Data Privacy & GDPR Compliance - Updated

Overview

ISMS Copilot is fully compliant with the General Data Protection Regulation (GDPR) and follows strict data privacy principles. This article explains your privacy rights, how we handle your data, and what controls you have over your information.

Who This Is For

This article is for:

• EU-based users concerned about GDPR compliance

• Data Protection Officers evaluating ISMS Copilot

• Compliance consultants handling client data under GDPR

• Anyone who wants to understand their privacy rights

GDPR Compliance Overview

How ISMS Copilot Meets GDPR Requirements

Data Minimization (Article 5(1)(c))

ISMS Copilot collects only the minimum data necessary to provide the service:

• Email address for account identification, authentication, and essential communications

• Authentication credentials (hashed passwords or OAuth tokens)

• Conversation history to provide context-aware AI responses

• Uploaded documents for analysis and compliance gap assessment

• Usage metadata for billing and service improvement

• Email engagement data (opens, clicks) for onboarding and product update emails (users can opt out)

Purpose Limitation (Article 5(1)(b))

Your data is used exclusively for:

• Providing AI-powered compliance assistance

• Managing your account and subscription

• Improving service performance and reliability

• Complying with legal obligations

Storage Limitation (Article 5(1)(e))

You have complete control over how long your data is retained:

• Set retention periods from 1 day to 7 years, or keep forever

• Automatic deletion of expired data runs daily

• Request immediate account and data deletion at any time

Data Protection by Design (Article 25)

Security and privacy are built into every ISMS Copilot feature:

• End-to-end encryption for all data

• Row-level security prevents unauthorized access

• Workspace isolation keeps client data separate

• Secure authentication with OAuth support

Your GDPR Rights

Right to Access (Article 15)

You have the right to access all your personal data stored in ISMS Copilot.

What you can access:

• Your account information (email, settings)

• All conversation history across workspaces

• Uploaded documents and files

• Usage metadata and timestamps

How to access your data:

1. Log in to your ISMS Copilot account

2. Navigate to your workspaces to view conversations

3. View uploaded files in each conversation thread

4. For a complete data export, contact support through the Help Center

Right to Rectification (Article 16)

You can update or correct your personal information at any time.

How to update your information:

1. Click the user menu icon (top right)

2. Select Settings

3. Your email address is displayed (to change it, contact support)

4. Update your data retention preferences

5. Click Save Settings

Expected result: Settings dialog closes and your changes are saved immediately.

Right to Erasure / "Right to Be Forgotten" (Article 17)

You can request complete deletion of your account and all associated data.

How to delete your data:

1. Click the user menu icon

2. Select Help Center → Contact Support

3. Submit a data deletion request

4. Support will verify your identity and confirm the request

5. All data is permanently deleted within 30 days

What gets deleted:

• Your account and email address

• All workspaces and conversation history

• All uploaded documents and files

• Custom workspace instructions

• Usage metadata and logs

What may be retained:

• Anonymized billing records (required for tax and accounting compliance)

• Anonymized analytics data (no personally identifiable information)

Right to Data Portability (Article 20)

You have the right to receive your data in a structured, machine-readable format.

How to export your data:

1. Contact support through the Help Center

2. Request a data export

3. Support will provide your data in JSON format containing:

   • Account information

   • Conversation history

   • Workspace configurations

   • Uploaded file metadata

4. Download the export file for use in other systems

Right to Restrict Processing (Article 18)

You can request temporary suspension of data processing while disputes are resolved.

When you can restrict processing:

• You contest the accuracy of personal data

• Processing is unlawful but you don't want data deleted

• You need the data for legal claims

• You've objected to processing pending verification

How to request restriction:

1. Contact support through the Help Center

2. Explain the reason for restriction

3. Support will review and implement appropriate restrictions

Right to Object (Article 21)

You can object to certain types of data processing.

What you can object to:

• Processing for direct marketing (ISMS Copilot doesn't perform marketing processing)

• Processing based on legitimate interests

• Automated decision-making (not currently used by ISMS Copilot)

How to object:

1. Contact support through the Help Center

2. Specify what processing you object to

3. Support will review and respond within 30 days

Data Processing Details

For authoritative information about AI provider routing, sub-processor lists, retention periods, and data transfer mechanisms, please refer to the canonical legal documents on our Trust Center:

• Data Processing Agreement — sub-processors, retention, transfer mechanisms

• Register of Processing Activities — complete processing records

The Trust Center is updated whenever AI provider arrangements or data handling practices change. Help center articles summarize these topics for convenience, but the Trust Center documents are the authoritative source.

Privacy by Design Features

PII Reduction Mode

ISMS Copilot offers automatic PII (Personally Identifiable Information) redaction to protect sensitive personal data before it reaches AI processing. When enabled, the system detects and redacts common PII patterns in your messages and uploaded documents.

What Gets Redacted:

• Personal names (e.g., "John Smith" → "[REDACTED_NAME]")

• Company and organization names

• Email addresses (e.g., "[email protected]" → "[REDACTED_EMAIL]")

• Phone numbers in various formats

How to Enable PII Reduction:

1. Navigate to Settings → Privacy or Data Protection

2. Toggle "Enable PII Reduction"

3. Review the confirmation popup explaining pattern-based limitations

4. Look for the green shield icon in your chat input to confirm activation

When PII reduction is active, you'll see a green shield icon in the chat input as visual confirmation that redaction is working.

