Effective Date: 13 February 2026
Last Updated: 13 February 2026
Version: 1.0
System Prototypers Ltd (“we”, “us”, “our”) operates the ISO Mate platform, which includes:
- The ISO Mate web application at console.isomate.io
- The ISO Mate API at api.isomate.io
- The ISO Mate marketing website at isomate.io
This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use any of these services (collectively, the “Services”). By using our Services, you agree to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide Directly
| Data Category | Specific Data | When Collected |
|---|---|---|
| Account Registration | Full name, email address, password | When you create an ISO Mate account |
| Profile Information | Mobile phone number (with country code), timezone, locale/language preference | When you update your profile settings |
| Organisation Details | Organisation (account) name, logo, timezone, billing address | When you create or manage an organisation |
| Billing Information | Billing contact name, billing email address | When you set up billing for a subscription |
| User-Generated Content | Issues, tasks, test cases, notes, diagrams, custom object entries, chat messages, calendar events, compliance documents, and any other content you create within the platform | During normal use of the platform |
| Communication Data | Emails sent/received through connected mailboxes, feedback submissions, support requests | When you use email integration or contact us |
| Marketing Website | Name, email address, and any information submitted through contact or enquiry forms | When you submit a form on isomate.io |
1.2 Information Collected Automatically
| Data Category | Specific Data | Purpose |
|---|---|---|
| Authentication Logs | Login timestamps, IP address at login, login method (password, Google OAuth, 2FA) | Security monitoring and account protection |
| Audit Logs | Event type (login, logout, password changes, data exports, account actions), IP address, user agent string, outcome (success/failure), timestamps | Security, compliance, and accountability |
| Device & Browser Information | User agent string, browser type and version, operating system | Service compatibility and security |
| Cookies | Language preference cookie (isomate_lang) on the marketing website; session and authentication tokens on the application | Maintaining your session and language preference |
1.3 Information from Third Parties
- Google OAuth: If you sign in or register using Google, we receive your name, email address, and Google account identifier. We do not receive your Google password.
- Stripe: Our payment processor Stripe handles all payment card data. We do not store credit card numbers, CVVs, or full card details on our servers. Stripe may share transaction identifiers, subscription status, and billing metadata with us.
- Connected Mailboxes: If you connect an email mailbox, we access and store email metadata and content as configured by you for the mailbox integration feature.
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing the Services: Operating the platform, authenticating users, managing accounts and organisations, processing your content and data | Performance of contract |
| Billing & Subscriptions: Processing payments via Stripe, managing subscription lifecycle, sending billing notifications | Performance of contract |
| Security: Detecting and preventing unauthorised access, monitoring for suspicious activity, enforcing account lockouts after failed login attempts, two-factor authentication | Legitimate interest |
| Audit & Compliance: Maintaining immutable audit logs of security-relevant events for compliance and accountability | Legitimate interest / Legal obligation |
| Communications: Sending transactional emails (password resets, email verification, calendar reminders, billing notifications, user invitations), in-app notifications | Performance of contract |
| Improvement: Analysing usage patterns to improve platform features, fix bugs, and optimise performance | Legitimate interest |
| Marketing Website: Responding to enquiries submitted through the website, setting language preferences | Consent / Legitimate interest |
We do not sell your personal information to third parties. We do not use your content data (issues, tasks, test cases, notes, etc.) for advertising or profiling purposes.
3. Data Sharing and Disclosure
We share personal information only in the following circumstances:
3.1 Within Your Organisation
ISO Mate is a multi-tenant platform. Data you create within an organisation (account) is accessible to other members of that organisation based on their assigned roles and permissions. Organisation administrators can manage user access and view audit logs.
