Privacy Policy
Last updated: April 22, 2026
1. Who we are
ISO27001KIT (operated under iso27001kit.com, the "Service") provides ISO 27001 implementation tools, document templates, an AI Assistant, the Risk Copilot platform, and the ISO 27001 Audit Room workspace. This Privacy Policy explains what information we collect, why we collect it, how we use it, and the choices you have.
The data controller is the operator of iso27001kit.com. You can contact us at contact@iso27001kit.com.
2. Information we collect
2.1 Account information
When you create an account we collect:
- Email address (required for sign-in and account recovery)
- Full name (optional)
- Phone number (optional)
- A securely hashed password, or your Google account identifier if you sign in with Google
2.2 Email verification (anonymous tools)
To use certain free tools without an account, we ask you to verify your email address. We store your email, a one-time verification token, the document or tool you requested, the time of the request, and the IP address used to verify, so we can prevent abuse and deliver the requested resource.
2.3 Payment and subscription information
Payments are processed by our payment provider, Lemon Squeezy. We do not see or store your full card number, CVV, or banking details. We receive and store: order ID, subscription ID, product purchased, billing email, country, plan status, and renewal/cancellation events. This information is used to fulfil your purchase, manage your subscription, and comply with tax and accounting obligations.
2.4 Tool and project content
When you use our implementation tools (SoA Generator, Gap Analysis, Risk Assessment, Asset Inventory, ISMS Scope Builder, ISO 27001 Audit Room checklist, etc.), the data you enter is held in your browser's local storage and, for Pro users, can be saved to your account. We treat this content as confidential and only access it where strictly necessary for support or to operate the Service.
2.5 Risk Copilot data
When you use Risk Copilot we store the records you create (risks, assets, controls, treatments, threats, vulnerabilities, business processes, incidents, audit log entries, settings) in our backend database, scoped to your user account by row-level security. Only you can read or modify your records; we do not access them except where required to operate the Service or where you ask us to provide support.
2.6 AI Assistant conversations
When you use the ISO 27001 AI Assistant, your messages are sent to our AI provider (Google Gemini, via the Lovable AI Gateway) to generate a response. We track metadata such as the number of messages you have used per day to enforce plan limits. We recommend you do not paste sensitive client data, secrets, or regulated personal data into the AI Assistant.
2.7 Click and usage analytics
We log a small amount of metadata about clicks on key buttons (button identifier, page path, timestamp, and your user ID if signed in) to understand which features are useful. We do not log the content of forms, exports, or AI conversations in this analytics stream. Click events are retained for up to 90 days.
2.8 Automatically collected technical data
- IP address (used for verification, fraud prevention, and abuse limits)
- Browser type and version, device type, screen size
- Pages visited, referring URL, and basic timing information
- Microsoft Clarity may record session interactions (heatmaps, scroll, clicks) on a sampled basis to help us improve the user experience
3. How we use your information
We process your data to:
- Create and manage your account and verify your identity
- Process payments and provision your subscription or Document Pack
- Deliver the tools, templates, AI Assistant, Risk Copilot, and ISO 27001 Audit Room you requested
- Send transactional emails (purchase confirmations, password resets, download links, verification codes)
- Send product update emails to registered users (you can opt out at any time)
- Provide customer support
- Detect, prevent, and respond to fraud, abuse, and security incidents
- Improve the Service through aggregated usage analysis
- Comply with legal, tax, and accounting obligations
Our legal bases under the GDPR are: performance of a contract (operating your account and delivering purchases), legitimate interest (fraud prevention, security, service improvement), consent (where required, e.g. optional analytics), and legal obligation (tax, accounting).
4. Service providers we share data with
We do not sell your personal data. We share the minimum necessary information with vetted service providers acting as processors on our behalf:
- Lovable Cloud (Supabase infrastructure): hosting, authentication, database, edge functions, and file storage.
- Lemon Squeezy: payment processing, subscription billing, and merchant-of-record tax handling.
- Lovable AI Gateway: routes requests from the AI Assistant to the underlying AI model providers.
- Google (Gemini models, accessed via the Lovable AI Gateway): generates AI Assistant responses from the messages you send.
- SMTP email provider (Hostinger): delivers transactional emails such as verification codes, password resets, and purchase confirmations.
- Microsoft Clarity: sampled session analytics for usability research.
- Google OAuth: only if you choose to sign in with Google.
We may also disclose information when required by law, to protect our rights or the safety of users, or in connection with a corporate transaction (with notice to affected users where feasible).
5. International transfers
Some of our service providers are located outside your country, including in the United States. Where personal data is transferred outside the EEA or UK, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and provider certifications.
6. Cookies and local storage
We use a limited set of cookies and browser storage:
- Authentication: to keep you signed in to your account.
- Local storage: to save your tool inputs, theme preference, and Risk Copilot organization name on your device.
- Analytics: Microsoft Clarity uses cookies to record sampled interactions for usability research.
You can clear cookies and local storage at any time in your browser settings. Disabling authentication cookies will sign you out.
7. Security
We protect your data using industry-standard measures, including:
- HTTPS/TLS for all traffic between your browser and our servers
- Hashed passwords (we never store plaintext passwords)
- Row-level security policies in the database so each user only sees their own data
- JWT verification on protected edge functions
- Restricted, least-privilege access for the small team that operates the Service
No system is 100% secure. If we ever become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
8. Data retention
- Account data: kept for as long as your account is active, then deleted on request.
- Subscription and billing records: kept for the period required by tax and accounting law (typically up to 7-10 years).
- Email verification tokens: expire automatically and are cleaned up shortly after.
- Click analytics: retained for up to 90 days.
- Risk Copilot records and tool data: kept until you delete them or close your account.
- AI Assistant usage counters: reset daily; we do not retain conversation history beyond what is needed to deliver the response.
9. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Cancel your subscription at any time
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Export your data in a portable format
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email us at contact@iso27001kit.com from the address linked to your account. We respond within 30 days.
10. Children
The Service is intended for professionals and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Third-party links and content
Our Service may contain links to third-party websites (for example, our payment providers). We are not responsible for the privacy practices of those sites and recommend you read their own privacy policies.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top and, where appropriate, notify you by email or in-app notice.
13. Contact
For any privacy-related question, contact:
