Privacy Policy
Last updated: 12 March 2026
This Privacy Policy explains how FromCISO (“we”, “us”, “our”) collects, uses, and protects your personal data when you use the DORA Register of Information tool (“DORA RoI”) available at roi.fromciso.com.
1. Data Controller
The data controller for personal data collected through the DORA RoI access gate is:
- Entity: FromCISO
- Website: www.fromciso.com
- Contact: privacy@fromciso.com
2. What Data We Collect
Personal data we receive
- Email address (required) — collected when you request access to the tool through the access gate.
- Name (optional) — if provided during the access request.
Data we do NOT collect
- Register data — all DORA register data (ICT contracts, third-party providers, signatories, functions, assessments) is processed and stored exclusively in your browser's localStorage. We never receive, transmit, or store register data on any server.
- We do not collect analytics data, browsing behavior, device fingerprints, or IP addresses for tracking purposes.
3. How We Use Your Data
| Purpose | Data Used | Details |
|---|---|---|
| Service access | Email | Your email is used to authenticate you and provide access to the tool. A signed HTTP-only cookie is set in your browser for 30 days. |
| Lead management | Email, Name | Your email and name (if provided) are stored in our CRM (HubSpot) to manage user relationships and communicate about the service. |
| Newsletter | Email | Your email may be added to our Substack newsletter at fromciso.com, where we share cybersecurity and compliance insights. You can unsubscribe at any time using the unsubscribe link included in every newsletter email. |
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR:
- Legitimate interest (Article 6(1)(f)) — for providing access to the tool, managing user relationships in our CRM, and sending relevant professional communications. Our legitimate interest is to operate and improve the service and share relevant content with professional users.
You have the right to object to processing based on legitimate interest at any time. For the newsletter specifically, you can unsubscribe using the link in any email, or by contacting us directly.
5. Third-Party Data Processors
We share your personal data with the following service providers:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| HubSpot, Inc. | CRM — stores email and name for lead management | United States | Data Processing Agreement |
| Substack, Inc. | Newsletter delivery | United States | Unsubscribe available in every email |
| Vercel, Inc. | Application hosting, serves static assets | United States | Standard server logs only; no personal data stored beyond HTTP requests |
6. Data Retention
- CRM data (email, name) — retained for as long as your relationship with us is active, or until you request deletion.
- Access cookie — expires automatically after 30 days. You can clear it at any time via your browser settings or by signing out.
- Browser localStorage — register data and settings stored in your browser remain entirely under your control. You can clear them at any time via the app's Settings page or browser settings.
7. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of your data
- Right to restriction (Art. 18) — restrict processing of your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest, including newsletter communications
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent
- Right to lodge a complaint — with a supervisory authority in your EU/EEA member state
To exercise any of these rights, contact us at privacy@fromciso.com. We will respond within 30 days.
8. International Data Transfers
Your personal data may be transferred to and processed in the United States by our service providers (HubSpot, Substack, Vercel). These transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the European Commission.
9. Cookies
DORA RoI uses a single functional cookie:
| Name | Purpose | Type | Duration |
|---|---|---|---|
| dora_roi_access | Authenticates your session | HTTP-only, Secure, SameSite=Lax | 30 days |
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.
11. Contact
For any privacy-related questions or requests, please contact us at: privacy@fromciso.com