ISO-STANDARD.app Legal
Privacy Notice
Last updated: 6/12/2026
1. Who we are
This privacy notice describes how ISO-Standard.app ("ISO-Standard.app", "we", "us"), trading as ISO-STANDARD.app, collects and processes personal data in connection with the ISO-STANDARD.app platform (the "Service"). For the personal data we collect from website visitors, account holders and end-users of customer workspaces, we act as data controller. Where we process customer-uploaded content on behalf of a customer organisation, we act as data processor for that customer.
2. Categories of personal data we collect
- Account data — name, work email, hashed password, organisation, role.
- Authentication data — login timestamps, IP address, session tokens, multi-factor secrets.
- Workspace data — risks, controls, assets, audit notes and other content you submit. This may include personal data about your colleagues (names, emails, role assignments).
- Support & communications — messages you send to us, support tickets, email correspondence.
- Usage & telemetry — pages visited, features used, performance metrics, error reports, device and browser identifiers.
- Marketing — newsletter subscription status and engagement (only where you opt in).
3. Purposes and legal bases
- Provide the Service (account creation, workspace access, feature delivery) — performance of contract.
- Security and fraud prevention (authentication, audit logs, abuse detection) — legitimate interests and legal obligation.
- Customer support — performance of contract and legitimate interests.
- Product improvement (aggregated usage analytics, error monitoring) — legitimate interests.
- Billing and tax (handled by Paddle as Merchant of Record) — performance of contract and legal obligation.
- Marketing communications — consent; you can withdraw at any time.
- Legal compliance (responding to lawful requests, enforcing terms) — legal obligation and legitimate interests.
4. Who we share data with
We share personal data with the following categories of recipients:
- Sub-processors — hosting, database, email delivery, error monitoring and AI features. The current list is published on our Trust page.
- Paddle.com — our Merchant of Record, who handles the sale of subscriptions, payment processing, subscription management, tax compliance and invoicing.
- Professional advisers — legal, accounting and audit firms, under confidentiality.
- Authorities — law enforcement or regulators where required by law.
- Successors — in connection with a merger, acquisition or sale of assets, subject to equivalent protections.
5. International transfers
We are based in the United Kingdom and some of our sub-processors are located outside the UK / EEA (notably in the United States). Where personal data is transferred outside the UK / EEA we rely on appropriate safeguards including the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or adequacy decisions where available.
6. Retention
We keep account data for the duration of your subscription and for a reasonable period afterwards to comply with legal and audit obligations (typically up to 7 years for financial records). Workspace content is retained for the lifetime of the workspace; you may export it at any time and request deletion when your subscription ends. Telemetry and error logs are retained for up to 90 days. Backups are retained for up to 35 days and then overwritten.
7. Your rights
Under UK and EU GDPR you have the right to access your data; to have it rectified; to have it erased; to restrict or object to its processing; to data portability; and to withdraw consent at any time. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority. We will respond to verified requests within one month. To exercise your rights, contact support@iso-standard.app.
8. Security
We apply appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, tenant isolation, role-based access control, multi-factor authentication, audit logging, and least-privilege access to production systems. No internet service is perfectly secure — please report suspected vulnerabilities to support@iso-standard.app.
9. Cookies
We use a small number of strictly necessary cookies for authentication, session management and CSRF protection. We do not currently set advertising cookies. If we add analytics or marketing cookies in the future we will surface a cookie banner and let you manage preferences before non-essential cookies are set.
10. Children
The Service is intended for business use by adults. We do not knowingly collect personal data from children under 16.
11. Changes
We may update this notice from time to time. Material changes will be announced via in-product notice or by email to workspace owners. The "Last updated" date at the top of this page indicates when the notice was last revised.
12. Contact
Privacy questions and rights requests: support@iso-standard.app. Postal address available on request.