3.2 Service Providers
We use trusted third-party service providers to operate our Services:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | All platform data (encrypted at rest and in transit) |
| Stripe | Payment processing | Billing contact details, subscription information |
| Xero | Accounting integration | Invoice and billing data |
| Google (OAuth) | Authentication | Authentication tokens (only when you choose Google sign-in) |
All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
3.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Retained while your account is active. Deleted or anonymised upon account deletion request. |
| User-generated content | Retained while the associated organisation account is active. Deleted when the organisation is removed. |
| Audit logs | Retained for a minimum of 12 months for security and compliance purposes. Audit logs are append-only and cannot be modified or deleted during the retention period. |
| Consent records | Retained for the duration of the consent plus a reasonable period thereafter to demonstrate compliance. |
| Billing and transaction data | Retained as required by applicable tax and financial regulations (typically 7 years). |
| Marketing website form submissions | Retained for up to 24 months unless you request earlier deletion. |
| Cookies (marketing website) | Language preference cookie expires after 1 year. |
5. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest.
- Authentication: Passwords are hashed using bcrypt with a configurable cost factor. We support two-factor authentication (2FA) via SMS and recovery codes.
- Access Control: Role-based access control (RBAC) with granular permissions ensures users only access data they are authorised to see.
- Account Protection: Automatic account lockout after repeated failed login attempts. Password history enforcement prevents reuse of recent passwords.
- Audit Trail: Immutable, append-only audit logs record all security-relevant events including logins, password changes, data exports, and account modifications.
- Infrastructure: Hosted on AWS with industry-standard security controls, network isolation, and monitoring.
- Token-Based Authentication: API access uses Laravel Sanctum token-based authentication with scoped, revocable tokens.
While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of the personal data we hold about you. | Use the data export feature in your account settings, or contact us. |
| Rectification | Request correction of inaccurate or incomplete personal data. | Update your profile directly in the application, or contact us. |
| Erasure | Request deletion of your personal data (subject to legal retention requirements). | Use the account deletion feature, or contact us. Note: audit logs may be retained as required by law. |
| Data Portability | Receive your data in a structured, commonly used, machine-readable format. | Use the data export feature (CSV/PDF) available throughout the platform. |
| Restriction | Request that we limit the processing of your personal data in certain circumstances. | Contact us with your request. |
| Objection | Object to processing based on legitimate interests. | Contact us with your objection. |
| Withdraw Consent | Where processing is based on consent, you may withdraw it at any time. | Contact us or adjust your preferences in account settings. Withdrawal does not affect the lawfulness of prior processing. |
To exercise any of these rights, contact us at privacy@isomate.io. We will respond within 30 days of receiving your request.
7. Cookies and Tracking
7.1 ISO Mate Application
The ISO Mate web application uses only essential cookies and local storage required for authentication and session management. We do not use advertising or third-party tracking cookies in the application.
7.2 Marketing Website (isomate.io)
The marketing website uses the following cookies:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| isomate_lang | Stores your preferred language for the website | 1 year | Functional |
| WordPress session cookies | Required for website functionality | Session / 2 weeks | Essential |
We do not use analytics, advertising, or social media tracking cookies unless separately disclosed with your consent.
8. International Data Transfers
ISO Mate is hosted on Amazon Web Services in the Asia-Pacific (Sydney) region (ap-southeast-2). If you access our Services from outside Australia or New Zealand, your data will be transferred to and processed in Australia.
Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses approved by relevant data protection authorities
- Data processing agreements with all service providers
- Encryption of data in transit and at rest
9. Children’s Privacy
ISO Mate is a business-to-business platform designed for professional use. Our Services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
10. Third-Party Links and Integrations
Our Services may contain links to third-party websites or integrate with third-party services (such as Google OAuth, Stripe, and Xero). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service you interact with.
11. Data Anonymisation
ISO Mate supports data anonymisation for user accounts. When an account is anonymised, personally identifiable information (name, email, phone number) is replaced with anonymised values. The anonymisation timestamp is recorded, and the process is irreversible. Anonymised data may be retained for statistical and compliance purposes.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by law)
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Document the breach, its effects, and the remedial actions taken
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Increment the version number
- Notify registered users via email or in-app notification for significant changes
- Where required, request renewed consent before applying changes that affect how we process your data
Continued use of the Services after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@isomate.io
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
New Zealand residents: You may contact the Office of the Privacy Commissioner at privacy.org.nz.
Australian residents: You may contact the Office of the Australian Information Commissioner at oaic.gov.au.
EU/EEA residents: You may contact your local supervisory authority under the GDPR.