Get in Touch
Get in Touch
Outcomemet
Get Started

Owner and Data Controller

OutcomeMet Limited, 128 City Road, London, United Kingdom, EC1V 2NX

Owner contact email: support@outcomemet.co.uk

Latest update: 13 April 2026

Scope of this Policy

This privacy policy applies to the OutcomeMap Azure DevOps extension and the associated licence and billing services operated by OutcomeMet Limited (collectively, "OutcomeMap" or "the Service"). It describes what personal data we collect, why we collect it, where it is processed, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What Personal Data We Collect and Why

Data collected by the OutcomeMap extension (inside Azure DevOps)

OutcomeMap runs as a native extension inside your organisation's Azure DevOps environment. The following data is transmitted from the extension to our licence service each time a user opens OutcomeMap:

  • Azure DevOps organisation name — used as the unique identifier for your licence record.
  • User display name — used to identify who activated the licence or trial for notification purposes.
  • User email address — used to send new-install notifications to the OutcomeMet team and to associate the licence record with a contact.
  • Extension version number — used to track which version of OutcomeMap is in use for support and compatibility purposes.
  • Anonymised usage counts — screen views (roadmap, milestones, portfolio, dependency map) and feature events (plan created, export clicked, upgrade clicked, trial started). No content is included — only event counters.

This data is transmitted to our licence service at api.outcomemap.io over HTTPS and stored in Cloudflare KV (key-value storage) on Cloudflare's global network. The legal basis for this processing is our legitimate interest in operating, supporting, and improving the Service (UK GDPR Article 6(1)(f)).

What data never leaves Azure DevOps

All plan content, outcomes, key results, milestones, roadmap data, work item data, and milestone details are stored exclusively within your organisation's Azure DevOps environment using Microsoft's Extension Data Service. This data is never transmitted to OutcomeMet or any third party. OutcomeMet has no access to your plan or roadmap content.

Data collected when you contact us or purchase a subscription

When you contact us by email, complete a contact form, or purchase a Professional subscription, we may collect your name, email address, organisation name, and billing information. Billing and payment data is processed directly by Stripe and is subject to Stripe's own privacy policy — OutcomeMet does not store card or bank account details.

Microsoft Identity API

To resolve the current user's email address, the extension may make a request to Microsoft's identity API at app.vssps.visualstudio.com/_apis/profile/me using the user's own Azure DevOps session token. This call is made to Microsoft's infrastructure only and no data from this call is retained by OutcomeMet beyond what is described above.

Third-Party Data Processors

We use the following third-party services as data processors. Each is subject to its own privacy policy and data processing agreement.

  • Microsoft Azure DevOps — your plan and roadmap data is stored in Microsoft's Extension Data Service within your Azure DevOps organisation. Subject to your organisation's Microsoft agreement.
  • Cloudflare, Inc. — our licence service is accessible at api.outcomemap.io and runs on Cloudflare Workers and KV storage on Cloudflare's global network. Licence records, user identity data, and anonymised usage counts are stored here. Cloudflare is certified under the EU-US Data Privacy Framework. See Cloudflare's privacy policy.
  • Stripe, Inc. — payment processing for Professional subscriptions. Stripe handles card and bank details directly; OutcomeMet does not receive or store payment card data. See Stripe's privacy policy.
  • Resend — used to send internal new-install notification emails to the OutcomeMet team. Only the organisation name, user name, and email address are included in these notifications. See Resend's privacy policy.

Place of Processing

OutcomeMet Limited is based in the United Kingdom. Licence and identity data stored in Cloudflare KV may be processed on Cloudflare's global network, which includes servers outside the UK and EEA. Cloudflare provides appropriate safeguards for international transfers under the EU-US Data Privacy Framework and UK adequacy decisions. Payment data processed by Stripe may also be processed in the United States under equivalent safeguards.

Your Azure DevOps plan data remains within your organisation's Azure DevOps region as configured by your Microsoft agreement and is not transferred by OutcomeMet.

Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

  • Licence records (organisation name, user name, email, tier, version) — retained for the duration of the licence relationship and for up to 12 months after termination for legal and support purposes.
  • Anonymised usage counts — retained for up to 90 days of daily data; aggregate totals retained indefinitely in anonymised form.
  • Contact and billing records — retained for 7 years in accordance with UK financial record-keeping obligations.

To request deletion of your organisation's licence record, email support@outcomemet.co.uk with the subject "Data deletion request". We will action requests within 30 days.

Security

All data transmitted between the OutcomeMap extension and our licence service is encrypted in transit using TLS. Access to licence records is protected by an admin token known only to OutcomeMet staff. Stripe webhook events are verified using HMAC-SHA256 signature validation. We apply rate limiting to all public endpoints to prevent abuse.

The OutcomeMap extension declares the minimum required Azure DevOps permission scopes: vso.project, vso.work, vso.work_write, vso.extension.data, and vso.extension.data_write. No administrative, identity management, or code repository scopes are requested.

Cookies and Tracking

The OutcomeMap extension does not use cookies. It uses browser localStorage and sessionStorage within your Azure DevOps session to cache plan data, user preferences, and licence status locally in your browser. This data does not leave your device and is not accessible to OutcomeMet.

The OutcomeMet website (outcomemet.co.uk) may use standard web analytics. No advertising tracking or cross-site tracking is used.

Legal Basis for Processing

We process personal data on the following legal bases under UK GDPR:

  • Legitimate interests (Article 6(1)(f)) — licence validation, usage analytics, and new-install notifications are necessary for the operation and improvement of the Service.
  • Performance of a contract (Article 6(1)(b)) — billing and subscription data is processed to fulfil the Professional subscription agreement.
  • Legal obligation (Article 6(1)(c)) — financial records are retained as required by UK law.

Your Rights under UK GDPR

You have the following rights regarding personal data held by OutcomeMet:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate data.
  • Right to erasure — you may ask us to delete your personal data, subject to legal retention obligations.
  • Right to restrict processing — you may ask us to limit how we use your data.
  • Right to data portability — you may request your data in a structured, machine-readable format.
  • Right to object — you may object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
  • Right to lodge a complaint — you may complain to the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact us at support@outcomemet.co.uk. We will respond within one month.

Additional Information

Legal action

Personal data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this Application or the related Services. The Owner may be required to reveal personal data upon request of public authorities.

System logs and maintenance

For operation and maintenance purposes, our licence service and any third-party services may collect system log data including IP addresses for security and rate-limiting purposes.

Changes to this privacy policy

We reserve the right to update this policy at any time. Where changes are material, we will notify users via the extension or by email where contact details are available. The date of the latest update is shown at the top of this page.

Definitions

Personal Data

Any information that directly or indirectly identifies a natural person.

Data Controller

OutcomeMet Limited — determines the purposes and means of processing personal data collected through the Service.

Data Processor

A third party that processes personal data on behalf of OutcomeMet, as listed in the Third-Party Data Processors section above.

Extension Data Service

Microsoft's built-in storage service for Azure DevOps extensions, used by OutcomeMap to store plan and roadmap data within your ADO organisation.

UK GDPR

The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.

Legal information

This privacy policy relates solely to OutcomeMet Limited and the OutcomeMap Service. Latest update: 13 April 2026.

Ready to ELEVATE?

Start your journey towards success now by trying OutcomeMet today. Empower your team, delight your customers, and stay ahead of the competition. Don't delay, start optimising your product delivery right now!

Try for Free