data in normal operation, because it never reaches us. If a support situation requires us to access your tenant, we will agree the terms of that access with you first, and we can put a data processing agreement in place on request.

We try to collect as little as possible. Depending on how you interact with us, we may hold:

When you visit the website. Your IP address, browser and device type, the pages you view, and the approximate region you connect from. This comes through our hosting and security providers and is used to keep the site running and secure. See our Cookie Policy for detail. We do not currently run any analytics, advertising, or tracking cookies.

When you contact us or book a demo. Your name, work email address, company name, job title, and anything you choose to write in your message.

When you start a trial or buy a subscription. Your name, work email, company name, billing contact details, and your Microsoft 365 tenant identifier or domain so we can support your deployment. Card payments are handled entirely by Stripe; we never see or store your full card number.

When you email us for support. Your contact details and the contents of your messages, plus any information you share to help us resolve an issue.

We do not seek to collect special category data (such as health, race, or political views), and we ask that you do not send it to us.

Under the UK GDPR we have to have a lawful basis for each use of your data. Ours are as follows.

To respond to enquiries and provide demos, our basis is our legitimate interest in answering people who get in touch, and where you have asked us to do something, taking steps to enter into a contract.

To set up and run your trial and subscription, including billing through Stripe and giving you support, our basis is performance of our contract with you.

To send you service messages about your account, your trial, billing, security, or changes to the product or these policies, our basis is performance of our contract and our legitimate interest in keeping you informed.

To send marketing emails about Athena to business contacts, our basis is legitimate interest where you are an existing or prospective business customer, or your consent where the law requires it. You can opt out at any time using the unsubscribe link or by emailing us.

To keep the website and our systems secure and working, our basis is our legitimate interest in protecting our business and our users.

To meet our legal and accounting obligations, for example keeping invoices, our basis is compliance with a legal obligation.

Where we rely on legitimate interests, we have weighed those interests against your rights and we believe our use is reasonable and expected. You can ask us about this balancing exercise at any time.

We do not sell your personal data. We share it only with the suppliers who help us run the business, and only as far as they need it. Our main suppliers are:

• Stripe for payment processing and subscription billing.
• Cloudflare for website hosting, content delivery, performance, and protection against attacks.
• Microsoft for our own email and business systems, and as the platform your Athena tenant runs on.

Each of these acts as our processor (or, for Microsoft as your own tenant host, as your processor), handles data under contract, and is required to keep it secure. We may also share data with our professional advisers, such as accountants and lawyers, where needed, and with authorities or other parties where the law requires it or to protect our rights.

If our business is ever sold or reorganised, personal data may be transferred as part of that, and we will tell you if that changes how your data is handled.

Some of our suppliers, including Stripe and Cloudflare, are based in or process data in countries outside the UK, including the United States. Where data leaves the UK, we rely on legal safeguards approved for this purpose, such as the UK's adequacy regulations, the UK extension to the EU-US Data Privacy Framework, or the International Data Transfer Agreement and Standard Contractual Clauses with additional protections. You can ask us for more detail on the safeguards that apply.

We keep personal data only as long as we need it.

Enquiry and demo information is kept for up to 24 months after our last contact, unless you become a customer. Customer account and billing records are kept for the life of your subscription and then for as long as the law requires us to keep financial records, which is currently six years. Support correspondence is kept for up to 24 months after an issue is resolved. Marketing contact data is kept until you opt out or ask us to delete it.

When we no longer need data, we delete it or make it anonymous.

Under UK data protection law you have the right to:

• ask for a copy of the personal data we hold about you;
• ask us to correct data that is wrong or incomplete;
• ask us to delete your data in certain circumstances;
• ask us to restrict or stop using your data in certain circumstances;
• object to us using your data where we rely on legitimate interests, and object to direct marketing at any time;
• ask us to transfer your data to you or another provider in a portable format, where that right applies;
• withdraw your consent at any time where we relied on consent.

To use any of these rights, email us at [email protected]. We will respond within one month. There is normally no charge. We may need to confirm your identity first so that we do not give your data to the wrong person.

If you are unhappy with how we have handled your data, please tell us first so we can try to put it right. You also have the right to complain to the ICO.

• Website: ico.org.uk
• Helpline: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We may update this policy from time to time. When we make a significant change, we will update the date at the top and, where appropriate, let you know by email or a notice on the site. Please check back now and then.

Questions about this policy or your data can go to [email protected].