Privacy Notice

AdminISO privacy policy and data protection

Last updated: March 30, 2025

1. Introduction

At AdminISO, we are committed to protecting and respecting your privacy. This Privacy Notice explains how we collect, use, store, and protect your personal information when you use our services, including our website (adminiso.io) and our SaaS platform. By using AdminISO, you agree to the practices described in this notice. This notice applies to both visitors to our website and customers of our platform.

2. Data Controller

The data controller for your personal data is AdminISO. For purposes of this notice, we act as the data controller for personal data we collect directly. When you use our platform to manage your organization's data, you act as the data controller and we act as the data processor for that data.

3. Scope of Notice

This notice covers two types of data processing: (a) Data we collect directly from you as a visitor to our website or AdminISO customer; (b) Data you process through our platform to manage your enterprise quality systems. For the second type of data, you maintain primary responsibility as the data controller.

4. Information We Collect

We collect different types of information depending on your interaction with our services:

Website Data

When you visit our website or use our contact form, we collect: full name, email address, phone number, company name, message or inquiry, contact preference, and technical cookies necessary for site functionality.

Account and Billing Data

For AdminISO customers we collect: business registration information, contact details of administrators and users, billing and payment information, subscription and service usage history, technical support communications, and account configuration preferences.

Platform-Processed Data

Data you enter into AdminISO to manage your quality system, including: quality documents, process records, audit information, non-conformity data, quality objectives, supplier information, training records, and any other content related to your management system. This data remains under your control and ownership.

Technical and Usage Data

Technical information necessary to provide security and maintain continuous operations: connecting IP addresses, information about your browser and device (User-Agents), Two-Factor Authentication (2FA/TOTP) tokens, immutable forensic corporate audit logs, aggregated performance data, and automated backup routines.

5. How We Use Your Information

We use your personal information for the following legitimate purposes:

Service Provision

Provide access to AdminISO, process your registration and authentication, manage your account and subscription, facilitate use of platform functionalities, process payments and billing, provide specialized technical support, and perform data backups.

Improvement and Development

Analyze platform usage to improve functionalities, develop new features based on real needs, optimize performance and speed, personalize user experience, perform security analysis and fraud prevention, and develop educational content about quality systems.

Communication

Respond to contact form inquiries, send important service notifications, communicate updates and new functionalities, provide educational content about ISO and quality, send newsletters (with consent only), and facilitate communication during the sales process.

Legal Compliance and Security

Comply with legal and tax obligations, respond to requests from competent authorities, protect our legal rights and intellectual property, prevent fraud and illegal activities, maintain platform security, and resolve contractual disputes.

6. Legal Basis for Processing

The processing of your personal data is based on the following legal bases: (a) Contract performance: to provide AdminISO contracted services; (b) Legitimate interest: to improve our services, perform usage analysis and communicate with you about updates; (c) Consent: for sending promotional communications and processing sensitive data; (d) Legal obligation compliance: to meet applicable legal and tax requirements.

7. Information Sharing

We do not sell, rent, or share your personal information with third parties for commercial purposes. We share information only in the following limited circumstances:

Service Providers

We share the minimum necessary information with specialized service providers who supply infrastructure and operational capabilities, such as: providers of global cloud hosting for objects and applications, high availability caching and traffic management systems, secure verified transactional email platforms, and world-leading payment processors (with strict PCI DSS compliance). All our providers maintain enterprise-class certifications and rigid confidentiality agreements to safeguard your assets.

Legal Requirements

We may disclose information when required by law, court order, legal process, government investigation, or to protect our rights, property, security, or that of our users. In such cases, we limit disclosure to the minimum necessary and, when legally possible, we will notify you about the request.

Business Transfers

In case of merger, acquisition, asset sale, or corporate restructuring, your information may be transferred as part of the transaction, always notifying you at least 30 days in advance and ensuring the acquirer maintains the same privacy protections.

8. Data Security

We secure your data using rigorous enterprise-grade technologies: advanced cryptographic protection for passwords using next-generation algorithms (Argon2id), mandatory Two-Factor Authentication (2FA), hardened restrictive HTTP headers, isolated multi-tenant architecture to prevent cross-leakage, proactive abuse mitigation via traffic controllers and Rate Limiting, encrypted communications via TLS 1.3, and AES-256 encryption at rest. Furthermore, our role-based access control operates under strict cross-verification security models.

9. Data Retention

We protect our users against unintentional data loss. Upon cancellation or expiration, we apply a Soft Delete lifecycle before permanent deletion. Your data will enter an initial grace period (e.g., 30 days) followed by controlled retention intervals of up to an additional 90 days following cancellation, preventing irrecoverable deletion during administrative processes. If reactivation is not requested within these timeframes, the system proceeds with final purging. You also have the technical means to request or execute immediate self-destruction of your data if you so choose. Technical audit data is preserved immutably for forensic purposes in accordance with the law.

10. Your Rights

You have the following rights regarding your personal information:

Right of Access

Request information about what personal data we have about you, how we use it, who we share it with, and how long we will keep it.

Right of Rectification

Request correction of inaccurate, incomplete, or outdated information. You can update certain data directly from your account.

Right of Cancellation

Request deletion of your personal information when you consider it is not necessary for the purposes for which it was collected or when you withdraw your consent.

Right of Portability

Request the transfer of your data to another service provider in a structured and commonly used format.

Right of Objection

Object to the processing of your personal data for specific purposes such as direct marketing or when you consider it may cause you harm.

Exercising Rights

To exercise your rights, you can contact us at [email protected]. We will respond to your request within the legally established timeframes. Some data may be retained if legal or contractual obligations require it.

11. International Transfers

Your data may be transferred to and processed in countries other than your country of residence, primarily for cloud infrastructure services. When this occurs, particularly from the European Economic Area (EEA), we ensure appropriate safeguards are in place by consistently implementing the Standard Contractual Clauses (SCCs) approved by the European Commission, along with supplementary security measures equivalent to or exceeding those required in your jurisdiction.

12. Business Data Processing

For data you process through AdminISO to manage your quality system: (a) You maintain full ownership and control of this data; (b) We act only as data processors under your instructions; (c) We do not access this data except to provide authorized technical support; (d) We implement security measures to protect this data; (e) You are responsible for obtaining necessary consents from your employees and third parties.

13. Minors

AdminISO is directed exclusively to businesses and professionals. We do not intentionally collect personal information from minors under 18 years of age. If we discover we have collected information from a minor, we will delete it immediately and take measures to prevent future collection.

14. GDPR Compliance (EU Users)

If you are located in the European Economic Area (EEA), your data is processed under the guidelines of the General Data Protection Regulation (GDPR). You have extended rights, including the right to be forgotten, data portability in a machine-readable format, and the right to restrict processing. For international transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. AdminISO acts as a Data Processor for your organization's data. If you require a standard Data Processing Agreement (DPA) for your internal compliance, you can request it from our support team.

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). AdminISO DOES NOT sell or share your personal information under any circumstances ("Do Not Sell or Share My Personal Information"). You have the right to request access to your data, know what information we collect about you, and request its deletion, without facing any discrimination for exercising these rights.

16. Changes to this Notice

We may update this Privacy Notice occasionally to reflect changes in our practices, new functionalities, or for legal reasons. For significant changes, we will notify you at least 30 days in advance by email and through a prominent notice on our website. Your continued use of the service after changes constitutes your acceptance of the updated notice.

17. Contact

If you have questions about this Privacy Notice, wish to exercise your rights, or need more information about our privacy practices, you can contact us:

AdminISO

[email protected]

Zapopan, Jalisco, México