Welcome to ISMS Policy Generator. Our unwavering commitment to your privacy and the security of your personal data stands at the core of our services.
We recognize the significance of your control over your personal data. In this policy, we outline your rights related to your data, including the right to access, update, or delete your information, and the right to object to certain processing activities. Our goal is to ensure clarity and empower our users in all aspects of our data handling practices.
For specific information about our data processors and subprocessors, and our commitments under data protection regulations, please refer to our Data Processing Agreement and subprocessor documentation. Our dedication to maintaining the highest standards of data privacy and security is a testament to our commitment to you as a user-centric, compliant, and innovative service provider.
Short version #
Overall, we’re reasonable people treating your data with care, collecting the minimal amount needed for providing our services, not sharing it with third parties when not required, certainly not selling your data, and applying all the controls we can to make it safe.
- We collect personal data such as user name and email address. Additional names can be collected during the policy generation process (when asking who is responsible for an activity, for example).
- Payment data is processed through Stripe; we don’t directly handle these details.
- The most important data type we collect is information about your information security management system (ISMS) to generate the documents.
- We also need to collect basic company details to tailor the policies to your company (company name, location, industry, departments, etc.). We encourage you to not give people’s names when not absolutely required.
- Personal data is used to provide our services (so that you receive the policies by email) and handle user accounts (so that we can make sure the right client is billed).
- Used for technical support (in case you request help or raise an issue), marketing (with consent, we’ll inform you about updates to our services), and commercial management (billing, contracts, etc.).
- Not used for profiling (the info about your company is only use for generating policies tailored to your company. We dont use it otherwise). We don’t sell your data either.
- Shared with authorized team members, financial organizations (if necessary), and legal entities (as required).
- Key service providers include Bubble.io, OpenAI, MistralAI, Zapier, Google Docs (Policy Generation), Stripe (Payments Processing), and ConverKit/Tidio (Emailing/Customer support).
- Data transfers to the US are GDPR compliant.
- Retained as needed for service provision, typically 5 years post-account closure.
- Specific periods for different data types (e.g., invoices kept for 10 years).
- Includes rights to access, rectify, delete, object, and port data.
- Requests can be made via email.
- Subject to changes; users are encouraged to review it regularly.
In this document, the capitalized words will have the meanings given below:
“Data Controller”: Refers to the entity that determines the purposes and means of processing Personal Data. For ISMS Policy Generator, this is us, as we decide what Personal Data to collect, how to store it, and for what duration.
“Data Processor”: Refers to the entity that processes Personal Data on behalf of the Data Controller, according to the Data Controller’s instructions. For instance, our cloud hosting services provider acts as a Data Processor when storing Your Personal Data on our behalf.
“ISMS Policy Generator” or “We”: Refers to Powered by Better ISMS, incorporated in Paris, with the Registration Number: 87848573900022, and having its corporate seat at 60 rue François 1er, 75008 Paris, France.
“AI Provider”: Refers to any third-party artificial intelligence service provider, such as OpenAI or Mistral, whose APIs we use to generate tailored policies as part of our Services.
“Personal Data”: Any information that directly or indirectly identifies an individual.
“Platform”: The online platform operated by ISMS Policy Generator.
“Processing”: Any operation performed on Personal Data (e.g., collection, use, storage, transfer, deletion).
“Services”: All services provided by ISMS Policy Generator to you, including the Platform, policy generation using AI Providers, and any associated software, applications, and website.
“User” or “You”: Any individual or entity that subscribes to, accesses, or uses our Services.
“User Data”: Consists of:
- “Feedback”: Your feedback regarding the accuracy, relevance, and effectiveness of the Outputs, including any identified discrepancies or errors.
- “Inputs”: Any information security management answers given by you to the AI Provider through our Platform to generate accurate policy Outputs.
- “Outputs”: All content generated by our Services in response to your Inputs. They consist in information security policies paragraphs put together in policies documents.
Who is the Data Controller? #
ISMS Policy Generator as Data Controller
ISMS Policy Generator, powered by Better ISMS, is a French entity registered at the Trade register of Paris under number 87848573900022. We act as the Data Controller for the personal data we collect from our users.
You can contact us regarding any privacy concerns or inquiries at firstname.lastname@example.org.
ISMS Policy Generator as Data Processor
For businesses utilizing our services, ISMS Policy Generator acts as a Data Processor, handling personal data on your behalf. The specific processing activities we perform are detailed in the Data Processing Agreement (DPA), which is part of our commitment to upholding data privacy and security standards.
This DPA is accessible to all users upon registration on our platform and can be reviewed at any time at Data Processing Agreement.
