Privacy Policy — Runner Images
Last updated: 2026-04-29
3SR, registered in France (228 Boulevard de la République, 33510 Andernos-les-Bains), publishes Runner Images on Microsoft Commercial Marketplace as an Azure Managed Application. This privacy policy describes the data practices specific to this product.
1. Data we collect
1.1 Inside your Azure tenant
The Managed Application deploys an Azure Compute Gallery and four image definitions in your Azure tenant. After admin consent (§3), 3SR's distribution Service Principal copies image versions from our central gallery into yours. The data stored in your gallery is exclusively the runner image VHDs (Ubuntu / Windows OS images with build tools pre-installed) — no personal data, no Customer-specific data.
1.2 What 3SR collects on its side
- Tenant metadata for distribution: your Azure tenant ID, subscription ID, resource group name, gallery name. Stored in the 3SR-side variable group of the build pipeline (Azure DevOps). Used to copy image versions to your gallery on the weekly schedule. Retention: duration of the subscription + 1 year.
- Admin consent state: whether your tenant has granted admin consent to 3SR's distribution Service Principal (AppId 7372b3fa-2250-4fdb-a127-294b5531f77b). Checked periodically; if revoked or expired, the tenant is removed from the distribution list and the customer is notified.
- Marketplace lead capture: name, company, email, phone (optional). Stored in 3SR's Azure storage in the EU. Retention: 5 years.
- Support emails at support@3sr.fr: your email + content. Stored on 3SR's Microsoft 365. Retention: 7 years.
- Operational notifications: email confirmations of consent validation, distribution starts/stops, image distribution failures. Sent to the contact email you provided. 3SR is copied for support traceability. Retention: 1 year.
2. Cookies and tracking
Runner Images uses no cookies. This public website (marketplace.3sr.fr) uses no third-party trackers and no cookies.
3. Admin consent and Service Principal access
To enable 3SR to publish image versions into your Compute Gallery, you grant administrative consent to the multi-tenant Service Principal 3SR-Runner-Images-Gallery (AppId 7372b3fa-2250-4fdb-a127-294b5531f77b). This consent is required for image distribution to function.
The consent is granted via the standard Microsoft Entra ID admin consent flow at:
https://login.microsoftonline.com/<your-tenant-id>/v2.0/adminconsent?client_id=7372b3fa-2250-4fdb-a127-294b5531f77b
The Service Principal receives only the Azure RBAC role required to publish image versions into the Compute Gallery deployed in your managed Resource Group — it has no access to other resources in your tenant.
You may revoke this consent at any time via the Microsoft Entra ID portal → Enterprise Applications. After revocation, your tenant is removed from the distribution list and image updates stop. Existing images remain in your gallery.
4. Third-party services
3SR uses the following Microsoft services for the operation of Runner Images:
- Microsoft Azure (West Europe / France Central) — 3SR's central Compute Gallery, build pipeline (Azure DevOps), notifications
- GitHub — source of the open-source Packer scripts (repository actions/runner-images) used to build the images. No Customer data is shared with GitHub.
The OS contents of the images themselves include open-source and commercial software provided by their respective owners (Microsoft, Canonical, Docker, npm, Python Software Foundation, etc.). 3SR does not redistribute commercial software requiring license validation; build tools are limited to what is freely redistributable per the upstream Packer scripts.
5. Legal basis (GDPR Art. 6)
- Distribution and consent state: necessity for the contracted service
- Lead capture & support: contractual interest + your explicit action
- Operational notifications: necessity for the service
6. Your rights (GDPR Chapter III)
Right to access, rectification, erasure, restriction, objection, portability. Contact dpo@3sr.fr — response within 30 days.
7. Subprocessors
| Service | Role | Location |
|---|---|---|
| Microsoft Azure (West Europe / France Central) | Distribution infrastructure (Compute Gallery 3SR, ADO pipeline, email notifications) | EU |
| Microsoft 365 | Email + ticketing | EU |
| GitHub Inc. (Microsoft) | Source of upstream Packer scripts (open-source, no Customer data sent) | US/EU |
8. Security
- 3SR systems use Microsoft Entra ID with MFA enforced
- The 3SR-side build pipeline runs on a dedicated agent pool (VMSS-DevOps-RunnerImage)
- The build SPN credentials are temporary (1-day validity, auto-rotated each pipeline run)
- Image build logs retained 90 days, then purged
9. Changes to this policy
Material changes announced via support@3sr.fr.
10. Complaints
French Data Protection Authority (CNIL) — https://www.cnil.fr.
11. Contact
3SR — 228 Boulevard de la République, 33510 Andernos-les-Bains, France. Privacy: dpo@3sr.fr · General: support@3sr.fr