Important Limitations:

• Pattern-based detection: PII reduction uses regex patterns and may not catch all sensitive information

• Not 100% accurate: Some PII may slip through; some legitimate text may be redacted

• Not a substitute for data minimization: Always review data before uploading and avoid including unnecessary PII

• Applies before AI processing: Redaction happens before data reaches AI providers

PII reduction is a privacy enhancement, not a guarantee of complete anonymization. Always verify outputs against official standards and avoid uploading unnecessary personal data. This feature works best as an additional layer of protection alongside data minimization practices.

Use Cases:

• Processing client audit reports containing employee names

• Analyzing compliance policies with contact information

• Working with HR policies or incident reports

• Adding extra privacy protection when using Advanced Data Protection Mode

Combining with Advanced Data Protection:

For maximum privacy, enable both features:

• PII Reduction: Redacts personal data before AI processing

• Advanced Data Protection Mode: Ensures EU-only processing with zero AI provider retention

Together, these features provide strong privacy safeguards for sensitive compliance work.

Workspace Isolation

Workspaces provide data separation for multi-client scenarios:

• Each workspace maintains its own conversation history

• Uploaded files are tied to specific workspaces

• Custom instructions are workspace-specific

• Deleting a workspace removes all associated data

No Cross-User Data Sharing

ISMS Copilot implements strict data boundaries:

• Users cannot access other users' data

• AI responses are generated independently for each user

• Database queries automatically filter by authenticated user ID

• Even system administrators follow principle of least privilege

No AI Training on User Data

Your sensitive compliance data is never used for AI training:

• Conversations are not stored by OpenAI or other AI providers

• Uploaded documents remain confidential and private

• Client information never contributes to model improvement

• Each conversation is processed in isolation

Data Subject Requests

How to Submit a GDPR Request

1. Click the user menu icon (top right)

2. Select Help Center → Contact Support

3. Describe your request clearly:

   • "I request access to all my personal data under GDPR Article 15"

   • "I request deletion of my account under GDPR Article 17"

   • "I request a data export under GDPR Article 20"

4. Support will verify your identity and process the request

Response Timeframes

ISMS Copilot responds to GDPR requests according to regulation timelines:

• Acknowledgment: Within 24-48 hours

• Access requests: Within 30 days (typically within 72 hours)

• Deletion requests: Within 30 days

• Data portability: Within 30 days (typically within 72 hours)

• Rectification requests: Immediately for user-updateable fields; within 30 days for others

Identity Verification

To protect your data from unauthorized access, ISMS Copilot may verify your identity:

• You must submit requests from your registered email address

• For sensitive requests, additional verification may be required

• Support may ask security questions about your account

Children's Privacy

ISMS Copilot is not intended for children under 16:

• Service is designed for compliance professionals and businesses

• No parental consent mechanisms are provided

• If underage use is discovered, account will be terminated and data deleted

Privacy Policy Updates

How You'll Be Notified

When privacy practices change, ISMS Copilot will:

• Send email notification to your registered email address

• Display in-app notification upon next login

• Update the Privacy Policy with a "Last Updated" date

• Provide at least 30 days notice for material changes

Your Options

If you don't agree with privacy policy changes:

• Request account deletion before changes take effect

• Export your data before the effective date

• Contact support to discuss concerns

Supervisory Authority

As an EU-based service, ISMS Copilot is subject to data protection oversight.

Right to Lodge a Complaint

If you believe ISMS Copilot has violated your privacy rights, you can:

1. Contact ISMS Copilot support to resolve the issue directly

2. File a complaint with your local data protection authority

3. File a complaint with the French data protection authority (CNIL) where ISMS Copilot is established

Commission Nationale de l'Informatique et des Libertés (CNIL)

• Website: https://www.cnil.fr/en

• Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

• Phone: +33 1 53 73 22 22

Best Practices for Compliance

For Consultants Handling Client Data

• Create separate workspaces for each client

• Set appropriate retention periods matching client contracts

• Anonymize sensitive personal data before uploading

• Inform clients that you use ISMS Copilot for compliance work

• Include ISMS Copilot in your data processing agreements

• Enable Advanced Data Protection Mode if clients require EU-only processing

For Organizations

• Document ISMS Copilot in your data processing register (see our Register of Processing Activities for reference)

• Include in Data Protection Impact Assessments (DPIA) if processing sensitive data

• Train staff on proper data handling within ISMS Copilot

• Configure retention periods to match your data retention policy

Transparency & Trust

Security Documentation

For detailed information about ISMS Copilot's security and privacy practices, visit our Security Collection:

• Detailed data processing descriptions

• Security measure documentation

• Complete sub-processor list with locations and DPA status

• Compliance certifications

• AI governance policies

You can also review our comprehensive Register of Processing Activities (RopA) for detailed technical and organizational measures.

System Status

Monitor service availability and security incidents at the Status Page:

• Real-time uptime monitoring via BetterStack

• Incident notifications and status updates

• Planned maintenance schedules

• Historical uptime data

• Transparent incident classification and escalation

Limitations

Current Privacy Features

• Automated data export is not available (must request through support)

• Email address changes require support assistance

• No self-service account deletion (must contact support)

• Cookie consent banner not implemented (no tracking cookies used)

What's Next

• Learn about security measures and encryption

• Set up workspaces to isolate client data

• Review our Transfer Impact Assessment

• Create a secure account with strong authentication

• Review our Security Collection for detailed privacy documentation

Getting Help

For privacy-related questions or GDPR requests:

• Contact support through the Help Center menu

• Email from your registered account email address

• Include "GDPR Request" in the subject line for faster processing

• Visit our Security Collection for detailed documentation