Privacy Policy - ISMS Copilot

Overview

This Privacy Policy describes how ISMS Copilot ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our AI-powered compliance platform. This policy applies to all users of ISMS Copilot, including trial users, subscribers, and visitors to our website.

Effective Date: December 2025. This Privacy Policy is updated regularly to reflect changes in our data processing practices and regulatory requirements.

Global Coverage: This policy covers both European (GDPR) and California (CCPA/CPRA) privacy requirements. EU users should focus on GDPR sections; California residents should also review the California Privacy Rights section.

Who This Is For

This Privacy Policy is for:

  • All ISMS Copilot platform users (compliance professionals, consultants, security teams)

  • Organizations evaluating ISMS Copilot for vendor risk assessments

  • Data Protection Officers conducting privacy reviews

  • Anyone seeking to understand how we handle personal information

Data Controller Information

ISMS Copilot is the data controller responsible for your personal information:

  • Name: ISMS Copilot

  • Jurisdiction: France (European Union)

  • Primary Data Location: Frankfurt, Germany (AWS EU-Central-1)

  • Privacy Contact: [email protected]

  • Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)

Data Protection Officer

ISMS Copilot has not designated a Data Protection Officer as we do not meet the mandatory designation criteria under GDPR Article 37. For privacy inquiries, contact [email protected].

Information We Collect

Account Information

When you create an ISMS Copilot account, we collect:

  • Email address (for authentication and essential communications)

  • Password (hashed and encrypted, never stored in plain text)

  • Account creation and last login timestamps

  • User unique identifiers (UUIDs)

Conversation Data

When you use our AI compliance assistant, we process:

  • Your messages and queries

  • AI-generated responses

  • Conversation metadata (titles, timestamps, status)

  • Workspace configurations and custom instructions

  • Compliance-related content (policies, procedures, audit information you input)

You may input special category data (Article 9 GDPR) such as security incidents or compliance violations. You are responsible for ensuring you have legal authority to process such data before inputting it into the platform.

Uploaded Files

When you upload documents for analysis, we collect:

  • File content (PDF, DOCX, XLSX formats)

  • File names, sizes, and upload timestamps

  • Extracted document content and metadata

  • Document processing status

Payment Information

For premium subscriptions, we collect:

  • Stripe customer IDs and subscription IDs

  • Payment metadata (we never store full credit card numbers)

  • Billing events and invoice information

  • Subscription status and tier information

Payment card data is handled exclusively by Stripe, our PCI DSS Level 1 compliant payment processor. ISMS Copilot never stores or processes credit card numbers.

Analytics and Usage Data

To improve our service, we automatically collect:

  • User behavior events (page views, feature usage)

  • Session data and duration

  • Browser and device information

  • Error logs and performance metrics

  • User identifiers (UUID only) for error tracking in production (no email addresses or names)

  • IP addresses (anonymized)

Our analytics systems are configured with sendDefaultPii: false to prevent automatic collection of personally identifiable information. Conversation content and uploaded documents are never shared with analytics providers.

Email Communications Data

When you receive emails from us, we may collect:

  • Email engagement data (opens, clicks)

  • Subscription preferences

  • Unsubscribe status

  • Email delivery timestamps

How We Use Your Information

Service Delivery (Legal Basis: Contract Performance - Article 6(1)(b) GDPR)

  • Provide AI-powered compliance assistance

  • Authenticate your account and manage sessions

  • Process and store your conversations and uploaded files

  • Deliver features and functionality you've requested

  • Process subscription payments and manage billing

Service Improvement (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR)

  • Analyze platform usage to improve user experience

  • Monitor system performance and reliability

  • Identify and fix bugs and technical issues

  • Develop new features and capabilities

Security and Fraud Prevention (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR)

  • Detect and prevent unauthorized access

  • Monitor for suspicious activity or abuse

  • Protect platform integrity and user data

  • Respond to security incidents

  • Process all chat messages through automated content moderation to detect prohibited content under our Acceptable Use Policy

  • Store flagged messages with metadata for legal compliance and admin review

Content Moderation: All chat messages are processed through automated moderation APIs (OpenAI by default, or Mistral AI when Advanced Data Protection is enabled) to detect violations of our Acceptable Use Policy. Clean (non-flagged) messages never have their content stored—only metadata and moderation scores are retained for 30 days. If content is flagged as potentially harmful or prohibited, the full message content and metadata are stored for 1 year and reviewed by administrators, even if Advanced Data Protection Mode is enabled. This ensures platform safety and legal compliance.

Communications (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR)

  • Send transactional emails (password resets, security alerts)

  • Provide onboarding guidance and product education

  • Share legal updates and important service changes

  • Deliver occasional product updates (you can unsubscribe anytime)

Legal Compliance (Legal Basis: Legal Obligation - Article 6(1)(c) GDPR)

  • Retain billing records for tax and accounting requirements (7 years)

  • Respond to lawful requests from authorities

  • Comply with applicable data protection laws

ISMS Copilot never uses your data for marketing, advertising, or selling to third parties. Your conversations and uploaded documents are never used to train AI models.

