Privacy Policy

1. Information We Collect

1.1 Personal Information

We collect the following types of personal information:

• Account Information: Name, email address, job title, company name
• Authentication Data: Encrypted passwords, MFA tokens, session data
• Profile Information: User preferences, role assignments, department details
• Contact Information: Phone numbers, business addresses (if provided)

1.2 Usage Information

We automatically collect information about how you use our service:

• Activity Logs: Login times, feature usage, ticket interactions
• Technical Data: IP addresses, browser type, device information
• Performance Data: Page load times, error reports, system performance
• Security Logs: Authentication attempts, security events

1.3 Business Data

Data you create and manage within the service:

• Tickets and Requests: Service desk tickets, attachments, comments
• Workflow Data: Custom workflows, approval processes, forms
• Configuration Data: System settings, user roles, permissions
• Reports and Analytics: Generated reports, dashboard configurations

2. How We Use Your Information

2.1 Service Provision

• Provide and maintain the ISMSVision service
• Process service desk tickets and requests
• Enable user authentication and access control
• Generate reports and analytics
• Facilitate team collaboration and workflow management

2.2 Service Improvement

• Analyze usage patterns to improve features
• Monitor system performance and reliability
• Develop new features and functionality
• Conduct beta testing and quality assurance

2.3 Communication

• Send service notifications and updates
• Provide customer support and assistance
• Share important security or service announcements
• Deliver beta program updates and feedback requests

3. Data Sharing and Disclosure

3.1 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties. Your data is used solely to provide and improve our service.

3.2 Limited Sharing

We may share your information only in these specific circumstances:

• Service Providers: Trusted third-party vendors who help us operate the service (cloud hosting, email delivery)
• Legal Requirements: When required by law, court order, or government regulation
• Security Protection: To protect our rights, property, or safety, or that of our users
• Business Transfers: In the event of a merger, acquisition, or sale of assets

3.3 Data Processing Agreements

All third-party service providers are bound by strict data processing agreements and are required to maintain the same level of data protection as outlined in this policy.

4. Data Security

4.1 Technical Safeguards

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC) and principle of least privilege
• Authentication: Multi-factor authentication (MFA) support
• Network Security: Firewalls, intrusion detection, and DDoS protection
• Monitoring: 24/7 security monitoring and incident response

4.2 Operational Safeguards

• Regular Audits: Security assessments and penetration testing
• Employee Training: Security awareness and data protection training
• Incident Response: Documented procedures for security incidents
• Data Backups: Regular, encrypted backups with tested recovery procedures

4.3 Compliance

Our security practices align with industry standards including:

• ISO 27001 security management principles
• SOC 2 Type II compliance framework
• GDPR data protection requirements
• NIST Cybersecurity Framework

5. Your Privacy Rights

You have the following rights regarding your personal data:

5.1 Access and Portability

• Right to Access: Request a copy of your personal data
• Data Portability: Export your data in a machine-readable format
• Account Information: View and update your profile information

5.2 Correction and Deletion

• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data
• Right to Restriction: Limit how we process your data

5.3 Consent and Objection

• Withdraw Consent: Revoke consent for data processing
• Object to Processing: Object to certain types of data processing
• Marketing Opt-out: Unsubscribe from marketing communications

6. Data Retention

6.1 Retention Periods

• Account Data: Retained while your account is active
• Ticket Data: Retained for 7 years for audit and compliance purposes
• Log Data: Retained for 2 years for security and performance analysis
• Backup Data: Retained for 90 days in encrypted backups

6.2 Deletion Process

When data is deleted, we ensure secure deletion from all systems, including backups, within 30 days unless longer retention is required by law.

7. International Data Transfers

Your data may be processed in countries outside your residence. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) for EU data transfers
• Adequacy decisions by relevant data protection authorities
• Certification schemes and codes of conduct
• Binding corporate rules for internal transfers

8. Cookies and Tracking

8.1 Essential Cookies

We use essential cookies for:

• User authentication and session management
• Security and fraud prevention
• Load balancing and performance optimization

8.2 Analytics and Performance

We use analytics cookies to understand how users interact with our service and improve performance. You can opt out of analytics tracking in your account settings.

9. Children's Privacy

ISMSVision is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will delete it promptly.

10. Privacy Policy Updates

We may update this privacy policy to reflect changes in our practices or applicable laws. We will notify you of material changes by:

• Posting the updated policy on our website
• Sending email notifications to registered users
• Displaying prominent notices in the service

11. Contact Information

For privacy-related questions, concerns, or requests, please contact us: