ISO Assistant

Privacy Policy for ISO Assistant

Effective date: 16 July 2026Version: 2026-07-16

This Privacy Policy explains how Mercator Projects Pty Ltd collects, uses, stores, shares, and protects personal information through the ISO Assistant website, application, communications, and related services.

It is intended to support compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) in South Africa and, where applicable, the European Union General Data Protection Regulation (GDPR). Under POPIA, personal information may relate to natural or juristic persons. Under the GDPR, personal data relates to identified or identifiable natural persons.

1. Who we are

ISO Assistant is operated by Mercator Projects Pty Ltd, registration number 2019 / 008222 / 07, a company registered in the Republic of South Africa.

This policy applies to ISO Assistant at https://app.isoassistant.com/privacy, the ISO Assistant application, and related support, billing, and operational communications.

2. Our data-protection roles

We act as the responsible party or data controller when we decide why and how to process information needed to operate ISO Assistant, including account, billing, support, security, and service-administration information.

A business customer generally acts as the responsible party or data controller for personal information that it or its authorised users enter into ISO Assistant as customer content. For that customer content, we generally act as an operator or data processor and process it to provide the service, on the customer’s instructions, and as required by law.

Customers are responsible for giving appropriate notices to their employees, contractors, suppliers, clients, visitors, and other data subjects, and for establishing a lawful basis before placing their personal information in ISO Assistant.

3. Personal information we collect

The information we collect depends on how ISO Assistant is used.

  • Account and identity information, including names, email addresses, passwords stored as secure hashes, company membership, roles, permissions, and email preferences.
  • Company and subscription information, including company name, country, time zone, contact details, billing address, VAT number, plan, invoices, payment status, and payment references.
  • Customer content, including ISO documents, process information, audit records, incidents, nonconformities, corrective actions, objectives, risks, training records, maintenance and calibration records, supplier and customer-feedback information, meeting records, evidence, and uploaded attachments.
  • Support and communications information, including support tickets, feedback, emails, notification history, and information supplied when contacting us.
  • Technical and security information, including session identifiers, IP addresses where recorded, browser or user-agent information, timestamps, access and activity records, error information, and operational logs.
  • AI feature inputs and outputs when a customer chooses to use an AI-assisted feature, as described below.

4. Special personal information and sensitive data

Because ISO Assistant supports incident, health-and-safety, training, personnel, and audit workflows, customer content may contain health information, employment information, allegations, disciplinary or criminal-behaviour information, photographs, or other information treated as special personal information under POPIA or special-category or sensitive personal data under other laws.

Customers should only enter this information where it is necessary, relevant, proportionate, and lawfully permitted. Customers must apply appropriate access restrictions and must not use ISO Assistant to collect sensitive information merely because a field or upload feature is available.

The service is not intended to collect children’s personal information as part of account registration. If a customer places children’s information in customer content, that customer is responsible for ensuring that the processing is specifically authorised by applicable law.

5. Where information comes from

We receive information directly from account holders and authorised users, from the organisations that invite or administer those users, from data subjects who submit public feedback, and from service providers such as payment and email providers.

We also generate technical, security, billing, and usage records when the website and application are used.

6. Why we process information and our lawful grounds

We process personal information only where we have a lawful justification under applicable law. Depending on the context, this may be necessary to perform or enter into a contract, comply with a legal obligation, pursue a legitimate business interest that is not overridden by individual rights, protect a legitimate interest of a data subject or another person, or act with consent where consent is required.

  • Creating and administering accounts, company workspaces, roles, permissions, sessions, trials, subscriptions, and invoices.
  • Providing, maintaining, securing, troubleshooting, and improving ISO Assistant.
  • Storing and processing customer content on the customer’s instructions.
  • Sending account, security, support, workflow, assignment, reminder, billing, and service communications.
  • Processing payments and reconciling payment and subscription status.
  • Preventing fraud, misuse, unauthorised access, and security incidents, and maintaining appropriate audit records.
  • Complying with tax, accounting, legal, regulatory, dispute-resolution, and law-enforcement obligations.
  • Generating requested AI-assisted draft content when a customer actively uses that feature.

7. AI-assisted features

When an authorised user requests AI-assisted implementation content, relevant company-profile, process, and implementation information is sent to OpenAI’s API to generate the requested draft. Users should not include unnecessary personal information in AI prompts or implementation profiles.

AI-generated material is a draft support tool. ISO Assistant does not use AI output to make decisions that produce legal or similarly significant effects about individuals. Customers and authorised users must review and approve generated content before relying on it.

8. How we share information

We do not sell personal information. We share information only as needed to operate ISO Assistant, follow customer instructions, complete transactions, protect the service, or comply with law.

  • Vercel, for application hosting, content delivery, server functions, operational logs, and Vercel Blob object storage.
  • Neon, for managed PostgreSQL database hosting, resilience, and backup or restore capabilities.
  • Resend, for transactional and operational email delivery.
  • PayFast, for payment and recurring-subscription processing. PayFast receives payment information directly and ISO Assistant stores transaction and subscription references rather than full card details.
  • OpenAI, only when an authorised user requests an AI-assisted feature.
  • Professional advisers, auditors, insurers, regulators, courts, law-enforcement bodies, or potential business transaction counterparties where disclosure is lawful and reasonably necessary.

9. International processing and transfers

Mercator Projects is established in South Africa, while some service providers and technical infrastructure operate in the United Kingdom, European Economic Area, United States, and other countries. Personal information may therefore be processed outside the country where the data subject or customer is located.

Where POPIA applies, we take steps intended to satisfy section 72, including using recipients subject to appropriate laws or binding contractual protections. Where the GDPR applies, we use an applicable transfer mechanism such as an adequacy decision, the European Commission’s Standard Contractual Clauses, or another lawful safeguard, together with supplementary measures where required.

Customers should consider their own cross-border transfer obligations before entering personal information into ISO Assistant.

10. Security

We use administrative, technical, and organisational safeguards intended to protect the confidentiality, integrity, and availability of personal information. Current application controls include tenant-scoped access checks, role and permission controls, password hashing, secure HTTP-only session cookies in production, session revocation, persistent login abuse protection, browser security headers, private storage and authenticated delivery for customer attachments, input and file-type validation, and activity or audit records for selected sensitive actions.

Our hosting and database providers support encrypted transport and encryption at rest, access controls, monitoring, resilience, backups, and independently assessed security programmes. Selected company logos are intentionally stored as public assets; customer attachments are stored privately.

No internet service can guarantee absolute security. Customers must protect user credentials, limit permissions to what each user needs, promptly remove access that is no longer required, and notify us of suspected unauthorised access.

11. Retention and deletion

We retain personal information only for as long as reasonably necessary for the purposes described in this policy, the customer relationship, legal and accounting obligations, dispute resolution, security, and enforcement.

Retention periods depend on the type of record, the customer’s instructions, the duration of the account, statutory requirements, and whether the information is needed to establish, exercise, or defend legal claims. Terms-acceptance, billing, security, and audit records may be kept longer than ordinary operational records where reasonably necessary.

When information is no longer authorised or required to be retained, we will delete, destroy, or de-identify it as reasonably practicable. Residual copies may remain temporarily in protected backups until those backups are rotated, unless longer retention is legally required.

Subscription cancellation does not automatically delete a workspace. A designated workspace owner may request permanent deletion through Billing. The request starts a 30-day grace period, is disclosed to active administrators, and may be cancelled before processing begins. After the grace period, active database records and stored files are removed. Residual encrypted copies may remain temporarily in restricted provider backups until normal backup rotation and are not available through the application or used for ordinary business purposes.

12. Cookies and electronic communications

ISO Assistant currently uses an essential session cookie to keep users signed in and secure authenticated access. The cookie is HTTP-only, uses SameSite protection, is marked secure in production, and is not used for advertising.

We do not currently use non-essential advertising or behavioural-tracking cookies. If that changes, we will update this policy and implement consent or preference controls where required.

Operational emails include account, workflow, assignment, reminder, support, security, billing, and subscription messages. Users can manage available reminder and notification preferences in their account. Essential service, security, billing, and legal communications may still be sent where necessary.

13. Your privacy rights

Depending on the law that applies and our role in the processing, a data subject may have rights to be informed, request access, request correction, request deletion or destruction, restrict processing, object to processing, request portability, withdraw consent, and complain to a regulator. These rights may be limited where an exemption applies or where retention or processing is required by law.

Send requests to info@isoassistant.com. We may need to verify identity and authority before acting. Where the GDPR applies, we will respond within the legally required period, normally one month, unless a lawful extension applies.

14. Requests involving customer-managed content

If personal information was placed in ISO Assistant by one of our business customers, that customer is usually the responsible party or controller and is best placed to respond to the request. A data subject should normally contact that organisation first.

If we receive a request relating to customer-managed content, we may refer it to the relevant customer and will provide reasonable assistance required by applicable law and our contractual obligations.

15. Security incidents and data breaches

We maintain processes to investigate suspected security incidents. Where there are reasonable grounds to believe personal information has been accessed, acquired, lost, altered, or disclosed without authorisation, we will notify affected customers, regulators, and data subjects as required by our role and applicable law.

Customers must notify us promptly if an incident may affect ISO Assistant credentials, accounts, customer content, or integrations.

16. Business service and children

ISO Assistant is a business service and is not directed to children or intended for personal use by children. A person creating an account must be authorised to act for the relevant organisation.

17. Changes to this policy

We may update this Privacy Policy to reflect changes in the service, providers, law, or our processing practices. The updated policy will be published at the privacy-policy address with a revised effective date and version.

Where a change materially affects how we process personal information, we will take reasonable steps to provide additional notice where required.

18. Contact and complaints

Information Officer and privacy contact: Eugene van der Watt

Mercator Projects Pty Ltd

23 Cape Point Main Rd, Castle Rock, Simon’s Town, 7975, South Africa

Email: info@isoassistant.com

Telephone: +27 (0)83 226 6899

A person may also complain to the Information Regulator (South Africa) or, where the GDPR applies, the competent supervisory authority in the European Economic Area.