How We Share Your Information

Third-Party Service Providers (Data Processors)

We share your information with trusted service providers who help us deliver the platform. All processors have GDPR-compliant Data Processing Agreements.

A current list of all subprocessors is maintained in our Data Processing Agreement. We provide 30 days' advance notice of subprocessor changes via email to account holders.

Database and Storage (Always Active)

  • Supabase: Database and file storage (EU - Frankfurt, Germany)

  • AWS: Infrastructure (EU-Central-1, Frankfurt)

AI Processing (User-Configurable via Advanced Data Protection Mode)

  • Default Mode (Advanced Data Protection OFF): xAI (Grok) and OpenAI (United States, 30-day retention, no training on data)

  • Advanced Data Protection ON: Mistral AI (European Union, zero retention, no training on data)

Content Moderation Processing

  • Default Mode: OpenAI Moderation API (United States, 30-day retention)

  • Advanced Data Protection ON: Mistral AI Moderation API (European Union, zero retention)

Moderation processing occurs for all chat messages to ensure platform safety. For non-flagged content, only metadata and moderation scores are stored (no message content), retained for 30 days. For flagged content, the full message text is stored for 1 year, regardless of Advanced Data Protection (ADP) settings, for legal compliance and safety review.

Organizations with EU data residency requirements should enable Advanced Data Protection Mode to ensure 100% EU processing with zero AI provider data retention.

Payment Processing

  • Stripe: Payment processing and subscription management (Global with EU DPA, PCI DSS Level 1 compliant)

Analytics and Monitoring

  • PostHog: Product analytics (EU - Frankfurt, Germany)

  • Sentry: Error tracking and monitoring (Germany). In production only, your user ID (UUID) is captured with error reports to enable faster troubleshooting. No email addresses, conversation content, or other personal information is sent.

  • Vercel: Web analytics and frontend hosting (GDPR-compliant)

Email Communications

  • SendGrid (Twilio): Transactional and legal update emails (United States with Standard Contractual Clauses)

  • Kit (ConvertKit): Onboarding and product update emails (United States with Standard Contractual Clauses)

You can unsubscribe from non-essential emails (product updates, onboarding sequences) at any time. Essential service notifications may still be sent as required by law or contract.

Document Processing

  • ConvertAPI: Document format conversion (EU endpoint, temporary processing only)

  • Fly.io: Backend API hosting and chat orchestration (EU deployment)

We may disclose your information when required by law or to:

  • Comply with legal processes (subpoenas, court orders)

  • Respond to lawful requests from government authorities

  • Protect our rights, property, or safety

  • Prevent fraud or abuse of the platform

No Sale of Personal Data

ISMS Copilot does not sell, rent, or trade your personal information to third parties for their marketing purposes.

International Data Transfers

Primary Data Storage

All ISMS Copilot database storage occurs in the European Union:

  • Location: Frankfurt, Germany (AWS EU-Central-1)

  • Provider: Supabase with AWS infrastructure

  • Coverage: All conversation history, uploaded files, and account data

Data Transfers Outside the EU

Some data is transferred to the United States with appropriate safeguards. We have conducted Transfer Impact Assessments for all processors located outside the European Economic Area. These assessments evaluate recipient country surveillance laws and the effectiveness of our supplementary safeguards.

When Advanced Data Protection Mode is ON, core data processing (database and AI) occurs within the EU. Email communications to US-based providers still occur with Standard Contractual Clauses in place.

When Advanced Data Protection is OFF (default), conversation content is transferred to the United States for AI processing via xAI/OpenAI with 30-day retention. These transfers are subject to GDPR transfer requirements.

Transfers with Standard Contractual Clauses (SCC):

  • Email service providers (SendGrid, Kit) - United States

  • AI processing providers (xAI/OpenAI) when Advanced Data Protection is OFF - United States

EU-Only Processing Options:

  • Enable Advanced Data Protection Mode for EU-only AI processing

  • Unsubscribe from non-essential emails to minimize US transfers

  • Database storage always remains in the EU regardless of configuration

Data Retention

User-Controlled Retention

You control how long your data is retained:

  • Conversation history: 1 day to 7 years, or keep forever (configurable in Settings)

  • Uploaded documents: Linked to conversation retention settings

  • Automated deletion: Daily process removes expired data

  • Active accounts: Retained while account is active

  • Session tokens: Expire after inactivity period

  • Temporary chats: Automatically deleted after 30 days

After Account Deletion

  • Personal data: Permanently deleted within 30 days

  • Billing records: Anonymized and retained for 7 years (legal requirement for tax compliance)

