Overview
This Privacy Policy describes how ISMS Copilot ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our AI-powered compliance platform. This policy applies to all users of ISMS Copilot, including trial users, subscribers, and visitors to our website.
Effective Date: November 2025. This Privacy Policy is updated regularly to reflect changes in our data processing practices and regulatory requirements.
Who This Is For
This Privacy Policy is for:
All ISMS Copilot platform users (compliance professionals, consultants, security teams)
Organizations evaluating ISMS Copilot for vendor risk assessments
Data Protection Officers conducting privacy reviews
Anyone seeking to understand how we handle personal information
Data Controller Information
ISMS Copilot is the data controller responsible for your personal information:
Name: ISMS Copilot
Jurisdiction: France (European Union)
Primary Data Location: Frankfurt, Germany (AWS EU-Central-1)
Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)
Information We Collect
Account Information
When you create an ISMS Copilot account, we collect:
Email address (for authentication and essential communications)
Password (hashed and encrypted, never stored in plain text)
Account creation and last login timestamps
User unique identifiers (UUIDs)
Conversation Data
When you use our AI compliance assistant, we process:
Your messages and queries
AI-generated responses
Conversation metadata (titles, timestamps, status)
Workspace configurations and custom instructions
Compliance-related content (policies, procedures, audit information you input)
You may input special category data (Article 9 GDPR) such as security incidents or compliance violations. You are responsible for ensuring you have legal authority to process such data before inputting it into the platform.
Uploaded Files
When you upload documents for analysis, we collect:
File content (PDF, DOCX, XLSX formats)
File names, sizes, and upload timestamps
Extracted document content and metadata
Document processing status
Payment Information
For premium subscriptions, we collect:
Stripe customer IDs and subscription IDs
Payment metadata (we never store full credit card numbers)
Billing events and invoice information
Subscription status and tier information
Payment card data is handled exclusively by Stripe, our PCI DSS Level 1 compliant payment processor. ISMS Copilot never stores or processes credit card numbers.
Analytics and Usage Data
To improve our service, we automatically collect:
User behavior events (page views, feature usage)
Session data and duration
Browser and device information
Error logs and performance metrics
IP addresses (anonymized)
Our analytics systems are configured with sendDefaultPii: false to prevent automatic collection of personally identifiable information. Conversation content and uploaded documents are never shared with analytics providers.
Email Communications Data
When you receive emails from us, we may collect:
Email engagement data (opens, clicks)
Subscription preferences
Unsubscribe status
Email delivery timestamps
How We Use Your Information
Service Delivery (Legal Basis: Contract Performance - Article 6(1)(b) GDPR)
Provide AI-powered compliance assistance
Authenticate your account and manage sessions
Process and store your conversations and uploaded files
Deliver features and functionality you've requested
Process subscription payments and manage billing
Service Improvement (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR)
Analyze platform usage to improve user experience
Monitor system performance and reliability
Identify and fix bugs and technical issues
Develop new features and capabilities
Security and Fraud Prevention (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR)
Detect and prevent unauthorized access
Monitor for suspicious activity or abuse
Protect platform integrity and user data
Respond to security incidents
Communications (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR)
Send transactional emails (password resets, security alerts)
Provide onboarding guidance and product education
Share legal updates and important service changes
Deliver occasional product updates (you can unsubscribe anytime)
Legal Compliance (Legal Basis: Legal Obligation - Article 6(1)(c) GDPR)
Retain billing records for tax and accounting requirements (7 years)
Respond to lawful requests from authorities
Comply with applicable data protection laws
ISMS Copilot never uses your data for marketing, advertising, or selling to third parties. Your conversations and uploaded documents are never used to train AI models.
How We Share Your Information
Third-Party Service Providers (Data Processors)
We share your information with trusted service providers who help us deliver the platform. All processors have GDPR-compliant Data Processing Agreements:
Database and Storage (Always Active)
Supabase: Database and file storage (EU - Frankfurt, Germany)
AWS: Infrastructure (EU-Central-1, Frankfurt)
AI Processing (User-Configurable via Advanced Data Protection Mode)
Default Mode (Advanced Data Protection OFF): xAI (Grok) and OpenAI (United States, 30-day retention, no training on data)
Advanced Data Protection ON: Mistral AI (European Union, zero retention, no training on data)
Organizations with EU data residency requirements should enable Advanced Data Protection Mode to ensure 100% EU processing with zero AI provider data retention.
