Overview

ISMS Copilot is fully compliant with the General Data Protection Regulation (GDPR) and follows strict data privacy principles. This article explains your privacy rights, how we handle your data, and what controls you have over your information.

Who This Is For

This article is for:

  • EU-based users concerned about GDPR compliance

  • Data Protection Officers evaluating ISMS Copilot

  • Compliance consultants handling client data under GDPR

  • Anyone who wants to understand their privacy rights

GDPR Compliance Overview

How ISMS Copilot Meets GDPR Requirements

Data Minimization (Article 5(1)(c))

ISMS Copilot collects only the minimum data necessary to provide the service:

  • Email address for account identification, authentication, and essential communications

  • Authentication credentials (hashed passwords or OAuth tokens)

  • Conversation history to provide context-aware AI responses

  • Uploaded documents for analysis and compliance gap assessment

  • Usage metadata for billing and service improvement

  • Email engagement data (opens, clicks) for onboarding and product update emails (users can opt out)

ISMS Copilot does not collect unnecessary personal information like phone numbers, addresses, or demographic data. Only essential data for service delivery is stored.

Purpose Limitation (Article 5(1)(b))

Your data is used exclusively for:

  • Providing AI-powered compliance assistance

  • Managing your account and subscription

  • Improving service performance and reliability

  • Complying with legal obligations

ISMS Copilot never uses your data for marketing, advertising, or selling to third parties. Your conversations and uploaded documents are never used to train AI models.

Storage Limitation (Article 5(1)(e))

You have complete control over how long your data is retained:

  • Set retention periods from 1 day to 7 years, or keep forever

  • Automatic deletion of expired data runs daily

  • Request immediate account and data deletion at any time

Data Protection by Design (Article 25)

Security and privacy are built into every ISMS Copilot feature:

  • End-to-end encryption for all data

  • Row-level security prevents unauthorized access

  • Workspace isolation keeps client data separate

  • Secure authentication with OAuth support

Your GDPR Rights

Right to Access (Article 15)

You have the right to access all your personal data stored in ISMS Copilot.

What you can access:

  • Your account information (email, settings)

  • All conversation history across workspaces

  • Uploaded documents and files

  • Usage metadata and timestamps

How to access your data:

  1. Log in to your ISMS Copilot account

  2. Navigate to your workspaces to view conversations

  3. View uploaded files in each conversation thread

  4. For a complete data export, contact support through the Help Center

Right to Rectification (Article 16)

You can update or correct your personal information at any time.

How to update your information:

  1. Click the user menu icon (top right)

  2. Select Settings

  3. Your email address is displayed (to change it, contact support)

  4. Update your data retention preferences

  5. Click Save Settings

Expected result: Settings dialog closes and your changes are saved immediately.

Right to Erasure / "Right to Be Forgotten" (Article 17)

You can request complete deletion of your account and all associated data.

How to delete your data:

  1. Click the user menu icon

  2. Select Help Center → Contact Support

  3. Submit a data deletion request

  4. Support will verify your identity and confirm the request

  5. All data is permanently deleted within 30 days

Account deletion is permanent and cannot be undone. All workspaces, conversations, uploaded files, and account settings will be permanently erased. Make sure to export any data you need before requesting deletion.

What gets deleted:

  • Your account and email address

  • All workspaces and conversation history

  • All uploaded documents and files

  • Custom workspace instructions

  • Usage metadata and logs

What may be retained:

  • Anonymized billing records (required for tax and accounting compliance)

  • Anonymized analytics data (no personally identifiable information)

Right to Data Portability (Article 20)

You have the right to receive your data in a structured, machine-readable format.

How to export your data:

  1. Contact support through the Help Center

  2. Request a data export

  3. Support will provide your data in JSON format containing:

    • Account information

    • Conversation history

    • Workspace configurations

    • Uploaded file metadata

  4. Download the export file for use in other systems

Data exports are typically provided within 72 hours. For large accounts with extensive conversation history, exports may take up to 5 business days.

