Reach Seats

Privacy Policy

Last updated: March 17, 2026

1. Who We Are

Reach Seats (“we”, “us”, “our”) provides a SaaS platform that helps organizations identify unused software licenses. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service.

For questions about this policy, contact us at [email protected].

2. Data We Collect

We collect the following categories of data:

Account data

Name, email address, and profile information provided when you sign in via Google OAuth or Magic Link.

Organization data

Organization name and membership roles you configure within the Service.

Integration credentials

OAuth tokens and API keys for connected providers (Microsoft 365, Google Workspace, Slack, Freshservice). These are encrypted at rest using AES-256-GCM and decrypted only in memory during sync operations.

License and user data from connected providers

Email addresses, display names, last login timestamps, and license assignment data for users in your organization's connected platforms. This data belongs to your organization and is processed solely to provide the Service.

Usage data

Basic analytics such as page views, feature usage, and error logs, used to improve the Service. We do not sell this data.

3. How We Use Your Data

We use collected data to:

  • Provide, operate, and improve the Service.
  • Authenticate users and maintain session security.
  • Sync license data from connected providers on your behalf.
  • Calculate and display license waste estimates within your dashboard.
  • Send transactional emails (e.g. Magic Link sign-in, account notifications).
  • Respond to support requests and account inquiries.
  • Comply with legal obligations.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, or Switzerland, we process personal data under the following legal bases:

  • Contract performance — processing necessary to provide the Service you signed up for.
  • Legitimate interests — security monitoring, fraud prevention, and improving the Service.
  • Legal obligation — retaining records as required by applicable law.
  • Consent — where you have explicitly given consent, such as for optional communications.

For full details on your rights under GDPR, see our GDPR Data Processing Addendum.

5. Data Storage and Security

Data is stored in a PostgreSQL database hosted on infrastructure within the EU. OAuth tokens and API keys are encrypted at rest using AES-256-GCM before storage. Access to production data is restricted to authorized personnel only.

We use TLS/HTTPS for all data in transit. Sessions are managed via secure, HTTP-only cookies. We do not use JWT tokens for session management.

While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data.

6. Data Retention

We retain your account and organization data for as long as your account is active or as needed to provide the Service. License sync data is retained for up to 12 months of history to support trend analysis.

Upon account termination, we will delete your organization's data within 30 days, except where we are required to retain it by law.

7. Third-Party Services

The Service integrates with the following third-party platforms at your direction:

  • Microsoft 365 (Microsoft Corporation)
  • Google Workspace (Google LLC)
  • GitHub (GitHub, Inc.)
  • Slack (Salesforce, Inc.)
  • Freshservice (Freshworks Inc.)
  • Zoom (Zoom Video Communications, Inc.)
  • Jira (Atlassian Corporation)
  • Figma (Figma, Inc.)
  • Notion (Notion Labs, Inc.)
  • Zendesk (Zendesk, Inc.)

Data retrieved from these platforms is processed solely to provide the Service and is not shared with any other third party. Each platform's own privacy policy governs data held within its systems.

We may also use infrastructure and operational service providers (hosting, email delivery, error monitoring). These sub-processors access data only as necessary to perform their services and are bound by appropriate data processing agreements.

8. Cookies

We use strictly necessary session cookies to maintain your authenticated session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under ePrivacy regulations.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (“right to be forgotten”).
  • Object to or restrict certain processing.
  • Receive your data in a portable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local supervisory authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

10. Children's Privacy

The Service is intended for business use only and is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via a notice in the Service at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact

For privacy-related questions or to exercise your rights, contact us at [email protected].