Payment Processing
Stripe: Payment processing and subscription management (Global with EU DPA, PCI DSS Level 1 compliant)
Analytics and Monitoring
PostHog: Product analytics (EU - Frankfurt, Germany)
Sentry: Error tracking and monitoring (Germany)
Vercel: Web analytics and frontend hosting (GDPR-compliant)
Email Communications
SendGrid (Twilio): Transactional and legal update emails (United States with Standard Contractual Clauses)
Kit (ConvertKit): Onboarding and product update emails (United States with Standard Contractual Clauses)
You can unsubscribe from non-essential emails (product updates, onboarding sequences) at any time. Essential service notifications may still be sent as required by law or contract.
Document Processing
ConvertAPI: Document format conversion (EU endpoint, temporary processing only)
Fly.io: Backend API hosting and chat orchestration (EU deployment)
Legal Requirements
We may disclose your information when required by law or to:
Comply with legal processes (subpoenas, court orders)
Respond to lawful requests from government authorities
Protect our rights, property, or safety
Prevent fraud or abuse of the platform
No Sale of Personal Data
ISMS Copilot does not sell, rent, or trade your personal information to third parties for their marketing purposes.
International Data Transfers
Primary Data Storage
All ISMS Copilot database storage occurs in the European Union:
Location: Frankfurt, Germany (AWS EU-Central-1)
Provider: Supabase with AWS infrastructure
Coverage: All conversation history, uploaded files, and account data
Data Transfers Outside the EU
Some data is transferred to the United States with appropriate safeguards:
When Advanced Data Protection Mode is ON, core data processing (database and AI) occurs within the EU. Email communications to US-based providers still occur with Standard Contractual Clauses in place.
When Advanced Data Protection is OFF (default), conversation content is transferred to the United States for AI processing via xAI/OpenAI with 30-day retention. These transfers are subject to GDPR transfer requirements.
Transfers with Standard Contractual Clauses (SCC):
Email service providers (SendGrid, Kit) - United States
AI processing providers (xAI/OpenAI) when Advanced Data Protection is OFF - United States
EU-Only Processing Options:
Enable Advanced Data Protection Mode for EU-only AI processing
Unsubscribe from non-essential emails to minimize US transfers
Database storage always remains in the EU regardless of configuration
Data Retention
User-Controlled Retention
You control how long your data is retained:
Conversation history: 1 day to 7 years, or keep forever (configurable in Settings)
Uploaded documents: Linked to conversation retention settings
Automated deletion: Daily process removes expired data
Account-Related Retention
Active accounts: Retained while account is active
Session tokens: Expire after inactivity period
Temporary chats: Automatically deleted after 30 days
After Account Deletion
Personal data: Permanently deleted within 30 days
Billing records: Anonymized and retained for 7 years (legal requirement for tax compliance)
Backup data: Overwritten within 90 days
Analytics and Logs
PostHog analytics: Up to 7 years (anonymized)
Sentry error logs: 90 days
Access logs: 30-90 days per infrastructure provider policies
Data Security
Technical Security Measures
Encryption in transit: TLS 1.3 for all connections
Encryption at rest: Database and file storage encryption
Password security: Industry-standard hashing (irreversible)
Access control: Row-level security prevents unauthorized data access
Session management: Automatic timeout controls
Organizational Security Measures
Workspace isolation: Separate data for different projects/clients
User authentication: Required for all protected resources
MFA support: Multi-factor authentication available
Monitoring: Continuous error and security monitoring via Sentry
Incident response: 24-hour breach assessment and notification procedures
Data Minimization
Only essential data collected (email, messages, files)
No unnecessary demographic or contact information
Analytics configured to exclude PII
User-controlled retention periods
For detailed security documentation, visit our Trust Center or review our complete Register of Processing Activities.
Your Privacy Rights
Right to Access (Article 15 GDPR)
You have the right to access all personal data we hold about you.
