ISOXPERT Compliance360

Privacy Policy

Effective date: [[YYYY-MM-DD]] · Last updated: [[YYYY-MM-DD]]

Draft pending legal review. Placeholders marked [[ … ]] must be completed and this policy reviewed by qualified counsel against GDPR (EU 2016/679), UK GDPR, and the applicable GCC Personal Data Protection Law(s) before it is relied upon.

1. Who we are (Controller)

ISOXPERT Compliance360 ("ISOXPERT", "we", "us") is a governance, risk and compliance (GRC) SaaS platform operated by [[LEGAL ENTITY NAME]], registered at [[REGISTERED ADDRESS]], [[COUNTRY]].

Controller vs. processor. For data about your own account and our direct customers we act as a controller. For personal data that a customer organization uploads about its employees, suppliers and customers, ISOXPERT acts as a processor on that organization's behalf under a Data Processing Agreement (Section 11).

2. The personal data we process

Category | Examples | Source
Account & identity | Name, work email, role, organization, sign-in identifiers | You / your administrator; Google OAuth
Employee & competency records | Names, employee IDs, department, manager, training, certifications | Customer administrators; ERP integration
Compliance records | Audits, non-conformances, CAPAs, incidents (incl. reporter/witness/investigator identities), management-review attendees & e-signatures | Customer users
Business contacts | Supplier and customer contact names, emails, phone numbers, addresses, countries | Customer users
Billing | Organization, plan, subscription status, affiliate code (card data handled by Stripe, not stored by us) | Stripe
Usage & audit logs | User ID/email, action, timestamp, field-level change history; AI usage metering | Generated automatically
Technical | Authentication tokens/session, IP/connection metadata held by our providers | Automatic

We do not intentionally collect special-category data (Art. 9). Customers must not upload health, biometric or other sensitive data into free-text fields unless a lawful basis and DPA terms are in place.

3. Why we process it and our lawful basis (Art. 6)

Purpose | Lawful basis
Provide the platform and its features | Contract (Art. 6(1)(b))
Maintain audit trails and accountability records | Legal obligation / legitimate interest (Art. 6(1)(c)/(f))
AI-assisted drafting and analysis (Google Gemini) | Contract + legitimate interest (see Section 6)
Billing and subscription management (Stripe) | Contract
Security, fraud prevention, service improvement | Legitimate interest (Art. 6(1)(f))
Marketing communications (if any) | Consent (Art. 6(1)(a)), withdrawable at any time

4. How we share it (recipients / processors)

We share personal data only with the sub-processors listed on our sub-processor page (or on request), each under a data-processing agreement: Supabase (database, auth, hosting), Google (Gemini API) (AI features), Stripe (billing), Vercel (hosting), and optional customer-enabled ERP integrations (SAP / Oracle / Odoo). We do not sell personal data.

5. International transfers (Art. 44–49)

Our sub-processors may process data outside your country, including in the United States. Where data leaves the EEA/UK or a restricted GCC jurisdiction, transfers are covered by Standard Contractual Clauses and/or the provider's adequacy mechanism.

6. AI processing (Google Gemini)

Certain features send the relevant compliance content (e.g., audit details, findings, incident descriptions) to the Google Gemini API to generate drafts and analysis. Per Google's API terms, paid Gemini API content is not used to train Google's models. We send only the data needed for the requested feature and minimise/pseudonymise direct identifiers where practical.

7. Data subject rights (Art. 15–22)

You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with a supervisory authority. To exercise these rights, email [[privacy@your-domain.com]]; we respond within 30 days (GDPR) or the period required by the applicable PDPL. Where ISOXPERT acts as a processor, requests from a customer's employees are routed to that customer (the controller), whom we assist.

8. Retention

We retain personal data only as long as necessary for the purposes above and to meet legal and audit obligations. Compliance and audit records may be retained for the statutory period even after an account closes; where possible we pseudonymise rather than delete records that must be kept for audit integrity.

9. Security

Data is encrypted in transit (TLS). Access is controlled by authentication, role-based access control, and database row-level security that isolates each organization's data. Administrative secrets are held server-side only. We maintain an immutable change-audit log.

10. Cookies / local storage

ISOXPERT uses only strictly-necessary storage for authentication sessions and local app state. We do not use advertising or cross-site tracking cookies.

11. Data Processing Agreement (for customers)

Where ISOXPERT processes personal data on a customer's behalf, our DPA terms apply, including sub-processor terms, security measures, breach notification, and assistance with data subject requests and DPIAs. Contact [[privacy@your-domain.com]].

12. Changes & contact

We will post material changes here and notify account administrators. Questions: [[privacy@your-domain.com]].