Privacy Policy

Last updated: 20 February 2026

This privacy policy explains what data we collect, why we collect it, who processes it, and what rights you have. It covers everything you interact with on this site and through our services — the website, the readiness assessment, and any follow-up communication.

We have written this policy in plain language because we believe you should be able to understand it without a law degree. If anything is unclear, contact us at DPO@isegrim-x.com.

Table of Contents

Who We Are
What We Collect and Why
    1. Website
    2. Readiness Assessment
    3. Follow-Up
    4. Web Chat
    5. CRM
Third-Party Processors
Data Transfers Outside the EU
How Long We Keep Your Data
Cookies and Tracking
Your Rights
Changes to This Policy
Contact


Who We Are

This website is operated by:

ISEGRIM X AG
Commercial Register: HRB 741723, Register Court: Ulm, Germany
VAT Identification Number (§27a UStG): DE341171629
Responsible for content according to § 5 TMG and § 55 RStV: Alexander Fuerst (CEO)

We are the data controller for all personal data collected through this website and its connected services.


What We Collect and Why

We collect different data depending on how you interact with us. Here is a breakdown by touchpoint.

1. Website (iso27001-hub.com)

What we collect: Page views, browser type, referring URL, approximate location (country level), session duration. If you subscribe to the newsletter, we collect your email address.

Why: To understand which content is useful and to improve the site. Email addresses are collected to send you ISO 27001 insights if you opt in.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for analytics. Consent (Art. 6(1)(a) GDPR) for the newsletter subscription.

2. Readiness Assessment

What we collect: Your company email address, your answers to the assessment questions, the path you take through the assessment, timestamps, and whether you complete or abandon the assessment.

Why: To provide you with a personalised readiness report and, if appropriate, follow-up guidance. Company email addresses are required to deliver results and to filter out non-business enquiries.

Legal basis: Consent (Art. 6(1)(a) GDPR) — you explicitly agree before starting the assessment.

3. Follow-Up Communication

What we collect: Email open and click data from follow-up emails.

Why: To understand whether our follow-up guidance is relevant and to improve the content we send.

Legal basis: Consent (Art. 6(1)(a) GDPR) — given when you submit your email for the assessment. You can withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us directly.

4. Web Chat (IX Engine on /ask)

What we collect: The messages you send, the responses you receive, timestamps, your browser type, and an anonymised version of your IP address. If you choose to email yourself the conversation transcript, we also collect the email address you provide.

Why: To answer your questions about ISO 27001 in real time. If you request a transcript, we use your email address to deliver it and to create a contact record in our CRM so we can follow up with relevant guidance. Conversations are also logged on our servers to improve the quality and accuracy of the IX Engine's responses.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for processing chat messages — you initiate the conversation, and processing is necessary to respond. Consent (Art. 6(1)(a) GDPR) for the email transcript — you explicitly enter your email address and submit it. A consent notice is displayed at the point of collection.

What happens if you don't request a transcript: Your conversation is processed in your browser's memory only. When you close the tab, it is gone. No email address is collected, and no CRM record is created. Anonymised conversation logs are still stored on our servers for service improvement.

5. CRM (HubSpot)

What we collect: Your email address, assessment results, tags based on your assessment path, and enriched company data derived from your email domain (company name, size, industry — where publicly available). If you request a web chat transcript, your email address, conversation history, and the hub you interacted with are also stored in HubSpot.

Why: To manage our relationship with you and to provide relevant follow-up based on your specific situation rather than generic content.

Legal basis: Consent (Art. 6(1)(a) GDPR) for assessment-related data. Legitimate interest (Art. 6(1)(f) GDPR) for enrichment from publicly available company information.


Third-Party Processors

We use the following third-party services to operate the ISO 27001 Info Hub. Each one processes personal data on our behalf under a Data Processing Agreement (DPA).