  • Backup data: Overwritten within 90 days

Analytics and Logs

  • PostHog analytics: Up to 7 years (anonymized)

  • Sentry error logs: 90 days

  • Access logs: 30-90 days per infrastructure provider policies

  • Moderation metadata (non-flagged): Metadata and moderation scores only (no message content), retained for 30 days

  • Flagged content and metadata: Full message content and metadata stored for 1 year for compliance and safety review

Data Security

Technical Security Measures

  • Encryption in transit: TLS 1.3 for all connections

  • Encryption at rest: Database and file storage encryption

  • Password security: Industry-standard hashing (irreversible)

  • Access control: Row-level security prevents unauthorized data access

  • Session management: Automatic timeout controls

Organizational Security Measures

  • Workspace isolation: Separate data for different projects/clients

  • User authentication: Required for all protected resources

  • MFA support: Multi-factor authentication available

  • Monitoring: Continuous error and security monitoring via Sentry

  • Incident response: 24-hour breach assessment and notification procedures

Data Minimization

  • Only essential data collected (email, messages, files)

  • No unnecessary demographic or contact information

  • Analytics configured to exclude PII

  • User-controlled retention periods

For detailed security documentation, visit our Security Collection or review our complete Register of Processing Activities.

Your Privacy Rights

Right to Access (Article 15 GDPR)

You have the right to access all personal data we hold about you.

How to exercise:

  1. Log in to view conversations and files through the platform interface

  2. For a complete data export, contact support through the Help Center

  3. We will provide your data within 30 days (typically within 72 hours)

Right to Rectification (Article 16 GDPR)

You can update or correct your personal information.

How to exercise:

  1. Update account settings through the Settings dialog (accessible via user menu)

  2. For email address changes, contact support

  3. Changes are applied immediately for self-service updates

Right to Erasure / "Right to Be Forgotten" (Article 17 GDPR)

You can request complete deletion of your account and data.

How to exercise:

  1. Contact support through the Help Center with a deletion request

  2. We will verify your identity and confirm the request

  3. All data is permanently deleted within 30 days

Account deletion is permanent and cannot be undone. All workspaces, conversations, and uploaded files will be permanently erased. Export any needed data before requesting deletion.

Right to Data Portability (Article 20 GDPR)

You can receive your data in a structured, machine-readable format.

How to exercise:

  1. Contact support requesting a data export

  2. We will provide your data in JSON format within 72 hours

  3. Export includes account information, conversations, and file metadata

Right to Restrict Processing (Article 18 GDPR)

You can request temporary suspension of data processing.

How to exercise: Contact support explaining the reason for restriction. We will respond within 30 days.

Right to Object (Article 21 GDPR)

You can object to certain types of data processing.

How to exercise: Contact support specifying what processing you object to. We will review and respond within 30 days.

Where processing is based on your consent (such as non-essential email communications), you may withdraw consent at any time by clicking unsubscribe in any email or adjusting preferences in Settings. Withdrawal does not affect processing that occurred before withdrawal.

Right to Lodge a Complaint

You have the right to file a complaint with a supervisory authority:

  • Commission Nationale de l'Informatique et des Libertés (CNIL)

  • Website: https://www.cnil.fr/en

  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

  • Phone: +33 1 53 73 22 22

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional privacy rights.

Information We Collect (CCPA Categories)

In the past 12 months, we have collected the following categories of personal information from California residents:

  • Identifiers: Email addresses, account IDs, IP addresses (anonymized)

  • Commercial information: Subscription records, payment history, billing information

  • Internet or network activity: Usage data, session logs, feature interactions, error logs

  • Professional information: Compliance-related content you input (policies, audit data, risk assessments)

  • Inferences: Usage patterns derived from analytics (anonymized)

We do not collect sensitive personal information as defined by CCPA (e.g., Social Security numbers, driver's license numbers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, or union membership).

Business Purposes for Collection

We collect and use personal information for the following business purposes:

  • Providing the ISMS Copilot platform and AI compliance assistance

  • Processing payments and managing subscriptions

  • Authenticating and securing your account

  • Improving service quality and developing new features

  • Detecting and preventing fraud, security incidents, and abuse

  • Debugging and error tracking

  • Complying with legal obligations

Disclosure of Personal Information

We share personal information with the following categories of third parties for business purposes:

  • Cloud service providers: Supabase, AWS (database and storage)

  • AI service providers: xAI, OpenAI (default mode), or Mistral AI (Advanced Data Protection mode)

  • Payment processors: Stripe (payment processing)

  • Analytics providers: PostHog, Sentry, Vercel

  • Email service providers: SendGrid, Kit

  • Document processors: ConvertAPI, Fly.io

No Sale or Sharing: ISMS Copilot does not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

Your California Privacy Rights

Right to Know

You have the right to request that we disclose:

  • Categories of personal information we've collected about you

  • Categories of sources from which the information was collected

  • Business or commercial purpose for collecting the information

  • Categories of third parties with whom we share personal information

  • Specific pieces of personal information we've collected about you

Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations to retain billing records).

Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

Right to Opt-Out

You have the right to opt out of:

  • Sale of personal information: Not applicable (we don't sell personal information)

  • Sharing for cross-context behavioral advertising: Not applicable (we don't engage in this practice)

Right to Limit Use of Sensitive Personal Information

Not applicable — we do not collect or use sensitive personal information as defined by CCPA.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. You will not receive:

  • Denied goods or services

  • Different prices or rates

  • Different level or quality of service

How to Exercise Your California Rights

Submit a request:

  1. Log in to your ISMS Copilot account

  2. Click the user menu icon (top right) and select Help Center

  3. Submit your request with "CCPA Request" in the subject line

  4. Specify which right you're exercising (Know, Delete, Correct)

Verification process:

  • We will verify your identity by confirming your registered email address

  • For sensitive requests, we may require additional verification

  • You may designate an authorized agent to make requests on your behalf (we will require written authorization)

Response timeline:

  • Acknowledgment within 10 business days

  • Response within 45 days (may extend up to 90 days for complex requests)

Data Retention

We retain personal information for California residents using the same criteria described in the "Data Retention" section above:

  • Conversation history: User-configurable (1 day to 7 years, or keep forever)

  • Account data: While account is active

  • Billing records: Anonymized and retained for 7 years (legal requirement)

  • Analytics: Up to 7 years (anonymized)

California "Shine the Light" Law

Under California Civil Code Section 1798.83, California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. ISMS Copilot does not disclose personal information to third parties for their direct marketing purposes.

Automated Processing

ISMS Copilot uses AI to assist with compliance content generation, but does not make automated decisions that produce legal effects or similarly significantly affect you under GDPR Article 22. All compliance decisions remain under your control. Content moderation flags are reviewed by humans before any account action is taken.

Cookies and Tracking

Essential Cookies

We use strictly necessary cookies for:

  • User authentication and session management

  • Security and fraud prevention

  • Platform functionality

Analytics Cookies

With your consent, we use analytics cookies to:

  • Understand platform usage patterns

  • Improve user experience

  • Monitor performance

We do not use advertising or marketing cookies. All analytics are configured to exclude personally identifiable information.

Privacy-First Analytics: PostHog operates in cookieless mode with in-memory persistence only. No cookies or browser storage are written to your device. Anonymous usage is tracked via privacy-preserving server-side hashing, and user profiles are created only for authenticated sessions.

Children's Privacy

ISMS Copilot is not intended for individuals under 16 years of age:

  • Our service is designed for compliance professionals and businesses

  • We do not knowingly collect data from children

  • If we discover underage use, we will terminate the account and delete the data

User Responsibilities

While ISMS Copilot provides GDPR-compliant infrastructure, you (as data controller for your own processing) are responsible for ensuring your use of the platform complies with applicable regulations.

You Are Responsible For:

  • Ensuring legal basis exists before uploading personal data

  • Configuring appropriate data retention periods for your organization

  • Maintaining separate workspaces for different clients or data categories

  • Informing individuals when their data is processed through ISMS Copilot

  • Including ISMS Copilot in your own data processing records

  • Conducting Data Protection Impact Assessments (DPIA) when processing high-risk data

  • Not uploading special category data (Article 9 GDPR) without appropriate safeguards

Changes to This Privacy Policy

How We Notify You

When we update this Privacy Policy, we will:

  • Send email notification to your registered email address

  • Display in-app notification upon next login

  • Update the "Effective Date" at the top of this policy

  • Provide at least 30 days' notice for material changes

Your Options

If you don't agree with changes:

  • Request account deletion before changes take effect

  • Export your data before the effective date

  • Contact support to discuss concerns

Contact Us

For Privacy Questions or Rights Requests

  1. Click the user menu icon (top right)

  2. Select Help Center

  3. Submit your request or question

  4. Include "Privacy Request" or "GDPR Request" in the subject for priority handling

Response Times:

  • Acknowledgment: Within 24-48 hours

  • Full response: Within 30 days (typically within 72 hours)

Additional Resources

Limitations

Current Implementation Status

  • Automated data export not available (must request through support)

  • Email address changes require support assistance

  • No self-service account deletion (must contact support)

  • Cookie consent banner not implemented (no tracking cookies used)

What's Next

Getting Help

For privacy-related questions, GDPR requests, or concerns:

  • Contact support through the Help Center menu

  • Email from your registered account email address

  • Include "Privacy Request" or "GDPR Request" for faster processing

  • Visit the Trust Center for detailed documentation