Last updated: June 2026
Privacy Policy
ThemisIQ ("we", "our", "us") is committed to protecting your personal data. This policy explains what data we collect, why we collect it, how we use it, and what rights you have.
This policy applies to visitors to themisiq.net and users of the ThemisIQ application at app.themisiq.net.
1. Who we are
ThemisIQ is a governance, risk, and compliance (GRC) platform. Our contact email is [email protected].
2. Data we collect
2.1 When you visit this website
- IP address and browser user agent (collected by our server for security logging).
- Pages visited and time spent (if you accept analytics cookies).
2.2 When you submit a demo request
- Full name, work email address, and company name.
- These are used solely to respond to your request and are not shared with third parties for marketing.
2.3 When you use the ThemisIQ application
- Account credentials (username and bcrypt-hashed password).
- Activity logs (actions taken within the platform, stored for audit compliance).
- Compliance data you enter (risks, audits, incidents, DPIA records, etc.) — this data belongs to your organisation and we process it on your behalf.
3. Legal basis for processing (GDPR)
- Contractual necessity: processing required to provide the platform to you.
- Legitimate interest: security logging, fraud prevention, product improvement.
- Consent: analytics cookies (you can withdraw consent at any time via the cookie banner).
4. How we use your data
- To provide and operate the ThemisIQ platform.
- To respond to demo requests and support enquiries.
- To send operational emails (password resets, SLA alerts, compliance reminders) when you are a registered user.
- To maintain security audit logs as required by applicable compliance frameworks.
5. Data sharing
We do not sell or rent your personal data. We may share data with:
- Cloud infrastructure providers (Hetzner) for hosting — governed by their data processing agreement.
- Email delivery services (SendGrid or Microsoft) for transactional email — governed by their data processing agreement.
- Law enforcement if required by law.
6. Data retention
- Demo requests: retained for 90 days, then deleted.
- User account data: retained for the duration of your subscription plus 30 days after termination.
- Audit logs: retained for 7 years to meet regulatory requirements (ISO 27001, SOC 2, GDPR Art. 30).
7. International transfers
Your data is hosted on servers within the European Union (Hetzner, Germany). If data is transferred outside the EEA, we ensure appropriate safeguards are in place under GDPR Chapter V.
8. Cookies
We use the following cookies:
- Essential cookies: session authentication cookie (ofa_session), CSRF protection cookie. These cannot be disabled — the platform cannot function without them.
- Preference cookies: cookie_consent — stores your cookie choice (kept in your browser's localStorage only and not transmitted to the server).
- Analytics cookies: only set if you click "Accept all" on the cookie banner. Used to understand how the site is used.
You can change your cookie preferences at any time by clearing your browser's localStorage for themisiq.net.
9. Your rights
Under GDPR and applicable data protection law, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate data (Art. 16).
- Erasure ("right to be forgotten") where no legal obligation to retain exists (Art. 17).
- Restriction of processing in certain circumstances (Art. 18).
- Data portability in a machine-readable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority.
10. Security
We implement technical and organisational security measures including: bcrypt password hashing (cost factor 12), TLS encryption in transit, HTTPS enforced via Cloudflare, SHA-256 hashing of session tokens, Content Security Policy headers, and role-based access control.
11. Changes to this policy
We may update this policy periodically. Material changes will be communicated via the application or email. The "Last updated" date at the top of this page reflects the current version.
12. Contact
For any privacy-related queries: [email protected]