At ISMS Copilot, we recognize the importance of the EU General Data Protection Regulation (GDPR) and are committed to ensuring that personal data is handled in a manner that respects individuals’ rights and privacy. While we no longer host conversation data in the EU, we apply GDPR principles to our operations regardless of scale. Our approach emphasizes minimal personal data processing and offers users control over their data.
Our services are designed to operate with minimal personal data. The primary personal data we collect and process is the user’s email address, which is required for account creation, authentication, essential communications, and (with explicit consent) optional updates or marketing messages.
Chatbot Conversations:
We do not require or intend for users to submit personal data within the chatbot interactions. The chatbots are intended to provide compliance assistance and general guidance. Users should not input personal, sensitive, or identifying data into the chatbot. If a user voluntarily includes such information (e.g., full name, contact details, or sensitive data) in a conversation, this is not required by our services and does not reflect our intended processing activities. Nevertheless, we provide mechanisms to delete or remove such data if requested.
No Profiling or Sensitive Data Processing:
We do not profile users based on their email addresses or attempt to derive additional personal attributes. Sensitive data categories (as defined under GDPR) are neither requested nor processed. The user email remains the only deliberately collected personal data.
We rely on contractual necessity (GDPR Art. 6(1)(b)) for processing the user’s email address to provide requested services and ensure account functionality. We rely on legitimate interests (GDPR Art. 6(1)(f)) for anonymized usage analytics that improve performance without identifying individuals. For any optional marketing emails, we rely on explicit, freely given consent (GDPR Art. 6(1)(a)), with a clear double opt-in process and an easy unsubscribe method at any time.
Users may request access to their personal data, seek corrections of inaccuracies, or request deletion of their email account data at any time. If a user inadvertently includes personal information in a chatbot conversation, they may request its removal. We respond promptly to all such requests, free of charge, and within GDPR-prescribed timelines. In the event we integrate more self-service tools, EU data subjects will have even greater autonomy to manage their data directly without relying solely on support interactions.
We strictly limit the personal data we process to what is necessary. The user’s email is essential for account authentication and communications. Chatbot interactions are intended for compliance Q&A, not for personal data exchange. We actively discourage users from entering personal data in conversations. If personal data is inadvertently submitted, we treat it as exceptional and ensure its removal upon the user’s request.
We retain user email addresses for the duration of the user’s account. If a user deletes their account, we remove their email address from our database. For chatbot conversation data, we consider it non-personal unless the user introduces personal information.
Non-temporary conversation logs are retained indefinitely as non-personal information, while temporary chat sessions are deleted automatically after 30 days. Should a user confirm personal data was inadvertently included, we will delete that specific data upon request.