Please note that we directly provide our services to users who voluntarily subscribe through our platform. We do not operate through a marketplace or third-party agents, ensuring direct and transparent communication and data handling with our users.
For technical support purposes, our team may access user data (inputs used to generate policies). This access is strictly controlled and aligned with our privacy and security standards, ensuring the confidentiality and integrity of your data.
What Kind of Personal Data Do We Collect? #
Personal Data You Provide to Us
- Identity, Account, and Contact Data: On our platform, we collect essential details like your name, last name, and email address during the registration process. This information is necessary for you to access and use our services.
- Information Security Management System Data: While generating policies and procedures, we may collect data related to key roles within your Information Security Management System, such as the names of privacy, security, or continuity managers, and other key IT support roles.
- Payment Information: For fee-based services, payment processing is handled through Stripe. We use Stripe integration so your payment information is not collected in our systems.
- Inputs and Outputs: The data you input to generate policies (Prompts) and the resulting documentation (Outputs) are used solely for the functionality of the app. We do not use this data for purposes like selling or gathering intelligence on our clients. Our focus is exclusively on generating high-quality ISMS documentation.
For non-users on our public website:
- Tidio Chat: On our public website, we offer a chat service where visitors can ask questions and leave their email. This may subscribe them to our marketing emails through Convertkit, subject to their consent.
- Feedback Collection: We collect feedback through various methods, including emails, surveys, and video feedback using third-party provider vocalvideo.com. While primarily used for service improvement, we also use shapo.io to collect user reviews for testimonials on our public website.
Personal Data Generated by Your Use of Our Services
- Security Logs: We collect security logs to monitor system activities and maintain the security and integrity of our services. These logs include details such as status, date, type, user, workflow, location, data, duration, WU units, and may contain information like IP addresses and device information. This collection is essential for complying with applicable security standards and regulatory requirements.
- On our public website (ismspolicygenerator.com): Cookies for user consent management and third-party service functionalities (e.g., loom.com cookies for video content).
- In our application (app.ismspolicygenerator.com): Cookies that may relate to session management, user preferences, and security (e.g., Mixpanel cookies for user analytics, Bubble.io cookies for platform functionality).
Personal Data that is Indirectly Provided to Us
- Our services involve processing information inputted by users during policy generation. If users inadvertently include personal information, such as a home address in scenarios like defining the scope of their ISMS, this data is treated with strict confidentiality. We do not recommend sharing excessive personal information in the policy generators.Users have the right to request the removal of any such information from our systems. We are committed to ensuring that any indirectly provided personal data is handled responsibly and securely, with the utmost respect for user privacy.
Why Do We Use Your Personal Data? #
We use your personal data for the following purposes:
Provide Our Services
- Create and administer your account on the platform.
- Manage the security of the services, including monitoring system activities and ensuring data integrity.
- Generate documentation based on your inputs.
- Communicate with you for service-related purposes.
- Respond to your assistance requests and provide technical support.
- Train and improve our services, ensuring data is used responsibly and securely.
- Make aggregated statistics about the use of the services.
- Legal basis: Performance of the contract and our legitimate interest in providing quality services and continuously improving them.
- Send newsletters about our services via Convertkit.
- Engage with prospects through Convertkit email sequences and Tidio chat on our website.
- Lead development and invite you to our events.
- Legal basis: Your consent and our legitimate interests in promoting our services and business growth.
- Manage contracts, which includes agreement with our Terms of Service.
- Invoice services and process payments completely through Stripe (we do not directly process this data).
- Legal basis: The performance of the contract and our legal obligations for invoicing.
- Investigate and resolve disputes as described in our Terms of Service.
- Enforce our contract, including account suspension and monitoring for abuse.
- Legal basis: Our legitimate interest in protecting and exercising our legal rights and the performance of the contract.
Data Subject Requests
- Respond to your requests regarding your rights over your personal data.
- Legal basis: Our legal obligation to reply to your requests (contact: email@example.com).
How Long Do We Store Your Personal Data? #
Personal Data for Providing Services:
- Identity, Contract/Subscription, and Account Data: Retained for the duration of your active registration on the Platform and for 5 years after your account has been closed or deactivated, for evidentiary purposes. This includes data input into the Bubble app database.
- Generated Policies (Google Docs): Policies stored in Google Drive are retained for 5 years after your account closure or last use, ensuring consistency across our data storage practices. In the event of a user requesting account deletion, all associated policies and account data will be securely deleted.
- Security Data: Security logs are stored for 1 rolling year.
- Technical Support/Assistance Requests: Retained for the duration of processing the request and for 5 years after the resolution of your request, for evidentiary purposes.