Processor                 | Purpose                                          | Location                                 | DPA
--------------------------|--------------------------------------------------|------------------------------------------|----------
Ghost (Ghost Foundation)  | Website hosting, analytics, newsletter           | Ireland (EU)                             | Yes
Infomaniak                | VPS hosting                                      | Switzerland                              | Yes
Anthropic                 | AI processing for bot responses                  | United States                            | Yes (DPA)
HubSpot                   | CRM, email follow-up, enrichment                 | United States (EU data center available) | Yes
Brevo (Brevo SA)          | Transactional email delivery (chat transcripts)  | France (EU)                              | Yes
Usercentrics (Cookiebot)  | Cookie consent management                        | Germany (EU)                             | Yes


Data Transfers Outside the EU

Some of our processors are located outside the European Economic Area. We take the following safeguards:

United States (Anthropic, HubSpot): Transfers are covered by the EU–US Data Privacy Framework where the processor is certified, or by Standard Contractual Clauses (SCCs) where they are not.

Switzerland (Infomaniak): Switzerland has an EU adequacy decision. No additional safeguards are required.


How Long We Keep Your Data

Data type                                        | Retention period                 | What happens after
-------------------------------------------------|----------------------------------|---------------------------------------
Website analytics                                | 26 months                        | Automatically deleted by Ghost
Newsletter email                                 | Until you unsubscribe            | Deleted within 30 days of unsubscribe
Web chat conversations (no transcript requested) | 90 days                          | Automatically purged from server logs
Web chat transcripts (email requested)           | 12 months after request          | Deleted from our systems and HubSpot
Assessment results                               | 12 months after completion       | Deleted from HubSpot and our systems
HubSpot CRM records                              | 24 months after last interaction | Automatically deleted
Follow-up email tracking                         | 12 months                        | Deleted with assessment data

If you request deletion before these periods expire, we will process your request within 30 days.


Cookies and Tracking

This website uses cookies. Some are necessary for the site to function. Others help us understand how the site is used or support our marketing efforts.

Essential cookies

These are required for the website to work and cannot be disabled. They include Ghost session cookies and the Cookiebot consent cookie that remembers your cookie preferences.

Analytics cookies

Ghost collects anonymous usage statistics (page views, session duration, referral source). These cookies are only set after you give consent via the cookie banner.

Marketing cookies

We use a LinkedIn tracking pixel to measure the effectiveness of our LinkedIn campaigns. This pixel is only activated after you give explicit consent via the cookie banner. It allows LinkedIn to identify you as a visitor to our site for the purpose of showing you relevant content on LinkedIn. You can opt out at any time by adjusting your cookie preferences.

Managing your preferences

When you first visit the site, a cookie banner asks for your consent. You can change your preferences at any time by clicking the cookie settings link in the footer of any page. No non-essential cookies are set until you give consent.


Your Rights

Under GDPR, you have the following rights regarding your personal data:

Access — You can request a copy of all personal data we hold about you.

Rectification — You can ask us to correct inaccurate or incomplete data.

Deletion — You can ask us to delete your data. We will comply unless we have a legal obligation to retain it.

Restriction — You can ask us to temporarily stop processing your data while we resolve a dispute or verify accuracy.

Portability — You can request your data in a structured, machine-readable format.

Objection — You can object to processing based on legitimate interest. We will stop unless we can demonstrate compelling grounds.

Withdraw consent — Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at DPO@isegrim-x.com. We will respond within 30 days.

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your local supervisory authority. For Germany, this is the relevant state data protection authority (Landesdatenschutzbehörde) for Baden-Württemberg:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
www.baden-wuerttemberg.datenschutz.de


Changes to This Policy

We may update this policy when our services or legal requirements change. The "Last updated" date at the top will always reflect the latest version. For significant changes, we will notify newsletter subscribers by email.


Contact

For any questions about this privacy policy or how we handle your data:

ISEGRIM X AG
Data Protection Contact: DPO@isegrim-x.com