Summary. We process personal data to run the service, secure it, bill customers where applicable, and improve the product. We do not sell your personal data. Where we rely on subprocessors (for example hosting), we require them to protect data appropriately. You can exercise UK GDPR rights by contacting us; you may also complain to the ICO.
1. Scope
This policy applies to processing of personal data in connection with:
- our public website and marketing pages;
- accounts, authentication, and use of the ISMSVision application;
- support, billing, and service communications; and
- cookies and similar technologies on our sites, as described in section 9.
If your organisation uses ISMSVision, your organisation may also place business or employee data in the service. In many cases your organisation is an independent controller for that data, and we act as a processor under its instructions—your organisation’s privacy notice may also apply to you. This policy focuses on how ISMSVision processes personal data as a controller for its own purposes, and how we process data in the service more generally.
2. Personal data we process
Depending on how you interact with us, we may process:
- Identity and contact data: name, email address, job title, organisation name, phone number if you provide it.
- Account and security data: login identifiers, encrypted credentials, security logs, MFA-related signals, session and device metadata needed to secure access.
- Service usage data: actions taken in the application, configuration you choose, and diagnostic or error information needed to operate and improve the service.
- Content you submit: information you or your organisation stores in the service (for example tickets, documents, supplier records, risk entries). This may include personal data about your colleagues or third parties—your organisation is responsible for that content’s lawfulness.
- Marketing and communications: preferences, records of correspondence, and newsletter or trial-related messages where applicable.
- Technical data: IP address, browser type, approximate location derived from IP, timestamps, and similar technical identifiers from website and application access.
3. Purposes and lawful bases (UK GDPR)
We process personal data on the following bases:
- Contract (Article 6(1)(b)): to provide the Service, create and administer accounts, and fulfil our agreement with you or your organisation.
- Legitimate interests (Article 6(1)(f)): to secure the Service, prevent abuse, understand how the product is used in aggregate, improve features, and communicate proportionate service messages; where required, we balance these interests against your rights.
- Legal obligation (Article 6(1)(c)): to comply with applicable law, court orders, or regulatory requests.
- Consent (Article 6(1)(a)): where we ask for consent (for example non-essential cookies or certain marketing), you may withdraw consent at any time without affecting processing based on other lawful grounds.
4. Sharing and subprocessors
We use trusted service providers to host infrastructure, send email, monitor reliability, and similar functions. They may only process personal data on our instructions and subject to appropriate contractual commitments (including UK GDPR Article 28 terms where we act as processor for your organisation). We do not sell personal data.
We may disclose personal data if required by law, to protect the rights and safety of users, or in connection with a merger, acquisition, or asset sale, subject to confidentiality and continuity safeguards.
5. International transfers
Our primary processing is intended to take place in the United Kingdom and/or the European Economic Area. If personal data is transferred to countries not subject to an adequacy decision, we will ensure appropriate safeguards (for example the UK International Data Transfer Agreement or EU Standard Contractual Clauses, as applicable) unless another derogation applies.
6. Retention
We retain personal data only for as long as necessary for the purposes described in this policy, including to meet legal, accounting, or reporting requirements. Factors include whether you have an active account, whether data is needed to resolve disputes, and minimum statutory retention periods. Backup copies may persist for a limited period before overwriting. Specific retention periods may vary by data category; you may ask us for more detail in relation to your account.
7. Security
We implement technical and organisational measures appropriate to the risk, which may include access controls, encryption in transit where standard for web services, logging, patching, and staff training. No online service can be guaranteed fully secure; you should use strong passwords and MFA where offered.
8. Your rights
Under UK GDPR you have the right to:
- access your personal data (subject access request);
- rectify inaccurate data;
- erase data in certain circumstances;
- restrict processing in certain circumstances;
- data portability where processing is automated and based on consent or contract;
- object to processing based on legitimate interests (including profiling in scope of that objection);
- withdraw consent where processing is consent-based; and
- not be subject to solely automated decisions with legal or similarly significant effects, where applicable.
To exercise these rights, contact us at the address below. We will respond within one month in most cases (that period may be extended for complex requests—we will tell you if so). You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).
9. Cookies and similar technologies
We use cookies and similar technologies that are strictly necessary for the site and application to function (for example session and security cookies). Where we use optional analytics or marketing cookies, we will seek your consent in line with the Privacy and Electronic Communications Regulations (PECR) before placing them, except where strictly necessary.
10. Children
The Service is intended for business and professional use. It is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe we have collected such data, contact us and we will delete it.
11. Changes to this policy
We may update this policy to reflect changes to our processing or legal requirements. We will post the revised version on this page and adjust the “last updated” date. Material changes may be communicated by email or in-product notice where appropriate.
12. Contact
Data protection enquiries:
privacy@ismsvision.com
General enquiries:
sales@ismsvision.com
We are not required to appoint a Data Protection Officer under UK GDPR; the contacts above are responsible for handling privacy requests.