Right to Restrict Processing (Article 18)

You can request temporary suspension of data processing while disputes are resolved.

When you can restrict processing:

  • You contest the accuracy of personal data

  • Processing is unlawful but you don't want data deleted

  • You need the data for legal claims

  • You've objected to processing pending verification

How to request restriction:

  1. Contact support through the Help Center

  2. Explain the reason for restriction

  3. Support will review and implement appropriate restrictions

Right to Object (Article 21)

You can object to certain types of data processing.

What you can object to:

  • Processing for direct marketing (ISMS Copilot doesn't perform marketing processing)

  • Processing based on legitimate interests

  • Automated decision-making (not currently used by ISMS Copilot)

How to object:

  1. Contact support through the Help Center

  2. Specify what processing you object to

  3. Support will review and respond within 30 days

Data Processing Details

ISMS Copilot processes your data under the following legal bases:

Contract Performance (Article 6(1)(b))

  • Processing necessary to provide the AI compliance service

  • Managing your account and subscription

  • Delivering features you've requested

Legitimate Interests (Article 6(1)(f))

  • Improving service performance and reliability

  • Detecting and preventing fraud or abuse

  • Ensuring system security

  • Sending product updates and onboarding guidance to enhance platform experience

Legal Obligation (Article 6(1)(c))

  • Retaining billing records for tax compliance

  • Responding to lawful requests from authorities

Data Transfers

EU Data Residency

All ISMS Copilot database storage occurs exclusively in the European Union:

  • Primary storage: AWS Frankfurt, Germany

  • Database provider: Supabase (EU region)

  • Conversation history: Stored in the EU regardless of AI provider

AI Processing Location (User-Controlled)

AI processing location depends on your Advanced Data Protection Mode setting:

  • Advanced Data Protection OFF (Default): AI processing occurs in the United States via xAI/OpenAI with 30-day retention

  • Advanced Data Protection ON: 100% EU processing via Mistral AI with zero retention

When Advanced Data Protection Mode is enabled, your core data processing (database storage and AI processing) occurs within the EU with zero AI provider retention. Note that email communications are still handled by US-based providers with Standard Contractual Clauses in place.

In default mode, while your database storage remains in the EU, conversation content is sent to US-based AI providers (xAI/OpenAI) for processing. These providers retain data for 30 days but do NOT use it for AI model training.

Third-Party Processors

The following third-party services have limited access to data:

AI Processing Providers (User-Configurable with Automatic Failover)

You can control which AI provider processes your conversations through the Advanced Data Protection Mode setting. ISMS Copilot now includes automatic failover to ensure service continuity during provider outages:

  • Default Mode (Advanced Data Protection OFF): xAI (Grok) and OpenAI with Mistral failover

    • Location: United States (with EU failover)

    • Retention: 30 days (temporary processing cache); zero retention during Mistral failover

    • Training: API data is NOT used for AI model training

    • Use case: Standard compliance work with enhanced reliability

    • Automatic failover: If OpenAI experiences outages, your requests automatically switch to Mistral AI (EU-based, zero retention) without service interruption

  • Advanced Data Protection Mode (ON): Mistral AI

    • Location: European Union

    • Retention: Zero (no data retention)

    • Training: NOT used for AI model training

    • Use case: Maximum privacy, EU data sovereignty requirements

December 2025 update: Automatic AI provider failover ensures your compliance work continues uninterrupted even during OpenAI outages. During failover, processing automatically switches to EU-based Mistral with zero data retention.

Organizations with strict EU data residency requirements can enable Advanced Data Protection Mode to ensure 100% EU processing with zero AI provider data retention. Learn how to enable this feature.

Other Third-Party Services

  • Stripe (Payment Processing): Payment and billing information only. GDPR-compliant with EU data processing agreement.

  • PostHog (Analytics): Anonymized usage data only. EU-hosted. No personal conversations or documents shared.

  • Sentry (Error Monitoring): Error logs and stack traces. Germany-based. Personal data is filtered before sending.

