Effective from: 2026-04-27
Available only in English. This legal document is provided in English as the official version. The Trust Center interface is translated into your language.

Privacy Policy — ISMS Copilot

Overview

This Privacy Policy describes how ISMS Copilot ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our AI-powered compliance platform. This policy applies to all users of ISMS Copilot, including trial users, subscribers, and visitors to our website.

Effective Date: 2026-04-27. This Privacy Policy is updated regularly to reflect changes in our data processing practices and regulatory requirements.

Global Coverage: This policy covers both European (GDPR) and California (CCPA/CPRA) privacy requirements. EU users should focus on GDPR sections; California residents should also review the California Privacy Rights section.

Who This Is For

This Privacy Policy is for:

  • All ISMS Copilot platform users (compliance professionals, consultants, security teams)
  • Organizations evaluating ISMS Copilot for vendor risk assessments
  • Data Protection Officers conducting privacy reviews
  • Anyone seeking to understand how we handle personal information

Data Controller Information

ISMS Copilot is the data controller responsible for your personal information:

  • Name: ISMS Copilot (operated by Better ISMS EURL)
  • Jurisdiction: France (European Union)
  • Primary Data Location: Frankfurt, Germany (AWS EU-Central-1)
  • Privacy Contact: privacy@ismscopilot.com
  • Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)

Data Protection Officer

ISMS Copilot has not designated a Data Protection Officer as we do not meet the mandatory designation criteria under GDPR Article 37. For privacy inquiries, contact privacy@ismscopilot.com.

Information We Collect

Account Information

When you create an ISMS Copilot account, we collect:

  • Email address (for authentication and essential communications)
  • Password (hashed and encrypted, never stored in plain text)
  • Account creation and last login timestamps
  • User unique identifiers (UUIDs)

Conversation Data

When you use our AI compliance assistant, we process:

  • Your messages and queries
  • AI-generated responses
  • Conversation metadata (titles, timestamps, status)
  • Workspace configurations and custom instructions
  • Compliance-related content (policies, procedures, audit information you input)

You may input special category data (Article 9 GDPR) such as security incidents or compliance violations. You are responsible for ensuring you have legal authority to process such data before inputting it into the platform.

Uploaded Files

When you upload documents for analysis, we collect:

  • File content (PDF, DOCX, XLSX formats)
  • File names, sizes, and upload timestamps
  • Extracted document content and metadata
  • Document processing status

Slack Integration Data (heygrc bot)

If your organization is on a paid plan and an organization owner installs the heygrc Slack bot, we additionally process:

  • Slack workspace metadata captured during the OAuth install: workspace (team) ID, workspace name, bot user ID, and the ISMS Copilot user ID of the installer (for audit). The OAuth scope is bot-only — we do not request the workspace user directory, channel history, or file access.
  • An OAuth bot token issued by Slack, stored in an isolated slack_integration_secrets table with service-role-only access (encrypted at rest via the database infrastructure layer).
  • Message content of Slack messages addressed to the bot — direct messages or @heygrc channel mentions only. We do not read or store any message that is not addressed to the bot.
  • Slack user identifiers (slack_user_id) for the workspace member who sent each message addressed to the bot, recorded in the slack_threads mapping table for traceability.

The Slack integration is a paid-tier-only feature. Free / null-plan organizations cannot install the bot — the OAuth callback rejects the install with a "paid plan required" error.

Payment Information

For premium subscriptions, we collect:

  • Stripe customer IDs and subscription IDs
  • Payment metadata (we never store full credit card numbers)
  • Billing events and invoice information
  • Subscription status and tier information

Payment card data is handled exclusively by Stripe, our PCI DSS Level 1 compliant payment processor. ISMS Copilot never stores or processes credit card numbers.

Analytics and Usage Data

To improve our service, we automatically collect:

  • User behavior events (page views, feature usage)
  • Session data and duration
  • Browser and device information
  • Error logs and performance metrics
  • User identifiers (UUID only) for error tracking in production (no email addresses or names)
  • IP addresses (anonymized)

Our analytics systems are configured with sendDefaultPii: false to prevent automatic collection of personally identifiable information. Conversation content and uploaded documents are never shared with analytics providers.

Email Communications Data

When you receive emails from us, we may collect:

  • Email engagement data (opens, clicks)
  • Subscription preferences
  • Unsubscribe status
  • Email delivery timestamps

How We Use Your Information

Service Delivery (Legal Basis: Contract Performance — Article 6(1)(b) GDPR)

  • Provide AI-powered compliance assistance
  • Authenticate your account and manage sessions
  • Process and store your conversations and uploaded files
  • Deliver features and functionality you've requested
  • Process subscription payments and manage billing

Service Improvement (Legal Basis: Legitimate Interest — Article 6(1)(f) GDPR)

  • Analyze platform usage to improve user experience
  • Monitor system performance and reliability
  • Identify and fix bugs and technical issues
  • Develop new features and capabilities

Security and Fraud Prevention (Legal Basis: Legitimate Interest — Article 6(1)(f) GDPR)

  • Detect and prevent unauthorized access
  • Monitor for suspicious activity or abuse
  • Protect platform integrity and user data
  • Respond to security incidents
  • Process all chat messages through automated content moderation to detect prohibited content under our Acceptable Use Policy

Content Moderation

All chat messages are processed through Mistral AI's moderation API (model: mistral-moderation-latest, EU residency, zero retention) regardless of your Advanced Data Protection setting. Moderation is a two-stage pipeline: a fast classifier followed by a judge model that reviews borderline cases. Moderation runs on Mistral for every request so that safety review is consistent and stays EU-resident.

We retain moderation outputs as follows:

  • For non-flagged messages: No moderation record is stored. The message is processed and discarded by the moderation pipeline.
  • For flagged messages: A moderation_events record is retained containing only metadata — the message identifier, the thread identifier, the abuse categories matched, and a timestamp. The full message content is not stored in the moderation record. This metadata is retained for up to 12 months for safety/audit purposes, after which it is automatically purged.
  • Thread deletion lock: When a message in a thread has been flagged, the thread is locked from user-initiated deletion to prevent destruction of abuse evidence. Customer Content within a flagged thread is still subject to deletion on a verified Article 17 erasure request submitted to privacy@ismscopilot.com (see "Right to Erasure" below); we evaluate each such request against the legitimate-interest balancing test under Article 17(3) and respond within 30 days.

Communications (Legal Basis: Legitimate Interest — Article 6(1)(f) GDPR)

  • Send transactional emails (password resets, security alerts)
  • Provide onboarding guidance and product education
  • Share legal updates and important service changes
  • Deliver occasional product updates (you can unsubscribe anytime)

Legal Compliance (Legal Basis: Legal Obligation — Article 6(1)(c) GDPR)

  • Retain billing records for tax and accounting requirements (7 years)
  • Respond to lawful requests from authorities
  • Comply with applicable data protection laws

ISMS Copilot never uses your data for marketing, advertising, or selling to third parties. Your conversations and uploaded documents are never used to train AI models.

How We Share Your Information

Third-Party Service Providers (Data Processors)

We share your information with trusted service providers who help us deliver the platform. The complete list of sub-processors — including the routing logic and contractual controls described below — is maintained in our Data Processing Agreement (DPA). We provide 30 days advance notice of sub-processor changes via email to account holders.

Database and Storage (Always Active)

  • Supabase: Database and file storage (EU — Frankfurt, Germany)
  • AWS: Infrastructure (EU-Central-1, Frankfurt)

AI Processing

How your AI requests are routed depends on two factors: your subscription plan and whether Advanced Data Protection (ADP) Mode is enabled in your settings.

Routing paths (when it applies / AI provider / location / retention / training):

  • ADP enabled (any plan). When it applies: ADP toggle ON. AI provider: Mistral AI. Location: EU (Frankfurt). Retention: zero retention. Training: no training.
  • Paid, ADP off. When it applies: paid plan + ADP OFF. AI provider: Anthropic Claude. Location: United States (SCC). Retention: up to 30 days (abuse monitoring only, not training); enable ADP for zero retention. Training: no training.
  • Free / null-plan, ADP off. When it applies: free or null plan + ADP OFF. AI provider: OpenRouter aggregator routing to one of four allowlisted underlying providers (Inceptron, DeepInfra, Cerebras, Google Vertex). Location: United States (SCC; DPF for Google Vertex). Retention: zero retention (mandatory at OpenRouter account level). Training: no training (set at OpenRouter account level).

About OpenRouter and the underlying providers (free-tier path). OpenRouter is a routing aggregator. We use OpenRouter so that requests can fail over automatically across a curated set of vetted hosts, increasing availability for free-tier users. We have configured the following layered controls at the OpenRouter account level; they apply to every request:

  • Zero Data Retention is mandatory. Per OpenRouter's published policy, when ZDR is enabled at the account level, requests can only be routed to endpoints with a Zero Data Retention policy. Your conversation content is not retained by any underlying provider.
  • No training, ever. Both "Free Training Disallowed" and "Paid Training Disallowed" are set at the account level. Your data cannot be used to train any model.
  • No publication. "Free Publication Disallowed" is set; the model-publication channel is closed.
  • Closed 4-provider allowlist. Only Inceptron, DeepInfra, Cerebras, and Google Vertex are permitted to serve our requests. We selected these four after a privacy review — each independently confirms zero retention or no-training-on-customer-data in their published policies, and each maintains GDPR-aligned transfer mechanisms (SCCs, with EU-US Data Privacy Framework certification for Google Vertex).
  • PRC-jurisdiction providers blocked. Alibaba Cloud Int., Baidu Qianfan, DeepSeek, Moonshot AI, Xiaomi, and Z.AI are all blocked at the OpenRouter account level. The control is jurisdiction-based: no Customer Content may transit infrastructure under People's Republic of China jurisdiction. This is a Schrems II–style supplementary measure aligned with EDPB Recommendations 01/2020.

Failover. If our default paid-tier provider (Anthropic) is unavailable, requests automatically fail over to Mistral AI in Frankfurt — Mistral is also our circuit-breaker destination so paid users always reach an EU-compatible provider during outages.

ADP as the EU-only opt-out. Enabling Advanced Data Protection Mode in your settings routes every AI request to Mistral AI (Frankfurt, EU, zero retention) regardless of your plan. ADP is the in-product control for any user who needs fully EU-based AI processing.

Slack-originated requests. Messages sent to the heygrc Slack bot follow the same routing as web chat — but because the bot is paid-tier-only, the OpenRouter free-tier path never applies. Slack-originated traffic is always either Anthropic (paid + ADP off) or Mistral (ADP on at the org level). The org's ADP setting governs all Slack workspace users; an individual Slack workspace member cannot select their own routing.
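The routing rules in this section, written out as an added worked example that is not ISMS Copilot's own code. The function and type names (route_request, endpoint_allowed, RoutingDecision, Origin) and the data shapes are assumptions; the rules themselves (ADP on routes to Mistral for any plan, paid plus ADP off routes to Anthropic with failover to Mistral, free or null plan routes to OpenRouter under the account-level controls, and the Slack bot being paid-tier only) are those stated above.

```python
"""Added illustration of the AI-routing policy above (assumed names; not the
platform's real code). Encodes: ADP toggle, plan tier, Anthropic->Mistral
failover, Slack paid-only rule, and the OpenRouter allowlist/blocklist/ZDR checks."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Origin(Enum):
    WEB = "web"
    SLACK = "slack"


# Closed allowlist and PRC-jurisdiction blocklist, as listed in the policy text.
OPENROUTER_ALLOWLIST = frozenset({"Inceptron", "DeepInfra", "Cerebras", "Google Vertex"})
PRC_BLOCKLIST = frozenset({"Alibaba Cloud Int.", "Baidu Qianfan", "DeepSeek",
                           "Moonshot AI", "Xiaomi", "Z.AI"})

# Account-level switches described in the policy (mandatory ZDR, no training,
# no publication). Modelled as constants because they are set once per account.
OPENROUTER_ACCOUNT_CONTROLS = {
    "zero_data_retention": True,
    "free_training_disallowed": True,
    "paid_training_disallowed": True,
    "free_publication_disallowed": True,
}


@dataclass(frozen=True)
class RoutingDecision:
    provider: str
    location: str
    retention: str
    training: bool            # False on every path: no training on customer content
    transfer_mechanism: str
    underlying_allowlist: frozenset = field(default_factory=frozenset)


MISTRAL_EU = RoutingDecision("Mistral AI", "EU (Frankfurt)", "zero retention",
                             False, "none required (EU processing)")


def is_paid(plan: Optional[str]) -> bool:
    """Free and null (missing) plans are treated identically by the policy."""
    return plan == "paid"


def route_request(plan: Optional[str], adp_enabled: bool, origin: Origin = Origin.WEB,
                  anthropic_available: bool = True) -> RoutingDecision:
    """Return where an AI request is sent. For Slack-originated traffic,
    adp_enabled is the organisation's setting: members cannot pick their own routing."""
    if origin is Origin.SLACK and not is_paid(plan):
        # Mirrors the OAuth callback: the bot is never installable on free plans,
        # so the OpenRouter free-tier path can never apply to Slack traffic.
        raise PermissionError("paid plan required")
    if adp_enabled:
        return MISTRAL_EU                      # EU-only opt-out, regardless of plan
    if is_paid(plan):
        if not anthropic_available:
            return MISTRAL_EU                  # circuit-breaker / failover destination
        return RoutingDecision("Anthropic Claude", "United States",
                               "up to 30 days (abuse monitoring only)", False, "SCC")
    return RoutingDecision("OpenRouter", "United States",
                           "zero retention (account-level ZDR)", False,
                           "SCC (DPF for Google Vertex)", OPENROUTER_ALLOWLIST)


def endpoint_allowed(underlying_provider: str, endpoint_has_zdr: bool) -> bool:
    """Defensive check of a candidate OpenRouter endpoint against the layered
    controls: PRC blocklist, closed allowlist, and mandatory zero data retention."""
    if underlying_provider in PRC_BLOCKLIST:
        return False
    if underlying_provider not in OPENROUTER_ALLOWLIST:
        return False
    if OPENROUTER_ACCOUNT_CONTROLS["zero_data_retention"] and not endpoint_has_zdr:
        return False
    return True


if __name__ == "__main__":
    for plan, adp in [("paid", False), ("paid", True), ("free", False), (None, False)]:
        d = route_request(plan, adp)
        print(f"plan={plan!s:5} adp={adp!s:5} -> {d.provider} ({d.location}, {d.retention})")
```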

Content Moderation

All chat messages are processed through Mistral AI's moderation API (EU, zero retention) regardless of plan or ADP setting. See "Content Moderation" above for retention details.

Payment Processing

  • Stripe: Payment processing and subscription management (Global with EU DPA, PCI DSS Level 1 compliant)

Analytics and Monitoring

  • PostHog: Product analytics (EU — Frankfurt, Germany)
  • Sentry: Error tracking and monitoring (Germany). In production only, your user ID (UUID) is captured with error reports to enable faster troubleshooting. No email addresses, conversation content, or other personal information is sent.
  • Vercel: Web analytics and frontend hosting (GDPR-compliant)

Email Communications

  • SendGrid (Twilio): Transactional and legal update emails (United States with Standard Contractual Clauses)
  • Kit (ConvertKit): Onboarding and product update emails (United States with Standard Contractual Clauses)

You can unsubscribe from non-essential emails (product updates, onboarding sequences) at any time. Essential service notifications may still be sent as required by law or contract.

Document Processing

  • ConvertAPI: Document format conversion (EU endpoint, temporary processing only)
  • Fly.io: Backend API hosting and chat orchestration (EU deployment)

Optional Integrations

  • Slack: Activated only if a paid-organization owner installs the heygrc bot. When activated, Slack acts as both a source (we receive messages addressed to the bot) and a destination (we post AI responses back to the workspace). Slack itself is also a sub-processor (United States) — the OAuth bot token sits in our database, and we exchange workspace metadata with Slack at install time and during message events. Transfer mechanism: Standard Contractual Clauses with Slack Technologies, Inc. The integration is org-scoped and can be uninstalled at any time from the Slack workspace's app management UI; uninstall hard-deletes all our integration records (token, workspace metadata, Slack-thread mappings) within seconds via the app_uninstalled event.

We may disclose your information when required by law or to:

  • Comply with legal processes (subpoenas, court orders)
  • Respond to lawful requests from government authorities
  • Protect our rights, property, or safety
  • Prevent fraud or abuse of the platform

No Sale of Personal Data

ISMS Copilot does not sell, rent, or trade your personal information to third parties for their marketing purposes.

International Data Transfers

Primary Data Storage

All ISMS Copilot database storage occurs in the European Union:

  • Location: Frankfurt, Germany (AWS EU-Central-1)
  • Provider: Supabase with AWS infrastructure
  • Coverage: All conversation history, uploaded files, and account data

Data Transfers Outside the EU

Some processing is transferred to the United States with appropriate safeguards. We have conducted a Transfer Impact Assessment (TIA) covering all sub-processors located outside the European Economic Area, including the OpenRouter aggregator and each of the four underlying providers in the closed allowlist (Inceptron, DeepInfra, Cerebras, Google Vertex). The full TIA is available on request.

When Advanced Data Protection Mode is ON, core data processing (database and AI) occurs within the EU. Email communications to US-based providers still occur with Standard Contractual Clauses in place.

When ADP is OFF (default for free and paid users):

  • Free / null-plan users: AI requests are routed to OpenRouter and on to one of the four allowlisted underlying providers (US). Transfer mechanisms: SCCs with each underlying provider; EU-US Data Privacy Framework certification for Google Vertex. The OpenRouter account-level controls (mandatory ZDR, training-disallowed, allowlist, PRC-blocklist) act as Schrems II-style supplementary measures.
  • Paid users: AI requests are routed to Anthropic Claude (US). Transfer mechanism: SCCs.

Email transfers (SendGrid, Kit) to the US occur regardless of ADP, protected by SCCs.

EU-Only Processing Options:

  • Enable Advanced Data Protection Mode for EU-only AI processing
  • Unsubscribe from non-essential emails to minimize US transfers
  • Database storage always remains in the EU regardless of configuration

Data Retention

User-Controlled Retention

You control how long your data is retained:

  • Conversation history: 1 day to 7 years, or keep forever (configurable in Settings)
  • Uploaded documents: Linked to conversation retention settings
  • Automated deletion: Daily process removes expired data
  • Active accounts: Retained while account is active
  • Session tokens: Expire after inactivity period
  • Temporary chats: Automatically deleted after 30 days

After Account Deletion

  • Personal data: Permanently deleted within 30 days
  • Billing records: Anonymized and retained for 7 years (legal requirement for tax compliance)
  • Backup data: Overwritten within 90 days

Analytics and Logs

  • PostHog analytics: Up to 7 years (anonymized)
  • Sentry error logs: 90 days
  • Access logs: 30-90 days per infrastructure provider policies

Moderation Retention

  • Non-flagged messages: No moderation record stored.
  • Flagged messages: Metadata only (message ID, thread ID, abuse categories, timestamp — no message content) retained for up to 12 months, then automatically purged.

Data Security

Technical Security Measures

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: Database and file storage encryption
  • Password security: Industry-standard hashing (irreversible)
  • Access control: Row-level security prevents unauthorized data access
  • Session management: Automatic timeout controls

Organizational Security Measures

  • Workspace isolation: Separate data for different projects/clients
  • User authentication: Required for all protected resources
  • MFA support: Multi-factor authentication available
  • Monitoring: Continuous error and security monitoring via Sentry
  • Incident response: 24-hour breach assessment and notification procedures

Data Minimization

  • Only essential data collected (email, messages, files)
  • No unnecessary demographic or contact information
  • Analytics configured to exclude PII
  • User-controlled retention periods

For detailed security documentation, visit our Trust Center or review our Register of Processing Activities (RoPA) for the per-activity Article 30 processing inventory.

Your Privacy Rights

Right to Access (Article 15 GDPR)

You have the right to access all personal data we hold about you.

How to exercise:

  • Log in to view conversations and files through the platform interface
  • For a complete data export, use the in-app data export tool in Settings → Data Protection (available to all plans)
  • We provide your data in JSON format (typically within 72 hours)

Right to Rectification (Article 16 GDPR)

You can update or correct your personal information.

How to exercise:

  • Update account settings through the Settings dialog (accessible via user menu)
  • For email address changes, contact privacy@ismscopilot.com
  • Changes are applied immediately for self-service updates

Right to Erasure / "Right to Be Forgotten" (Article 17 GDPR)

You can request complete deletion of your account and data.

How to exercise:

  • Use the in-app account deletion in Settings → Data Protection (self-service, available to all plans)
  • For deletion of specific content within a flagged thread (see "Content Moderation" above), email privacy@ismscopilot.com — we evaluate each request against the legitimate-interest balancing test under Article 17(3) and respond within 30 days
  • All data is permanently deleted within 30 days

Account deletion is permanent and cannot be undone. All workspaces, conversations, and uploaded files will be permanently erased. Export any needed data before requesting deletion.

Right to Data Portability (Article 20 GDPR)

You can receive your data in a structured, machine-readable format.

How to exercise:

  • Use the in-app data export tool in Settings → Data Protection
  • Export is provided in JSON format
  • Export includes account information, conversations, and file metadata

Right to Restrict Processing (Article 18 GDPR)

You can request temporary suspension of data processing.

How to exercise: Email privacy@ismscopilot.com explaining the reason for restriction. We will respond within 30 days.

Right to Object (Article 21 GDPR)

You can object to certain types of data processing.

How to exercise: Email privacy@ismscopilot.com specifying what processing you object to. We will review and respond within 30 days.

Where processing is based on your consent (such as non-essential email communications), you may withdraw consent at any time by clicking unsubscribe in any email or adjusting preferences in Settings. Withdrawal does not affect processing that occurred before withdrawal.

Right to Lodge a Complaint

You have the right to file a complaint with a supervisory authority:

Commission Nationale de l'Informatique et des Libertés (CNIL)

  • Website: https://www.cnil.fr/en
  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
  • Phone: +33 1 53 73 22 22

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional privacy rights.

Information We Collect (CCPA Categories)

In the past 12 months, we have collected the following categories of personal information from California residents:

  • Identifiers: Email addresses, account IDs, IP addresses (anonymized)
  • Commercial information: Subscription records, payment history, billing information
  • Internet or network activity: Usage data, session logs, feature interactions, error logs
  • Professional information: Compliance-related content you input (policies, audit data, risk assessments)
  • Inferences: Usage patterns derived from analytics (anonymized)

We do not collect sensitive personal information as defined by CCPA (e.g., Social Security numbers, driver's license numbers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, or union membership).

Business Purposes for Collection

We collect and use personal information for the following business purposes:

  • Providing the ISMS Copilot platform and AI compliance assistance
  • Processing payments and managing subscriptions
  • Authenticating and securing your account
  • Improving service quality and developing new features
  • Detecting and preventing fraud, security incidents, and abuse
  • Debugging and error tracking
  • Complying with legal obligations

Disclosure of Personal Information

We share personal information with the following categories of third parties for business purposes (the routing depends on your plan and ADP setting — see "AI Processing" above for the full matrix):

  • Cloud service providers: Supabase, AWS (database and storage)
  • AI service providers: Anthropic (paid non-ADP), OpenRouter aggregator routing to Inceptron / DeepInfra / Cerebras / Google Vertex (free non-ADP), or Mistral AI (ADP)
  • Payment processors: Stripe (payment processing)
  • Analytics providers: PostHog, Sentry, Vercel
  • Email service providers: SendGrid, Kit
  • Document processors: ConvertAPI, Fly.io

No Sale or Sharing: ISMS Copilot does not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

Your California Privacy Rights

Right to Know

You have the right to request that we disclose:

  • Categories of personal information we've collected about you
  • Categories of sources from which the information was collected
  • Business or commercial purpose for collecting the information
  • Categories of third parties with whom we share personal information
  • Specific pieces of personal information we've collected about you

Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations to retain billing records, moderation metadata for flagged content per our Acceptable Use Policy).

Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

Right to Opt-Out

You have the right to opt out of:

  • Sale of personal information: Not applicable (we don't sell personal information)
  • Sharing for cross-context behavioral advertising: Not applicable (we don't engage in this practice)

Right to Limit Use of Sensitive Personal Information

Not applicable — we do not collect or use sensitive personal information as defined by CCPA.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights.

How to Exercise Your California Rights

Submit a request: Email privacy@ismscopilot.com with "CCPA Request" in the subject line. Specify which right you're exercising (Know, Delete, Correct).

Verification process: We will verify your identity by confirming your registered email address. For sensitive requests, we may require additional verification. You may designate an authorized agent to make requests on your behalf (we will require written authorization).

Response timeline:

  • Acknowledgment within 10 business days
  • Response within 45 days (may extend up to 90 days for complex requests)

California "Shine the Light" Law

Under California Civil Code Section 1798.83, California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. ISMS Copilot does not disclose personal information to third parties for their direct marketing purposes.

Automated Processing

ISMS Copilot uses AI to assist with compliance content generation, but does not make automated decisions that produce legal effects or similarly significantly affect you under GDPR Article 22. All compliance decisions remain under your control. Content moderation flags are reviewed by humans before any account action is taken.

Cookies and Tracking

Essential Cookies

We use strictly necessary cookies for:

  • User authentication and session management
  • Security and fraud prevention
  • Platform functionality

Analytics Cookies

With your consent, we use analytics cookies to:

  • Understand platform usage patterns
  • Improve user experience
  • Monitor performance

We do not use advertising or marketing cookies. All analytics are configured to exclude personally identifiable information.

Privacy-First Analytics: PostHog operates in cookieless mode with in-memory persistence only. No cookies or browser storage are written to your device. Anonymous usage is tracked via privacy-preserving server-side hashing, and user profiles are created only for authenticated sessions.

Children's Privacy

ISMS Copilot is not intended for individuals under 16 years of age:

  • Our service is designed for compliance professionals and businesses
  • We do not knowingly collect data from children
  • If we discover underage use, we will terminate the account and delete the data

User Responsibilities

While ISMS Copilot provides GDPR-compliant infrastructure, you (as data controller for your own processing) are responsible for ensuring your use of the platform complies with applicable regulations.

You are responsible for:

  • Ensuring legal basis exists before uploading personal data
  • Configuring appropriate data retention periods for your organization
  • Maintaining separate workspaces for different clients or data categories
  • Informing individuals when their data is processed through ISMS Copilot
  • Including ISMS Copilot in your own data processing records
  • Conducting Data Protection Impact Assessments (DPIA) when processing high-risk data
  • Not uploading special category data (Article 9 GDPR) without appropriate safeguards

Changes to This Privacy Policy

How We Notify You

When we update this Privacy Policy, we will:

  • Send email notification to your registered email address
  • Display in-app notification upon next login
  • Update the "Effective Date" at the top of this policy
  • Provide at least 30 days notice for material changes

Your Options

If you don't agree with changes:

  • Enable Advanced Data Protection Mode to keep AI processing within the EU regardless of routing changes
  • Request account deletion (self-service in Settings → Data Protection) before changes take effect
  • Export your data before the effective date
  • Email privacy@ismscopilot.com to discuss concerns or to formally object under your DPA where applicable

Contact Us

For privacy questions or rights requests, email privacy@ismscopilot.com. Include "Privacy Request" or "GDPR Request" in the subject for priority handling.

Response Times:

  • Acknowledgment: Within 24-48 hours
  • Full response: Within 30 days (typically within 72 hours)