How to exercise:
Log in to view conversations and files through the platform interface
For a complete data export, contact support through the Help Center
We will provide your data within 30 days (typically within 72 hours)
Right to Rectification (Article 16 GDPR)
You can update or correct your personal information.
How to exercise:
Update account settings through the Settings dialog (accessible via user menu)
For email address changes, contact support
Changes are applied immediately for self-service updates
Right to Erasure / "Right to Be Forgotten" (Article 17 GDPR)
You can request complete deletion of your account and data.
How to exercise:
Contact support through the Help Center with a deletion request
We will verify your identity and confirm the request
All data is permanently deleted within 30 days
Account deletion is permanent and cannot be undone. All workspaces, conversations, and uploaded files will be permanently erased. Export any needed data before requesting deletion.
Right to Data Portability (Article 20 GDPR)
You can receive your data in a structured, machine-readable format.
How to exercise:
Contact support requesting a data export
We will provide your data in JSON format within 72 hours
Export includes account information, conversations, and file metadata
Right to Restrict Processing (Article 18 GDPR)
You can request temporary suspension of data processing.
How to exercise: Contact support explaining the reason for restriction. We will respond within 30 days.
Right to Object (Article 21 GDPR)
You can object to certain types of data processing.
How to exercise: Contact support specifying what processing you object to. We will review and respond within 30 days.
Right to Lodge a Complaint
You have the right to file a complaint with a supervisory authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
Website: https://www.cnil.fr/en
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Phone: +33 1 53 73 22 22
Cookies and Tracking
Essential Cookies
We use strictly necessary cookies for:
User authentication and session management
Security and fraud prevention
Platform functionality
Analytics Cookies
With your consent, we use analytics cookies to:
Understand platform usage patterns
Improve user experience
Monitor performance
We do not use advertising or marketing cookies. All analytics are configured to exclude personally identifiable information.
Children's Privacy
ISMS Copilot is not intended for individuals under 16 years of age:
Our service is designed for compliance professionals and businesses
We do not knowingly collect data from children
If we discover underage use, we will terminate the account and delete the data
User Responsibilities
While ISMS Copilot provides GDPR-compliant infrastructure, you (as data controller for your own processing) are responsible for ensuring your use of the platform complies with applicable regulations.
You Are Responsible For:
Ensuring legal basis exists before uploading personal data
Configuring appropriate data retention periods for your organization
Maintaining separate workspaces for different clients or data categories
Informing individuals when their data is processed through ISMS Copilot
Including ISMS Copilot in your own data processing records
Conducting Data Protection Impact Assessments (DPIA) when processing high-risk data
Not uploading special category data (Article 9 GDPR) without appropriate safeguards
Changes to This Privacy Policy
How We Notify You
When we update this Privacy Policy, we will:
Send email notification to your registered email address
Display in-app notification upon next login
Update the "Effective Date" at the top of this policy
Provide at least 30 days' notice for material changes
Your Options
If you don't agree with changes:
Request account deletion before changes take effect
Export your data before the effective date
Contact support to discuss concerns
Contact Us
For Privacy Questions or Rights Requests
Click the user menu icon (top right)
Select Help Center
Submit your request or question
Include "Privacy Request" or "GDPR Request" in the subject for priority handling
Response Times:
Acknowledgment: Within 24-48 hours
Full response: Within 30 days (typically within 72 hours)
Additional Resources
Register of Processing Activities (RoPA) - Detailed data processing documentation
Data Privacy & GDPR Compliance - User-focused GDPR rights guide
Security & Data Protection Overview - Security measures and controls
Trust Center - Comprehensive security and privacy documentation
Status Page - System availability and incident notifications
Limitations
Current Implementation Status
Automated data export not available (must request through support)
Email address changes require support assistance
No self-service account deletion (must contact support)
Cookie consent banner not implemented (no tracking cookies used)
What's Next
Enable Advanced Data Protection Mode for EU-only AI processing
Set up workspaces to isolate client data
Secure your account with strong authentication
Review the Data Processing Agreement for B2B vendor relationships
Getting Help
For privacy-related questions, GDPR requests, or concerns:
Contact support through the Help Center menu
Email from your registered account email address
Include "Privacy Request" or "GDPR Request" for faster processing
Visit the Trust Center for detailed documentation