  • Email Communications: SendGrid and Kit handle transactional emails, legal updates, and onboarding sequences. US-based with Standard Contractual Clauses. Users can unsubscribe from non-essential emails.

Advanced Data Protection Mode

ISMS Copilot gives you control over where your AI conversations are processed and how long AI providers retain your data.

Two Processing Options:

  1. Default Mode (Advanced Data Protection OFF): xAI/OpenAI process conversations in the US with 30-day retention

  2. EU-Only Mode (Advanced Data Protection ON): Mistral AI processes conversations in the EU with zero retention

When to Enable Advanced Data Protection:

  • Your organization has mandatory EU data residency requirements

  • You're handling highly sensitive client data

  • GDPR compliance requires minimizing data transfers outside the EU

  • Client contracts prohibit US-based data processing

  • You want maximum privacy with zero AI provider data retention

Compliance consultants working with European clients should consider enabling Advanced Data Protection Mode to meet strict data sovereignty requirements. Learn how to configure this setting.

Important Distinction:

Advanced Data Protection controls AI provider retention (30 days vs zero). Your ISMS Copilot conversation history retention is controlled separately through your user settings (1 day to 7 years). Both retention settings work independently.

International Data Transfers

ISMS Copilot's approach to international data transfers depends on your configuration:

Core Data Processing

  • Database storage: Always in the EU (Frankfurt, Germany)

  • AI processing: EU or US depending on Advanced Data Protection Mode setting

  • Analytics: EU endpoints only (PostHog EU, Sentry Germany)

  • File conversion: EU endpoint (ConvertAPI)

Email Communications (US-Based with Safeguards)

Email addresses and engagement data are transferred to US-based email service providers (SendGrid and Kit) for transactional emails, legal updates, and onboarding sequences. These transfers are protected by Standard Contractual Clauses approved by the European Commission.

Users can unsubscribe from non-essential emails (product updates, onboarding sequences) at any time to minimize data transfers. Essential service notifications (security alerts, account changes) may still be sent as required by law or contract.

If your organization has strict EU-only data residency requirements, you should:

  • Enable Advanced Data Protection Mode to keep AI processing in the EU

  • Unsubscribe from marketing/product emails to minimize US transfers

  • Document the remaining email communication transfers in your data processing records

Data Retention Periods

Active Data

  • Conversation history: Based on your user-defined retention period (1 day to 7 years, or forever)

  • Uploaded documents: Same as conversation history

  • Account information: Retained while account is active

After Account Deletion

  • Personal data: Deleted within 30 days

  • Anonymized billing records: 7 years (tax compliance requirement)

  • Backup data: Overwritten within 90 days

Privacy by Design Features

Workspace Isolation

Workspaces provide data separation for multi-client scenarios:

  • Each workspace maintains its own conversation history

  • Uploaded files are tied to specific workspaces

  • Custom instructions are workspace-specific

  • Deleting a workspace removes all associated data

Compliance consultants should create separate workspaces for each client. This ensures client data remains isolated and simplifies compliance with confidentiality obligations.

No Cross-User Data Sharing

ISMS Copilot implements strict data boundaries:

  • Users cannot access other users' data

  • AI responses are generated independently for each user

  • Database queries automatically filter by authenticated user ID

  • Even system administrators follow the principle of least privilege

No AI Training on User Data

Your sensitive compliance data is never used for AI training:

  • Conversations are not stored by OpenAI or other AI providers

  • Uploaded documents remain confidential and private

  • Client information never contributes to model improvement

  • Each conversation is processed in isolation

This is a critical difference from general AI tools like the ChatGPT free tier, which may use conversations for training. ISMS Copilot guarantees your compliance data remains completely confidential.

