Privacy Policy

Last updated: May 11, 2026

1. Introduction

IsoDora ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our ISO certification management platform.

2. Information We Collect

2.1 Personal Information

We collect information that you provide directly to us, including:

  • Name and contact information (email address, phone number)
  • Account credentials (username and password)
  • Organization information
  • Professional information
  • Payment information (processed securely through third-party providers)

2.2 Usage Information

We automatically collect certain information when you use our services:

  • Log data (IP address, browser type, operating system)
  • Device information
  • Usage patterns and preferences
  • Cookies and similar tracking technologies

2.3 Content and Documents

When you use our platform, we collect and process:

  • Documents you upload for compliance analysis
  • Interview responses and chat conversations
  • Assessment data and compliance records
  • Reports and analytics you generate

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process your transactions and send related information
  • Send you technical notices, updates, and support messages
  • Respond to your comments and questions
  • Analyze usage patterns to improve user experience
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations and enforce our Terms of Service

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), our legal basis for collecting and using your personal information depends on the specific context:

  • Contract Performance: Processing necessary to perform our contract with you
  • Consent: You have given us explicit consent to process your information
  • Legitimate Interests: Processing necessary for our legitimate business interests
  • Legal Compliance: Processing necessary to comply with legal obligations

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

  • Service Providers (sub-processors): With third-party providers who process data on our behalf — including OpenAI (AI analysis), Supabase (database and storage), Vercel (hosting), Stripe (payments), Resend (email), and Sentry (error tracking). Each is bound by a data processing agreement. See our Sub-processors page for the full, current list with data locations and transfer mechanisms.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • Legal Requirements: When required by law or to protect our rights
  • With Your Consent: When you explicitly authorize us to share your information

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Access controls and authentication
  • Employee training on data protection
  • Incident response procedures

7. Your Data Protection Rights

Under GDPR and other data protection laws, you have the following rights:

  • Access: Request copies of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data
  • Restriction: Request restriction of processing
  • Data Portability: Request transfer of your data
  • Objection: Object to our processing of your data
  • Withdraw Consent: Withdraw consent at any time

7.1 Self-Service Access

You can download a copy of your personal data at any time using the "Download my data" button on your profile page. The export includes your profile, chat sessions, interview responses, consent records, and audit log entries associated with you, and is limited to one export per hour. You can also email privacy@isodora.se to submit a formal access request under Art. 15 GDPR.

7.2 Data Portability

The self-service export on your profile page provides a structured ZIP archive of JSON files and fulfils your right to data portability under Art. 20 GDPR. For machine-readable copies in other formats, contact privacy@isodora.se.

7.3 Erasure and Retention Windows

Specific retention periods for data classes that outlive their parent record (such as agent-internal state) are documented in our Data Retention Policy.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When we no longer need your information, we will securely delete or anonymize it.

For technical reasons, agent-internal state with global identifiers (for example, LangGraph checkpoints for requirement analysis that are linked to a global requirement ID, "req-[id]-…") cannot always be attributed to a specific user or organization at the time of deletion. These records are retained for up to 30 days after account or organization deletion so that in-progress analyses can complete safely, and are then removed by an automated nightly cron job. Full details are available in our Data Retention Policy.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. Where personal data is transferred outside the European Economic Area, we rely on the following safeguards:

  • OpenAI, Resend (US): Standard Contractual Clauses under Commission Decision 2021/914
  • Vercel, Stripe (US): EU-US Data Privacy Framework adequacy decision (Stripe additionally under Standard Contractual Clauses)
  • Supabase (EU): Data is hosted in the EU (eu-central-1, Frankfurt); no third-country transfer for stored data
  • Sentry: EU-hosted where available, otherwise Standard Contractual Clauses

A complete and current list of our sub-processors, including each provider's purpose, data location, and transfer mechanism, is available on our Sub-processors page.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our service and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.

11. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Email: privacy@isodora.se
Data Protection Officer: dpo@isodora.se