Last updated: 26 March 2026 · Version 1.0
ISO Application is operated by Fusionpact Technologies Inc., a company incorporated in Delaware, USA. We are committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR), the Digital Personal Data Protection Act 2023 (DPDP Act), and other applicable laws.
We collect: (a) Account data — name, email, organisation name, contact details provided during registration; (b) Certification data — client details, auditor information, audit records, NC findings, and certificates uploaded or created within the platform; (c) Usage data — feature usage, login timestamps, IP addresses, and audit logs; (d) Payment data — billing email and payment references (card details are processed by Stripe/Razorpay and never stored by us).
We use your data to: provide and improve the Service; send transactional emails (account setup, audit notifications, certificate issuance); process payments; comply with legal obligations; and respond to support requests. We do not use your data for advertising, profiling, or sell it to third parties.
For data you upload about your clients, auditors, and certification records, Fusionpact acts as a data processor on your behalf. You, as the Certification Body, are the data controller. We process this data solely on your documented instructions (i.e., your use of the Service).
All CB data is isolated using Row Level Security (RLS) at the database layer. This means no CB can access another CB's data — enforced mathematically, not just by application code. We implement encryption at rest (AES-256) and in transit (TLS 1.3), regular penetration testing, and access controls aligned with ISO 27001.
We retain your data for the duration of your subscription plus 90 days following termination (to allow data export). Audit logs are retained for 7 years to support accreditation requirements. You may request deletion of personal data at any time, subject to our legal retention obligations.
Under GDPR and the DPDP Act, you have the right to: access your personal data; correct inaccurate data; request deletion; restrict or object to processing; data portability; and lodge a complaint with a supervisory authority. To exercise these rights, contact privacy@fusionpact.com.
We use only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. You can disable cookies in your browser settings, but this may affect platform functionality.
We use the following sub-processors: Supabase (database, EU/US), Vercel (hosting, global edge), Resend (transactional email), Stripe (payment processing), Anthropic (AI features). Each sub-processor is bound by data processing agreements. A full list is available on request.
Your data may be processed in countries outside India, including the EU and USA, by our sub-processors. All such transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.
For privacy enquiries: privacy@fusionpact.com. Data Protection Officer: Fusionpact Technologies Pvt Ltd, Noida, UP, India.