Data Subject Requests

How to Submit a GDPR Request

  1. Click the user menu icon (top right)

  2. Select Help Center → Contact Support

  3. Describe your request clearly:

    • "I request access to all my personal data under GDPR Article 15"

    • "I request deletion of my account under GDPR Article 17"

    • "I request a data export under GDPR Article 20"

  4. Support will verify your identity and process the request

Response Timeframes

ISMS Copilot responds to GDPR requests according to regulation timelines:

  • Acknowledgment: Within 24-48 hours

  • Access requests: Within 30 days (typically within 72 hours)

  • Deletion requests: Within 30 days

  • Data portability: Within 30 days (typically within 72 hours)

  • Rectification requests: Immediately for user-updateable fields; within 30 days for others

If ISMS Copilot needs to extend the response deadline (e.g., for complex requests), you'll be notified within 30 days with an explanation and estimated completion date.

Identity Verification

To protect your data from unauthorized access, ISMS Copilot may verify your identity:

  • You must submit requests from your registered email address

  • For sensitive requests, additional verification may be required

  • Support may ask security questions about your account

Children's Privacy

ISMS Copilot is not intended for children under 16:

  • Service is designed for compliance professionals and businesses

  • No parental consent mechanisms are provided

  • If underage use is discovered, the account will be terminated and its data deleted

Privacy Policy Updates

How You'll Be Notified

When privacy practices change, ISMS Copilot will:

  • Send email notification to your registered email address

  • Display in-app notification upon next login

  • Update the Privacy Policy with a "Last Updated" date

  • Provide at least 30 days' notice for material changes

Your Options

If you don't agree with privacy policy changes:

  • Request account deletion before changes take effect

  • Export your data before the effective date

  • Contact support to discuss concerns

Supervisory Authority

As an EU-based service, ISMS Copilot is subject to data protection oversight.

Right to Lodge a Complaint

If you believe ISMS Copilot has violated your privacy rights, you can:

  1. Contact ISMS Copilot support to resolve the issue directly

  2. File a complaint with your local data protection authority

  3. File a complaint with the French data protection authority (CNIL) where ISMS Copilot is established

Commission Nationale de l'Informatique et des Libertés (CNIL)

  • Website: https://www.cnil.fr/en

  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

  • Phone: +33 1 53 73 22 22

Best Practices for Compliance

For Consultants Handling Client Data

  • Create separate workspaces for each client

  • Set appropriate retention periods matching client contracts

  • Anonymize sensitive personal data before uploading

  • Inform clients that you use ISMS Copilot for compliance work

  • Include ISMS Copilot in your data processing agreements

  • Enable Advanced Data Protection Mode if clients require EU-only processing

For Organizations

  • Document ISMS Copilot in your data processing register (see our Register of Processing Activities for reference)

  • Include in Data Protection Impact Assessments (DPIA) if processing sensitive data

  • Train staff on proper data handling within ISMS Copilot

  • Configure retention periods to match your data retention policy

Need help with GDPR compliance documentation? ISMS Copilot can assist with creating data processing agreements, privacy policies, and DPIA templates specific to your organization.

Transparency & Trust

Security Documentation

For detailed information about ISMS Copilot's security and privacy practices, visit our Security Collection:

  • Detailed data processing descriptions

  • Security measure documentation

  • Complete sub-processor list with locations and DPA status

  • Compliance certifications

  • AI governance policies

You can also review our comprehensive Register of Processing Activities (RoPA) for detailed technical and organizational measures.

System Status

Monitor service availability and security incidents at the Status Page:

  • Real-time uptime monitoring via BetterStack

  • Incident notifications and status updates

  • Planned maintenance schedules

  • Historical uptime data

  • Transparent incident classification and escalation

Limitations

Current Privacy Features

  • Automated data export is not available (must request through support)

  • Email address changes require support assistance

  • No self-service account deletion (must contact support)

  • Cookie consent banner not implemented (no tracking cookies used)

What's Next

Getting Help

For privacy-related questions or GDPR requests:

  • Contact support through the Help Center menu

  • Email from your registered account email address

  • Include "GDPR Request" in the subject line for faster processing

  • Visit our Security Collection for detailed documentation