Commercial Management Data:
- Invoices (Processed via Stripe): Kept for ten (10) years from the year-end date, in line with Stripe’s policies and GDPR requirements.
Marketing and Leads Data:
- Leads Identity and Contact Data: Retained for 3 years from the date of data collection.
- Guests Identity and Contact Data: Stored for 1 year after collection, extendable with user consent.
Dispute Resolution Data:
- Related Legal Data: Kept until the expiration of the appeal period and potentially archived for historical purposes.
Data for User Rights Requests:
- Related Data: Retained for a period of up to 3 months after the resolution of the request, and an additional 6 years for evidentiary purposes.
This policy ensures that we store your Personal Data no longer than necessary, respecting both legal obligations and your privacy rights, with a consistent and clear approach to data retention.
Who Do We Share Your Personal Data With? #
We share your Personal Data on a need-to-know basis with:
- Authorized Team Members: Access is granted to our marketing, product development, and technical support teams, adhering to the principle of least privilege.
Service Providers and Partners:
- Bubble.io: Our platform is built on Bubble.io, which uses US AWS servers for hosting.
- OpenAI and MistralAI: For generating policies through API calls; these providers are based in the US and Europe, respectively.
- Zapier: Facilitates the conversion of generated text into Google Docs policy documents and manages email dispatch. Zapier operates from the US.
- Google Docs: Used for storing generated policies, with data hosting likely in Europe (Ireland).
- ConvertKit: Planned for future email communications.
- Stripe: Manages billing and payment processing, based in Ireland and the US.
We ensure high data security standards in all our data sharing practices, and Data Processing Agreements are included in the terms and conditions with these providers.
Data Hosting and Transfers:
- We acknowledge that data transfers to the US occur due to the locations of some of our service providers. We are committed to managing these transfers in line with GDPR requirements and ensuring that our providers uphold high standards of data protection.
Legal and Regulatory Sharing:
- While we currently do not regularly share data with financial organizations or supervisory authorities, if such sharing becomes necessary, it will be conducted following the highest data security standards.
Legal and Debt-Related Sharing:
- Should the need arise to share data with legal entities, mediators, accountants, or debt collection agencies, it will be done in accordance with legal requirements and privacy standards.
For more detailed information on our subprocessors and their roles, please refer to our subprocessor documentation.
Do We Transfer Your Personal Data Outside of the European Union? #
While we prioritize selecting providers within the European Union to ensure strict adherence to GDPR, some of our core operations involve service providers located outside the EU. This includes providers like Bubble.io (using US AWS servers), Zapier and OpenAI (based in the US), and Google Docs (with data hosting in Europe, likely Ireland). Although MistralAI is based in Europe, the global nature of our services necessitates some data transfers to non-EU countries.
To safeguard your Personal Data in these transfers, we adhere to the following measures:
- Adequate Safeguards: We ensure that all contracts with service providers who process personal data outside the EU include adequate safeguards in compliance with Article 46 of the GDPR.
- Standard Contractual Clauses: We incorporate the most recent version of the European Commission’s Standard Contractual Clauses into our contracts with these providers. This helps ensure that your data is protected to the same standards as it would be within the EU.
Additionally, as part of our ongoing commitment to data protection, we conduct regular audits of our providers to assess their privacy and security standards, ensuring they align with our high expectations and GDPR requirements.
It’s important to note that while data transfers to the US occur due to the nature of our service providers, we actively manage these transfers to uphold the highest standards of data protection and privacy.
For more detailed information on our subprocessors and their roles, please refer to our subprocessor documentation.
Your Rights #
As a user of ISMS Policy Generator, you are entitled to various rights under the GDPR:
- Access: You have the right to know if we are processing your Personal Data, request a copy of such data, and obtain information about how we process it.
- Rectification: You can update or correct your Personal Data.
- Deletion: You have the right to request the deletion of your Personal Data.
- Objection: You can object to the processing of your Personal Data, except when we have a legal obligation to process it.
- Consent Withdrawal: You may withdraw your consent to the processing of your Personal Data at any time.
- Limitation: You can request that we temporarily freeze the processing of your Personal Data.
- Automated Decision: You have the right to not be subject to automated decision-making, including profiling. ISMS Policy Generator does not engage in such activities in the processing of Personal Data.
- Portability: You can obtain and transfer your Personal Data to another entity.
- Post Mortem: You can specify how you wish your Personal Data to be handled after your death.
- Lodge a Complaint: You have the right to lodge a complaint with the competent data protection authority, such as CNIL.
We are committed to addressing your requests promptly. However, please be aware that certain requests, particularly those affecting the technical aspects of our Services, may involve complex processes.
Exercising Your Rights:
To exercise these rights, please contact us at firstname.lastname@example.org.